diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index b51971615e..231682d2b9 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -8,9 +8,20 @@ author: brianlic-msft ms.date: 04/19/2017 --- +**Applies to** + +- Windows 10, Windows Server 2016 + + # Manage the Settings app with Group Policy -Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. + +>[!Note] +>Each server that you want to manage access to the Settings App must be patched. + +To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management. This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 4d50badd48..710e19855a 100644 
--- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -93,8 +93,8 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me text/plain chr - <SyncML> - <SyncBody><Replace><CmdID>1001</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace><Final/></SyncBody></SyncML> + + 1001./Vendor/MSFT/Policy/Config/Experience/AllowCortanaint0 @@ -108,15 +108,15 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me chr - <rule schemaVersion="1.0"> + - <and> - <signal type="geoloc" latitude="47.6375" longitude="-122.1402" radiusInMeters="100"/> - <signal type="time"> - <daily startTime="09:00:00" endTime="17:00:00"/> - </signal> - </and> - </rule> + + + + + + + @@ -147,31 +147,31 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew text/plain chr - <SyncML> - <SyncBody><Replace><CmdID>1002</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace> <Final/></SyncBody></SyncML> + + 1002./Vendor/MSFT/Policy/Config/Camera/AllowCameraint0 301 - ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /SignalDefinition + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SignalDefinition text/plain chr - <rule schemaVersion="1.0"> - <and> - <signal type="ipConfig"> - <ipv4Gateway>192.168.0.1</ipv4Gateway> - </signal> - <signal type="time"> - <daily startTime="09:00:00" endTime="17:00:00"/> - </signal> - </and> - </rule> + + + + 192.168.0.1 + + + + + + 
@@ -179,7 +179,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew 302 - ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /Altitude + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/Altitude int diff --git a/windows/hub/index.md b/windows/hub/index.md index adbc774252..531d071af4 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -8,7 +8,7 @@ author: greg-lindsay ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Windows 10 and Windows 10 Mobile @@ -18,15 +18,16 @@ Find the latest how to and support content that IT pros need to evaluate, plan,   -> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false] + +> [!video https://www.youtube.com/embed/hAva4B-wsVA] -## Check out [what's new in Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803). +## Check out [what's new in Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 1ad4aaad24..6a8e0bd587 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -19,7 +19,7 @@ ms.date: 08/18/2018 - Certificate trust -You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. +Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. @@ -514,4 +514,4 @@ For your reference, below is a comprehensive list of the AD DS devices, containe 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index f6a16d45b9..f14eedf3af 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -24,7 +24,7 @@ Windows Hello for Business deployments rely on certificates. Hybrid deployments All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates. -## Certifcate Templates +## Certificate Templates This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. @@ -146,7 +146,8 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ >[!NOTE] >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -Publish Templates + +## Publish Templates ### Publish Certificate Templates to a Certificate Authority diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 792d6b059a..7fa22e10ce 100644 
--- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -104,8 +104,8 @@ The following table defines which Windows features require TPM support. | BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required | | Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | | Windows Defender Application Control (Device Guard) | No | Yes | Yes | | -| Windows Defender Exploit Guard | Yes | Yes | Yes | | -| Windows Defender System Guard | Yes | Yes | Yes | | +| Windows Defender Exploit Guard | No | N/A | N/A | | +| Windows Defender System Guard | Yes | No | Yes | | | Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. | | Device Health Attestation| Yes | Yes | Yes | | | Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. | diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index 4b1c430188..1fb88b5fd4 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Driver 
@@ -56,7 +56,7 @@ This subcategory is outside the scope of this document. ## 5478(S): IPsec Services has started successfully. -## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. +## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. ## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 9edf8ad528..e9388ef13f 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Extended Mode 
@@ -28,17 +28,17 @@ Audit IPsec Extended Mode subcategory is out of scope of this document, because | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | -## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. +## 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -## 4979: IPsec Main Mode and Extended Mode security associations were established. +## 4979(S): IPsec Main Mode and Extended Mode security associations were established. -## 4980: IPsec Main Mode and Extended Mode security associations were established. +## 4980(S): IPsec Main Mode and Extended Mode security associations were established. -## 4981: IPsec Main Mode and Extended Mode security associations were established. +## 4981(S): IPsec Main Mode and Extended Mode security associations were established. -## 4982: IPsec Main Mode and Extended Mode security associations were established. +## 4982(S): IPsec Main Mode and Extended Mode security associations were established. -## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. +## 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. -## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. +## 4984(S): An IPsec Extended Mode negotiation failed. 
The corresponding Main Mode security association has been deleted. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index d0764daf4b..1a34ba32f3 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Main Mode 
@@ -28,21 +28,21 @@ Audit IPsec Main Mode subcategory is out of scope of this document, because this | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | -## 4646: Security ID: %1 +## 4646(S): Security ID: %1 -## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. +## 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. -## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. +## 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. -## 4652: An IPsec Main Mode negotiation failed. +## 4652(F): An IPsec Main Mode negotiation failed. -## 4653: An IPsec Main Mode negotiation failed. +## 4653(F): An IPsec Main Mode negotiation failed. -## 4655: An IPsec Main Mode security association ended. +## 4655(S): An IPsec Main Mode security association ended. -## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. +## 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -## 5049: An IPsec Security Association was deleted. +## 5049(S): An IPsec Security Association was deleted. 
-## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. +## 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index 7adfcddd8c..40aabcd719 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Quick Mode @@ -28,9 +28,9 @@ Audit IPsec Quick Mode subcategory is out of scope of this document, because thi | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | -## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. +## 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -## 5451: An IPsec Quick Mode security association was established. +## 5451(S): An IPsec Quick Mode security association was established. -## 5452: An IPsec Quick Mode security association ended. +## 5452(S): An IPsec Quick Mode security association ended. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 0c74046601..8c879a5721 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -54,9 +54,7 @@ You can use the Windows Security app or Group Policy to add and remove additiona 3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - - ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) - + ### Use Group Policy to protect additional folders 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index e689b26a32..54719a5b2f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- # Customize exploit protection 
@@ -39,8 +39,6 @@ You can set each of the mitigations to on, off, or to their default value. Some Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". -![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png) - The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. @@ -116,9 +114,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may required a restart, which will be indicated in red text underneath the setting. - - ![Screenshot showing the DEP drop down menu where you can select On, Off, or Default](images/wdsc-exp-prot-sys-settings.png) + Changing some settings may required a restart, which will be indicated in red text underneath the setting. 4. Repeat this for all the system-level mitigations you want to configure. 
@@ -138,15 +134,11 @@ Exporting the configuration as an XML file allows you to copy the configuration 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - - ![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png) - + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - - ![Screenshot showing some of the options available for an added program](images/wdsc-exp-prot-app-settings-options.png) - + You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png index bf7a3e3910..a60f5edbab 100644 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png and b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png differ diff --git a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png index 98083a937c..68b94302a1 100644 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png and b/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index e37e313557..c6ac6d12ab 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -16,6 +16,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) - [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) - [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) - [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 50352d8816..62ee95e835 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md 
@@ -189,8 +189,6 @@ Windows Defender Credential Guard has always been an optional feature, but Windo A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE). -<<<<<<< HEAD -======= ### Windows Defender ATP [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: @@ -220,7 +218,6 @@ Windows Defender ATP now adds support for Windows Server 2019. You'll be able to - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor ->>>>>>> 951a08abdd8a55231838c35a12890ed68af95f88 ## Faster sign-in to a Windows 10 shared pc Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash!
- + Read what's new in Windows 10
What's New?
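Review bot: in manage-settings-app-with-group-policy.md, the rewritten opening sentence drops the version qualifier ("Starting in Windows 10, version 1703") while the new "Applies to" block says only "Windows 10", so a reader on an earlier build no longer learns that Settings Page Visibility is unavailable there; keep the minimum version, e.g. "Starting in Windows 10, version 1703, you can manage the pages that are shown in the Settings app by using Group Policy." The added paragraphs also need a wording pass: "Settings App group polices on Windows server 2016" should read "Settings app group policies on Windows Server 2016", "Each server that you want to manage access to the Settings App must be patched" should read "Each server on which you want to manage access to the Settings app must be patched", and "To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file" needs a comma after "policies" and "files" in place of "file".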
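Review bot: in dynamicmanagement-csp.md, the replacement lines for the SyncML and rule samples have lost their XML markup: the `+` line reads `1001./Vendor/MSFT/Policy/Config/Experience/AllowCortanaint0` and the NetworkWithTime signal definition survives only as `192.168.0.1` surrounded by blank lines, where the removed `-` lines carried `<SyncML>`, `<Replace>`, `<LocURI>`, `<rule schemaVersion="1.0">`, `<signal type="ipConfig">` and `<ipv4Gateway>`. If the intent was only to fence or escape the samples, restore the element tags, because a reader cannot reconstruct the `<and>`/`<signal>` structure from the surviving text and a pasted sample would not be valid SyncML. The LocURI whitespace fix (`Contexts/ NetworkWithTime /SignalDefinition` to `Contexts/NetworkWithTime/SignalDefinition`, and the same for `/Altitude`) is correct; the stray spaces would have produced an invalid node path.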
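Review bot: in hello-hybrid-cert-whfb-settings-pki.md, promoting the orphaned plain-text line to `## Publish Templates` is the right structural fix, but the note in the trailing context still reads "on our Windows Server 2012 or later certificate authority", which should be "your"; worth fixing while the section is open.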
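Review bot: in tpm-recommendations.md, the Windows Defender System Guard row now reads `Yes | No | Yes` (TPM required, 1.2 not supported, 2.0 supported) but its details cell is left empty, while the Device Encryption row with the same TPM 2.0-only requirement spells it out; add a short note such as "TPM 2.0 is required" so the requirement is stated rather than implied by the No. For the Exploit Guard row, `No | N/A | N/A` is internally consistent, but an empty details cell beside two N/A values reads as missing data; a short "Does not use the TPM" would make it explicit.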
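Review bot: in audit-ipsec-extended-mode.md, 4983 and 4984 ("An IPsec Extended Mode negotiation failed") are tagged `(S)` while the same change tags the equivalent Main Mode events 4652 and 4653 ("An IPsec Main Mode negotiation failed") as `(F)`; the suffix is the audit result (Success/Failure) that analysts filter on, so pick one convention for both files, and if these really are logged as Success events, say so in the body text, since a failure message carrying a Success result is exactly what someone building a detection on it will question.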
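Review bot: in audit-ipsec-main-mode.md, 5453 ("An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started") is tagged `(S)` while 4652 and 4653 in the same hunk are tagged `(F)`; confirm the audit result for 5453 and align it, since a SIEM filter on Success/Failure will key on that tag. Also `## 4646(S): Security ID: %1` is the raw message template rather than a description; replace `%1` with a sentence describing what the event reports, as the other headings do.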
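Review bot: in customize-controlled-folders-exploit-guard.md, removing the screenshot leaves the step `Click **Add a protected folder** and follow the prompts to add apps.` as the only guidance for that step, and "add apps" is wrong here: this is the Protected folders section and the button adds folders, not apps; change it to "follow the prompts to add folders" while this block is being edited.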
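Review bot: in customize-exploit-protection.md, the rewritten line `Changing some settings may required a restart, which will be indicated in red text underneath the setting.` carries the grammar error over from the removed line; it should read "may require a restart". With the DEP drop-down screenshot that followed it deleted, that sentence is the only remaining indication of where the restart warning appears, so it is worth getting right.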
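Review bot: in whats-new-windows-10-version-1809.md, removing the `<<<<<<< HEAD`, `=======` and `>>>>>>> 951a08abdd8a55231838c35a12890ed68af95f88` markers is the right fix and the text between them (the Windows Defender ATP section through the onboarding links) is kept; grep the rest of the file for the same markers before merging, since a conflict marker that reached a published page usually means one side's text was dropped silently. The heading `## Faster sign-in to a Windows 10 shared pc` in the trailing context should read "shared PC".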