merging th1 content

2025-05-27 20:57:23 +00:00 · 2016-07-14 10:07:22 -07:00 · 2016-07-14 10:07:22 -07:00 · e47d3fdcdf
commit e47d3fdcdf
parent 262ece9170
7 changed files with 170 additions and 8 deletions
--- a/windows/whats-new/applocker.md
+++ b/windows/whats-new/applocker.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: brianlic-msft
-redirect_url: whats-new-windows-10-version-1511.md
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
 ---

 # What's new in AppLocker?
--- a/windows/whats-new/bitlocker.md
+++ b/windows/whats-new/bitlocker.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: brianlic-msft
-redirect_url: whats-new-windows-10-version-1511.md
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
 ---

 # What's new in BitLocker?
--- a/windows/whats-new/credential-guard.md
+++ b/windows/whats-new/credential-guard.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 author: brianlic-msft
-redirect_url: whats-new-windows-10-version-1511.md
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
 ---

 # What's new in Credential Guard?
--- a/windows/whats-new/security-auditing.md
+++ b/windows/whats-new/security-auditing.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 author: brianlic-msft
 ms.pagetype: security, mobile
-redirect_url: whats-new-windows-10-version-1511.md
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
 ---

 # What's new in security auditing?
--- a/windows/whats-new/trusted-platform-module.md
+++ b/windows/whats-new/trusted-platform-module.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: brianlic-msft
-redirect_url: whats-new-windows-10-version-1511.md
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
 ---

 # What's new in Trusted Platform Module?
--- a/windows/whats-new/user-account-control.md
+++ b/windows/whats-new/user-account-control.md
@ -7,7 +7,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-redirect_url: whats-new-windows-10-version-1511.md
+redirect_url: whats-new-windows-10-version-1507-and-1511.md
 ---

 # What's new in User Account Control?
--- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
+++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md
@ -23,9 +23,19 @@ With Windows 10, you can create provisioning packages that let you quickly and e

 ## Security

+### Applocker
+
+#### New Apolocker features in Windows 10, version 1507
+
+-   A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
+-   A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
+-   You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx).
+
+[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md).
+
 ### Bitlocker

-The following Bitlocker features were added in Windows 10, version 1511.
+#### New Bitlocker features in Windows 10, version 1511

 -   **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
    It provides the following benefits:
@ -33,9 +43,17 @@ The following Bitlocker features were added in Windows 10, version 1511.
    -   Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
        >**Note:**  Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.

+#### New Bitlocker features in Windows 10, version 1507
+
+-   **Encrypt and recover your device with Azure Active Directory**. In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
+-   **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
+-   **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md).
+
+[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md).
+
 ### Credential Guard

-The following Credential Guard features were added in Windows 10, version 1511.
+#### New Credential Guard features in Windows 10, version 1511

 -   **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
    -   Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
@ -44,6 +62,8 @@ The following Credential Guard features were added in Windows 10, version 1511.
 -   **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
 -   **CredSSP/TsPkg credential delegation**. CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled.

+[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md).
+
 ### Easier certificate management


@ -57,12 +77,154 @@ Microsoft Passport lets users authenticate to a Microsoft account, an Active Dir

 ### Security auditing

+#### New Security auditing features in Windows 10, version 1511
+
 -   The [WindowsSecurityAuditing](http://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](http://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices.

+## New features in Windows 10, version 1507
+
+In Windows 10, security auditing has added some improvements:
+-   [New audit subcategories](#bkmk-auditsubcat)
+-   [More info added to existing audit events](#bkmk-moreinfo)
+
+### <a href="" id="bkmk-auditsubcat"></a>New audit subcategories
+
+In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
+-   [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource.
+    When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event.
+-   [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device.
+    Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play.
+    A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
+
+### <a href="" id="bkmk-moreinfo"></a>More info added to existing audit events
+
+With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
+-   [Changed the kernel default audit policy](#bkmk-kdal)
+-   [Added a default process SACL to LSASS.exe](#bkmk-lsass)
+-   [Added new fields in the logon event](#bkmk-logon)
+-   [Added new fields in the process creation event](#bkmk-logon)
+-   [Added new Security Account Manager events](#bkmk-sam)
+-   [Added new BCD events](#bkmk-bcd)
+-   [Added new PNP events](#bkmk-pnp)
+
+### <a href="" id="bkmk-kdal"></a>Changed the kernel default audit policy
+
+In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
+
+### <a href="" id="bkmk-lsass"></a>Added a default process SACL to LSASS.exe
+
+In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**.
+This can help identify attacks that steal credentials from the memory of a process.
+
+### <a href="" id="bkmk-logon"></a>New fields in the logon event
+
+The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
+1.  **MachineLogon** String: yes or no
+    If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
+2.  **ElevatedToken** String: yes or no
+    If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown.
+3.  **TargetOutboundUserName** String
+    **TargetOutboundUserDomain** String
+    The username and domain of the identity that was created by the LogonUser method for outbound traffic.
+4.  **VirtualAccount** String: yes or no
+    If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no.
+5.  **GroupMembership** String
+    A list of all of the groups in the user's token.
+6.  **RestrictedAdminMode** String: yes or no
+    If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes.
+    For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx).
+
+### <a href="" id="bkmk-process"></a>New fields in the process creation event
+
+The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
+1.  **TargetUserSid** String
+    The SID of the target principal.
+2.  **TargetUserName** String
+    The account name of the target user.
+3.  **TargetDomainName** String
+    The domain of the target user..
+4.  **TargetLogonId** String
+    The logon ID of the target user.
+5.  **ParentProcessName** String
+    The name of the creator process.
+6.  **ParentProcessId** String
+    A pointer to the actual parent process if it's different from the creator process.
+
+### <a href="" id="bkmk-sam"></a>New Security Account Manager events
+
+In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
+-   SamrEnumerateGroupsInDomain
+-   SamrEnumerateUsersInDomain
+-   SamrEnumerateAliasesInDomain
+-   SamrGetAliasMembership
+-   SamrLookupNamesInDomain
+-   SamrLookupIdsInDomain
+-   SamrQueryInformationUser
+-   SamrQueryInformationGroup
+-   SamrQueryInformationUserAlias
+-   SamrGetMembersInGroup
+-   SamrGetMembersInAlias
+-   SamrGetUserDomainPasswordInformation
+
+### <a href="" id="bkmk-bcd"></a>New BCD events
+
+Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
+-   DEP/NEX settings
+-   Test signing
+-   PCAT SB simulation
+-   Debug
+-   Boot debug
+-   Integrity Services
+-   Disable Winload debugging menu
+
+### <a href="" id="bkmk-pnp"></a>New PNP events
+
+Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
+
+[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md).
+
 ### Trusted Platform Module

+#### New TPM features in Windows 10, version 1511
+
 -   Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).

+#### New TPM features in Windows 10, version 1507
+
+The following sections describe the new and changed functionality in the TPM for Windows 10:
+-   [Device health attestation](#bkmk-dha)
+-   [Microsoft Passport](microsoft-passport.md) support
+-   [Device Guard](device-guard-overview.md) support
+-   [Credential Guard](../keep-secure/credential-guard.md) support
+
+## <a href="" id="bkmk-dha"></a>Device health attestation
+
+Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource.
+Some things that you can check on the device are:
+-   Is Data Execution Prevention supported and enabled?
+-   Is BitLocker Drive Encryption supported and enabled?
+-   Is SecureBoot supported and enabled?
+
+> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0.
+
+[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md).
+
+### User Account Control
+
+User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.
+
+You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10.
+
+For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md).
+
+In Windows 10, User Account Control has added some improvements.
+
+#### New User Account Control features in Windows 10, version 1507
+
+-   **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.
+
+[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md).
+
 ### VPN profile options

 Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including: