deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 07:17:24 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs3' into jd3csp

Browse Source
This commit is contained in:
jdeckerMS 2017-09-14 06:59:15 -07:00
commit e57360dcba
10 changed files with 69 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/application-management/media/user-service-flag.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 44 KiB

After

Width:  |  Height:  |  Size: 65 KiB

22
windows/application-management/per-user-services-in-windows.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: mobile
ms.author: elizapo
author: lizap
ms.date: 08/14/2017
ms.date: 09/13/2017
---
# Per-user services in Windows 10 and Windows Server
@ -19,23 +19,17 @@ Per-user services are services that are created when a user signs into Windows o
> [!NOTE]
> Per-user services are only in available in Windows Server if you have installed the Desktop Experience. If you are running a Server Core or Nano Server installation, you won't see these services.
Beginning with Windows 10, version 1709 and Windows Server, version 1709, there are two ways to prevent per-user services from being created:
You can set the template service's **Startup Type** to **Disabled** to create per-user services in a stopped and disabled state.
- Configure the template service to create them in a stopped and disabled state. You do this by setting the template service's **Startup Type** to **Disabled**.
> [!IMPORTANT]
> If you change the template service's Startup Type, make sure you carefully test that change prior to rolling it out in your production environment.
- Create a new Registry entry named UserServiceFlags under the service configuration in the registry as a DWORD (32 bit) value set to 0, as shown in the following example:
![UserServiceFlags registry entry](media/user-service-flag.png)
> [!IMPORTANT]
> Carefully test any changes to the template service's Startup Type before deploying to a production environment.
Use the following information to understand per-user services, change the template service Startup Type, and manage per-user services through Group Policy and security templates.
For more information about disabling system services for Windows Server, see [Guidance on disabling system services on Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server).
## Per-user services
Windows 10 and Windows Server 2016 (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Windows 10 and Windows Server (with the Desktop Experience) have the following per-user services. The template services are located in the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Before you disable any of these services, review the **Description** column in this table to understand the implications, including dependent apps that will no longer work correctly.
@ -137,13 +131,17 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
### Managing Template Services with regedit.exe
If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the Template Services change the Startup Type for each service to 4 (disabled), as shown in the following example:
If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):
![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png)
> [!CAUTION]
> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.
Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
![Create per-user services in disabled state](media/user-service-flag.png)
### Manage template services by modifying the Windows image
If you're using custom images to deploy Windows, you can modify the Startup Type for the template services as part of the normal imaging process.

2
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -992,6 +992,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Authentication/AllowAadPasswordReset</li>
<li>Browser/LockdownFavorites</li>
<li>Browser/ProvisionFavorites</li>
<li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
@ -1355,6 +1356,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Authentication/AllowAadPasswordReset</li>
<li>Search/AllowCloudSearch</li>
<li>System/LimitEnhancedDiagnosticDataWindowsAnalytics</li>
</ul>

3
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -307,6 +307,9 @@ The following diagram shows the Policy configuration service provider in tree fo
### Authentication policies
<dl>
<dd>
<a href="./policy-csp-authentication.md#authentication-allowaadpasswordreset" id="authentication-allowaadpasswordreset">Authentication/AllowAadPasswordReset</a>
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-alloweapcertsso" id="authentication-alloweapcertsso">Authentication/AllowEAPCertSSO</a>
</dd>

42
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/06/2017
---
# Policy CSP - Authentication
@ -19,6 +19,42 @@ ms.date: 08/30/2017
## Authentication policies
<!--StartPolicy-->
<a href="" id="authentication-allowaadpasswordreset"></a>**Authentication/AllowAadPasswordReset**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. 
<p style="margin-left: 20px">The following list shows the supported values:
- 0 (default) Not allowed.
- 1 Allowed.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="authentication-alloweapcertsso"></a>**Authentication/AllowEAPCertSSO**
@ -46,10 +82,6 @@ ms.date: 08/30/2017
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
<p style="margin-left: 20px">Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
> [!IMPORTANT]

5
windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -29,6 +29,11 @@ You can use mobile device management (MDM) solutions to configure endpoints. Win
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
## Before you begin
If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully.
For more information on enabling MDM with Microsoft Intune, see [Setup Windows Device Management](https://docs.microsoft.com/intune-classic/deploy-use/set-up-windows-device-management-with-microsoft-intune).
## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).

BIN
windows/threat-protection/windows-defender-atp/images/atp-preview-features.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB

6
windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
View File

@ -30,7 +30,7 @@ Enterprise security teams can use the Windows Defender ATP portal to monitor and
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
- Change Windows Defender ATP settings, including time zone and alert suppression rules
- Change Windows Defender ATP settings, including time zone and licensing information.
## Windows Defender ATP portal
When you open the portal, youll see the main areas of the application:
@ -48,10 +48,10 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. </br> **Feedback** -Access the feedback button to provide comments about the portal. </br> **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information. </br> **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. </br> **Feedback** -Access the feedback button to provide comments about the portal. </br> **Settings** - Gives you access to the configuration settings where you can set time zones and view license information. </br> **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support.
(2) Navigation pane | Use the navigation pane to move between the **Dashboards**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**.
**Dashboards** | Enables you to view the Security operations or the Security analytics dashboard.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Alerts queue** | Enables you to view separate queues of new, in progress, resolved alerts, alerts assigned to you, and suppression rules.
**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features.

3
windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
View File

@ -34,6 +34,9 @@ You'll have access to upcoming features which you can provide feedback on to hel
Turn on the preview experience setting to be among the first to try upcoming features.
1. In the navigation pane, select **Preferences setup** > **Preview experience**.
![Image of Preferences setup and preview experience](images/atp-preview-features.png)
2. Toggle the setting between **On** and **Off** and select **Save preferences**.
## Preview features

10
windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
View File

@ -93,11 +93,15 @@ You can roll back and remove a file from quarantine if youve determined that
> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
## Block files in your network
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
>[!NOTE]
>This feature is only available if your organization uses Windows Defender Antivirus and Cloudbased protection is enabled. For more information, see [Manage cloudbased protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). </br></br>
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build.
This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later.
>[!IMPORTANT]
> The PE file needs to be in the machine timeline for you to be able to take this action.
### Enable the block file feature
1. In the navigation pane, select **Preference Setup** > **Advanced features** > **Block file**.
@ -109,9 +113,7 @@ This feature is designed to prevent suspected malware (or potentially malicious
3. Type a comment and select **Yes, block file** to take action on the file.
The Action center shows the submission information:
![Image of block file](images/atp-blockfile.png)
- **Submission time** - Shows when the action was submitted. <br>