diff --git a/browsers/edge/Index.md b/browsers/edge/Index.md index 0e6fcc05f5..d60f64de73 100644 --- a/browsers/edge/Index.md +++ b/browsers/edge/Index.md @@ -12,9 +12,9 @@ title: Microsoft Edge - Deployment Guide for IT Pros (Microsoft Edge for IT Pros **Applies to:** -- Windows 10 -- Windows 10 Mobile - +- Windows 10 +- Windows 10 Mobile +- Windows Server 2016 Microsoft Edge is the new, default web browser for Windows 10, helping you to experience modern web standards, better performance, improved security, and increased reliability. Microsoft Edge also introduces new features like Web Note, Reading View, and Cortana that you can use along with your normal web browsing abilities. diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 8b2cf5059e..1b28328f38 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -16,8 +16,6 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros) - Windows 10 Mobile - Windows Server 2016 -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPO's) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain. diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 963fec25bf..892a85fbe7 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -14,7 +14,7 @@ For a detailed feature list of what's in the current Microsoft Edge releases, th ## July 2016 |New or changed topic | Description | |----------------------|-------------| -|[Microsoft Edge - Deployment Guide for IT Pros](index.md)| Updated to include support for Windows Server 2016 and a note about the Long Term Servicing Branch (LTSB) | +|[Microsoft Edge - Deployment Guide for IT Pros](index.md)| Updated various topics to include support for Windows Server 2016 and a note about the Long Term Servicing Branch (LTSB) | ## July 2016 |New or changed topic | Description | diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index 32cc1d9d2d..10698fde4f 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -14,7 +14,6 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) **Applies to:** - Windows 10 -- Windows 10 Mobile - Windows Server 2016 If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 7fd65a2aa4..9763adf01d 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -34,7 +34,7 @@ You can check online for updated versions at [Surface Hub device account scripts What do the scripts do? - Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub. -- Validate existing device accounts for any setup (on-premises, online, or hybrid using Exchange or Lync 2010 or later) to make sure they're compatible with Surface Hub. +- Validate existing device accounts for any setup (on-premises or online) to make sure they're compatible with Surface Hub. - Provide a base template for anyone wanting to create their own device account creation or validation scripts. What do you need in order to run the scripts? diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index fca0089996..489d304b97 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -16,7 +16,7 @@ localizationpriority: high This topic explains how you add a device account for your Microsoft Surface Hub when you have a single-forest, on-premises deployment. -If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, or are using Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. +If you have a single-forest on-premises deployment with Microsoft Exchange 2013 or later and Skype for Business 2013 or later, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-on-premise-ps-scripts) to create device accounts. If you’re using a multi-forest deployment, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. 1. Start a remote PowerShell session from a PC and connect to Exchange. diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index cb9e9ed979..545d0ec9d4 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -16,7 +16,7 @@ localizationpriority: high This topic has instructions for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. -If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. If you’re using Microsoft Exchange 2010 or Lync 2010, you can use equivalent cmdlets that will produce the same results. Those cmdlets are described in this section. +If you have a pure, online (O365) deployment, then you can [use the provided PowerShell scripts](appendix-a-powershell-scripts-for-surface-hub.md#create-os356-ps-scripts) to create device accounts. 1. Start a remote PowerShell session on a PC and connect to Exchange. diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index 21af99c93f..b7dd253652 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -58,8 +58,7 @@ To boot a Surface device from an alternative boot device, follow these steps: >**Note:**  In addition to an Ethernet adapter, a keyboard must also be connected to the Surface device to enter the preinstallation environment and navigate the deployment wizard.   - -To support booting from the network in a Windows Preinstallation Environment (WinPE), such as is used in the Microsoft Deployment Toolkit and Configuration Manager, you must add drivers for the Ethernet adapter to WinPE. You can download the drivers for Surface Ethernet adapters from the Microsoft Download Center page for your specific device. For a list of the available downloads for Surface devices, see [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md). +For Windows 10, version 1511 and later – including the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10, version 1511 – the drivers for Microsoft Surface Ethernet Adapters are present by default. If you are using a deployment solution that uses Windows Preinstallation Environment (WinPE), like the Microsoft Deployment Toolkit, and booting from the network with PXE, ensure that your deployment solution is using the latest version of the Windows ADK. ## Manage MAC addresses with removable Ethernet adapters diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index efe9a2b7a9..a9511d644b 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -43,7 +43,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c >**Note**
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. -**To verify your data recovery certificate is correctly set up on an WIP client computer** +**To verify your data recovery certificate is correctly set up on a WIP client computer** 1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 01d0136664..ed343a003a 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -24,10 +24,10 @@ We've received some great feedback from you, our Windows 10 Insider Preview cust Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. -## Add an WIP policy -After you’ve set up Intune for your organization, you must create an WIP-specific policy. +## Add a WIP policy +After you’ve set up Intune for your organization, you must create a WIP-specific policy. -**To add an WIP policy** +**To add a WIP policy** 1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. 2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 0f91219ae8..f439f23db6 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -20,9 +20,9 @@ author: eross-msft System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. >**Important**
-If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. +If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies. -## Add an WIP policy +## Add a WIP policy After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. **To create a configuration item for WIP** diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index a2e1d5ffd9..824df7b27f 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -56,19 +56,19 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Manage your enterprise documents, apps, and encryption modes.** - - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device. + - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode. - - You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. + + You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. - Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. + Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your allowed apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index 125cf80953..113768489b 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -25,9 +25,9 @@ You can try any of the processes included in these scenarios, but you should foc |---------|----------| |Automatically encrypt files from enterprise apps |
  1. Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| |Block enterprise data from non-enterprise apps |
  1. Start an app that doesn't appear on your allowed apps list, and then try to open an enterprise-encrypted file.

    The app shouldn't be able to access the file.

  2. Try double-clicking or tapping on the enterprise-encrypted file.

    If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.

| -|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.

    You should see an WIP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your allowed apps list.

    The content should copy and paste between apps without any warning messages.

| -|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.

    You should see an WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your allowed apps list.

    The content should move between the apps without any warning messages.

| -|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.

    You should see an WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your allowed apps list.

    The content should share between the apps without any warning messages.

| +|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.

    You should see a WIP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your allowed apps list.

    The content should copy and paste between apps without any warning messages.

| +|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.

    You should see a WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your allowed apps list.

    The content should move between the apps without any warning messages.

| +|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.

    You should see a WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your allowed apps list.

    The content should share between the apps without any warning messages.

| |Use the **Encrypt to** functionality |
  1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

    WIP should encrypt the file to your Enterprise Identity.

  2. Make sure that the newly encrypted file has a **Lock** icon.
  3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
  4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

    The file should be decrypted and the **Lock** icon should disappear.

| |Verify that Windows system components can use WIP |
  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
  2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

    **Note**
    Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

| |Use WIP on FAT/exFAT systems |
  1. Start an app that uses the FAT or exFAT file system and appears on your allowed apps list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| diff --git a/windows/keep-secure/windows-security-baselines.md b/windows/keep-secure/windows-security-baselines.md index d9f379c2a6..690b516662 100644 --- a/windows/keep-secure/windows-security-baselines.md +++ b/windows/keep-secure/windows-security-baselines.md @@ -12,7 +12,10 @@ author: brianlic-msft Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines. -We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs. +We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs. + + > [!NOTE] + > Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353). ## What are security baselines? @@ -31,18 +34,19 @@ In modern organizations, the security threat landscape is constantly evolving. I To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups. - ## How can you use security baselines? +## How can you use security baselines? You can use security baselines to: - Ensure that user and device configuration settings are compliant with the baseline. - Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline. - ## Where can I get the security baselines? +## Where can I get the security baselines? Here's a list of security baselines that are currently available. - > **Note:** If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog. + > [!NOTE] + > If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog. ### Windows 10 security baselines diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md index 6ac55f7ffc..de610fd342 100644 --- a/windows/plan/windows-10-servicing-options.md +++ b/windows/plan/windows-10-servicing-options.md @@ -72,6 +72,7 @@ Windows 10 enables organizations to fulfill the desire to provide users with the ## Related topics +[Windows 10 release information](https://technet.microsoft.com/windows/release-info)
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
[Windows 10 compatibility](windows-10-compatibility.md)
[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) \ No newline at end of file