Merge remote-tracking branch 'refs/remotes/origin/master' into wsfb-7611326

education/index.md

@@ -1 +0,0 @@
-#OP Testing file

windows/deploy/TOC.md

@@ -1,3 +1,5 @@
+# [What's new in Windows 10](../whats-new/index.md)
+# [Plan for Windows 10 deployment](../plan/index.md)
 # [Deploy Windows 10](index.md)
 ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
 ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
@@ -135,3 +137,5 @@
 ###### [XML Elements Library](usmt-xml-elements-library.md)
 ##### [Offline Migration Reference](offline-migration-reference.md)
 ## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
+# [Keep Windows 10 secure](../keep-secure/index.md)
+# [Manage and update Windows 10](../manage/index.md)

windows/deploy/change-history-for-deploy-windows-10.md

@@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
 | New or changed topic | Description |
 |----------------------|-------------|
 | [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) | New |
+| [User State Migration Tool Technical Reference](usmt-technical-reference.md) | Updated |
 
 ## May 2016
 | New or changed topic | Description |

windows/deploy/configure-a-pxe-server-to-load-windows-pe.md

@@ -21,7 +21,7 @@ This walkthrough describes how to configure a PXE server to load Windows PE by
 
 ## Prerequisites
 
-- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](https://www.microsoft.com/en-us/download/details.aspx?id=39982) (Windows ADK) installed.
+- A deployment computer: A computer with the [Windows Assessment and Deployment Kit](http://go.microsoft.com/fwlink/p/?LinkId=526740) (Windows ADK) installed.
 - A DHCP server: A DHCP server or DHCP proxy configured to respond to PXE client requests is required.
 - A PXE server: A server running the TFTP service that can host Windows PE boot files that the client will download.
 - A file server: A server hosting a network file share.
@@ -59,7 +59,7 @@ All four of the roles specified above can be hosted on the same computer or each
     ```
     Dism /mount-image /imagefile:c:\winpe_amd64\media\sources\boot.wim /index:1 /mountdir:C:\winpe_amd64\mount
     ```
-5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\PXE-1\TFTPRoot:
+5. Map a network share to the root TFTP directory on the PXE/TFTP server and create a \Boot folder. Consult your TFTP server documentation to determine the root TFTP server directory, then enable sharing for this directory, and verify it can be accessed on the network. In the following example, the PXE server name is PXE-1 and the TFTP root directory is shared using a network path of \\\PXE-1\TFTPRoot:
 
     ```
     net use y: \\PXE-1\TFTPRoot

windows/deploy/index.md

@@ -15,6 +15,7 @@ Learn about deploying Windows 10 for IT professionals.
 
 |Topic |Description |
 |------|------------|
+|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
 |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
 |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
 |[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
@@ -28,7 +29,7 @@ Learn about deploying Windows 10 for IT professionals.
 |[Sideload apps in Windows 10](sideload-apps-in-windows-10.md) |Sideload line-of-business apps in Windows 10. |
 |[Volume Activation [client]](volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
 |[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
-|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). |
+
 ## Related topics
 - [Windows 10 and Windows 10 Mobile](../index.md)
 

windows/deploy/usmt-technical-reference.md

@@ -13,6 +13,8 @@ The User State Migration Tool (USMT) 10.0 is included with the Windows Assessme
 
 Download the Windows ADK [from this website](http://go.microsoft.com/fwlink/p/?LinkID=526803).
 
+**Note**: USMT version 10.1.10586 supports migration of user settings for installations of Microsoft Office 2003, 2007, 2010, and 2013.
+
 USMT 10.0 includes three command-line tools:
 
 -   ScanState.exe

windows/index.md

@@ -2,7 +2,7 @@
 title: Windows 10 and Windows 10 Mobile (Windows 10)
 description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
 ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
-ms.prod: W10
+ms.prod: w10
 author: brianlic-msft
 ---
 

windows/keep-secure/TOC.md

@@ -692,6 +692,115 @@
 #### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
 #### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
 #### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
+#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
+#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
+#### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
+#### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md)
+##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
+##### [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
+###### [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
+###### [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)
+###### [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)
+###### [Restrict Access to Only Specified Users or Computers](restrict-access-to-only-specified-users-or-devices.md)
+##### [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
+###### [Basic Firewall Policy Design](basic-firewall-policy-design.md)
+###### [Domain Isolation Policy Design](domain-isolation-policy-design.md)
+###### [Server Isolation Policy Design](server-isolation-policy-design.md)
+###### [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
+##### [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
+###### [Firewall Policy Design Example](firewall-policy-design-example.md)
+###### [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)
+###### [Server Isolation Policy Design Example](server-isolation-policy-design-example.md)
+###### [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)
+##### [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
+###### [Gathering the Information You Need](gathering-the-information-you-need.md)
+####### [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
+####### [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
+####### [Gathering Information about Your Computers](gathering-information-about-your-devices.md)
+####### [Gathering Other Relevant Information](gathering-other-relevant-information.md)
+###### [Determining the Trusted State of Your Computers](determining-the-trusted-state-of-your-devices.md)
+##### [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
+###### [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)
+###### [Planning Domain Isolation Zones](planning-domain-isolation-zones.md)
+####### [Exemption List](exemption-list.md)
+####### [Isolated Domain](isolated-domain.md)
+####### [Boundary Zone](boundary-zone.md)
+####### [Encryption Zone](encryption-zone.md)
+###### [Planning Server Isolation Zones](planning-server-isolation-zones.md)
+###### [Planning Certificate-based Authentication](planning-certificate-based-authentication.md)
+###### [Documenting the Zones](documenting-the-zones.md)
+###### [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)
+####### [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
+####### [Planning Network Access Groups](planning-network-access-groups.md)
+####### [Planning the GPOs](planning-the-gpos.md)
+######## [Firewall GPOs](firewall-gpos.md)
+######### [GPO_DOMISO_Firewall](gpo-domiso-firewall.md)
+######## [Isolated Domain GPOs](isolated-domain-gpos.md)
+######### [GPO_DOMISO_IsolatedDomain_Clients](gpo-domiso-isolateddomain-clients.md)
+######### [GPO_DOMISO_IsolatedDomain_Servers](gpo-domiso-isolateddomain-servers.md)
+######## [Boundary Zone GPOs](boundary-zone-gpos.md)
+######### [GPO_DOMISO_Boundary](gpo-domiso-boundary.md)
+######## [Encryption Zone GPOs](encryption-zone-gpos.md)
+######### [GPO_DOMISO_Encryption](gpo-domiso-encryption.md)
+######## [Server Isolation GPOs](server-isolation-gpos.md)
+####### [Planning GPO Deployment](planning-gpo-deployment.md)
+##### [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
+#### [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
+##### [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md)
+##### [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md)
+##### [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)
+##### [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
+###### [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)
+###### [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)
+###### [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)
+##### [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md)
+###### [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)
+###### [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)
+###### [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)
+###### [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)
+##### [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md)
+###### [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)
+###### [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)
+##### [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
+##### [Procedures Used in This Guide](procedures-used-in-this-guide.md)
+###### [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)
+###### [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)
+###### [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md)
+###### [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)
+###### [Configure Authentication Methods](configure-authentication-methods.md)
+###### [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)
+###### [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)
+###### [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)
+###### [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
+###### [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
+###### [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
+###### [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
+###### [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
+###### [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)
+###### [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)
+###### [Create a Group Policy Object](create-a-group-policy-object.md)
+###### [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)
+###### [Create an Authentication Request Rule](create-an-authentication-request-rule.md)
+###### [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
+###### [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
+###### [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)
+###### [Create an Outbound Port Rule](create-an-outbound-port-rule.md)
+###### [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)
+###### [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)
+###### [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md)
+###### [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)
+###### [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)
+###### [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)
+###### [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)
+###### [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)
+###### [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
+###### [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
+###### [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
+###### [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
+###### [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
+###### [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
+###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
 ## [Enterprise security guides](windows-10-enterprise-security-guides.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 ### [Device Guard deployment guide](device-guard-deployment-guide.md)

windows/keep-secure/add-production-devices-to-the-membership-group-for-a-zone.md

@@ -0,0 +1,83 @@
+---
+title: Add Production Devices to the Membership Group for a Zone (Windows 10)
+description: Add Production Devices to the Membership Group for a Zone
+ms.assetid: 7141de15-5840-4beb-aabe-21c1dd89eb23
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Add Production Devices to the Membership Group for a Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+
+After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
+
+**Caution**  
+For GPOs that contain connection security rules that prevent unauthenticated connections, be sure to set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Do not change the boundary zone GPO to require mode.
+
+ 
+
+The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To do this successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
+
+Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
+
+In this topic:
+
+-   [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
+
+-   [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
+
+-   [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+
+## To add domain devices to the GPO membership group
+
+1.  Open Active Directory Users and Computers.
+
+2.  In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
+
+3.  In the details pane, double-click the GPO membership group to which you want to add computers.
+
+4.  Select the **Members** tab, and then click **Add**.
+
+5.  Type **Domain Computers** in the text box, and then click **OK**.
+
+6.  Click **OK** to close the group properties dialog box.
+
+After a computer is a member of the group, you can force a Group Policy refresh on the computer.
+
+## To refresh Group Policy on a device
+
+From an elevated command prompt, type the following:
+
+``` syntax
+gpupdate /target:computer /force
+```
+
+After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
+
+## To see which GPOs are applied to a device
+
+From an elevated command prompt, type the following:
+
+``` syntax
+gpresult /r /scope:computer
+```
+
+ 
+
+ 
+
+
+
+
+

windows/keep-secure/add-test-devices-to-the-membership-group-for-a-zone.md

@@ -0,0 +1,77 @@
+---
+title: Add Test Devices to the Membership Group for a Zone (Windows 10)
+description: Add Test Devices to the Membership Group for a Zone
+ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Add Test Devices to the Membership Group for a Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+Before you deploy your rules to large numbers of devices, you must thoroughly test the rules to make sure that communications are working as expected. A misplaced WMI filter or an incorrectly typed IP address in a filter list can easily block communications between devices. Although we recommend that you set your rules to request mode until testing and deployment is complete, we also recommend that you initially deploy the rules to a small number of devices only to be sure that the correct GPOs are being processed by each device.
+
+Add at least one device of each supported operating system type to each membership group. Make sure every GPO for a specific version of Windows and membership group has a device among the test group. After Group Policy has been refreshed on each test device, check the output of the **gpresult** command to confirm that each device is receiving only the GPOs it is supposed to receive.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
+
+In this topic:
+
+-   [Add the test devices to the GPO membership groups](#to-add-domain-devices-to-the-gpo-membership-group)
+
+-   [Refresh Group Policy on the devices in each membership group](#to-refresh-group-policy-on-a-device)
+
+-   [Check which GPOs apply to a device](#to-see-what-gpos-are-applied-to-a-device)
+
+## To add test devices to the GPO membership groups
+
+1.  Open Active Directory Users and Computers.
+
+2.  In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then expand the container that holds your membership group account.
+
+3.  In the details pane, double-click the GPO membership group to which you want to add devices.
+
+4.  Select the **Members** tab, and then click **Add**.
+
+5.  Type the name of the device in the text box, and then click **OK**.
+
+6.  Repeat steps 5 and 6 for each additional device account or group that you want to add.
+
+7.  Click **OK** to close the group properties dialog box.
+
+After a device is a member of the group, you can force a Group Policy refresh on the device.
+
+## To refresh Group Policy on a device
+
+From a elevated command prompt, run the following:
+
+``` syntax
+gpupdate /target:device /force
+```
+
+After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
+
+## To see which GPOs are applied to a device
+
+From an elevated command prompt, run the following:
+
+``` syntax
+gpresult /r /scope:computer
+```
+
+ 
+
+ 
+
+
+
+
+

windows/keep-secure/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md

@@ -0,0 +1,93 @@
+---
+title: Appendix A Sample GPO Template Files for Settings Used in this Guide (Windows 10)
+description: Appendix A Sample GPO Template Files for Settings Used in this Guide
+ms.assetid: 75930afd-ab1b-4e53-915b-a28787814b38
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Appendix A: Sample GPO Template Files for Settings Used in this Guide
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC).
+
+To manually create the file, build the settings under **Computer Configuration**, **Preferences**, **Windows Settings**, **Registry**. After you have created the settings, drag the container to the desktop. An .xml file is created there.
+
+To import an .xml file to GPMC, drag it and drop it on the **Registry** node under **Computer Configuration**, **Preferences**, **Windows Settings**. If you copy the following sample XML code to a file, and then drag and drop it on the **Registry** node, it creates a **Server and Domain Isolation** collection with the six registry keys discussed in this guide.
+
+The following sample file uses item-level targeting to ensure that the registry keys are applied only on the versions of Windows to which they apply.
+
+>**Note:**  The file shown here is for sample use only. It should be customized to meet the requirements of your organization’s deployment. To customize this file, import it into a test GPO, modify the settings, and then drag the Server and Domain Isolation Settings node to your desktop. The new file will contain all of your customization.
+
+``` syntax
+<?xml version="1.0" encoding="utf-8"?>
+
+<Collection clsid="{53B533F5-224C-47e3-B01B-CA3B3F3FF4BF}" name="Server and Domain Isolation Settings">
+
+<Registry
+         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
+         name="Enable PMTU Discovery"
+         status="EnablePMTUDiscovery"
+         image="12"
+         changed="2008-05-30 20:37:37"
+         uid="{52C38FD7-A081-404C-A8EA-B24A9614D0B5}"
+         desc="&lt;b&gt;Enable PMTU Discovery&lt;/b&gt;&lt;p&gt;
+            This setting configures whether computers can use PMTU
+            discovery on the network.&lt;p&gt;
+            &lt;b&gt;1&lt;/b&gt; --  Enable&lt;br&gt;
+            &lt;b&gt;0&lt;/b&gt; --  Disable"
+         bypassErrors="1">
+   <Properties
+         action="U"
+         displayDecimal="1"
+         default="0"
+         hive="HKEY_LOCAL_MACHINE"
+         key="System\CurrentControlSet\Services\TCPIP\Parameters"
+         name="EnablePMTUDiscovery" type="REG_DWORD" value="00000001"/>
+</Registry>
+
+<Registry
+         clsid="{9CD4B2F4-923D-47f5-A062-E897DD1DAD50}"
+         name="IPsec Default Exemptions (Vista and W2K8)"
+         status="NoDefaultExempt"
+         image="12"
+         changed="2008-05-30 20:33:32"
+         uid="{AE5C505D-283E-4060-9A55-70659DFD56B6}"
+         desc="&lt;b&gt;IPsec Default Exemptions for Windows Server 2008
+            and later&lt;/b&gt;&lt;p&gt;
+            This setting determines which network traffic type is exempt
+            from any IPsec authentication requirements.&lt;p&gt;
+            &lt;b&gt;0&lt;/b&gt;: Exempts multicast, broadcast, RSVP, Kerberos, ISAKMP&lt;br&gt;
+            &lt;b&gt;1&lt;/b&gt;: Exempts multicast, broadcast, ISAKMP&lt;br&gt;
+            &lt;b&gt;2&lt;/b&gt;: Exempts RSVP, Kerberos, ISAKMP&lt;br&gt;
+            &lt;b&gt;3&lt;/b&gt;: Exempts ISAKMP only"
+         bypassErrors="1">
+   <Properties
+         action="U"
+         displayDecimal="1"
+         default="0"
+         hive="HKEY_LOCAL_MACHINE"
+         key="SYSTEM\CurrentControlSet\Services\PolicyAgent"
+         name="NoDefaultExempt"
+         type="REG_DWORD"
+         value="00000003"/>
+   <Filters>
+      <FilterOs
+         bool="AND" not="0"
+         class="NT" version="VISTA"
+         type="NE" edition="NE" sp="NE"/>
+      <FilterOs
+         bool="OR" not="0"
+         class="NT" version="2K8"
+         type="NE" edition="NE" sp="NE"/>
+   </Filters>
+</Registry>
+
+</Collection>
+```

windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md

@@ -2,7 +2,7 @@
 title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
 description: Appendix A, Security monitoring recommendations for many audit events
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/assign-security-group-filters-to-the-gpo.md

@@ -0,0 +1,70 @@
+---
+title: Assign Security Group Filters to the GPO (Windows 10)
+description: Assign Security Group Filters to the GPO
+ms.assetid: bcbe3299-8d87-4ec1-9e86-8e4a680fd7c8
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Assign Security Group Filters to the GPO
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
+
+>**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
+
+ 
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.
+
+In this topic:
+
+-   [Allow members of a group to apply a GPO](#to-allow-members-of-a-group-to-apply-a-gpo)
+
+-   [Prevent members of a group from applying a GPO](#to-prevent-members-of-a-group-from-applying-a-gpo)
+
+## To allow members of a group to apply a GPO
+
+Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
+
+1.  Open the Group Policy Management console.
+
+2.  In the navigation pane, find and then click the GPO that you want to modify.
+
+3.  In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**.
+
+    >**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
+
+4.  Click **Add**.
+
+5.  In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to apply the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
+
+## To prevent members of a group from applying a GPO 
+
+Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
+
+1.  Open the Group Policy Management console.
+
+2.  In the navigation pane, find and then click the GPO that you want to modify.
+
+3.  In the details pane, click the **Delegation** tab.
+
+4.  Click **Advanced**.
+
+5.  Under the **Group or user names** list, click **Add**.
+
+6.  In the **Select User, Computer, or Group** dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click **OK**. If you do not know the name, you can click **Advanced** to browse the list of groups available in the domain.
+
+7.  Select the group in the **Group or user names** list, and then select the box in the **Deny** column for both **Read** and **Apply group policy**.
+
+8.  Click **OK**, and then in the **Windows Security** dialog box, click **Yes**.
+
+9.  The group appears in the list with **Custom** permissions.

windows/keep-secure/audit-account-lockout.md

@@ -2,12 +2,8 @@
 title: Audit Account Lockout (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
 ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-application-generated.md

@@ -2,12 +2,8 @@
 title: Audit Application Generated (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
 ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-application-group-management.md

@@ -2,12 +2,8 @@
 title: Audit Application Group Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed.
 ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-audit-policy-change.md

@@ -2,12 +2,8 @@
 title: Audit Audit Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy.
 ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-authentication-policy-change.md

@@ -2,12 +2,8 @@
 title: Audit Authentication Policy Change (Windows 10)
 description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.
 ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-authorization-policy-change.md

@@ -2,12 +2,8 @@
 title: Audit Authorization Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
 ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-central-access-policy-staging.md

@@ -2,12 +2,8 @@
 title: Audit Central Access Policy Staging (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy.
 ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-certification-services.md

@@ -2,12 +2,8 @@
 title: Audit Certification Services (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed.
 ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-computer-account-management.md

@@ -2,12 +2,8 @@
 title: Audit Computer Account Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
 ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-credential-validation.md

@@ -2,12 +2,8 @@
 title: Audit Credential Validation (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
 ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-detailed-file-share.md

@@ -2,12 +2,8 @@
 title: Audit Detailed File Share (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder.
 ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-directory-service-access.md

@@ -2,12 +2,8 @@
 title: Audit Directory Service Access (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed.
 ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-directory-service-changes.md

@@ -2,12 +2,8 @@
 title: Audit Directory Service Changes (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS).
 ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-directory-service-replication.md

@@ -2,12 +2,8 @@
 title: Audit Directory Service Replication (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
 ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-distribution-group-management.md

@@ -2,12 +2,8 @@
 title: Audit Distribution Group Management (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks.
 ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-dpapi-activity.md

@@ -2,12 +2,8 @@
 title: Audit DPAPI Activity (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
 ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-file-share.md

@@ -2,12 +2,8 @@
 title: Audit File Share (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed.
 ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-file-system.md

@@ -2,12 +2,8 @@
 title: Audit File System (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
 ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-filtering-platform-connection.md

@@ -2,12 +2,8 @@
 title: Audit Filtering Platform Connection (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
 ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-filtering-platform-packet-drop.md

@@ -2,12 +2,8 @@
 title: Audit Filtering Platform Packet Drop (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
 ms.assetid: 95457601-68d1-4385-af20-87916ddab906
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-filtering-platform-policy-change.md

@@ -2,12 +2,8 @@
 title: Audit Filtering Platform Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
 ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-group-membership.md

@@ -2,12 +2,8 @@
 title: Audit Group Membership (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
 ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-handle-manipulation.md

@@ -2,12 +2,8 @@
 title: Audit Handle Manipulation (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
 ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-ipsec-driver.md

@@ -2,12 +2,8 @@
 title: Audit IPsec Driver (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver.
 ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-ipsec-extended-mode.md

@@ -2,12 +2,8 @@
 title: Audit IPsec Extended Mode (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
 ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-ipsec-main-mode.md

@@ -2,12 +2,8 @@
 title: Audit IPsec Main Mode (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
 ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-ipsec-quick-mode.md

@@ -2,12 +2,8 @@
 title: Audit IPsec Quick Mode (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
 ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-kerberos-authentication-service.md

@@ -2,12 +2,8 @@
 title: Audit Kerberos Authentication Service (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
 ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-kerberos-service-ticket-operations.md

@@ -2,12 +2,8 @@
 title: Audit Kerberos Service Ticket Operations (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
 ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-kernel-object.md

@@ -2,12 +2,8 @@
 title: Audit Kernel Object (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
 ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-logoff.md

@@ -2,12 +2,8 @@
 title: Audit Logoff (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
 ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-logon.md

@@ -2,12 +2,8 @@
 title: Audit Logon (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
 ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-mpssvc-rule-level-policy-change.md

@@ -2,12 +2,8 @@
 title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
 ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-network-policy-server.md

@@ -2,12 +2,8 @@
 title: Audit Network Policy Server (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
 ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-non-sensitive-privilege-use.md

@@ -2,12 +2,8 @@
 title: Audit Non Sensitive Privilege Use (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
 ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-other-account-logon-events.md

@@ -2,12 +2,8 @@
 title: Audit Other Account Logon Events (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
 ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-other-account-management-events.md

@@ -2,12 +2,8 @@
 title: Audit Other Account Management Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events.
 ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-other-logonlogoff-events.md

@@ -2,12 +2,8 @@
 title: Audit Other Logon/Logoff Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
 ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
-<<<<<<< HEAD
-ms.prod: w10
-=======
 ms.pagetype: security
-ms.prod: W10
->>>>>>> secaudit
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-other-object-access-events.md

@@ -3,7 +3,7 @@ title: Audit Other Object Access Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
 ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-other-policy-change-events.md

@@ -3,7 +3,7 @@ title: Audit Other Policy Change Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
 ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-other-privilege-use-events.md

@@ -3,7 +3,7 @@ title: Audit Other Privilege Use Events (Windows 10)
 description: This security policy setting is not used.
 ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-other-system-events.md

@@ -3,7 +3,7 @@ title: Audit Other System Events (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events.
 ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-pnp-activity.md

@@ -3,7 +3,7 @@ title: Audit PNP Activity (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
 ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-process-creation.md

@@ -3,7 +3,7 @@ title: Audit Process Creation (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts).
 ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-process-termination.md

@@ -3,7 +3,7 @@ title: Audit Process Termination (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process.
 ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-registry.md

@@ -3,7 +3,7 @@ title: Audit Registry (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects.
 ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-removable-storage.md

@@ -3,7 +3,7 @@ title: Audit Removable Storage (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive.
 ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-rpc-events.md

@@ -3,7 +3,7 @@ title: Audit RPC Events (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
 ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-sam.md

@@ -3,7 +3,7 @@ title: Audit SAM (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
 ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-security-group-management.md

@@ -3,7 +3,7 @@ title: Audit Security Group Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed.
 ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-security-state-change.md

@@ -3,7 +3,7 @@ title: Audit Security State Change (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
 ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-security-system-extension.md

@@ -3,7 +3,7 @@ title: Audit Security System Extension (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions.
 ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-sensitive-privilege-use.md

@@ -3,7 +3,7 @@ title: Audit Sensitive Privilege Use (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
 ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-special-logon.md

@@ -3,7 +3,7 @@ title: Audit Special Logon (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
 ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-system-integrity.md

@@ -3,7 +3,7 @@ title: Audit System Integrity (Windows 10)
 description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem.
 ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-user-account-management.md

@@ -3,7 +3,7 @@ title: Audit User Account Management (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed.
 ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/audit-user-device-claims.md

@@ -3,7 +3,7 @@ title: Audit User/Device Claims (Windows 10)
 description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims.
 ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
 ms.pagetype: security
-ms.prod: W10
+ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 author: Mir0sh

windows/keep-secure/basic-firewall-policy-design.md

@@ -0,0 +1,66 @@
+---
+title: Basic Firewall Policy Design (Windows 10)
+description: Basic Firewall Policy Design
+ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Basic Firewall Policy Design
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic in to the organization's network, but do not have a host-based firewall enabled on each device in the organization.
+
+The Basic Firewall Policy Design helps you to protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each device in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped.
+
+Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the device that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted.
+
+Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:
+
+-   On client devices, the default firewall behavior already supports typical client programs. Programs create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another device.
+
+-   When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.
+
+    For example, when you install a server role, the appropriate firewall rules are created and enabled automatically.
+
+-   For other standard network behavior, the predefined rules that are built into Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista can easily be configured in a GPO and deployed to the devices in your organization.
+
+    For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
+
+With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
+
+>**Caution:**  Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
+
+By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later.
+
+If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
+
+Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. 
+
+An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation.
+
+After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
+
+>**Important:**  If you also intend to deploy the [Domain Isolation Policy Design](domain-isolation-policy-design.md), or the [Server Isolation Policy Design](server-isolation-policy-design.md), we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.
+
+The basic firewall design can be applied to devices that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
+
+For more information about this design:
+
+-   This design coincides with the deployment goal to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md).
+
+-   To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
+
+-   Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
+
+-   To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).
+
+-   For a list of detailed tasks that you can use to deploy your basic firewall policy design, see [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md).
+
+**Next: **[Domain Isolation Policy Design](domain-isolation-policy-design.md)

windows/keep-secure/boundary-zone-gpos.md

@@ -0,0 +1,28 @@
+---
+title: Boundary Zone GPOs (Windows 10)
+description: Boundary Zone GPOs
+ms.assetid: 1ae66088-02c3-47e4-b7e8-74d0b8f8646e
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Boundary Zone GPOs
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+All the devices in the boundary zone are added to the group CG\_DOMISO\_Boundary. You must create multiple GPOs to align with this group, one for each operating system that you have in your boundary zone. This group is granted Read and Apply permissions in Group Policy on the GPOs described in this section.
+
+>**Note:**  If you are designing GPOs for at least Windows Vista or Windows Server 2008, you can design your GPOs in nested groups. For example, you can make the boundary group a member of the isolated domain group, so that it receives the firewall and basic isolated domain settings through that nested membership, with only the changes supplied by the boundary zone GPO. For simplicity, this guide describes the techniques used to create the independent, non-layered policies. We recommend that you create and periodically run a script that compares the memberships of the groups that must be mutually exclusive and reports any devices that are incorrectly assigned to more than one group.
+
+This means that you create a GPO for a boundary group for a specific operating system by copying and pasting the corresponding GPO for the isolated domain, and then modifying the new copy to provide the behavior required in the boundary zone.
+
+The boundary zone GPOs discussed in this guide are only for server versions of Windows because client devices are not expected to participate in the boundary zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing boundary zone GPOs to make it apply to the client version of Windows.
+
+In the Woodgrove Bank example, only the GPO settings for a Web service on at least Windows Server 2008 are discussed.
+
+-   [GPO\_DOMISO\_Boundary\_WS2008](gpo-domiso-boundary.md)

windows/keep-secure/boundary-zone.md

@@ -0,0 +1,63 @@
+---
+title: Boundary Zone (Windows 10)
+description: Boundary Zone
+ms.assetid: ed98b680-fd24-44bd-a7dd-26c522e45a20
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Boundary Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+In most organizations, some devices must be able to receive network traffic from devices that are not part of the isolated domain, and therefore cannot authenticate. To accept communications from untrusted devices, create a boundary zone within your isolated domain.
+
+Devices in the boundary zone are trusted devices that can accept communication requests both from other isolated domain member devices and from untrusted devices. Boundary zone devices try to authenticate any incoming request by using IPsec, initiating an IKE negotiation with the originating device.
+
+The GPOs you build for the boundary zone include IPsec or connection security rules that request authentication for both inbound and outbound network connections, but do not require it.
+
+Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
+
+![design flowchart](images/wfas-designflowchart1.gif)
+
+The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
+
+You must create a group in Active Directory to contain the members of the boundary zones. The settings and rules for the boundary zone are typically very similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. The primary difference is that the authentication connection security rule must be set to request authentication for both inbound and outbound traffic, instead of requiring inbound authentication and requesting outbound authentication as used by the isolated domain.
+
+Creation of the group and how to link it to the GPOs that apply the rules to members of the group are discussed in the [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) section.
+
+## GPO settings for boundary zone servers running at least Windows Server 2008
+
+
+The boundary zone GPO for devices running at least Windows Server 2008 should include the following:
+
+-   IPsec default settings that specify the following options:
+
+    1.  Exempt all ICMP traffic from IPsec.
+
+    2.  Key exchange (main mode) security methods and algorithm. We recommend that you use at least DH4, AES and SHA2 in your settings. Use the strongest algorithm combinations that are common to all your supported operating systems.
+
+    3.  Data protection (quick mode) algorithm combinations. We recommend that you do not include DES or MD5 in any setting. They are included only for compatibility with previous versions of Windows. Use the strongest algorithm combinations that are common to all your supported operating systems..
+
+        If any NAT devices are present on your networks, use ESP encapsulation. If isolated domain members must communicate with hosts in the encryption zone, ensure that you include algorithms that are compatible with the requirements of the encryption mode policies.
+
+    4.  Authentication methods. Include at least device-based Kerberos V5 authentication. If you want to use user-based access to isolated servers then you must also include user-based Kerberos V5 authentication as an optional authentication method. Likewise, if any of your domain isolation members cannot use Kerberos V5, you must include certificate-based authentication as an optional authentication method.
+
+-   The following connection security rules:
+
+    -   A connection security rule that exempts all devices on the exemption list from authentication. Be sure to include all your Active Directory domain controllers on this list. Enter subnet addresses, if applicable in your environment.
+
+    -   A connection security rule, from **Any IP address** to **Any IP address**, that requests inbound and outbound authentication.
+
+-   A registry policy that includes the following values:
+
+    -   Enable PMTU discovery. Enabling this setting allows TCP/IP to dynamically determine the largest packet size supported across a connection. The value is found at HKLM\\System\\CurrentControlSet\\Services\\TCPIP\\Parameters\\EnablePMTUDiscovery (dword). The sample GPO preferences XML file in [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) sets the value to **1**.
+
+    >**Note:**  For a sample template for these registry settings, see [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md)
+
+**Next: **[Encryption Zone](encryption-zone.md)

windows/keep-secure/certificate-based-isolation-policy-design-example.md

@@ -0,0 +1,52 @@
+---
+title: Certificate-based Isolation Policy Design Example (Windows 10)
+description: Certificate-based Isolation Policy Design Example
+ms.assetid: 509b513e-dd49-4234-99f9-636fd2f749e3
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Certificate-based Isolation Policy Design Example
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This design example continues to use the fictitious company Woodgrove Bank, as described in the sections [Firewall Policy Design Example](firewall-policy-design-example.md), [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md), and [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
+
+One of the servers that must be included in the domain isolation environment is a device running UNIX that supplies other information to the WGBank dashboard program running on the client devices. This device sends updated information to the WGBank front-end servers as it becomes available, so it is considered unsolicited inbound traffic to the devices that receive this information.
+
+## Design requirements
+
+One possible solution to this is to include an authentication exemption rule in the GPO applied to the WGBank front-end servers. This rule would instruct the front-end servers to accept traffic from the non-Windows device even though it cannot authenticate.
+
+A more secure solution, and the one selected by Woodgrove Bank, is to include the non-Windows device in the domain isolation design. Because it cannot join an Active Directory domain, Woodgrove Bank chose to use certificate-based authentication. Certificates are cryptographically-protected documents, encrypted in such a way that their origin can be positively confirmed.
+
+In this case, Woodgrove Bank used Active Directory Certificate Services to create the appropriate certificate. They might also have acquired and installed a certificate from a third-party commercial certification authority. They then used Group Policy to deploy the certificate to the front-end servers. The GPOs applied to the front-end servers also include updated connection security rules that permit certificate-based authentication in addition to Kerberos V5 authentication. They then manually installed the certificate on the UNIX server.
+
+The UNIX server is configured with firewall and IPsec connection security rules using the tools that are provided by the operating system vendor. Those rules specify that authentication is performed by using the certificate.
+
+The creation of the IPsec connection security rules for a non-Windows device is beyond the scope of this document, but support for a certificate that can be used to authenticate such a non-Windows device by using the standard IPsec protocols is the subject of this design.
+
+The non-Windows device can be effectively made a member of the boundary zone or the encryption zone based on the IPsec rules applied to the device. The only constraint is that the main mode and quick mode encryption algorithms supported by the UNIX device must also be supported by the Windows-based devices with which it communicates.
+
+**Other traffic notes:**
+
+-   None of the capabilities of the other designs discussed in this guide are compromised by the use of certificate authentication by a non-Windows device.
+
+## Design details
+
+Woodgrove Bank uses Active Directory groups and GPOs to deploy the domain isolation settings and rules to the devices in their organization.
+
+The inclusion of one or more non-Windows devices to the network requires only a simple addition to the GPOs for devices that must communicate with the non-Windows device. The addition is allowing certificate-based authentication in addition to the Active Directory–supported Kerberos V5 authentication. This does not require including new rules, just adding certificate-based authentication as an option to the existing rules.
+
+When multiple authentication methods are available, two negotiating devices agree on the first one in their lists that match. Because the majority of the devices in Woodgrove Bank's network run Windows, Kerberos V5 is listed as the first authentication method in the rules. Certificate-based authentication is added as an alternate authentication type.
+
+By using the Active Directory Users and Computers snap-in, Woodgrove Bank created a group named NAG\_COMPUTER\_WGBUNIX. They then added the device accounts to this group for Windows devices that need to communicate with the non-Windows devices. If all the devices in the isolated domain need to be able to access the non-Windows devices, then the **Domain Computers** group can be added to the group as a member.
+
+Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
+
+**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

windows/keep-secure/certificate-based-isolation-policy-design.md

@@ -0,0 +1,40 @@
+---
+title: Certificate-based Isolation Policy Design (Windows 10)
+description: Certificate-based Isolation Policy Design
+ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Certificate-based Isolation Policy Design
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+In the certificate-based isolation policy design, you provide the same types of protections to your network traffic as described in the [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Server Isolation Policy Design](server-isolation-policy-design.md) sections. The only difference is the method used to share identification credentials during the authentication of your network traffic.
+
+Domain isolation and server isolation help provide security for the devices on the network that run Windows and that can be joined to an Active Directory domain. However, in most corporate environments there are typically some devices that must run another operating system. These devices cannot join an Active Directory domain, without a third-party package being installed. Also, some devices that do run Windows cannot join a domain for a variety of reasons. To rely on Kerberos V5 as the authentication protocol, the device needs to be joined to the Active Directory and (for non-Windows devices) support Kerberos as an authentication protocol.
+
+To authenticate with non-domain member devices, IPsec supports using standards-based cryptographic certificates. Because this authentication method is also supported by many third-party operating systems, it can be used as a way to extend your isolated domain to devices that do not run Windows.
+
+The same principles of the domain and server isolation designs apply to this design. Only devices that can authenticate (in this case, by providing a specified certificate) can communicate with the devices in your isolated domain.
+
+For Windows devices that are part of an Active Directory domain, you can use Group Policy to deploy the certificates required to communicate with the devices that are trusted but are not part of the Active Directory domain. For other devices, you will have to either manually configure them with the required certificates, or use a third-party program to distribute the certificates in a secure manner.
+
+For more info about this design:
+
+-   This design coincides with the deployment goals to [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md), [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md), and optionally [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md).
+
+-   To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
+
+-   Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
+
+-   To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
+
+-   For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
+
+**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -12,6 +12,13 @@ author: brianlic-msft
 # Change history for Keep Windows 10 secure
 This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
 
+## June 2016
+
+|New or changed topic | Description |
+|----------------------|-------------|
+| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
+| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
+
 ## May 2016
 
 |New or changed topic | Description |

windows/keep-secure/change-rules-from-request-to-require-mode.md

@@ -0,0 +1,56 @@
+---
+title: Change Rules from Request to Require Mode (Windows 10)
+description: Change Rules from Request to Require Mode
+ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Change Rules from Request to Require Mode
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+After you confirm that network traffic is being correctly protected by using IPsec, you can change the rules for the domain isolation and encryption zones to require, instead of request, authentication. Do not change the rules for the boundary zone; they must stay in request mode so that devices in the boundary zone can continue to accept connections from devices that are not part of the isolated domain.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+In this topic:
+
+-   [Convert a rule from request to require mode](#to-convert-a-rule-from-request-to-require-mode)
+
+-   [Apply the modified GPOs to the client devices](#to-apply-the-modified-gpos-to-the-client-devices)
+
+## To convert a rule from request to require mode
+
+1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2.  In the navigation pane, click **Connection Security Rules**.
+
+3.  In the details pane, double-click the connection security rule that you want to modify.
+
+4.  Click the **Authentication** tab.
+
+5.  In the **Requirements** section, change **Authenticated mode** to **Require inbound and request outbound**, and then click **OK**.
+
+## To apply the modified GPOs to the client devices
+
+1.  The next time each device refreshes its Group Policy, it will receive the updated GPO and apply the modified rule. To force an immediate refresh, run the following command from an elevated command prompt:
+
+    ``` syntax
+    gpupdate /force
+    ```
+
+2.  To verify that the modified GPO is correctly applied to the client devices, you can run the following command:
+
+    ``` syntax
+    gpresult /r /scope computer
+    ```
+
+3.  Examine the command output for the list of GPOs that are applied to the device, and make sure that the list contains the GPOs you expect to see on that device.

windows/keep-secure/checklist-configuring-basic-firewall-settings.md

@@ -0,0 +1,26 @@
+---
+title: Checklist Configuring Basic Firewall Settings (Windows 10)
+description: Checklist Configuring Basic Firewall Settings
+ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Configuring Basic Firewall Settings
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This checklist includes tasks for configuring a GPO with firewall defaults and settings that are separate from the rules.
+
+**Checklist: Configuring firewall defaults and settings**
+
+| Task | Reference |
+| - | - |
+| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)| 
+| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
+| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)| 

windows/keep-secure/checklist-configuring-rules-for-an-isolated-server-zone.md

@@ -0,0 +1,43 @@
+---
+title: Checklist Configuring Rules for an Isolated Server Zone (Windows 10)
+description: Checklist Configuring Rules for an Isolated Server Zone
+ms.assetid: 67c50a91-e71e-4f1e-a534-dad2582e311c
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Configuring Rules for an Isolated Server Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs for servers in an isolated server zone that are part of an isolated domain. For information about creating a standalone isolated server zone that is not part of an isolated domain, see [Checklist: Implementing a Standalone Server Isolation Policy Design](checklist-implementing-a-standalone-server-isolation-policy-design.md).
+
+In addition to requiring authentication and optionally encryption, servers in an isolated server zone can be accessed only by users or devices who are authenticated members of a network access group (NAG). If you include user accounts in the NAG, then the restrictions can still apply; they are just enforced at the application layer, rather than the IP layer.
+
+Devices that are running at least Windows Vista and Windows Server 2008 can identify both devices and users in the NAG because IPsec in these versions of Windows supports AuthIP in addition to IKE. AuthIP adds support for user-based authentication.
+
+The GPOs for an isolated server or group of servers are similar to those for the isolated domain itself or the encryption zone, if you require encryption to your isolated servers. This checklist refers you to procedures for creating rules as well as restrictions that allow only members of the NAG to connect to the server.
+
+**Checklist: Configuring rules for isolated servers**
+
+| Task | Reference |
+| - | - |
+| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers and they run different versions of the Windows operating system, then start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.<br/>Copy the GPO from the isolated domain or from the encryption zone to serve as a starting point. Where your copy already contains elements listed in the following checklist, review the relevant procedures and compare them to your copied GPO’s element to make sure it is constructed in a way that meets the needs of the server isolation zone. |[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| Configure the security group filters and WMI filters on the GPO so that only members of the isolated server zone’s membership group that are running the specified version of Windows can read and apply it.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
+| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
+| Configure the data protection (quick mode) algorithm combinations to be used. If you require encryption for the isolated server zone, then make sure that you choose only algorithm combinations that include encryption. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
+| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| 
+| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
+| Create a rule that requests authentication for all network traffic.<br/>**Important:**  Just as in an isolated domain, do not set the rules to require authentication for inbound traffic until you have completed testing. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
+| Create the NAG to contain the device or user accounts that are allowed to access the servers in the isolated server zone. | [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)| 
+| Create a firewall rule that permits inbound network traffic only if authenticated as a member of the NAG. | [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| 
+| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Add your test server to the membership group for the isolated server zone. Be sure to add at least one server for each operating system supported by a GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
+
+Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.

windows/keep-secure/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md

@@ -0,0 +1,40 @@
+---
+title: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone (Windows 10)
+description: Checklist Configuring Rules for Servers in a Standalone Isolated Server Zone
+ms.assetid: ccc09d06-ef75-43b0-9c77-db06f2940955
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs for servers in a standalone isolated server zone that is not part of an isolated domain. In addition to requiring authentication and optionally encryption, servers in a server isolation zone are accessible only by users or devices that are authenticated as members of a network access group (NAG). The GPOs described here apply only to the isolated servers, not to the client devices that connect to them. For the GPOs for the client devices, see [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md).
+
+The GPOs for isolated servers are similar to those for an isolated domain. This checklist refers you to those procedures for the creation of some of the rules. The other procedures in this checklist are for creating the restrictions that allow only members of the server access group to connect to the server.
+
+**Checklist: Configuring rules for isolated servers**
+
+| Task | Reference |
+| - | - |
+| Create a GPO for the devices that need to have access restricted to the same set of client devices. If there are multiple servers running different versions of the Windows operating system, start by creating the GPO for one version of Windows. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the devices for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
+| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md) |
+| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
+| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
+| Configure the authentication methods to be used. This procedure sets the default settings for the device. If you want to set authentication on a per-rule basis, this procedure is optional.| [Configure Authentication Methods](configure-authentication-methods.md) |
+| Create a rule that requests authentication for all inbound network traffic. <br/><br/>**Important:**  Just as in an isolated domain, do not set the rules to require authentication until your testing is complete. That way, if the rules do not work as expected, communications are not affected by a failure to authenticate.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
+| If your design requires encryption in addition to authentication for access to the isolated servers, then modify the rule to require it. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| 
+| Create the NAG to contain the device or user accounts that are allowed to access the isolated servers. If you have multiple groups of isolated servers that are accessed by different client devices, then create a NAG for each set of servers.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md) |
+| Create a firewall rule that allows inbound network traffic only if it is authenticated from a user or device that is a member of the zone’s NAG.| [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)| 
+| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Add your test server to the membership group for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
+ 
+Do not change the rules for any of your zones to require authentication until all zones have been set up and thoroughly tested.

windows/keep-secure/checklist-configuring-rules-for-the-boundary-zone.md

@@ -0,0 +1,32 @@
+---
+title: Checklist Configuring Rules for the Boundary Zone (Windows 10)
+description: Checklist Configuring Rules for the Boundary Zone
+ms.assetid: 25fe0197-de5a-4b4c-bc44-c6f0620ea94b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Configuring Rules for the Boundary Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the boundary zone in an isolated domain.
+
+Rules for the boundary zone are typically the same as those for the isolated domain, with the exception that the final rule is left to only request, not require, authentication.
+
+**Checklist: Configuring boundary zone rules**
+
+This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). After you create a copy for the boundary zone, make sure that you do not change the rule from request authentication to require authentication when you create the other GPOs.
+
+| Task | Reference |
+| - | - |
+| Make a copy of the domain isolation GPO for this version of Windows to serve as a starting point for the GPO for the boundary zone. Unlike the GPO for the main isolated domain zone, this copy is not changed after deployment to require authentication.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md) |
+| If you are working on a copy of a GPO, modify the group memberships and WMI filters so that they are correct for the boundary zone and version of Windows for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Add your test computers to the membership group for the boundary zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
+| Verify that the connection security configuration is protecting network traffic with authentication when it can, and that unauthenticated traffic is accepted. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 

windows/keep-secure/checklist-configuring-rules-for-the-encryption-zone.md

@@ -0,0 +1,33 @@
+---
+title: Checklist Configuring Rules for the Encryption Zone (Windows 10)
+description: Checklist Configuring Rules for the Encryption Zone
+ms.assetid: 87b1787b-0c70-47a4-ae52-700bff505ea4
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Configuring Rules for the Encryption Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This checklist includes tasks for configuring connection security rules and IPsec settings in your GPOs to implement the encryption zone in an isolated domain.
+
+Rules for the encryption zone are typically the same as those for the isolated domain, with the exception that the main rule requires encryption in addition to authentication.
+
+**Checklist: Configuring encryption zone rules**
+
+This checklist assumes that you have already created the GPO for the isolated domain as described in [Checklist: Implementing a Domain Isolation Policy Design](checklist-implementing-a-domain-isolation-policy-design.md). You can then copy those GPOs for use with the encryption zone. After you create the copies, modify the main rule to require encryption in addition to the authentication required by the rest of the isolated domain.
+
+| Task | Reference |
+| - | - |
+| Make a copy of the domain isolation GPOs to serve as a starting point for the GPOs for the encryption zone.| [Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| Modify the group memberships and WMI filters so that they are correct for the encryption zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Add the encryption requirements for the zone. | [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)| 
+| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Add your test computers to the membership group for the encryption zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Computers to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
+| Verify that the connection security rules are protecting network traffic.| [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 

windows/keep-secure/checklist-configuring-rules-for-the-isolated-domain.md

@@ -0,0 +1,37 @@
+---
+title: Checklist Configuring Rules for the Isolated Domain (Windows 10)
+description: Checklist Configuring Rules for the Isolated Domain
+ms.assetid: bfd2d29e-4011-40ec-a52e-a67d4af9748e
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Configuring Rules for the Isolated Domain
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+The following checklists include tasks for configuring connection security rules and IPsec settings in your GPOs to implement the main zone in the isolated domain.
+
+**Checklist: Configuring isolated domain rules**
+
+| Task | Reference |
+| - | - |
+| Create a GPO for the computers in the isolated domain running one of the operating systems. After you have finished the tasks in this checklist and configured the GPO for that version of Windows, you can create a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| If you are working on a GPO that was copied from another GPO, modify the group memberships and WMI filters so that they are correct for the isolated domain zone and the version of Windows for which this GPO is intended. | [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
+| Create a rule that exempts all network traffic to and from computers on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
+| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
+| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
+| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| 
+| Create the rule that requests authentication for all inbound network traffic. | [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
+| Link the GPO to the domain level of the AD DS organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Add your test computers to the membership group for the isolated domain. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 
+| Verify that the connection security rules are protecting network traffic to and from the test computers. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
+ 
+
+Do not change the rules for any of your zones to require authentication until all of the zones have been set up and are operating correctly.

windows/keep-secure/checklist-creating-group-policy-objects.md

@@ -0,0 +1,43 @@
+---
+title: Checklist Creating Group Policy Objects (Windows 10)
+description: Checklist Creating Group Policy Objects
+ms.assetid: e99bd6a4-34a7-47b5-9791-ae819977a559
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Creating Group Policy Objects
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+To deploy firewall or IPsec settings or firewall or connection security rules, we recommend that you use Group Policy in AD DS. This section describes a tested, efficient method that requires some up-front work, but serves an administrator well in the long run by making GPO assignments as easy as dropping a device into a membership group.
+
+The checklists for firewall, domain isolation, and server isolation include a link to this checklist.
+
+## About membership groups
+
+For most GPO deployment tasks, you must determine which devices must receive and apply which GPOs. Because different versions of Windows can support different settings and rules to achieve similar behavior, you might need multiple GPOs: one for each operating system that has settings different from the others to achieve the same result. For example, Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 use rules and settings that are incompatible with Windows 2000, Windows XP, and Windows Server 2003. Therefore, if your network included those older operating systems you would need to create a GPO for each set of operating systems that can share common settings. To deploy typical domain isolation settings and rules, you might have five different GPOs for the versions of Windows discussed in this guide. By following the procedures in this guide, you only need one membership group to manage all five GPOs. The membership group is identified in the security group filter for all five GPOs. To apply the settings to a device, you make that device's account a member of the membership group. WMI filters are used to ensure that the correct GPO is applied.
+
+## About exclusion groups
+
+A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
+
+You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
+
+**Checklist: Creating Group Policy objects**
+
+| Task | Reference |
+| - | - |
+| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)| 
+| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.<br/>If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
+| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
+| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
+| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
+| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) |
+| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |

windows/keep-secure/checklist-creating-inbound-firewall-rules.md

@@ -0,0 +1,39 @@
+---
+title: Checklist Creating Inbound Firewall Rules (Windows 10)
+description: Checklist Creating Inbound Firewall Rules
+ms.assetid: 0520e14e-5c82-48da-8fbf-87cef36ce02f
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Creating Inbound Firewall Rules
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This checklist includes tasks for creating firewall rules in your GPOs.
+
+**Checklist: Creating inbound firewall rules**
+
+| Task | Reference |
+| - | - |
+| Create a rule that allows a program to listen for and accept inbound network traffic on any ports it requires. | [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md)| 
+| Create a rule that allows inbound network traffic on a specified port number. | [Create an Inbound Port Rule](create-an-inbound-port-rule.md)| 
+| Create a rule that allows inbound ICMP network traffic. | [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)| 
+| Create rules that allow inbound RPC network traffic. | [Create Inbound Rules to Support RPC](create-inbound-rules-to-support-rpc.md)| 
+| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Inbound Rules](enable-predefined-inbound-rules.md)| 
+
+ 
+
+ 
+
+ 
+
+
+
+
+

windows/keep-secure/checklist-creating-outbound-firewall-rules.md

@@ -0,0 +1,39 @@
+---
+title: Checklist Creating Outbound Firewall Rules (Windows 10)
+description: Checklist Creating Outbound Firewall Rules
+ms.assetid: 611bb98f-4e97-411f-82bf-7a844a4130de
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Creating Outbound Firewall Rules
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This checklist includes tasks for creating outbound firewall rules in your GPOs.
+
+>**Important:**  By default, outbound filtering is disabled. Because all outbound network traffic is permitted, outbound rules are typically used to block traffic that is not wanted on the network. However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network. If you do this, then you have the option to set the default outbound behavior to block, preventing any network traffic that is not specifically authorized by the rules you create.
+
+**Checklist: Creating outbound firewall rules for Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2**
+
+| Task | Reference |
+| - | - |
+| Create a rule that allows a program to send any outbound network traffic on any port it requires. | [Create an Outbound Program or Service Rule](create-an-outbound-program-or-service-rule.md)| 
+| Create a rule that allows outbound network traffic on a specified port number. | [Create an Outbound Port Rule](create-an-outbound-port-rule.md)| 
+| Enable a predefined rule or a group of predefined rules. Some predefined rules for basic network services are included as part of the installation of Windows; others can be created when you install a new application or network service. | [Enable Predefined Outbound Rules](enable-predefined-outbound-rules.md)| 
+
+ 
+
+ 
+
+ 
+
+
+
+
+

windows/keep-secure/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md

@@ -0,0 +1,33 @@
+---
+title: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone (Windows 10)
+description: Checklist Creating Rules for Clients of a Standalone Isolated Server Zone
+ms.assetid: 6a5e6478-add3-47e3-8221-972549e013f6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This checklist includes tasks for configuring connection security rules and IPsec settings in the GPOs for client devices that must connect to servers in an isolated server zone.
+
+**Checklist: Configuring isolated server zone client rules**
+
+| Task | Reference |
+| - | - |
+| Create a GPO for the client devices that must connect to servers in the isolated server zone, and that are running one of the versions of Windows. After you have finished the tasks in this checklist, you can make a copy of it.| [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md) <br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| To determine which devices receive the GPO, assign the NAG for the isolated servers to the security group filter for the GPO. Make sure that each GPO has the WMI filter for the correct version of Windows.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
+| Configure IPsec to exempt all ICMP network traffic from IPsec protection. | [Exempt ICMP from Authentication](exempt-icmp-from-authentication.md)| 
+| Create a rule that exempts all network traffic to and from devices on the exemption list from IPsec. | [Create an Authentication Exemption List Rule](create-an-authentication-exemption-list-rule.md)| 
+| Configure the key exchange (main mode) security methods and algorithms to be used. | [Configure Key Exchange (Main Mode) Settings](configure-key-exchange-main-mode-settings.md)| 
+| Configure the data protection (quick mode) algorithm combinations to be used. | [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md)| 
+| Configure the authentication methods to be used. | [Configure Authentication Methods](configure-authentication-methods.md)| 
+| Create a rule that requests authentication for network traffic. Because fallback-to-clear behavior in Windows Vista and Windows Server 2008 has no delay when communicating with devices that cannot use IPsec, you can use the same any-to-any rule used in an isolated domain.| [Create an Authentication Request Rule](create-an-authentication-request-rule.md)| 
+| Link the GPO to the domain level of the Active Directory organizational unit hierarchy. | [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Add your test devices to the NAG for the isolated server zone. Be sure to add at least one for each operating system supported by a different GPO in the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)| 

windows/keep-secure/checklist-implementing-a-basic-firewall-policy-design.md

@@ -0,0 +1,36 @@
+---
+title: Checklist Implementing a Basic Firewall Policy Design (Windows 10)
+description: Checklist Implementing a Basic Firewall Policy Design
+ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Implementing a Basic Firewall Policy Design
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This parent checklist includes cross-reference links to important concepts about the basic firewall policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
+
+>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+
+The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
+
+ **Checklist: Implementing a basic firewall policy design**
+
+| Task | Reference |
+| - | - |
+| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Basic Firewall Policy Design](basic-firewall-policy-design.md)<br/>[Firewall Policy Design Example](firewall-policy-design-example.md)<br/>[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)| 
+| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016 Technical Preview, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016 Technical Preview, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)| 
+| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)| 
+| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)| 
+| Create one or more inbound firewall rules to allow unsolicited inbound network traffic.| [Checklist: Creating Inbound Firewall Rules](checklist-creating-inbound-firewall-rules.md)| 
+| Create one or more outbound firewall rules to block unwanted outbound network traffic. | [Checklist: Creating Outbound Firewall Rules](checklist-creating-outbound-firewall-rules.md)| 
+| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md)| 
+| Add test devices to the membership group, and then confirm that the devices receive the firewall rules from the GPOs as expected.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md)|
+| According to the testing and roll-out schedule in your design plan, add device accounts to the membership group to deploy the completed firewall policy settings to your devices. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| 

windows/keep-secure/checklist-implementing-a-certificate-based-isolation-policy-design.md

@@ -0,0 +1,30 @@
+---
+title: Checklist Implementing a Certificate-based Isolation Policy Design (Windows 10)
+description: Checklist Implementing a Certificate-based Isolation Policy Design
+ms.assetid: 1e34b5ea-2e77-4598-a765-550418d33894
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Implementing a Certificate-based Isolation Policy Design
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This parent checklist includes cross-reference links to important concepts about using certificates as an authentication option in either a domain isolation or server isolation design.
+
+>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist
+
+**Checklist: Implementing certificate-based authentication**
+
+| Task | Reference |
+| - | - |
+| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)<br/>[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)<br/>[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
+| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
+| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)| 
+| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)| 
+| On a test device, refresh Group Policy and confirm that the certificate is installed. | [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)| 

windows/keep-secure/checklist-implementing-a-domain-isolation-policy-design.md

@@ -0,0 +1,34 @@
+---
+title: Checklist Implementing a Domain Isolation Policy Design (Windows 10)
+description: Checklist Implementing a Domain Isolation Policy Design
+ms.assetid: 76586eb3-c13c-4d71-812f-76bff200fc20
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Implementing a Domain Isolation Policy Design
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
+
+>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+
+The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
+
+**Checklist: Implementing a domain isolation policy design**
+
+| Task | Reference |
+| - | - |
+| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Domain Isolation Policy Design](domain-isolation-policy-design.md)<br/>[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)<br/>[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
+| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)| 
+| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)| 
+| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)| 
+| Create the GPOs and connection security rules for the isolated server zone.| [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md)| 
+| According to the testing and roll-out schedule in your design plan, add computer accounts to the membership group to deploy rules and settings to your computers.| [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md)| 
+| After you confirm that network traffic is authenticated by IPsec, you can change authentication rules for the isolated domain and encryption zone from request to require mode.| [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| 

windows/keep-secure/checklist-implementing-a-standalone-server-isolation-policy-design.md

@@ -0,0 +1,33 @@
+---
+title: Checklist Implementing a Standalone Server Isolation Policy Design (Windows 10)
+description: Checklist Implementing a Standalone Server Isolation Policy Design
+ms.assetid: 50a997d8-f079-408c-8ac6-ecd02078ade3
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Checklist: Implementing a Standalone Server Isolation Policy Design
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This checklist contains procedures for creating a server isolation policy design that is not part of an isolated domain. For the steps required to create an isolated server zone within an isolated domain, see [Checklist: Configuring Rules for an Isolated Server Zone](checklist-configuring-rules-for-an-isolated-server-zone.md).
+
+This parent checklist includes cross-reference links to important concepts about the domain isolation policy design. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design.
+
+>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
+
+**Checklist: Implementing a standalone server isolation policy design**
+
+| Task | Reference |
+| - | - |
+| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Server Isolation Policy Design](server-isolation-policy-design.md)<br/>[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)<br/>[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
+| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)| 
+| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)| 
+| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)| 
+| After you confirm that network traffic is authenticated by IPsec as expected, you can change authentication rules for the isolated server zone to require authentication instead of requesting it. | [Change Rules from Request to Require Mode](change-rules-from-request-to-require-mode.md)| 
+| According to the testing and roll-out schedule in your design plan, add device accounts for the client devices to the membership group so that you can deploy the settings. | [Add Production Devices to the Membership Group for a Zone](add-production-devices-to-the-membership-group-for-a-zone.md) |

windows/keep-secure/configure-authentication-methods.md

@@ -0,0 +1,75 @@
+---
+title: Configure Authentication Methods (Windows 10)
+description: Configure Authentication Methods
+ms.assetid: 5fcdc523-617f-4233-9213-15fe19f4cd02
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+
+author: brianlic-msft
+---
+
+# Configure Authentication Methods
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This procedure shows you how to configure the authentication methods that can be used by computers in an isolated domain or standalone isolated server zone.
+
+>**Note:**  If you follow the steps in the procedure in this topic, you alter the system-wide default settings. Any connection security rule can use these settings by specifying **Default** on the **Authentication** tab.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+**To configure authentication methods**
+
+1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2.  In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
+
+3.  On the **IPsec Settings** tab, click **Customize**.
+
+4.  In the **Authentication Method** section, select the type of authentication that you want to use from among the following:
+
+    1.  **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default.
+
+    2.  **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials.
+
+    3.  **Computer (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
+
+    4.  **User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials.
+
+    5.  **Computer certificate from this certification authority**. Selecting this option and entering the identification of a certification authority (CA) tells the computer to use and require authentication by using a certificate that is issued by the selected CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication enhanced key usage (EKU) typically provided in a Network Access Protection (NAP) infrastructure can be used for this rule.
+
+    6.  **Advanced**. Click **Customize** to specify a custom combination of authentication methods required for your scenario. You can specify both a **First authentication method** and a **Second authentication method**.
+
+        The first authentication method can be one of the following:
+
+        -   **Computer (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works with other computers that can use IKE v1, including earlier versions of Windows.
+
+        -   **Computer (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the computer by using its domain credentials. This option works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
+
+        -   **Computer certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by that CA. If you also select **Accept only health certificates**, then only certificates issued by a NAP server can be used.
+
+        -   **Preshared key (not recommended)**. Selecting this method and entering a preshared key tells the computer to authenticate by exchanging the preshared keys. If they match, then the authentication succeeds. This method is not recommended, and is included only for backward compatibility and testing purposes.
+
+        If you select **First authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
+
+        The second authentication method can be one of the following:
+
+        -   **User (Kerberos V5)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
+
+        -   **User (NTLMv2)**. Selecting this option tells the computer to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5. This authentication method works only with other computers that can use AuthIP. User-based authentication using Kerberos V5 is not supported by IKE v1.
+
+        -   **User health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require user-based authentication by using a certificate that is issued by the specified CA. If you also select **Enable certificate to account mapping**, then the certificate can be associated with a user in Active Directory for purposes of granting or denying access to specified users or user groups.
+
+        -   **Computer health certificate from this certification authority (CA)**. Selecting this option and entering the identification of a CA tells the computer to use and require authentication by using a certificate that is issued by the specified CA. If you also select **Accept only health certificates**, then only certificates that include the system health authentication EKU typically provided in a NAP infrastructure can be used for this rule.
+
+        If you select **Second authentication is optional**, then the connection can succeed even if the authentication attempt specified in this column fails.
+
+        >**Important:**  Make sure that you do not select the check boxes to make both first and second authentication optional. Doing so allows plaintext connections whenever authentication fails.
+
+5.  Click **OK** on each dialog box to save your changes and return to the Group Policy Management Editor.

windows/keep-secure/configure-data-protection-quick-mode-settings.md

@@ -0,0 +1,62 @@
+---
+title: Configure Data Protection (Quick Mode) Settings (Windows 10)
+description: Configure Data Protection (Quick Mode) Settings
+ms.assetid: fdcb1b36-e267-4be7-b842-5df9a067c9e0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Configure Data Protection (Quick Mode) Settings
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This procedure shows you how to configure the data protection (quick mode) settings for connection security rules in an isolated domain or a standalone isolated server zone.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+**To configure quick mode settings**
+
+1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2.  In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
+
+3.  On the **IPsec Settings** tab, click **Customize**.
+
+4.  In the **Data protection (Quick Mode)** section, click **Advanced**, and then click **Customize**.
+
+5.  If you require encryption for all network traffic in the specified zone, then check **Require encryption for all connection security rules that use these settings**. Selecting this option disables the **Data integrity** section, and forces you to select only integrity algorithms that are combined with an encryption algorithm. If you do not select this option, then you can use only data integrity algorithms. Before selecting this option, consider the performance impact and the increase in network traffic that will result. We recommend that you use this setting only on network traffic that truly requires it, such as to and from computers in the encryption zone.
+
+6.  If you did not select **Require encryption**, then select the data integrity algorithms that you want to use to help protect the data sessions between the two computers. If the data integrity algorithms displayed in the list are not what you want, then do the following:
+
+    1.  From the left column, remove any of the data integrity algorithms that you do not want by selecting the algorithm and then clicking **Remove**.
+
+    2.  Add any required data integrity algorithms by clicking **Add**, selecting the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), selecting the key lifetime in minutes or sessions, and then clicking **OK**. We recommend that you do not include MD5 in any combination. It is included for backward compatibility only. We also recommend that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT).
+
+    3.  In **Key lifetime (in sessions)**, type the number of times that the quick mode session can be rekeyed. After this number is reached, the quick mode SA must be renegotiated. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiating of the quick mode SA. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
+
+    4.  Click **OK** to save your algorithm combination settings.
+
+    5.  After the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on.
+
+7.  Select the data integrity and encryption algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following:
+
+    1.  From the second column, remove any of the data integrity and encryption algorithms that you do not want by selecting the algorithm combination and then clicking **Remove**.
+
+    2.  Add any required integrity and encryption algorithm combinations by clicking **Add**, and then doing the following:
+
+    3.  Select the appropriate protocol (ESP or AH). We recommend that you use ESP instead of AH if you have any devices on your network that use NAT.
+
+    4.  Select the appropriate encryption algorithm. The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. We recommend that you do not include DES in any combination. It is included for backward compatibility only.
+
+    5.  Select the appropriate integrity algorithm (SHA1 or MD5). We recommend that you do not include MD5 in any combination. It is included for backward compatibility only.
+
+    6.  In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Be careful to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent rekeying. We recommend that you use the default value unless your risk analysis indicates the need for a different value.
+
+8.  Click **OK** three times to save your settings.

windows/keep-secure/configure-group-policy-to-autoenroll-and-deploy-certificates.md

@@ -0,0 +1,38 @@
+---
+title: Configure Group Policy to Autoenroll and Deploy Certificates (Windows 10)
+description: Configure Group Policy to Autoenroll and Deploy Certificates
+ms.assetid: faeb62b5-2cc3-42f7-bee5-53ba45d05c09
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Configure Group Policy to Autoenroll and Deploy Certificates
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+You can use this procedure to configure Group Policy to automatically enroll client computer certificates and deploy them to the workstations on your network. Follow this procedure for each GPO that contains IPsec connection security rules that require this certificate.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest and a member of the Enterprise Admins group.
+
+**To configure Group Policy to autoenroll certificates**
+
+1.  Open the Group Policy Management console.
+
+2.  In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, expand **Group Policy Objects**, right-click the GPO you want to modify, and then click **Edit**.
+
+3.  In the navigation pane, expand the following path: **Computer Configuration**, **Policies**, **Windows Settings**, **Security Settings**, **Public Key Policies**.
+
+4.  Double-click **Certificate Services Client - Auto-Enrollment**.
+
+5.  In the **Properties** dialog box, change **Configuration Model** to **Enabled**.
+
+6.  Select both **Renew expired certificates, update pending certificates, and remove revoked certificates** and **Update certificates that use certificate templates**.
+
+7.  Click **OK** to save your changes. Computers apply the GPO and download the certificate the next time Group Policy is refreshed.

windows/keep-secure/configure-key-exchange-main-mode-settings.md

@@ -0,0 +1,62 @@
+---
+title: Configure Key Exchange (Main Mode) Settings (Windows 10)
+description: Configure Key Exchange (Main Mode) Settings
+ms.assetid: 5c593b6b-2cd9-43de-9b4e-95943fe82f52
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Configure Key Exchange (Main Mode) Settings
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This procedure shows you how to configure the main mode key exchange settings used to secure the IPsec authentication traffic.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+**To configure key exchange settings**
+
+1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2.  In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
+
+3.  On the **IPsec Settings** tab, click **Customize**.
+
+4.  In the **Key exchange (Main Mode)** section, click **Advanced**, and then click **Customize**.
+
+5.  Select the security methods to be used to help protect the main mode negotiations between the two devices. If the security methods displayed in the list are not what you want, then do the following:
+
+    **Important**  
+    In Windows Vista, Windows Server 2008, or later, you can specify only one key exchange algorithm. This means that if you want to communicate by using IPsec with another device running Windows 8 or Windows Server 2012, then you must select the same key exchange algorithm on both devices.
+
+    Also, if you create a connection security rule that specifies an option that requires AuthIP instead of IKE, then only the one combination of the top integrity and encryption security method are used in the negotiation. Make sure that all of your devices that are running at least Windows Vista and Windows Server 2008 have the same methods at the top of the list and the same key exchange algorithm selected.
+
+    **Note**  
+    When AuthIP is used, no Diffie-Hellman key exchange protocol is used. Instead, when Kerberos V5 authentication is requested, the Kerberos V5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a transport level security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. This happens no matter which Diffie-Hellman key exchange protocol you select.
+
+    1.  Remove any of the security methods that you do not want by selecting the method and then clicking **Remove**.
+
+    2.  Add any required security method combinations by clicking **Add**, selecting the appropriate encryption algorithm and integrity algorithm from the lists, and then clicking **OK**.
+
+        >**Caution:**  We recommend that you do not include MD5 or DES in any combination. They are included for backward compatibility only.
+
+    3.  After the list contains only the combinations you want, use the up and down arrows to the right of the list to arrange them in the order of preference. The combination that appears first in the list is tried first, and so on.
+
+6.  From the list on the right, select the key exchange algorithm that you want to use.
+
+    >**Caution:**  We recommend that you do not use Diffie-Hellman Group 1. It is included for backward compatibility only. 
+
+7.  In **Key lifetime (in minutes)**, type the number of minutes. When the specified number of minutes has elapsed, any IPsec operation between the two devices requires a new key.
+
+    >**Note:**  You need to balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance.
+
+8.  In **Key lifetime (in sessions)**, type the number of sessions. After the specified number of quick mode sessions have been created within the security association protected by this key, IPsec requires a new key.
+
+9.  Click **OK** three times to save your settings.

windows/keep-secure/configure-the-rules-to-require-encryption.md

@@ -0,0 +1,53 @@
+---
+title: Configure the Rules to Require Encryption (Windows 10)
+description: Configure the Rules to Require Encryption
+ms.assetid: 07b7760f-3225-4b4b-b418-51787b0972a0
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Configure the Rules to Require Encryption
+
+If you are creating a zone that requires encryption, you must configure the rules to add the encryption algorithms and delete the algorithm combinations that do not use encryption.
+
+**Administrative credentials**
+
+To complete this procedure, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+**To modify an authentication request rule to also require encryption**
+
+1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2.  In the navigation pane, click **Connection Security Rules**.
+
+3.  In the details pane, double-click the connection security rule you want to modify.
+
+4.  On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**.
+
+5.  In the navigation pane, right-click **Windows Firewall with Advanced Security – LDAP://CN={***guid***}**, and then click **Properties**.
+
+6.  Click the **IPsec Settings** tab.
+
+7.  Under **IPsec defaults**, click **Customize**.
+
+8.  Under **Data protection (Quick Mode)**, click **Advanced**, and then click **Customize**.
+
+9.  Click **Require encryption for all connection security rules that use these settings**.
+
+    This disables the data integrity rules section. Make sure the **Data integrity and encryption** list contains all of the combinations that your client devices will use to connect to members of the encryption zone. The client devices receive their rules through the GPO for the zone to which they reside. You must make sure that those rules contain at least one of the data integrity and encryption algorithms that are configured in this rule, or the client devices in that zone will not be able to connect to devices in this zone.
+
+10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
+
+    **Note**  
+    Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
+
+    Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell.
+
+    For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
+
+11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.
+
+12. Click **OK** three times to save your changes.

windows/keep-secure/configure-the-windows-firewall-log.md

@@ -0,0 +1,53 @@
+---
+title: Configure the Windows Firewall Log (Windows 10)
+description: Configure the Windows Firewall Log
+ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+
+author: brianlic-msft
+---
+
+# Configure the Windows Firewall Log
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+In this topic:
+
+- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log)
+
+## To configure the Windows Firewall log
+
+1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2.  In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
+
+3.  For each network location type (Domain, Private, Public), perform the following steps.
+
+    1.  Click the tab that corresponds to the network location type.
+
+    2.  Under **Logging**, click **Customize**.
+
+    3.  The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
+
+        >**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.
+
+    4.  The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
+
+    5.  No logging occurs until you set one of following two options:
+
+        -   To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
+
+        -   To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
+
+    6.  Click **OK** twice.

windows/keep-secure/configure-the-workstation-authentication-certificate-template.md

@@ -0,0 +1,48 @@
+---
+title: Configure the Workstation Authentication Certificate Template (Windows 10)
+description: Configure the Workstation Authentication Certificate Template
+ms.assetid: c3ac9960-6efc-47c1-bd69-d9d4bf84f7a6
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Configure the Workstation Authentication Certificate Template
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+This procedure describes how to configure a certificate template that Active Directory Certification Services (AD CS) uses as the starting point for device certificates that are automatically enrolled and deployed to workstations in the domain. It shows how to create a copy of a template, and then configure the template according to your design requirements.
+
+**Administrative credentials**
+
+## To configure the workstation authentication certificate template and autoenrollment
+To complete these procedures, you must be a member of both the Domain Admins group in the root domain of your forest, and a member of the Enterprise Admins group.
+
+
+1.  On the device where AD CS is installed, open the Certification Authority console.
+
+2.  In the navigation pane, right-click **Certificate Templates**, and then click **Manage**.
+
+3.  In the details pane, click the **Workstation Authentication** template.
+
+4.  On the **Action** menu, click **Duplicate Template**. In the **Duplicate Template** dialog box, select the template version that is appropriate for your deployment, and then click **OK**. For the resulting certificates to have maximum compatibility with the available versions of Windows, we recommended that you select **Windows Server 2003**.
+
+5.  On the **General** tab, in **Template display name**, type a new name for the certificate template, such as **Domain Isolation Workstation Authentication Template**.
+
+6.  Click the **Subject Name** tab. Make sure that **Build from this Active Directory information** is selected. In **Subject name format**, select **Fully distinguished name**.
+
+7.  Click the **Request Handling** tab. You must determine the best minimum key size for your environment. Large key sizes provide better security, but they can affect server performance. We recommended that you use the default setting of 2048.
+
+8.  Click the **Security** tab. In **Group or user names**, click **Domain Computers**, under **Allow**, select **Enroll** and **Autoenroll**, and then click **OK**.
+
+    >**Note:**  If you want do not want to deploy the certificate to every device in the domain, then specify a different group or groups that contain the device accounts that you want to receive the certificate.
+
+9.  Close the Certificate Templates Console.
+
+10. In the Certification Authority MMC snap-in, in the left pane, right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
+
+11. In the **Enable Certificate Templates** dialog box, click the name of the certificate template you just configured, and then click **OK**.

windows/keep-secure/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md

@@ -0,0 +1,46 @@
+---
+title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10)
+description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
+ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console.
+
+>**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users’ programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail.
+
+We recommend that you do not enable these settings until you have created and tested the required rules.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules
+
+1.  [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
+
+2.  In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
+
+3.  For each network location type (Domain, Private, Public), perform the following steps.
+
+    1.  Click the tab that corresponds to the network location type.
+
+    2.  Under **Settings**, click **Customize**.
+
+    3.  Under **Firewall settings**, change **Display a notification** to **No**.
+
+    4.  Under **Rule merging**, change **Apply local firewall rules** to **No**.
+
+    5.  Although a connection security rule is not a firewall setting, you can also use this tab to prohibit locally defined connection security rules if you are planning to deploy IPsec rules as part of a server or domain isolation environment. Under **Rule merging**, change **Apply local connection security rules** to **No**.
+
+    6.  Click **OK** twice.

windows/keep-secure/confirm-that-certificates-are-deployed-correctly.md

@@ -0,0 +1,48 @@
+---
+title: Confirm That Certificates Are Deployed Correctly (Windows 10)
+description: Confirm That Certificates Are Deployed Correctly
+ms.assetid: de0c8dfe-16b0-4d3b-8e8f-9282f6a65eee
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: securit
+author: brianlic-msft
+---
+
+# Confirm That Certificates Are Deployed Correctly
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016 Technical Preview
+
+After configuring your certificates and autoenrollment in Group Policy, you can confirm that the policy is being applied as expected, and that the certificates are being properly installed on the workstation devices.
+
+In these procedures, you refresh Group Policy on a client device, and then confirm that the certificate is deployed correctly.
+
+**Administrative credentials**
+
+To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
+
+In this topic:
+
+-   [Refresh Group Policy on a device](#to-refresh-group-policy-on-a-device)
+
+-   [Verify that a certificate is installed](#to-verify-that-a-certificate-is-installed)
+
+## To refresh Group Policy on a device
+
+ From an elevated command prompt, run the following command:
+
+``` syntax
+gpupdate /target:computer /force
+```
+
+After Group Policy is refreshed, you can see which GPOs are currently applied to the device.
+
+## To verify that a certificate is installed
+
+1.  Open the Cerificates console.
+
+2.  In the navigation pane, expand **Trusted Root Certification Authorities**, and then click **Certificates**.
+
+    The CA that you created appears in the list.