mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-17 19:33:37 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into vs-10202987
This commit is contained in:
LizRoss
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Access this computer from the network (Windows 10)
|
||||
title: Access this computer from the network - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Access this computer from the network security policy setting.
|
||||
ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Access this computer from the network
|
||||
# Access this computer from the network - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Accounts Guest account status (Windows 10)
|
||||
title: Accounts Guest account status - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting.
|
||||
ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Accounts: Guest account status
|
||||
# Accounts: Guest account status - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Accounts Rename guest account (Windows 10)
|
||||
title: Accounts Rename guest account - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, and security considerations for the Accounts Rename guest account security policy setting.
|
||||
ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Accounts: Rename guest account
|
||||
# Accounts: Rename guest account - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Allow log on locally (Windows 10)
|
||||
title: Allow log on locally - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting.
|
||||
ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Allow log on locally
|
||||
# Allow log on locally - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Back up files and directories (Windows 10)
|
||||
title: Back up files and directories - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting.
|
||||
ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Back up files and directories
|
||||
# Back up files and directories - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -40,7 +40,7 @@ BitLocker encryption can be done using the following methods:
|
||||
|
||||
### Encrypting volumes using the BitLocker control panel
|
||||
|
||||
Encrypting volumes with the BitLocker control panel is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
|
||||
Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
|
||||
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
|
||||
|
||||
### Operating system volume
|
||||
|
||||
@ -47,6 +47,8 @@ Yes, BitLocker supports multifactor authentication for operating system drives.
|
||||
|
||||
### <a href="" id="bkmk-hsrequirements"></a>What are the BitLocker hardware and software requirements?
|
||||
|
||||
For requirements, see [System requirements](https://technet.microsoft.com/itpro/windows/keep-secure/bitlocker-overview#system-requirements).
|
||||
|
||||
> **Note:** Dynamic disks are not supported by BitLocker. Dynamic data volumes will not be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it is a Dynamic disk, if it is a dynamic disk it is cannot be protected by BitLocker.
|
||||
|
||||
### <a href="" id="bkmk-partitions"></a>Why are two partitions required? Why does the system drive have to be so large?
|
||||
|
||||
@ -14,7 +14,7 @@ author: brianlic-msft
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.
|
||||
This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later.
|
||||
|
||||
For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment.
|
||||
|
||||
|
||||
@ -79,4 +79,4 @@ When installing the BitLocker optional component on a server you will also need
|
||||
| [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
|
||||
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
|
||||
|
||||
If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm).
|
||||
If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker).
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Change the system time (Windows 10)
|
||||
title: Change the system time - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Change the system time security policy setting.
|
||||
ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Change the system time
|
||||
# Change the system time - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Change the time zone (Windows 10)
|
||||
title: Change the time zone - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Change the time zone security policy setting.
|
||||
ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Change the time zone
|
||||
# Change the time zone - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Create a pagefile (Windows 10)
|
||||
title: Create a pagefile - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Create a pagefile security policy setting.
|
||||
ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Create a pagefile
|
||||
# Create a pagefile - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -27,3 +27,7 @@ You can perform this task by using the Group Policy Management Console for an Ap
|
||||
1. Open the AppLocker console.
|
||||
2. Right-click the appropriate rule type for which you want to automatically generate default rules. You can automatically generate rules for executable, Windows Installer, script rules and Packaged app rules.
|
||||
3. Click **Create Default Rules**.
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
|
||||
|
||||
@ -195,10 +195,9 @@ Requirements for running Credential Guard in Hyper-V virtual machines
|
||||
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
|
||||
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
|
||||
|
||||
|
||||
### Remove Credential Guard
|
||||
|
||||
If you have to remove Credential Guard on a PC, you need to do the following:
|
||||
If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
|
||||
|
||||
1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
|
||||
2. Delete the following registry settings:
|
||||
@ -242,7 +241,8 @@ If you have to remove Credential Guard on a PC, you need to do the following:
|
||||
|
||||
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
|
||||
|
||||
**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
|
||||
<span id="turn-off-with-hardware-readiness-tool" />
|
||||
#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
|
||||
|
||||
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Interactive logon Require smart card (Windows 10)
|
||||
title: Interactive logon Require smart card - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting.
|
||||
ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Interactive logon: Require smart card
|
||||
# Interactive logon: Require smart card - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Remove computer from docking station (Windows 10)
|
||||
title: Remove computer from docking station - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Remove computer from docking station security policy setting.
|
||||
ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Remove computer from docking station
|
||||
# Remove computer from docking station - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -24,7 +24,7 @@ The following requirements must be met or addressed before you deploy your AppLo
|
||||
|
||||
### <a href="" id="bkmk-reqdepplan"></a>Deployment plan
|
||||
|
||||
An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md).
|
||||
An AppLocker policy deployment plan is the result of investigating which applications are required and necessary in your organization, which apps are optional, and which apps are forbidden. To develop this plan, see [AppLocker Design Guide](applocker-policies-design-guide.md). The following table is an example of the data you need to collect and the decisions you need to make to successfully deploy AppLocker policies on the supported operating systems (as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md)).
|
||||
|
||||
<table style="width:100%;">
|
||||
<colgroup>
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Restore files and directories (Windows 10)
|
||||
title: Restore files and directories - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Restore files and directories security policy setting.
|
||||
ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Restore files and directories
|
||||
# Restore files and directories - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -55,7 +55,7 @@ In the Woodgrove Bank example, the line-of-business app for the Bank Tellers bus
|
||||
|
||||
### Determine how to allow system files to run
|
||||
|
||||
Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
|
||||
Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection.
|
||||
|
||||
You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions:
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Shut down the system (Windows 10)
|
||||
title: Shut down the system - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management, and security considerations for the Shut down the system security policy setting.
|
||||
ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Shut down the system
|
||||
# Shut down the system - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Shutdown Clear virtual memory pagefile (Windows 10)
|
||||
title: Shutdown Clear virtual memory pagefile - security policy setting (Windows 10)
|
||||
description: Describes the best practices, location, values, policy management and security considerations for the Shutdown Clear virtual memory pagefile security policy setting.
|
||||
ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9
|
||||
ms.prod: w10
|
||||
@ -9,7 +9,7 @@ ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Shutdown: Clear virtual memory pagefile
|
||||
# Shutdown: Clear virtual memory pagefile - security policy setting
|
||||
|
||||
**Applies to**
|
||||
- Windows 10
|
||||
|
||||
@ -24,7 +24,7 @@ The following tools can help you administer the application control policies cre
|
||||
|
||||
- **Generate Default Rules tool**
|
||||
|
||||
AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md).
|
||||
AppLocker includes default rules for each rule collection accessed through the Local Security Policy snap-in. These rules are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For info about how to use this tool, see [Create AppLocker default rules](create-applocker-default-rules.md). For a list of the default rules, see [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules).
|
||||
|
||||
- **Automatically Generate AppLocker Rules wizard**
|
||||
|
||||
|
||||
@ -42,5 +42,4 @@ These permissions settings are applied to this folder for app compatibility. How
|
||||
## Related topics
|
||||
|
||||
- [How AppLocker works](how-applocker-works-techref.md)
|
||||
|
||||
|
||||
- [Create AppLocker default rules](create-applocker-default-rules.md)
|
||||
@ -33,3 +33,5 @@ For info about how to enable the DLL rule collection, see [Enable the DLL rule c
|
||||
## Related topics
|
||||
|
||||
- [How AppLocker works](how-applocker-works-techref.md)
|
||||
- [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
|
||||
|
||||
|
||||
@ -61,7 +61,7 @@ The following table compares the features and functions of Software Restriction
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enforcement mode</p></td>
|
||||
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.</p>
|
||||
<p>SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
|
||||
<p>SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
|
||||
<td align="left"><p>AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
|
||||
@ -123,7 +123,7 @@ When you choose the file hash rule condition, the system computes a cryptographi
|
||||
|
||||
## AppLocker default rules
|
||||
|
||||
AppLocker allows you to generate default rules for each rule collection.
|
||||
AppLocker includes default rules, which are intended to help ensure that the files that are required for Windows to operate properly are allowed in an AppLocker rule collection. For background, see [Understanding AppLocker default rules](understanding-applocker-default-rules.md), and for steps, see [Create AppLocker default rules](create-applocker-default-rules.md).
|
||||
|
||||
Executable default rule types include:
|
||||
|
||||
|
||||
Reference in New Issue
Block a user