From a6667e1dd0581149d1b2bc97bc7692afc146d7c4 Mon Sep 17 00:00:00 2001 From: Ed Gallagher Date: Mon, 7 Jan 2019 07:53:40 -0600 Subject: [PATCH 01/10] Correct typo Corrected typo in Step 2 --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 89535ec25d..3b8bb58b5d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them. With W Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: 
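Review bot: the corrected `+` line still carries two more errors in the same paragraph, `they never user it` and `This is a how passwords are phished`; since this hunk already rewrites the whole paragraph line, fix all three here rather than spreading them over separate commits (as the rest of this series then does).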
From cdaab7f8d44b124b10552deea6fb4f286321c22e Mon Sep 17 00:00:00 2001 From: Ed Gallagher Date: Mon, 7 Jan 2019 12:53:57 -0600 Subject: [PATCH 02/10] Update passwordless-strategy.md --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 3b8bb58b5d..4b89db5500 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them. With W Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: 
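Review bot: `This is a how passwords are phished` is still present in the `+` line; it is one more typo in the paragraph this patch is correcting, so `This is how passwords are phished` belongs in this hunk. The index line `3b8bb58b5d..4b89db5500` shows this patch is correctly built on the output of PATCH 01; the next patch in the series is not.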
From 966540d2df2fa4265ea36d8d050fde1b9a664bd6 Mon Sep 17 00:00:00 2001 From: Ed Gallagher Date: Mon, 7 Jan 2019 12:57:05 -0600 Subject: [PATCH 03/10] Corrected second typo Corrected second typo in step 2 --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 89535ec25d..2f1318e697 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them. With W Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: 
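Review bot: this hunk does not apply on top of PATCH 02. Its index line is `89535ec25d..2f1318e697`, i.e. it is built on the original file, and its `-` line still contains `it at all`, which PATCH 01 already changed to `if at all`; in series order the context will not match, and if it is applied on its own it reintroduces `it at all` in the `+` line. Rebase it on `4b89db5500` (the result of PATCH 02), or better, squash 01, 02 and 03 into a single typo-fix commit.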
From 5e1958c857c3ee654dcaac0c00e4ebba33653ae3 Mon Sep 17 00:00:00 2001 From: adrianwells Date: Tue, 8 Jan 2019 11:32:22 -0500 Subject: [PATCH 04/10] Update overview-create-wip-policy.md Correction to a description and edits to match style of defining terms within descriptions. --- .../overview-create-wip-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index b0cbdd55e6..e160720d9f 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md 
@@ -22,8 +22,8 @@ Microsoft Intune helps you create and deploy your enterprise data protection (WI ## In this section |Topic |Description | |------|------------| -|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | -|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MDM, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.| +|[Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy with MDM (Mobile Device Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. 
| +|[Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create your WIP policy with MAM (Mobile Application Management), including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.| |[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | -|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | \ No newline at end of file +|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | From 26af9520876ae5574032aa8105d6c9891a6a8788 Mon Sep 17 00:00:00 2001 
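Review bot: in the trailing context of this hunk the EFS DRA row still reads `using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate`; since the commit is already normalising these descriptions, change `a` to `an` in the same pass. The substantive change is right: the MAM row previously said `with MDM`, which pointed readers at the wrong management channel, and expanding to `MDM (Mobile Device Management)` and `MAM (Mobile Application Management)` makes the two rows distinguishable. Adding the missing newline at end of file is fine.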
From: Jeanie Decker Date: Tue, 8 Jan 2019 12:57:02 -0800 Subject: [PATCH 05/10] no RDP for kiosk; UAC must be on --- windows/configuration/kiosk-methods.md | 4 +++- windows/configuration/kiosk-prepare.md | 6 +++++- windows/configuration/kiosk-single-app.md | 5 +++++ .../configuration/lock-down-windows-10-to-specific-apps.md | 7 ++++++- 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 8f2904b128..00c0e21b1f 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jdeckerms -ms.date: 07/30/2018 +ms.date: 01/08/2019 --- # Configure kiosks and digital signs on Windows desktop editions 
@@ -30,6 +30,8 @@ There are several kiosk configuration methods that you can choose from, dependin ![icon that represents Windows](images/windows.png) | **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. ![icon that represents a user account](images/user.png) | **Which type of user account will be the kiosk account?** The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method. +>[!IMPORTANT] +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. ## Methods for a single-app kiosk running a UWP app diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 986da71577..bf646cbee3 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 10/02/2018 +ms.date: 01/08/2019 --- # Prepare a device for kiosk configuration 
@@ -23,6 +23,10 @@ ms.date: 10/02/2018 > >Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +>[!IMPORTANT] +>[User account control (UAC)](../security/identity-protection/user-account-control/user-account-control-overview.md) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 4af964b132..78969fb439 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -24,6 +24,11 @@ ms.date: 10/09/2018 --- | --- A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen.
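Review bot: the UAC requirement in the new `[!IMPORTANT]` block is stated but not made checkable: `must be turned on to enable kiosk mode` does not say which setting counts as "on", so an admin who has lowered the notification level but left UAC enabled cannot tell whether the device qualifies. Name the specific policy setting the statement depends on, or say explicitly that the linked overview identifies it. Separately, the same two-paragraph block is pasted verbatim into kiosk-prepare.md, kiosk-single-app.md and lock-down-windows-10-to-specific-apps.md (and its RDP half into kiosk-methods.md); consider a single include so the four copies do not drift the next time the requirement changes.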

When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app. | ![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png) +>[!IMPORTANT] +>[User account control (UAC)](../security/identity-protection/user-account-control/user-account-control-overview.md) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + You have several options for configuring your single-app kiosk. Method | Description diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index eb93365fca..fb8fca3fc2 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 01/04/2019 +ms.date: 01/09/2019 ms.author: jdecker ms.topic: article --- @@ -39,6 +39,11 @@ New features and improvements | In update You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). +>[!IMPORTANT] +>[User account control (UAC)](../security/identity-protection/user-account-control/user-account-control-overview.md) must be turned on to enable kiosk mode. +> +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. + ## Configure a kiosk in Microsoft Intune From 0c13dddae35652dc01fa266e031552a1e6ea099e Mon Sep 17 00:00:00 2001 From: Harshitha Chidananda Murthy Date: Wed, 9 Jan 2019 12:55:29 -0800 Subject: [PATCH 06/10] Note about SDE taking long time in Studios --- devices/surface/microsoft-surface-data-eraser.md | 3 +++ 1 file changed, 3 insertions(+) 
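Review bot: the `ms.date` bump in lock-down-windows-10-to-specific-apps.md goes to `01/09/2019`, while the same commit sets kiosk-methods.md and kiosk-prepare.md to `01/08/2019` and the commit itself is dated Jan 8; use one date across the files touched. kiosk-single-app.md receives the same content change but no date bump at all (its hunk header still shows `ms.date: 10/09/2018`), so either bump it too or leave all four alone consistently.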
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 5a35a44360..23e0c2dd91 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -57,6 +57,9 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include: >[!NOTE] >Because the ability to boot to USB is required to run Microsoft Surface Data Eraser, if the device is not configured to boot from USB or if the device is unable to boot or POST successfully, the Microsoft Surface Data Eraser tool will not function. +>[!NOTE] +>Surface Data Eraser on Surface Studio and Surface Studio 2 can take up to 6 minutes to boot into WinPE before disk erasure can occur. + ## How to create a Microsoft Surface Data Eraser USB stick From 8680cc3f2c0ce4e60740d61085eab2a9d0827a29 Mon Sep 17 00:00:00 2001 From: nicolonsky <32899754+nicolonsky@users.noreply.github.com> Date: Thu, 10 Jan 2019 13:40:31 +0100 Subject: [PATCH 07/10] Fix registry key paths for HTTP.SYS Corrected invalid registry key paths for the HTTP.SYS configuration. --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index d855efc036..dda2b53178 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -517,8 +517,8 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. 2. Run the following commands
-```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
-```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
+```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
+```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
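Review bot: the path fix is correct (`HKLM\CurrentControlSet\...` is not a real key; the `Services` tree lives under `HKLM\SYSTEM\CurrentControlSet`), but two things remain in the corrected commands. First, `reg add` without `/f` prompts `Value ... exists, overwrite (Yes/No)?` when the value is already present, which it will be on an NDES server that has been through this step once; add `/f` so step 2 is non-interactive and does not stall a scripted run. Second, each command is wrapped in single-line triple backticks, which render as inline code rather than a fenced block; put both lines in one fenced block so they can be copied together and the trailing `3. Restart the NDES server.` stays a separate list item.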
3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector From 56407649f6087363664cbfb9c804de7e6c39cd7a Mon Sep 17 00:00:00 2001 From: bb-froggy Date: Thu, 10 Jan 2019 16:24:59 +0100 Subject: [PATCH 08/10] typo --- windows/client-management/mdm/policy-csp-internetexplorer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 3cac24872a..823af29f0b 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -2132,7 +2132,7 @@ If you disable or do not configure this policy, users may choose their own site- > [!Note] > This policy is a list that contains the site and index value. -The list is a set of pairs of strings. Each string is seperated by F000. Each pair of string are stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. +The list is a set of pairs of strings. Each string is seperated by F000. Each pair of strings is stored as a registry name and value. The registry name is the site and the value is an index. The index has to be sequential. See an example below. > [!TIP] From e9f6928dfaced28b34ef66ba0a4f5f72018a8745 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 10 Jan 2019 15:54:57 +0000 Subject: [PATCH 09/10] Merged PR 13714: clean up after merge conflict --- windows/configuration/kiosk-methods.md | 5 ----- windows/configuration/kiosk-prepare.md | 2 ++ 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index 693a763c2b..e0121dbd6c 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md 
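Review bot: on the PATCH 08 hunk in policy-csp-internetexplorer.md, the rewritten line still contains `seperated`; since the hunk already touches this sentence, change it to `separated` here. The grammar fix (`Each pair of strings is stored`) is fine. `Each string is seperated by F000` would also help an implementer if it said that F000 is the Unicode character 0xF000 used as the list separator, not a literal four-character string; if the example below already shows this, a few words here still save a wrong first attempt.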
@@ -7,11 +7,6 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jdeckerms -<<<<<<< HEAD -ms.date: 01/08/2019 -======= -ms.date: 01/09/2019 ->>>>>>> origin/master --- # Configure kiosks and digital signs on Windows desktop editions diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 4cef49132c..8fa3845086 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -28,6 +28,7 @@ ms.date: 01/09/2019 > >Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. +## Configuration recommendations For a more secure kiosk experience, we recommend that you make the following configuration changes to the device before you configure it as a kiosk: @@ -237,3 +238,4 @@ The following table describes some features that have interoperability issues we + From 18bb349f2dcaf685fa01ebe3e370b0cdf3adf580 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 10 Jan 2019 08:46:53 -0800 Subject: [PATCH 10/10] Update passwordless-strategy.md --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2f1318e697..0156ec9a78 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
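Review bot: the conflict resolution in kiosk-methods.md deletes the `ms.date` line outright instead of choosing one side: both `ms.date: 01/08/2019` (HEAD) and `ms.date: 01/09/2019` (origin/master) are removed and nothing replaces them, so the page loses its metadata date, which neither side intended. Keep one of the two values. In kiosk-prepare.md the new `## Configuration recommendations` heading is a reasonable addition, but the second hunk there (`@@ -237,3 +238,4 @@`) only appends a trailing blank line at end of file and should be dropped as noise.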
@@ -25,7 +25,7 @@ Before you move away from passwords, you need something to replace them. With W Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where:
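Review bot: this is the fourth commit in the series touching the same sentence in passwordless-strategy.md (PATCH 01, 02, 03 and 10), and only here do `This is how` and `if at all` both land on the base that PATCH 03 produced (`2f1318e697`), re-doing the `if at all` fix that PATCH 01 already made on a different base. The end state is correct; squash the four into one commit so the history does not carry the non-applying PATCH 03 and the duplicated fix.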