mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Fixing remaining insecure links
This commit is contained in:
parent
ca5b28b334
commit
f424acf885
@ -40,7 +40,7 @@ Microsoft Edge is the first browser to natively support Windows Hello as a more
|
||||
Microsoft SmartScreen, used in Windows 10 and both Internet Explorer 11 and Microsoft Edge, helps to defend against phishing by performing reputation checks on visited sites and blocking any sites that are thought to be phishing sites. SmartScreen also helps to defend people against being tricked into installing malicious [socially-engineered software downloads](http://operationstech.about.com/od/glossary/g/Socially-Engineered-Malware.htm and against [drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/). Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software, and may be hosted on trusted sites.
|
||||
|
||||
#### Certificate Reputation system
|
||||
While people trust sites that have encrypted web traffic, that trust can be undermined by malicious sites using improperly obtained or fake certificates to impersonate legitimate sites. To help address this problem, we introduced the [Certificate Reputation system](http://blogs.msdn.com/b/ie/archive/2014/03/10/certificate-reputation-a-novel-approach-for-protecting-users-from-fraudulent-certificates.aspx) last year. This year, we’ve extended the system to let web developers use the [Bing Webmaster Tools](http://www.bing.com/toolbox/webmaster) to report directly to Microsoft to let us know about fake certificates.
|
||||
While people trust sites that have encrypted web traffic, that trust can be undermined by malicious sites using improperly obtained or fake certificates to impersonate legitimate sites. To help address this problem, we introduced the [Certificate Reputation system](https://blogs.msdn.com/b/ie/archive/2014/03/10/certificate-reputation-a-novel-approach-for-protecting-users-from-fraudulent-certificates.aspx) last year. This year, we’ve extended the system to let web developers use the [Bing Webmaster Tools](http://www.bing.com/toolbox/webmaster) to report directly to Microsoft to let us know about fake certificates.
|
||||
|
||||
### Help against hacking
|
||||
While Microsoft Edge has done much to help defend against trickery, the browser’s “engine” has also been overhauled to resist hacking (attempts to corrupt the browser itself) including a major overhaul of the DOM representation in the browser’s memory, and the security mitigations described here.
|
||||
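Review bot: The rewritten line still carries an insecure link: `[Bing Webmaster Tools](http://www.bing.com/toolbox/webmaster)` keeps `http://` while only the blogs.msdn.com URL on the same line was changed to `https://`. The unchanged context line above it has the same problem plus a markdown defect: `[socially-engineered software downloads](http://operationstech.about.com/od/glossary/g/Socially-Engineered-Malware.htm and against` is missing the closing `)` after `.htm`, so the link never terminates and the rest of the sentence is swallowed into the URL. Both are worth fixing while this paragraph is being touched.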
@ -65,7 +65,7 @@ Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Wind
|
||||
Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time. Because Microsoft Edge doesn’t support 3rd party binary extensions, there’s no reason for it to run outside of the containers, ensuring that Microsoft Edge is more secure.
|
||||
|
||||
#### Microsoft Edge is now a 64-bit app
|
||||
The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](http://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Microsoft Store apps.
|
||||
The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](https://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Microsoft Store apps.
|
||||
|
||||
##### 64-bit processes and Address Space Layout Randomization (ASLR)
|
||||
Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system.
|
||||
|
@ -37,4 +37,4 @@ You will receive a notification if a webpage tries to load one of the following
|
||||
| Everything below (but not including) Silverlight 5.1.50907.0 |
|
||||
|--------------------------------------------------------------|
|
||||
|
||||
For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](http://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
|
||||
For more information, see [Out-of-date ActiveX control blocking](out-of-date-activex-control-blocking.md) and [Internet Explorer begins blocking out-of-date ActiveX controls](https://blogs.msdn.com/b/ie/archive/2014/08/06/internet-explorer-begins-blocking-out-of-date-activex-controls.aspx). You can also view Microsoft's complete list of out-of-date ActiveX controls in the XML-based [version list](https://go.microsoft.com/fwlink/?LinkId=403864).
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Educator Trial in a Box Guide
|
||||
description: Need help or have a question about using Microsoft Education? Start here.
|
||||
description: Need help or have a question about using Microsoft Education? Start here.
|
||||
keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs
|
||||
ms.prod: w10
|
||||
ms.technology: Windows
|
||||
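Review bot: The old and new `description:` lines are visibly identical, so this hunk is a whitespace-only change (trailing spaces or line endings), which is unrelated to the stated purpose of the commit, and the same pattern repeats in the following hunks of this file. Keeping whitespace normalisation in a separate commit would leave the link fix small enough to verify line by line.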
@ -28,8 +28,8 @@ ms.date: 03/18/2018
|
||||
| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** </br>Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
|
||||
| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** </br>Open [OneNote](#edu-task4) and create an example group project for your class. |
|
||||
| [](#edu-task5) | **Curious about telling stories through video?** </br>Try the [Photos app](#edu-task5) to make your own example video. |
|
||||
| [](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** </br>Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
|
||||
| [](#edu-task7) | **Want to provide a personal math tutor for your students?** </br>Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
|
||||
| [](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** </br>Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
|
||||
| [](#edu-task7) | **Want to provide a personal math tutor for your students?** </br>Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
|
||||
| | |
|
||||
|
||||
</br>
|
||||
@ -40,21 +40,21 @@ ms.date: 03/18/2018
|
||||
</br>
|
||||
|
||||
|
||||

|
||||

|
||||
## <a name="edu-task1"></a>1. Log in and connect to the school network
|
||||
To try out the educator tasks, start by logging in as a teacher.
|
||||
|
||||
1. Turn on **Device A** and ensure you plug in the PC to an electrical outlet.
|
||||
2. Connect **Device A** to your school's Wi-Fi network or connect with a local Ethernet connection using the Ethernet adapter included in this kit.
|
||||
>**Note**: If your Wi-Fi network requires a web browser login page to connect to the Internet, connect using the Ethernet port. If your Wi-Fi network has additional restrictions that will prevent the device from connecting to the internet without registration, consider connecting **Device A** to a different network.
|
||||
|
||||
|
||||
3. Log in to **Device A** using the **Teacher Username** and **Teacher Password** included in the **Credentials Sheet** located in your kit.
|
||||
|
||||
|
||||
</br>
|
||||
</br>
|
||||
|
||||

|
||||

|
||||
## <a name="edu-task2"></a>2. Significantly improve student reading speed and comprehension
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y]
|
||||
@ -65,7 +65,7 @@ To try out the educator tasks, start by logging in as a teacher.
|
||||
Learning Tools and the Immersive Reader can be used in the Microsoft Edge browser, Microsoft Word, and Microsoft OneNote to:
|
||||
* Increase fluency for English language learners
|
||||
* Build confidence for emerging readers
|
||||
* Provide text decoding solutions for students with learning differences such as dyslexia
|
||||
* Provide text decoding solutions for students with learning differences such as dyslexia
|
||||
|
||||
**Try this!**
|
||||
|
||||
@ -75,7 +75,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
|
||||
|
||||
3. Select the **View** menu.
|
||||
|
||||
4. Select the **Immersive Reader** button.
|
||||
4. Select the **Immersive Reader** button.
|
||||
|
||||

|
||||
|
||||
@ -92,7 +92,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
|
||||
|
||||
|
||||
|
||||

|
||||

|
||||
## <a name="edu-task3"></a>3. Spark communication, critical thinking, and creativity in the classroom
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8]
|
||||
@ -100,7 +100,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
|
||||
</br>
|
||||
|
||||
|
||||
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. This guided tour walks you through the essential teaching features of the app. Then, through interactive prompts, experience how you can use this tool in your own classroom to spark digital classroom discussions, respond to student questions, organize content, and more!
|
||||
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. This guided tour walks you through the essential teaching features of the app. Then, through interactive prompts, experience how you can use this tool in your own classroom to spark digital classroom discussions, respond to student questions, organize content, and more!
|
||||
|
||||
Take a guided tour of Microsoft Teams and test drive this digital hub.
|
||||
|
||||
@ -113,7 +113,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.
|
||||
</br>
|
||||
</br>
|
||||
|
||||

|
||||

|
||||
## <a name="edu-task4"></a>4. Expand classroom collaboration and interaction between students
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE]
|
||||
@ -125,7 +125,7 @@ Microsoft OneNote organizes curriculum and lesson plans for teachers and student
|
||||
|
||||
**Try this!**
|
||||
See how a group project comes together with opportunities to interact with other students and collaborate with peers. This one works best with the digital pen, included with your Trial in a Box.
|
||||
When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again.
|
||||
When you're not using the pen, just use the magnet to stick it to the left side of the screen until you need it again.
|
||||
|
||||
1. On the **Start** menu, click the OneNote shortcut named **Imagine Giza** to open the **Reimagine the Great Pyramid of Giza project**.
|
||||
|
||||
@ -136,12 +136,12 @@ When you're not using the pen, just use the magnet to stick it to the left side
|
||||
|
||||

|
||||
|
||||
- Type anywhere on the page! Just click your cursor where you want to place text.
|
||||
- Use the checkmark in the **Home** tab to keep track of completed tasks.
|
||||
- Type anywhere on the page! Just click your cursor where you want to place text.
|
||||
- Use the checkmark in the **Home** tab to keep track of completed tasks.
|
||||
|
||||

|
||||
|
||||
- To find information without leaving OneNote, use the Researcher tool found under the Insert tab.
|
||||
- To find information without leaving OneNote, use the Researcher tool found under the Insert tab.
|
||||
|
||||

|
||||
|
||||
@ -160,18 +160,18 @@ The Photos app now has a built-in video editor, making it easy for you and your
|
||||
**Try this!**
|
||||
Use video to create a project summary.
|
||||
|
||||
1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**.
|
||||
1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**.
|
||||
|
||||
2. Open Microsoft Edge and visit <a href="http://aka.ms/PhotosTIB" target="_blank">http://aka.ms/PhotosTIB</a> to download a zip file of the project media.
|
||||
2. Open Microsoft Edge and visit <a href="https://aka.ms/PhotosTIB" target="_blank">http://aka.ms/PhotosTIB</a> to download a zip file of the project media.
|
||||
|
||||
3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**.
|
||||
3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**.
|
||||
|
||||
4. In the **Start** menu, search for **Photos** or select the Photos tile to launch the app.
|
||||
4. In the **Start** menu, search for **Photos** or select the Photos tile to launch the app.
|
||||
|
||||
5. Select the first video to preview it full screen. Select **Edit & Create**, then select **Create a video with text**.
|
||||
1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen.
|
||||
1. If you don't see the **Edit & Create** menu, select the video and the menu will appear at the top of the screen.
|
||||
|
||||
6. Name your project “Laser Maze Project.” Hit Enter to continue.
|
||||
6. Name your project “Laser Maze Project.” Hit Enter to continue.
|
||||
|
||||
7. Select **Add photos and videos** and then **From my collection**. Scroll to select the 6 additional videos and select **Add**.
|
||||
|
||||
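Review bot: The `href` was changed to `https://aka.ms/PhotosTIB` but the visible link text still reads `http://aka.ms/PhotosTIB`, so readers who copy the text rather than click it still get the insecure URL; update both. The same anchor uses `target="_blank"` without `rel="noopener noreferrer"`, which lets the opened page reach back to this one through `window.opener`; add the `rel` attribute here and on the other `target="_blank"` links in this file.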
@ -179,12 +179,12 @@ Use video to create a project summary.
|
||||
|
||||

|
||||
|
||||
9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**.
|
||||
9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**.
|
||||
|
||||
10. Select the third card in the Storyboard (the video of the children assembling the maze) and select **Trim**. Drag the trim handle on the left to shorten the duration of the clip and select **Done**.
|
||||
10. Select the third card in the Storyboard (the video of the children assembling the maze) and select **Trim**. Drag the trim handle on the left to shorten the duration of the clip and select **Done**.
|
||||
|
||||
11. Select the last card on the Storyboard and select **3D effects**.
|
||||
1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser.
|
||||
1. Position the playback indicator to be roughly 1 second into the video clip, or when the boy moves down to examine the laser.
|
||||
2. Find the **lightning bolt** effect and click or drag to add it to the scene. Rotate, scale, and position the effect so it looks like the lightning is coming out of the laser beam and hitting the black back of the mirror.
|
||||
3. Position the blue anchor over the end of the laser pointer in the video and toggle on **Attach to a point** for the lightning bolt effect to anchor the effect in the scene.
|
||||
4. Play back your effect.
|
||||
@ -196,30 +196,30 @@ Use video to create a project summary.
|
||||
1. The music will update automatically to match the length of your video project, even as you make changes.
|
||||
2. If you don’t see more than a few music options, confirm that you’re connected to Wi-Fi and then close and re-open Microsoft Photos (returning to your project via the **Albums** tab). Additional music files should download in the background.
|
||||
|
||||
13. You can adjust the volume for the background music using the **Music volume** button.
|
||||
13. You can adjust the volume for the background music using the **Music volume** button.
|
||||
|
||||
14. Preview your video to see how it all came together.
|
||||
|
||||
15. Select **Export or share** and select either the **Small** or **Medium** file size. You can share your video to social media, email, or another apps.
|
||||
15. Select **Export or share** and select either the **Small** or **Medium** file size. You can share your video to social media, email, or another apps.
|
||||
|
||||
Check out this use case video of the Photos team partnering with the Bureau Of Fearless Ideas in Seattle to bring the Photos app to local middle school students: <a href="https://www.youtube.com/watch?v=0dFFAu6XwPg" target="_blank">https://www.youtube.com/watch?v=0dFFAu6XwPg</a>
|
||||
</br>
|
||||
</br>
|
||||
</br>
|
||||
|
||||

|
||||

|
||||
## <a name="edu-task6"></a>6. Get kids to further collaborate and problem solve
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/QI_bRNUugog]
|
||||
|
||||
</br>
|
||||
|
||||
Minecraft: Education Edition provides an immersive environment to develop creativity, collaboration, and problem-solving in an immersive environment where the only limit is your imagination.
|
||||
Minecraft: Education Edition provides an immersive environment to develop creativity, collaboration, and problem-solving in an immersive environment where the only limit is your imagination.
|
||||
|
||||
**Try this!**
|
||||
Today, we'll explore a Minecraft world through the eyes of a student.
|
||||
|
||||
1. Connect the included mouse to your computer for optimal interaction.
|
||||
1. Connect the included mouse to your computer for optimal interaction.
|
||||
|
||||
2. Open Microsoft Edge and visit <a href="https://aka.ms/lessonhub" target="_blank">https://aka.ms/lessonhub</a>.
|
||||
|
||||
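Review bot: Two wording slips sit on lines this hunk touches: "email, or another apps" should be "email, or other apps", and the Minecraft sentence says "immersive environment" twice ("provides an immersive environment ... in an immersive environment where the only limit is your imagination"); drop one. The rest of the hunk is whitespace-only churn with no visible change.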
@ -242,7 +242,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
|
||||
* **A** moves left.
|
||||
* **S** moves right.
|
||||
* **D** moves backward.
|
||||
|
||||
|
||||
10. Use your mouse as your "eyes". Just move it to look around.
|
||||
|
||||
11. For a bird's eye view, double-tap the SPACE BAR. Now press the SPACE BAR to fly higher. And then hold the SHIFT key to safely land.
|
||||
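Review bot: Unrelated to the link fix, but the unchanged context lines in this hunk describe the keys incorrectly: "**S** moves right" and "**D** moves backward" are swapped, since in the default WASD layout S moves backward and D moves right. Worth correcting in the same file before it ships to students.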
@ -265,7 +265,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
|
||||
</br>
|
||||
</br>
|
||||
|
||||

|
||||

|
||||
## <a name="edu-task7"></a>7. Use Windows Ink to provide a personal math tutor for your students
|
||||
|
||||
The **Math Assistant** and **Ink Replay** features available in the OneNote app for Windows 10 and OneNote Online give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph.
|
||||
@ -293,7 +293,7 @@ To solve the equation 3x+4=7, follow these instructions:
|
||||
|
||||

|
||||
|
||||
3. On the **Draw** tab, click the **Math** button.
|
||||
3. On the **Draw** tab, click the **Math** button.
|
||||
|
||||

|
||||
|
||||
@ -312,7 +312,7 @@ To graph the equation 3x+4=7, follow these instructions:
|
||||
|
||||

|
||||
|
||||
2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
|
||||
2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
|
||||
</br>
|
||||
</br>
|
||||
|
||||
@ -327,7 +327,7 @@ Bring out the best in students by providing a platform for collaborating, explor
|
||||
|
||||
## Update your apps
|
||||
|
||||
Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
|
||||
Microsoft Education works hard to bring you the most current Trial in a Box program experience. As a result, you may need to update your apps to get our latest innovations.
|
||||
|
||||
For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles:
|
||||
|
||||
|
@ -32,7 +32,7 @@ Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and
|
||||
For Cortana<sup>[1](#footnote1)</sup>,
|
||||
- If you're using version 1607, Cortana is removed.
|
||||
- If you're using new devices with version 1703, Cortana is turned on by default.
|
||||
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
|
||||
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
|
||||
|
||||
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
|
||||
|
||||
@ -51,7 +51,7 @@ Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise
|
||||
For Cortana<sup>1</sup>,
|
||||
- If you're using version 1607, Cortana<sup>1</sup> is removed.
|
||||
- If you're using new devices with version 1703, Cortana is turned on by default.
|
||||
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
|
||||
- If you're upgrading from version 1607 to version 1703, Cortana will be enabled.
|
||||
|
||||
You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
|
||||
|
||||
@ -63,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https:
|
||||
|
||||
## Related topics
|
||||
* [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)
|
||||
* [Windows deployment for education](http://aka.ms/edudeploy)
|
||||
* [Windows deployment for education](https://aka.ms/edudeploy)
|
||||
* [Windows 10 upgrade paths](https://go.microsoft.com/fwlink/?LinkId=822787)
|
||||
* [Volume Activation for Windows 10](https://go.microsoft.com/fwlink/?LinkId=822788)
|
||||
* [Plan for volume activation](https://go.microsoft.com/fwlink/?LinkId=822789)
|
||||
|
@ -445,9 +445,9 @@ The following section contains lists with information about Microsoft documentat
|
||||
|
||||
About NGEN technology
|
||||
|
||||
- [How to speed up NGEN optimaztion](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx)
|
||||
- [How to speed up NGEN optimaztion](https://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx)
|
||||
|
||||
- [Script](http://aka.ms/DrainNGenQueue)
|
||||
- [Script](https://aka.ms/DrainNGenQueue)
|
||||
|
||||
**Windows Server and Server Roles**
|
||||
|
||||
|
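Review bot: The link text on the touched lines misspells "optimization" as "optimaztion"; since the line is already being rewritten, fix the typo at the same time. The second bullet's text, "Script", tells the reader nothing about what the link downloads; the target name `DrainNGenQueue` suggests a more descriptive label such as "DrainNGenQueue script".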
@ -452,9 +452,9 @@ The following section contains lists with information about Microsoft documentat
|
||||
|
||||
About NGEN technology
|
||||
|
||||
- [How to speed up NGEN optimaztion](http://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx)
|
||||
- [How to speed up NGEN optimaztion](https://blogs.msdn.com/b/dotnet/archive/2013/08/06/wondering-why-mscorsvw-exe-has-high-cpu-usage-you-can-speed-it-up.aspx)
|
||||
|
||||
- [Script](http://aka.ms/DrainNGenQueue)
|
||||
- [Script](https://aka.ms/DrainNGenQueue)
|
||||
|
||||
**Windows Server and Server Roles**
|
||||
|
||||
|
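Review bot: This hunk at source line 452 is byte-for-byte the same "About NGEN technology" block as the hunk at line 445 (same heading, same two links, same typo), so the source document contains the block twice back to back. Rather than fixing both copies, delete the duplicate.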
@ -21,7 +21,7 @@ Your organization can support various operating systems across a wide range of d
|
||||
|
||||
This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance.
|
||||
|
||||
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
|
||||
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA]
|
||||
|
||||
>[!NOTE]
|
||||
>The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](https://docs.microsoft.com/information-protection/deploy-use/migrate-portal)
|
||||
@ -113,7 +113,7 @@ MDM with Intune provide tools for applying Windows updates to client computers i
|
||||
|
||||
There are a variety of steps you can take to begin the process of modernizing device management in your organization:
|
||||
|
||||
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
|
||||
**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies.
|
||||
|
||||
**Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs.
|
||||
|
||||
|
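Review bot: On the rewritten MMAT line, "or reassesses authentication and compliance" breaks the parallel with "minimize custom imaging, re-evaluate settings management"; it should read "or reassess authentication and compliance".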
@ -21,34 +21,34 @@ The following diagram shows the EnterpriseDesktopAppManagement CSP in tree forma
|
||||
|
||||

|
||||
|
||||
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
|
||||
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
|
||||
The root node for the EnterpriseDesktopAppManagement configuration service provider.
|
||||
|
||||
<a href="" id="msi"></a>**MSI**
|
||||
<a href="" id="msi"></a>**MSI**
|
||||
Node for all settings.
|
||||
|
||||
<a href="" id="msi-productid"></a>**MSI/****_ProductID_**
|
||||
<a href="" id="msi-productid"></a>**MSI/****_ProductID_**
|
||||
The MSI product code for the application.
|
||||
|
||||
<a href="" id="msi-productid-version"></a>**MSI/*ProductID*/Version**
|
||||
<a href="" id="msi-productid-version"></a>**MSI/*ProductID*/Version**
|
||||
Version number. Value type is string. Supported operation is Get.
|
||||
|
||||
<a href="" id="msi-productid-name"></a>**MSI/*ProductID*/Name**
|
||||
<a href="" id="msi-productid-name"></a>**MSI/*ProductID*/Name**
|
||||
Name of the application. Value type is string. Supported operation is Get.
|
||||
|
||||
<a href="" id="msi-productid-publisher"></a>**MSI/*ProductID*/Publisher**
|
||||
<a href="" id="msi-productid-publisher"></a>**MSI/*ProductID*/Publisher**
|
||||
Publisher of application. Value type is string. Supported operation is Get.
|
||||
|
||||
<a href="" id="msi-productid-installpath"></a>**MSI/*ProductID*/InstallPath**
|
||||
<a href="" id="msi-productid-installpath"></a>**MSI/*ProductID*/InstallPath**
|
||||
Installation path of the application. Value type is string. Supported operation is Get.
|
||||
|
||||
<a href="" id="msi-productid-installdate"></a>**MSI/*ProductID*/InstallDate**
|
||||
<a href="" id="msi-productid-installdate"></a>**MSI/*ProductID*/InstallDate**
|
||||
Installation date of the application. Value type is string. Supported operation is Get.
|
||||
|
||||
<a href="" id="msi-productid-downloadinstall"></a>**MSI/*ProductID*/DownloadInstall**
|
||||
<a href="" id="msi-productid-downloadinstall"></a>**MSI/*ProductID*/DownloadInstall**
|
||||
Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get.
|
||||
|
||||
In Windows 10, version 1703 service release, a new tag \<DownloadFromAad\> was added to the \<Enforcement\> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
|
||||
In Windows 10, version 1703 service release, a new tag \<DownloadFromAad\> was added to the \<Enforcement\> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
|
||||
|
||||
Here is an example:
|
||||
|
||||
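Review bot: The `DownloadFromAad` paragraph says that setting the tag to 1 makes the client hand the AADUserToken to the download URL, but it gives no guidance on what that implies. Because the token is sent to whatever host the `ContentURL` names, the doc should state that the download URL must be an `https://` endpoint operated by the same tenant's trusted server, and that the default of 0 should be kept unless the server actually requires the token. Separately, the bold markup on `**MSI/****_ProductID_**` is inconsistent with the `**MSI/*ProductID*/Version**` style used for every other node and renders oddly; use the same form.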
@ -68,7 +68,7 @@ Here is an example:
|
||||
</Enforcement>
|
||||
```
|
||||
|
||||
<a href="" id="msi-productid-status"></a>**MSI/*ProductID*/Status**
|
||||
<a href="" id="msi-productid-status"></a>**MSI/*ProductID*/Status**
|
||||
Status of the application. Value type is string. Supported operation is Get.
|
||||
|
||||
| Status | Value |
|
||||
@ -86,23 +86,23 @@ Status of the application. Value type is string. Supported operation is Get.



<a href="" id="msi-productid-lasterror"></a>**MSI/*ProductID*/LastError**
<a href="" id="msi-productid-lasterror"></a>**MSI/*ProductID*/LastError**
The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed.

Value type is string. Supported operation is Get.

<a href="" id="msi-productid-lasterrordesc"></a>**MSI/*ProductID*/LastErrorDesc**
<a href="" id="msi-productid-lasterrordesc"></a>**MSI/*ProductID*/LastErrorDesc**
Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned.

Value type is string. Supported operation is Get.

<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode**
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode**
Added in the March service release of Windows 10, version 1607.

<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode/_Guid_**
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode/_Guid_**
Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed.

Value type is string. Supported operation is Get.
Value type is string. Supported operation is Get.


## Examples
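Review bot: the anchors for **MSI/UpgradeCode** and **MSI/UpgradeCode/_Guid_** both use `id="msi-upgradecode"`, so a deep link to the _Guid_ node resolves to the parent node; give the second anchor its own id (for example `msi-upgradecode-guid`, following the `msi-productid-*` naming used above). While the _Guid_ description is being touched, "a Admin" should be "an Admin". The paired "Value type is string. Supported operation is Get." lines are identical, so that part of the hunk is another whitespace-only edit.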
@ -226,7 +226,7 @@ The following table describes the fields in the previous sample:
<ContentURL>https://dp2.com/packages/myApp.msi</ContentURL>
</ContentURLList>
</Download>
<Validation>
<Validation>
<FileHash>134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3</FileHash>
</Validation>
<Enforcement>
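Review bot: the only visible change here is the duplicated `<Validation>` line, so this hunk is whitespace only. The sample itself is sound: the ContentURL is already https and the package is pinned by a FileHash, and it is the hash check, not the transport, that guarantees the integrity of the MSI the device installs, so nothing in this sample needs a scheme fix.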
@ -532,7 +532,7 @@ Properties can be specified in the package, passed through the command line, mod
Here's a list of references:

- [Using Windows Installer](https://technet.microsoft.com/library/cc782896.aspx)
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](http://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)

## Alert example
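Review bot: the scheme change on the blogs.msdn.com reference is the right fix, but a scheme swap cannot be validated from the diff alone; before merging, confirm the https URL still resolves to the same article rather than to a generic landing page. The "Using Windows Installer" link is already https and the SyncML reference carries no link, so nothing else in this list needs touching.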
@ -1349,7 +1349,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat)</td>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat)</td>
<td style="vertical-align:top"><p>Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.</p>
</td></tr>
<tr>
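Review bot: the link text "MDM Migration Analysis Too (MMAT)" is missing the "l" in "Tool" on both the old and the new line; since the line is being rewritten for the https scheme anyway, fix the typo in the same edit.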
@ -2031,7 +2031,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat)</td>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat)</td>
<td style="vertical-align:top"><p>Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.</p>
</td></tr>
<tr>
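Review bot: same "Too" for "Tool" typo as in the earlier MMAT row; the two "What's new" tables duplicate this entry verbatim, so both should be corrected together.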
@ -55,7 +55,7 @@ You must tell your employees to turn on Cortana before they’ll be able to use
Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Office 365 admin center.

**To turn off Cortana with Office 365**
1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account.
1. [Sign in to Office 365](https://www.office.com/signin) using your Azure AD account.

2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547).

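Review bot: this is the link fix that matters most in the set, because office.com/signin is a credential-entry page. With the http scheme the browser's first request leaves in clear text and depends on a server-side redirect to reach TLS; the https scheme removes that unprotected hop. Step 2's admin-center link is already https, so the hunk is complete as is.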
@ -49,7 +49,7 @@ To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card C

## Debugging and tracing using WPP

Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](http://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider, and it provides a mechanism for the trace provider to log real-time binary messages. Logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider. For more information about WPP, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).

### Enable the trace

@ -78,7 +78,7 @@ These requirements help protect you from rootkits while allowing you to run any
- **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
- **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.

To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx).
To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx).

Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems.

@ -16,7 +16,7 @@ ms.date: 04/19/2017
- Windows Server 2016


This event should be generated when registry key was virtualized using [LUAFV](http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).

This event occurs very rarely during standard LUAFV registry key virtualization.

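Review bot: "when registry key was virtualized" is missing its article and should read "when a registry key was virtualized"; the sentence is already being rewritten for the https scheme, so fold the grammar fix into the same line.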
@ -16,7 +16,7 @@ ms.date: 04/19/2017
- Windows Server 2016


This event should be generated when file was virtualized using [LUAFV](http://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).

This event occurs very rarely during standard LUAFV file virtualization.

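Review bot: same point as the registry-virtualization event: "when file was virtualized" should read "when a file was virtualized".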
@ -19,6 +19,6 @@ Here you will find information about different types of malware, safety tips on
* [Submit files for analysis](submission-guide.md)
* [Safety Scanner download](safety-scanner-download.md)

Keep up with the latest malware news and research. Check out our [Windows security blogs](http://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.

Learn more about [Windows security](https://docs.microsoft.com/windows/security/index).
@ -34,6 +34,6 @@ There are many types of malware, including:
- [Unwanted software](unwanted-software.md)
- [Worms](worms-malware.md)

Keep up with the latest malware news and research. Check out our [Windows security blogs](http://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.
Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections.

Learn more about [Windows security](https://docs.microsoft.com/en-us/windows/security/index).
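Review bot: the trailing context line links `https://docs.microsoft.com/en-us/windows/security/index` with an `/en-us/` locale segment, while the identical sentence in the previous file uses the locale-free `https://docs.microsoft.com/windows/security/index`; drop the locale here so the two pages stay consistent. The aka.ms scheme change itself is fine.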
@ -17,13 +17,13 @@ ms.date: 10/13/2017

>This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.

Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data.
Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data.
Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include:
- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods.
- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps.
- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.
- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices.

This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware.
This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware.

**In this article:**
- Windows Hello for Business
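Review bot: none of the old/new pairs in this hunk differ in visible text (the "Smartphones now serve", "Windows Hello for Business", "Malware resistance" and "This guide helps" lines), so the change is trailing whitespace. The same holds for the following hunks of this file up to the Secure Boot link change near line 218; splitting that whitespace cleanup into its own commit would make the single real link fix in this file much easier to audit.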
@ -32,25 +32,25 @@ This guide helps IT administrators better understand the security features in Wi

## Windows Hello

Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a user’s identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords – particularly on a mobile device touch screen – that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation.
Windows 10 Mobile includes Windows Hello, a simple, yet powerful, multifactor authentication solution that confirms a user’s identity before allowing access to corporate confidential information and resources. Multifactor authentication is a more secure alternative to password-based device security. Users dislike having to enter long, complex passwords – particularly on a mobile device touch screen – that corporate policy requires they change frequently. This leads to poor security practices like password reuse, written down passwords, or weak password creation.

Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device.
Windows Hello offers a simple, cost-effective way to deploy multifactor authentication across your organization. Unlike smart cards, it does not require public key infrastructure or the implementation of additional hardware. Workers use a PIN, a companion device (like Microsoft Band), or biometrics to validate their identity for accessing corporate resources on their Azure Active Directory (Azure AD) registered Windows 10 Mobile device.

Because Windows Hello is supported across all Windows 10 devices, organizations can uniformly implement multifactor authentication across their environment. Deploying Windows Hello on Windows 10 Mobile devices does require Azure AD (sold separately), but you can use Azure AD Connect to synchronize with your on-premises Active Directory services.

Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors.
Windows Hello supports iris scan, fingerprint, and facial recognition-based authentication for devices that have biometric sensors.

>**Note:** When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
>**Note:** When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.

### <a href="" id="secured-credentials"></a>Secured credentials

Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a user’s credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPM’s own storage root key, which is itself stored within the TPM to prevent credentials from being compromised. Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it.
Windows Hello eliminates the use of passwords for login, reducing the risk that an attacker will steal and reuse a user’s credentials. Windows 10 Mobile devices are required to have a Trusted Platform Module (TPM), a microchip that enables advanced security features. The TPM creates encryption keys that are “wrapped” with the TPM’s own storage root key, which is itself stored within the TPM to prevent credentials from being compromised. Encryption keys created by the TPM can only be decrypted by the same TPM, which protects the key material from attackers who want to capture and reuse it.

To compromise Windows Hello credentials, an attacker would need access to the physical device, and then find a way to spoof the user’s biometric identity or guess his or her PIN. All of this would have to be accomplished before TPM brute-force resistance capabilities lock the mobile device, the theft-protection mechanism kicks in, or the user or corporate administrator remotely wipes the device. With TPM-based protection, an attacker’s window of opportunity for compromising a user’s credentials is greatly reduced.

### <a href="" id="support-for-biometrics"></a>Support for biometrics

Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password.
Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password.

Windows Hello supports three biometric sensor scenarios:
- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology.
@ -71,9 +71,9 @@ A Windows Hello companion device enables a physical device, like a wearable, to

In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2).

### <a href="" id="standards-based-approach"></a>Standards-based approach
### <a href="" id="standards-based-approach"></a>Standards-based approach

The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms.
The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms.

In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for both enterprises and consumers.

@ -81,7 +81,7 @@ In 2014, Microsoft joined the board of the FIDO Alliance. The FIDO 1.0 specifica

Enterprises have seen huge growth in the convergence of personal and corporate data storage. Personal data is frequently stored on corporate devices and vice versa. This fluidity increases the potential for sensitive corporate data to be accidentally compromised.

Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity.
Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity.

Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include:
- Automatically tag personal and corporate data.
@ -89,13 +89,13 @@ Windows 10 Mobile includes Windows Information Protection to transparently keep
- Control which apps can access corporate data.
- Control which apps can access a virtual private network (VPN) connection.
- Prevent users from copying corporate data to public locations.
- Help ensure business data is inaccessible when the device is in a locked state.
- Help ensure business data is inaccessible when the device is in a locked state.

### <a href="" id="enlightened-apps"></a>Enlightened apps

Third-party data loss protection solutions usually require developers to wrap their apps. However, Windows Information Protection builds this intelligence right into Windows 10 Mobile so most apps require nothing extra to prevent inappropriate corporate data sharing.

Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.

When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that:
- Don’t use common controls for saving files.
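Review bot: "Enlighted apps" in the classification paragraph should be "Enlightened apps"; the term is spelled correctly in the heading and in the first sentence of the same paragraph. The typo survives in both the old and the new line, so this whitespace-only rewrite is the natural place to fix it.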
@ -104,14 +104,14 @@ When you do not want all data encrypted by default – because it would create a

In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data.

**When is app enlightenment required?**
- **Required**
**When is app enlightenment required?**
- **Required**
- App needs to work with both personal and enterprise data.
- **Recommended**
- **Recommended**
- App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps.
- App needs to access enterprise data, while protection under lock is activated.
- **Not required**
- App handles only corporate data
- App handles only corporate data
- App handles only personal data

### <a href="" id="companion-devices"></a>Data leakage control
@ -130,17 +130,17 @@ The extent to which users will be prevented from copying and pasting data from a
|
||||
|
||||
Most third-party solutions require an app wrapper that directs enterprise data into a password-protected container and keeps personal data outside the container. Depending on the implementation, this may require two different versions of the same apps to be running on the device: one for personal data and another for enterprise data.
|
||||
|
||||
Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless.
|
||||
Windows Information Protection provides data separation without requiring a container or special version of an app to access business or personal data. There is no separate login required to see your corporate data or open your corporate applications. Windows Information Protection identifies enterprise data and encrypts it to only enterprise use. Data separation is automatic and seamless.
|
||||
|
||||
### <a href="" id="companion-devices"></a>Encryption
|
||||
|
||||
Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device.
|
||||
|
||||
You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices.
|
||||
- Cryptography
|
||||
- Cryptography
|
||||
- Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled.
|
||||
- TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections.
|
||||
- BitLocker
|
||||
- BitLocker
|
||||
- Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one.
|
||||
|
||||
To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello.
@ -218,7 +218,7 @@ UEFI can run internal integrity checks that verify the firmware’s digital sign
When a mobile device with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that no one has modified it after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing.
All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx)
All Windows 10 Mobile devices always have Secure Boot enabled. In addition, they trust only the Windows operating system signature. Neither Windows 10 Mobile, apps, or even malware can change the UEFI configuration. For more information about UEFI with Secure Boot, read [Protecting the pre-OS environment with UEFI](https://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx)
### <a href="" id="companion-devices"></a>Trusted Platform Module
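Review bot: the heading anchor in the trailing context of this hunk is mismatched: `<a href="" id="companion-devices"></a>Trusted Platform Module` carries an id that names a different topic, so any in-page link to the TPM section will land in the wrong place; use an id such as `trusted-platform-module`. In the changed line, the sentence ending with the "Protecting the pre-OS environment with UEFI" link has no terminating period, and "Neither Windows 10 Mobile, apps, or even malware" should be "Neither ... nor ...". The http to https change itself is correct.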
@ -264,7 +264,7 @@ In earlier versions of Windows, the biggest challenge with rootkits and bootkits
Windows 10 Mobile implements the Measured Boot feature, which uses the TPM hardware component to record a series of measurements for critical startup-related components, including firmware, Windows boot components, and drivers. Because Measured Boot uses the hardware-based security capabilities of TPM, which isolates and protects the measurement data against malware attacks, the log data is well protected against even sophisticated attacks.
Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health.
Measured Boot focuses on acquiring the measurement data and protecting it against tampering. To provide more complete security, it must be coupled with a service that can analyze the data to determine device health.
### <a href="" id="device-health-attestation"></a>Device Health Attestation
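Review bot: the removed and added copies of the line "Measured Boot focuses on acquiring the measurement data and protecting it against tampering..." are visually identical, so this hunk appears to change only whitespace or line endings; confirm that is intended, since it adds noise to the history without a visible fix.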
@ -327,7 +327,7 @@ You cannot configure CFG; rather, an application developer can take advantage of
### <a href="" id="protected-processes"></a>Protected Processes
Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required.
Unfortunately, no device is immune to malware. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, additional malware controls are required.
If malware is running on a system, you need to limit what it can do Protected Processes prevents untrusted processes from tampering with those that have been specially signed. Protected Processes defines levels of trust for processes: it prevents less trusted processes from interacting with and therefore attacking more trusted processes. Windows 10 Mobile uses Protected Processes broadly throughout the operating system.
### <a href="" id="appcontainer"></a>AppContainer
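Review bot: the context line "If malware is running on a system, you need to limit what it can do Protected Processes prevents untrusted processes from tampering..." is missing a sentence break; write "limit what it can do. Protected Processes prevents ...". Separately, the removed and added copies of the "Unfortunately, no device is immune to malware..." paragraph are identical, so that part of the hunk appears to be a whitespace-only change; confirm it is intended.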
@ -352,13 +352,13 @@ The combination of Device Guard and AppContainer help to prevent unauthorized ap
The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways:
- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability.
- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps.
- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design.
## Summary
Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace.
Windows 10 Mobile provides security on personal and corporate-owned devices to protect against unauthorized access, data leakage, and malware threats. All of the features covered in this paper – multifactor authentication, data separation, and malware resistance – are seamlessly incorporated into the operating system. This means enterprises are protected without compromising the productivity and ease of use that drives users to bring mobile devices into the workplace.
## Revision History
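Review bot: the first bullet of the Microsoft Edge list, "Microsoft Edge on Windows 10 Mobile does not support extensions. Microsoft Edge has built-in PDF viewing capability.", is introduced as one of the ways Edge "is more secure", but neither sentence says why; state the point explicitly, for example that no extension code runs inside the browser and PDFs are rendered without a third-party plug-in, so the attack surface is smaller. The removed and added copies of that bullet and of the Summary paragraph are identical, so those parts of the hunk appear to be whitespace-only; confirm they are intended.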
@ -210,7 +210,7 @@ To check out all the details, see [Configure Delivery Optimization for Windows 1
### Uninstalled in-box apps no longer automatically reinstall
Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process.
Additionally, apps de-provisioned by admins on Windows 10, version 1703 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10, version 1607 (or earlier) to version 1703.
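Review bot: the removed and added copies of "Starting with Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall..." are identical, so this hunk appears to change only whitespace; confirm it is intended, and if a file header for this second document was dropped, restore it so the hunk is attributable to the right file.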
@ -234,7 +234,7 @@ Some of the other new CSPs are:
- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
IT pros can use the new [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents.
[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
@ -244,7 +244,7 @@ The Windows version of mobile application management (MAM) is a lightweight solu
For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management).
### MDM diagnostics
### MDM diagnostics
In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
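Review bot: the removed and added copies of the "### MDM diagnostics" heading are identical, so this hunk appears to change only whitespace; confirm it is intended. The Microsoft Message Analyzer download link in the context line already uses https, so nothing else in this region needs changing.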
@ -314,7 +314,7 @@ Miracast over Infrastructure offers a number of benefits:
Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
### Enabling Miracast over Infrastructure
### Enabling Miracast over Infrastructure
If you have a device that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
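Review bot: the removed and added copies of the "### Enabling Miracast over Infrastructure" heading are identical, so this hunk appears to change only whitespace; confirm it is intended.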
@ -322,8 +322,8 @@ If you have a device that has been updated to Windows 10, version 1703, then you
- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*.
- As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
- As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname.
- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
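Review bot: the requirement list in this hunk is internally inconsistent: the bullet "As a Miracast source, the PC or phone must be connected to the same enterprise network..." appears only on the removed side, while "Windows 10 PCs must be connected to the same enterprise network..." survives on the added side, yet the unchanged context bullet still says "A Windows PC or phone can act as a Miracast over Infrastructure *source*." If phones are being dropped as sources, update that context bullet too; if not, keep the source requirement for phones. The receiver bullet's statement that Miracast over Infrastructure disables itself on an open Wi-Fi connection (WPA2-PSK or WPA2-Enterprise required) is the security-relevant condition here and should stay as written.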
@ -334,7 +334,7 @@ The following new features aren't part of Windows 10, but help you make the most
Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following topics:
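Review bot: the sentence "The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing." in both the removed and added lines is a run-on; insert "and" (or a semicolon) before "the development of new features". Since the two copies are otherwise identical, this hunk appears to be a whitespace-only change; confirm it is intended.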