mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-13 13:57:22 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into sh-7986263
This commit is contained in:
Trudy Hakala
commit
fa8cc5c9eb
@ -43,7 +43,7 @@ The Surface Dock firmware update process shown in Figure 1 follows these steps:
|
||||
|
||||
8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply.
|
||||
|
||||
|
||||
|
||||
|
||||
*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater*
|
||||
|
||||
|
||||
@ -39,9 +39,9 @@ You will also find detailed information about the firmware of your Surface devic
|
||||
|
||||
- Touch Firmware
|
||||
|
||||
*Figure 1. System information and firmware version information*
|
||||
|
||||
|
||||
|
||||
*Figure 1. System information and firmware version information*
|
||||
|
||||
You can find up-to-date information about the latest firmware version for your Surface device in the [Surface Update History](https://www.microsoft.com/surface/en-us/support/install-update-activate/surface-update-history) for your device.
|
||||
|
||||
@ -59,21 +59,21 @@ On the **Security** page of Surface UEFI settings, you can set a password to pro
|
||||
|
||||
The password must be at least 6 characters and is case sensitive.
|
||||
|
||||
*Figure 2. Add a password to protect Surface UEFI settings*
|
||||
|
||||
|
||||
|
||||
*Figure 2. Add a password to protect Surface UEFI settings*
|
||||
|
||||
On the **Security** page you can also change the configuration of Secure Boot on your Surface device. Secure Boot technology prevents unauthorized boot code from booting on your Surface device, which protects against bootkit and rootkit-type malware infections. You can disable Secure Boot to allow your Surface device to boot third-party operating systems or bootable media. You can also configure Secure Boot to work with third-party certificates, as shown in Figure 3. Read more about [Secure Boot](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/secure-boot-overview) in the TechNet Library.
|
||||
|
||||
*Figure 3. Configure Secure Boot*
|
||||
|
||||
|
||||
|
||||
*Figure 3. Configure Secure Boot*
|
||||
|
||||
You can also enable or disable the Trusted Platform Module (TPM) device on the **Security** page, as shown in Figure 4. The TPM is used to authenticate encryption for your device’s data with BitLocker. Read more about [BitLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview) in the TechNet Library.
|
||||
|
||||
*Figure 4. Configure Surface UEFI security settings*
|
||||
|
||||
|
||||
|
||||
*Figure 4. Configure Surface UEFI security settings*
|
||||
|
||||
##Devices
|
||||
|
||||
@ -95,9 +95,9 @@ On the **Devices** page you can enable or disable specific devices and component
|
||||
|
||||
Each device is listed with a slider button that you can move to **On** (enabled) or **Off** (disabled) position, as shown in Figure 5.
|
||||
|
||||
*Figure 5. Enable and disable specific devices*
|
||||
|
||||
|
||||
|
||||
*Figure 5. Enable and disable specific devices*
|
||||
|
||||
##Boot configuration
|
||||
|
||||
@ -115,9 +115,9 @@ You can boot from a specific device immediately, or you can swipe left on that d
|
||||
|
||||
For the specified boot order to take effect, you must set the **Enable Alternate Boot Sequence** option to **On**, as shown in Figure 6.
|
||||
|
||||
*Figure 6. Configure the boot order for your Surface device*
|
||||
|
||||
|
||||
|
||||
*Figure 6. Configure the boot order for your Surface device*
|
||||
|
||||
You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE Network Boot** option, for example when performing a Windows deployment using PXE where the PXE server is configured for IPv4 only.
|
||||
|
||||
@ -125,14 +125,14 @@ You can also turn on and off IPv6 support for PXE with the **Enable IPv6 for PXE
|
||||
|
||||
The **About** page displays regulatory information, such as compliance with FCC rules, as shown in Figure 7.
|
||||
|
||||
*Figure 7. Regulatory information is displayed on the About page*
|
||||
|
||||
|
||||
|
||||
*Figure 7. Regulatory information displayed on the About page*
|
||||
|
||||
##Exit
|
||||
|
||||
Use the **Restart Now** button on the **Exit** page to exit UEFI settings, as shown in Figure 8.
|
||||
|
||||
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
|
||||
|
||||
|
||||
|
||||
*Figure 8. Click Restart Now to exit Surface UEFI and restart the device*
|
||||
|
||||
@ -65,24 +65,24 @@ After the creation tool is installed, follow these steps to create a Microsoft S
|
||||
|
||||
3. Click **Start** to acknowledge that you have a USB stick of at least 4 GB connected, as shown in Figure 1.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 1. Start the Microsoft Surface Data Eraser tool
|
||||
*Figure 1. Start the Microsoft Surface Data Eraser tool*
|
||||
|
||||
4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
|
||||
>**Note:** If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 2. USB thumb drive selection
|
||||
*Figure 2. USB thumb drive selection*
|
||||
|
||||
5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
|
||||
|
||||
6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 3. Complete the Microsoft Surface Data Eraser USB creation process
|
||||
*Figure 3. Complete the Microsoft Surface Data Eraser USB creation process*
|
||||
|
||||
7. Click **X** to close Microsoft Surface Data Eraser.
|
||||
|
||||
@ -105,9 +105,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
|
||||
|
||||
3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 4. Booting the Microsoft Surface Data Eraser USB stick
|
||||
*Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
|
||||
|
||||
4. Read the software license terms, and then close the notepad file.
|
||||
|
||||
@ -123,9 +123,9 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
|
||||
|
||||
7. If you typed **S** to begin the data erase process, the partition that will be erased is displayed, as shown in Figure 5. If this is correct, press **Y** to continue, or **N** to shut down the device.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser
|
||||
*Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
|
||||
|
||||
8. If you pressed **Y** in step 7, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
|
||||
|
||||
|
||||
@ -60,7 +60,7 @@ The following steps show you how to create a deployment share for Windows 10 th
|
||||
>**Note:** As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
|
||||
* Deployment tools
|
||||
* User State Migration Tool (USMT)
|
||||
* Windows Preinstallation Environment (WinPE)</br>
|
||||
* Windows Preinstallation Environment (WinPE)</br></br>
|
||||
|
||||
>**Note:** As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
|
||||
|
||||
@ -116,7 +116,7 @@ The following steps show you how to create a deployment share for Windows 10 th
|
||||
|
||||
|
||||
|
||||
*Figure 5. The **Installation Progress** window*
|
||||
*Figure 5. The Installation Progress window*
|
||||
|
||||
8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
|
||||
|
||||
@ -250,7 +250,7 @@ After you have prepared the USB drive for boot, the next step is to generate off
|
||||
|
||||
|
||||
|
||||
*Figure 12. Select the **Update Media Content** option*
|
||||
*Figure 12. Select the Update Media Content option*
|
||||
|
||||
22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
|
||||
|
||||
@ -358,7 +358,7 @@ To run the Deploy Microsoft Surface task sequence:
|
||||
|
||||
|
||||
|
||||
*Figure 15. Select the **1 – Deploy Microsoft Surface** task sequence*
|
||||
*Figure 15. Select the 1 – Deploy Microsoft Surface task sequence*
|
||||
|
||||
2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
|
||||
|
||||
@ -378,7 +378,7 @@ To run the Deploy Microsoft Surface task sequence:
|
||||
|
||||
|
||||
|
||||
*Figure 17. The **Installation Progress** window*
|
||||
*Figure 17. The Installation Progress window*
|
||||
|
||||
8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
|
||||
|
||||
|
||||
@ -34,15 +34,15 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
|
||||
|
||||
- If the tool determines that the firmware of your Surface Dock is up to date, a **You have the latest firmware for this Surface Dock** message is displayed, as shown in Figure 1.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 1. Your Surface Dock firmware is up to date.
|
||||
*Figure 1. Your Surface Dock firmware is up to date*
|
||||
|
||||
- If Microsoft Surface Dock Updater determines that the firmware of your Surface Dock is not up to date, a **This Surface Dock is not running the latest firmware** message is displayed, as shown in Figure 2.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 2. Your Surface Dock firmware needs to be updated
|
||||
*Figure 2. Your Surface Dock firmware needs to be updated*
|
||||
|
||||
3. To begin the firmware update process, click **Update** on the **Surface Dock Firmware** page.
|
||||
|
||||
@ -50,27 +50,27 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
|
||||
|
||||
5. As the firmware update is uploaded to the Surface Dock, a **Progress** page is displayed, as shown in Figure 3. Do not disconnect the Surface Dock while firmware is being uploaded.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 3. Progress of firmware update upload to Surface Dock
|
||||
*Figure 3. Progress of firmware update upload to Surface Dock*
|
||||
|
||||
6. After the firmware update has successfully uploaded to the Surface Dock, you are prompted to disconnect and then reconnect the Surface Dock from the Surface device, as shown in Figure 4. The main chipset firmware update will be applied while the Surface Dock is disconnected.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 4. Disconnect and reconnect Surface Dock when prompted
|
||||
*Figure 4. Disconnect and reconnect Surface Dock when prompted*
|
||||
|
||||
7. When the main chipset firmware update is verified, the DisplayPort chipset firmware update will be uploaded to the Surface Dock. Upon completion, a **Success** page is displayed and you will again be prompted to disconnect the Surface Dock, as shown in Figure 5.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 5. Successful upload of Surface Dock firmware
|
||||
*Figure 5. Successful upload of Surface Dock firmware*
|
||||
|
||||
8. After you disconnect the Surface Dock the DisplayPort firmware update will be installed. This process occurs on the Surface Dock hardware while it is disconnected. The Surface Dock must remain powered for up to 3 minutes after it has been disconnected for the firmware update to successfully install. An **Update in Progress** page is displayed (as shown in Figure 6), with a countdown timer to show the estimated time remaining to complete the firmware update installation.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 6. Countdown timer to complete firmware installation on Surface Dock
|
||||
*Figure 6. Countdown timer to complete firmware installation on Surface Dock*
|
||||
|
||||
9. If you want to update multiple Surface Docks in one sitting, you can click the **Update another Surface Dock** button to begin the process on the next Surface Dock.
|
||||
|
||||
@ -83,9 +83,9 @@ To update a Surface Dock with Microsoft Surface Dock Updater, follow these steps
|
||||
|
||||
If the Surface Dock firmware update process encounters an installation error with either firmware update, the **Encountered an unexpected error** page may be displayed, as shown in Figure 7.
|
||||
|
||||
|
||||
|
||||
|
||||
Figure 7. Firmware update installation has encountered an error
|
||||
*Figure 7. Firmware update installation has encountered an error*
|
||||
|
||||
Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in Figure 8. If you need to troubleshoot an update through this tool, you will find Surface Dock events recorded with the following event IDs:
|
||||
|
||||
@ -97,9 +97,9 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in
|
||||
| 12105 | Error |
|
||||
|
||||
|
||||
Figure 8. Surface Dock Updater events in Event Viewer
|
||||
|
||||
|
||||
|
||||
*Figure 8. Surface Dock Updater events in Event Viewer*
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
@ -27,6 +27,7 @@
|
||||
#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
|
||||
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
|
||||
## [VPN profile options](vpn-profile-options.md)
|
||||
## [Windows security baselines](windows-security-baselines.md)
|
||||
## [Security technologies](security-technologies.md)
|
||||
### [Access Control Overview](access-control.md)
|
||||
#### [Dynamic Access Control Overview](dynamic-access-control.md)
|
||||
@ -679,7 +680,6 @@
|
||||
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
|
||||
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
|
||||
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
|
||||
<!--##### [Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
|
||||
##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
|
||||
##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
|
||||
##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
|
||||
|
||||
@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|
||||
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Added an update about needing to reconfigure your enterprise data protection app rules after delivery of the June service update. |
|
||||
| [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md) (multiple topics) | New |
|
||||
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) (mutiple topics) | New security monitoring reference topics |
|
||||
| [Windows security baselines](windows-security-baselines.md) | New |
|
||||
|
||||
## May 2016
|
||||
|
||||
|
||||
@ -27,6 +27,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
|
||||
| [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. |
|
||||
| [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
|
||||
| [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
|
||||
| [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. |
|
||||
| [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. |
|
||||
| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |
|
||||
|
||||
|
||||
56
windows/keep-secure/windows-security-baselines.md
Normal file
56
windows/keep-secure/windows-security-baselines.md
Normal file
@ -0,0 +1,56 @@
|
||||
---
|
||||
title: Windows security baselines (Windows 10)
|
||||
description: Use this topic to learn what security baselines are and how you can use them in your organization to help keep your devices secure.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
author: brianlic-msft
|
||||
---
|
||||
|
||||
# Windows security baselines
|
||||
|
||||
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
|
||||
|
||||
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Mirosoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
|
||||
|
||||
## What are security baselines?
|
||||
|
||||
Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization. For example, an e-commerce company may focus on protecting their Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is a need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
|
||||
|
||||
A security baseline is a collection of settings that have a security impact and include Microsoft’s recommended value for configuring those settings along with guidance on the security impact of those settings. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and
|
||||
customers.
|
||||
|
||||
## Why are security baselines needed?
|
||||
|
||||
Security baselines are an essential benefit to customers because they bring together expert knowlege from Microsoft, partners, and customers.
|
||||
|
||||
For example, there are over 3,000 Group Policy settings for Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of those 3,800 settings, only some of them are security-related. While Microsoft provides extensive guidance on different security features, going through each of them can take a long time. You would have to determine the security impact of each setting on your own. After you've done that, you still need to determine what values each of these settings should be.
|
||||
|
||||
In modern organizations, the security threat landscape is constantly evolving. IT pros and policy makers must keep current with security threats and changes to Windows security settings to help mitigate these threats.
|
||||
|
||||
To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
|
||||
|
||||
## How can you use security baselines?
|
||||
|
||||
You can use security baselines to:
|
||||
|
||||
- Ensure that user and device configuration settings are compliant with the baseline.
|
||||
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
|
||||
|
||||
|
||||
## Where can I get the security baselines?
|
||||
|
||||
Here's a list of security baselines that are currently available.
|
||||
|
||||
> **Note:** If you want to know what has changed with each security baseline, or if you want to stay up-to-date on what’s happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
|
||||
|
||||
### Windows 10 security baselines
|
||||
|
||||
- [Windows 10, Version 1511 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799381)
|
||||
- [Windows 10, Version 1507 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799380)
|
||||
|
||||
### Windows Server security baselines
|
||||
|
||||
- [Windows Server 2012 R2 security baseline](http://go.microsoft.com/fwlink/p/?LinkID=799382)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user