From b5b2360aec9c39a0468dedf60f3dcd71f7b64f7e Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 10 Aug 2017 14:14:01 -0700 Subject: [PATCH 1/4] update proxy list --- ...xy-internet-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index ab5af4aee7..9710d5a35b 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -82,8 +82,8 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec Service location | .Microsoft.com DNS record :---|:--- - US |```*.blob.core.windows.net```
```crl.microsoft.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` -Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
+ US |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` +Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. From 01d8c1029745dc12a99c3df82679b0e1f6630006 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Mon, 14 Aug 2017 12:19:51 -0700 Subject: [PATCH 2/4] Move cred guard topic from manage cg to requirements doc. Add content to Remote Cred Guard --- .../credential-guard/credential-guard-manage.md | 9 --------- .../credential-guard-requirements.md | 13 +++++++++++++ .../access-protection/remote-credential-guard.md | 13 ++++++++----- .../deploy-managed-installer-for-device-guard.md | 2 +- 4 files changed, 22 insertions(+), 15 deletions(-) diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index 67a4d93402..79307f8a3e 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md @@ -100,15 +100,6 @@ You can also enable Credential Guard by using the [Device Guard and Credential G DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot ``` -### Credential Guard deployment in virtual machines - -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. - -#### Requirements for running Credential Guard in Hyper-V virtual machines - -- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. - ### Review Credential Guard performance **Is Credential Guard running?** diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md index 789d0e690d..443e6e1167 100644 --- a/windows/access-protection/credential-guard/credential-guard-requirements.md +++ b/windows/access-protection/credential-guard/credential-guard-requirements.md @@ -35,6 +35,19 @@ The Virtualization-based security requires: - CPU virtualization extensions plus extended page tables - Windows hypervisor +### Credential Guard deployment in virtual machines + +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. + +#### Requirements for running Credential Guard in Hyper-V virtual machines + +- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10. + +For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/) + +For information about Remote Credential Guard hardware and software requirements, see [Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements) + ## Application requirements When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index 0ae8111073..b53a7213e7 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -47,12 +47,15 @@ Use the following table to compare different security options for Remote Desktop ## Hardware and software requirements -The Remote Desktop client and server must meet the following requirements in order to use Remote Credential Guard: +To use Remote Credential Guard, the Remote Desktop client and server must meet the following requirements: -- They must be joined to an Active Directory domain - - Both devices must either joined to the same domain or the Remote Desktop server must be joined to a domain with a trust relationship to the client device's domain. -- They must use Kerberos authentication. -- They must be running at least Windows 10, version 1607 or Windows Server 2016. +- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703. + +> [!NOTE] +> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain. + +- For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication +- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016. - The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard. ## Enable Remote Credential Guard diff --git a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md index fcd0f46670..f5754dfb28 100644 --- a/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md +++ b/windows/device-security/device-guard/deploy-managed-installer-for-device-guard.md @@ -10,7 +10,7 @@ author: mdsakibMSFT # Deploy Managed Installer for Device Guard -Creating and maintaining application execution control policies has always been challenging and options for addressing this has been a frequently cited request for customers of AppLocker and Device Guard’s [configurable code integrity (CI)](device-guard-deployment-guide.md). +Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Device Guard [configurable code integrity (CI)](device-guard-deployment-guide.md). This is especially true for enterprises with large, ever changing software catalogs. Windows 10, version 1703 (also known as the Windows 10 Creators Update) provides a new option, known as a managed installer, that allows IT administrators to automatically authorize applications deployed and installed by a designated software distribution solution, such as System Center Configuration Manager. From f5fc54060af7824ff380557920e1839009d5b6e9 Mon Sep 17 00:00:00 2001 From: Elizabeth Ross Date: Mon, 14 Aug 2017 20:07:04 +0000 Subject: [PATCH 3/4] Merged PR 2709: Updated to add Group Policy and clarify the registry steps --- .../block-untrusted-fonts-in-enterprise.md | 90 +++++++++++++------ 1 file changed, 63 insertions(+), 27 deletions(-) diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md index e854d43efb..ebec2a5082 100644 --- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -8,10 +8,13 @@ ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: eross-msft +ms.author: lizross +ms.date: 08/14/2017 ms.localizationpriority: high --- # Block untrusted fonts in an enterprise + **Applies to:** - Windows 10 @@ -46,19 +49,44 @@ After you turn this feature on, your employees might experience reduced function - Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office. ## Turn on and use the Blocking Untrusted Fonts feature +Use Group Policy or the registry to turn this feature on, off, or to use audit mode. + +**To turn on and use the Blocking Untrusted Fonts feature through Group Policy** +1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. + +2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**: + + - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + + - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + + - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + +3. Click **OK**. + +**To turn on and use the Blocking Untrusted Fonts feature through the registry** To turn this feature on, off, or to use audit mode: 1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`. 2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**. -3. Update the **Value data** of the **MitigationOptions** key, making sure you keep your existing value, like in the important note below: +3. Right click on the **MitigationOptions** key, and then click **Modify**. + + The **Edit QWORD (64-bit) Value** box opens. + +4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below: - **To turn this feature on.** Type **1000000000000**. - - **To turn this feature off.** Type **2000000000000**. - - **To audit with this feature.** Type **3000000000000**.

**Important**
Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  -4. Restart your computer. + - **To turn this feature off.** Type **2000000000000**. + + - **To audit with this feature.** Type **3000000000000**. + + >[!Important] + >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.  + +4. Restart your computer. ## View the event log After you turn this feature on, or start using Audit mode, you can look at your event logs for details. @@ -68,27 +96,33 @@ After you turn this feature on, or start using Audit mode, you can look at your 1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**. 2. Scroll down to **EventID: 260** and review the relevant events. -

-**Event Example 1 - MS Word**
-WINWORD.EXE attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: true

-**Note**
Because the **FontType** is *Memory*, there’s no associated **FontPath.** -

-**Event Example 2 - Winlogon**
-Winlogon.exe attempted loading a font that is restricted by font loading policy.
-FontType: File
-FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
-Blocked: true

-**Note**
Because the **FontType** is *File*, there’s also an associated **FontPath.** -

-**Event Example 3 - Internet Explorer running in Audit mode**
-Iexplore.exe attempted loading a font that is restricted by font loading policy.
-FontType: Memory
-FontPath:
-Blocked: false

-**Note**
In Audit mode, the problem is recorded, but the font isn’t blocked. + + **Event Example 1 - MS Word**
+ WINWORD.EXE attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *Memory*, there’s no associated **FontPath**. + + **Event Example 2 - Winlogon**
+ Winlogon.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: File
+ FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
+ Blocked: true + + >[!NOTE] + >Because the **FontType** is *File*, there’s also an associated **FontPath**. + + **Event Example 3 - Internet Explorer running in Audit mode**
+ Iexplore.exe attempted loading a font that is restricted by font-loading policy.
+ FontType: Memory
+ FontPath:
+ Blocked: false + + >[!NOTE] + >In Audit mode, the problem is recorded, but the font isn’t blocked. ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. @@ -101,12 +135,14 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa **To fix your apps by excluding processes** -1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. +1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature). +2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.   +## Related content +- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)   From cf1019b14823a4a57485923fe6abdd4d4e23bba6 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Mon, 14 Aug 2017 22:05:59 +0000 Subject: [PATCH 4/4] Merged PR 2714: BitLocker CSP updated with ADMX-backed policies information --- .../client-management/mdm/bitlocker-csp.md | 303 ++++++++++++++++-- ...ew-in-windows-mdm-enrollment-management.md | 7 +- .../policy-configuration-service-provider.md | 26 +- .../mdm/policy-csp-bitlocker.md | 30 +- 4 files changed, 330 insertions(+), 36 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 82a438d517..979c1f9105 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 07/06/2017 +ms.date: 08/14/2017 --- # BitLocker CSP @@ -91,8 +91,38 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

-**EncryptionMethodByDriveType** -

Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).

+**EncryptionMethodByDriveType** +

Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name: *Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)*
    • +
  • GP name: *EncryptionMethodWithXts_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

@@ -140,7 +170,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**SystemDrivesRequireStartupAuthentication** -

This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).

+

This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name: *Require additional authentication at startup*
    • +
  • GP name: *ConfigureAdvancedStartup_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.

@@ -204,7 +264,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**SystemDrivesMinimumPINLength** -

This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).

+

This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name:*Configure minimum PIN length for startup*
    • +
  • GP name: *MinimumPINLength_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

@@ -239,6 +329,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryMessage**

This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name: *Configure pre-boot recovery message and URL*
    • +
  • GP name: *PrebootRecoveryInfo_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.

@@ -290,6 +410,36 @@ The following diagram shows the BitLocker configuration service provider in tree **SystemDrivesRecoveryOptions**

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name: *Choose how BitLocker-protected operating system drives can be recovered*
    • +
  • GP name: *OSRecoveryUsage_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption/Operating System Drives*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

@@ -357,7 +507,37 @@ The following diagram shows the BitLocker configuration service provider in tree

Data type is string. Supported operations are Add, Get, Replace, and Delete.

**FixedDrivesRecoveryOptions** -

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).

+

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name: *Choose how BitLocker-protected fixed drives can be recovered*
    • +
  • GP name: *FDVRecoveryUsage_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

@@ -427,6 +607,36 @@ The following diagram shows the BitLocker configuration service provider in tree **FixedDrivesRequireEncryption**

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name: *Deny write access to fixed drives not protected by BitLocker*
    • +
  • GP name: *FDVDenyWriteAccess_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption/Fixed Drives*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

@@ -459,6 +669,36 @@ The following diagram shows the BitLocker configuration service provider in tree **RemovableDrivesRequireEncryption**

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

+ + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcross markcross mark
+

ADMX Info:

+
    +
  • GP English name: *Deny write access to removable drives not protected by BitLocker*
    • +
  • GP name: *RDVDenyWriteAccess_Name*
    • +
  • GP path: *Windows Components/Bitlocker Drive Encryption/Removeable Drives*
    • +
  • GP ADMX file name: *VolumeEncryption.admx*
    • +
+ +> [!Tip] +> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).

This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

@@ -500,6 +740,31 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +**AllowWarningForOtherDiskEncryption** + +

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

+ +

The following list shows the supported values:

+ +- 0 – Disables the warning prompt. +- 1 (default) – Warning prompt allowed. + +

Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

+ +``` syntax + + 110 + + + ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption + + + int + + 0 + + +``` ### SyncML example @@ -664,29 +929,3 @@ The following example is provided to show proper format and should not be taken ``` - -**AllowWarningForOtherDiskEncryption** - -

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

- -

The following list shows the supported values:

- -- 0 – Disables the warning prompt. -- 1 (default) – Warning prompt allowed. - -

Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

- -``` syntax - - 110 - - - ./Device/Vendor/MSFT/BitLocker/AllowWarningForOtherDiskEncryption - - - int - - 0 - - -``` \ No newline at end of file diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 7d908c4910..b84fdaa3fa 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/11/2017 +ms.date: 08/14/2017 --- # What's new in MDM enrollment and management @@ -1364,6 +1364,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Provider/_ProviderID_/EnrollmentInfo
    • + +[BitLocker CSP](bitlocker-csp.md) +Added information to the ADMX-backed policies. + [Policy CSP](policy-configuration-service-provider.md)

    Added the following new policies for Windows 10, version 1709:

    @@ -1394,6 +1398,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations

    • Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.

    +

    Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).

    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 23d468a09d..e8a815b1ca 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/04/2017 +ms.date: 08/14/2017 --- # Policy CSP @@ -338,6 +338,30 @@ The following diagram shows the Policy configuration service provider in tree fo
    Bitlocker/EncryptionMethod
    +
    + BitLocker/EncryptionMethodByDriveType in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/FixedDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/RemovableDrivesRequireEncryption in BitLocker CSP +
    +
    + BitLocker/SystemDrivesMinimumPINLength in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryMessage in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRecoveryOptions in BitLocker CSP +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication in BitLocker CSP +
    ### Bluetooth policies diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 70e825b78a..ea9430a79c 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -58,6 +58,33 @@ ms.date: 08/09/2017 - 6 - XTS-AES 128-bit (Desktop only) - 7 - XTS-AES 256-bit (Desktop only) +

    You can find the following policies in BitLocker CSP: +

    +
    + BitLocker/EncryptionMethodByDriveType +
    +
    + BitLocker/FixedDrivesRecoveryOptions +
    +
    + BitLocker/FixedDrivesRequireEncryption +
    +
    + BitLocker/RemovableDrivesRequireEncryption +
    +
    + BitLocker/SystemDrivesMinimumPINLength +
    +
    + BitLocker/SystemDrivesRecoveryMessage +
    +
    + BitLocker/SystemDrivesRecoveryOptions +
    +
    + BitLocker/SystemDrivesRequireStartupAuthentication +
    +
    @@ -68,5 +95,4 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - - + \ No newline at end of file