From cccf8f2be8c905b76086f3a9de5aed45305f3548 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 8 Sep 2016 17:21:37 -0700 Subject: [PATCH 1/5] Added an example in its own section near the end --- ...ntegrity-policies-policy-rules-and-file-rules.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md index a071720d2c..e61e798a6f 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md @@ -25,6 +25,7 @@ This topic includes the following sections: - [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics. - [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy. - [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted. +- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied. ## Overview of the process of creating code integrity policies 
@@ -97,8 +98,18 @@ Table 3. Code integrity policy - file rule levels > **Note**  When you create code integrity policies with the [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate. +## Example of file rule levels in use + +For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run. + +To create the code integrity policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge code integrity policies into the original policy to allow that additional software to run. Then they enable the code integrity policy in enforced mode for their servers. 
+ +As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their code integrity policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the code integrity policy so that the hash in the policy matches the hash of the updated internal application. + +They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by code integrity policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required). + + ## Related topics - [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) - [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) - From 02ac768fa1d3e161e6b9c388ad653dae5360fa70 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Thu, 8 Sep 2016 18:09:23 -0700 Subject: [PATCH 2/5] Added a link or folded in add'l info --- windows/keep-secure/active-directory-security-groups.md | 3 +++ windows/keep-secure/dynamic-access-control.md | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/keep-secure/active-directory-security-groups.md index 0bf7a79a16..552c86b75a 100644 --- a/windows/keep-secure/active-directory-security-groups.md +++ b/windows/keep-secure/active-directory-security-groups.md 
@@ -2231,6 +2231,7 @@ The Key Admins group applies to versions of the Windows Server operating system | Default members | None | | Default member of | None | | Protected by ADMINSDHOLDER? | No | +| Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | @@ -3351,6 +3352,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv | Default members | None | | Default member of | None | | Protected by ADMINSDHOLDER? | No | +| Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | @@ -3371,6 +3373,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper | Default members | Users | | Default member of | None | | Protected by ADMINSDHOLDER? | No | +| Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | diff --git a/windows/keep-secure/dynamic-access-control.md b/windows/keep-secure/dynamic-access-control.md index 643a78aa1c..466562cc90 100644 --- a/windows/keep-secure/dynamic-access-control.md +++ b/windows/keep-secure/dynamic-access-control.md 
@@ -16,7 +16,7 @@ This overview topic for the IT professional describes Dynamic Access Control and Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources. -For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). +For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/windows-server-docs/identity/solution-guides/dynamic-access-control--scenario-overview). Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes. 
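Review bot: In the three active-directory-security-groups.md hunks of [PATCH 2/5], the added row "Safe to move out of default container? | Yes" carries the same value for Key Admins, Storage Replica Administrators and System Managed Accounts, and the commit message ("Added a link or folded in add'l info") gives no source for it. Please confirm the value for each group individually and name the source in the commit message. The subject line should also say which rows and which link were added, since the commit touches two unrelated topics.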
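Review bot: In the dynamic-access-control.md hunk of [PATCH 2/5], the new "For more detailed examples of Dynamic Access Control in use, see ..." sentence is appended to the end of an already long paragraph, where a cross-reference is easy to miss. Suggest giving it its own short paragraph after the examples. Also check that the link target resolves: the slug "dynamic-access-control--scenario-overview" contains a double hyphen, which is worth verifying rather than assuming.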
From 6cbf1eb33b39d466eb4d90abed7bbe7108f97c4e Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Fri, 9 Sep 2016 12:26:20 -0700 Subject: [PATCH 3/5] Added new topic on using MS Forms to create tests and added link from parent topic --- .../create-tests-using-microsoft-forms.md | 29 +++++++++++++++++++ education/windows/take-tests-in-windows-10.md | 7 ++--- 2 files changed, 32 insertions(+), 4 deletions(-) create mode 100644 education/windows/create-tests-using-microsoft-forms.md diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md new file mode 100644 index 0000000000..0d25a2780c --- /dev/null +++ b/education/windows/create-tests-using-microsoft-forms.md 
@@ -0,0 +1,29 @@ +--- +title: Create tests using Microsoft Forms +description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while complete a test. +keywords: school, Take a Test, Microsoft Forms +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +author: CelesteDG +--- + +# Create tests using Microsoft Forms +**Applies to:** + +- Windows 10 + + +For schools that have an Office 365 Education subscription, teachers can use [Microsoft Forms](https://support.office.com/article/What-is-Microsoft-Forms-6b391205-523c-45d2-b53a-fc10b22017c8) to create a test and then require that students use the Take a Test app to block access to other computers or online resources while completing the test created through Microsoft Forms. + +To do this, teachers can select a check box to make it a secure test. Microsoft Forms will generate a link that you can use to embed into your OneNote or class website. When students are ready to take a test, they can click on the link to start the test. + +Microsoft Forms will perform checks to ensure students are taking the test in a locked down Take a Test session. If not, students are not permitted access to the assessment. + +[Learn how block Internet access while students complete your form](https://support.office.com/article/6bd7e31d-5be0-47c9-a0dc-c0a74fc48959) + + +## Related topics + +[Take tests in Windows 10](take-tests-in-windows-10.md) diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md index 6bf51bf7b2..40850cf578 100644 --- a/education/windows/take-tests-in-windows-10.md +++ b/education/windows/take-tests-in-windows-10.md @@ -9,7 +9,7 @@ ms.pagetype: edu author: jdeckerMS --- -# Take tests in Windows 10 +# Take tests in Windows 10 **Applies to:** - Windows 10 
@@ -42,7 +42,6 @@ Many schools use online testing for formative and summative assessments. It's cr ## Related topics +[Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) + [Take a Test app technical reference](take-a-test-app-technical.md) - - - From 0a1f5427c6b0de4fe95d0b15c623ac231b5ba429 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Fri, 9 Sep 2016 12:41:25 -0700 Subject: [PATCH 4/5] updated the TOC to include new topic --- education/windows/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/windows/TOC.md b/education/windows/TOC.md index b88d81df41..3f702ad3cc 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -12,9 +12,9 @@ ## [Take tests in Windows 10 ](take-tests-in-windows-10.md) ### [Set up Take a Test on a single PC ](take-a-test-single-pc.md) ### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md) +### [Create tests using Microsoft Forms ](create-tests-using-microsoft-forms.md) ### [Take a Test app technical reference ](take-a-test-app-technical.md) ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) ## [Chromebook migration guide](chromebook-migration-guide.md) - From 4c0e13418e312c2cd97c4167d4dc663246ffb027 Mon Sep 17 00:00:00 2001 From: Celeste de Guzman Date: Fri, 9 Sep 2016 12:53:35 -0700 Subject: [PATCH 5/5] updated the toc --- education/windows/TOC.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 3f702ad3cc..5011faf996 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md 
@@ -9,11 +9,11 @@ ## [Get Minecraft Education Edition](get-minecraft-for-education.md) ### [For teachers: get Minecraft Education Edition](teacher-get-minecraft.md) ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md) -## [Take tests in Windows 10 ](take-tests-in-windows-10.md) -### [Set up Take a Test on a single PC ](take-a-test-single-pc.md) -### [Set up Take a Test on multiple PCs ](take-a-test-multiple-pcs.md) -### [Create tests using Microsoft Forms ](create-tests-using-microsoft-forms.md) -### [Take a Test app technical reference ](take-a-test-app-technical.md) +## [Take tests in Windows 10](take-tests-in-windows-10.md) +### [Set up Take a Test on a single PC](take-a-test-single-pc.md) +### [Set up Take a Test on multiple PCs](take-a-test-multiple-pcs.md) +### [Create tests using Microsoft Forms](create-tests-using-microsoft-forms.md) +### [Take a Test app technical reference](take-a-test-app-technical.md) ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
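Review bot: In the "Example of file rule levels in use" section added by [PATCH 1/5], the text says **-Fallback Hash** is used "to allow the internal, unsigned application", but the Note just above it in the same hunk says the Hash fallback "adds the hash values of binaries that did not have a signing certificate", which means every unsigned binary found on the reference server is allowed, not only that one application. Suggest stating this in the second paragraph and adding that the reference server should hold no unsigned software the team does not intend to trust. Two smaller points: the closing "(no restarts would be required)" implies a contrast with updating the policy itself that the section never states, so say it outright or drop the parenthetical; and "internally-written" in the third paragraph is spelled "internally written" in the first.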
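Review bot: In the new file create-tests-using-microsoft-forms.md from [PATCH 3/5], the front-matter description ends "while complete a test", which has no subject, and the link text "Learn how block Internet access while students complete your form" is missing "to". Suggest "while students complete a test" and "Learn how to block Internet access ...". The second paragraph also switches from "teachers can select a check box" to "a link that you can use" in consecutive sentences, so pick one form of address. The sentence on the locked-down session check says students "are not permitted access" without saying what they see instead, and one clause on that would help a teacher troubleshooting a failed launch.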
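Review bot: [PATCH 5/5] strips the trailing space inside the link text of five TOC entries, and one of them, "[Create tests using Microsoft Forms ]", was only introduced with that trailing space in [PATCH 4/5]. Squash the two commits so the new entry is added clean and the whitespace fix to the four existing entries stands as its own change. Both subjects ("updated the TOC to include new topic", "updated the toc") would be clearer if the second said that it removes trailing spaces from link text.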