What's new in Windows 10 Enterprise 2015 LTSC

Applies to

  • Windows 10 Enterprise 2015 LTSC

This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see Windows 10 Enterprise LTSC.

Note

Features in Windows 10 Enterprise 2015 LTSC are equivalent to Windows 10, version 1507.

Deployment

Provisioning devices using Windows Imaging and Configuration Designer (ICD)

With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Using Windows Provisioning, an IT administrator can easily specify the configuration and settings required to enroll devices into management using a wizard-driven user interface, and then apply this configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.

Learn more about provisioning in Windows 10.

Security

AppLocker

AppLocker was available for Windows 8.1, and is improved with Windows 10. See Requirements to use AppLocker for a list of operating system requirements.

Enhancements to AppLocker in Windows 10 include:

  • A new parameter was added to the New-AppLockerPolicy Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set ServiceEnforcement to Enabled.
  • A new AppLocker configuration service provider was added to allow you to enable AppLocker rules by using an MDM server.
  • You can manage Windows 10 Mobile devices by using the new AppLocker CSP.

Learn how to manage AppLocker within your organization.
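The following is an added example, not code from the original article, showing how the ServiceEnforcement parameter described above is used when building a policy; the application directory C:\Program Files\Contoso and the output path are assumptions.

```powershell
# Added example: build an AppLocker policy whose EXE and DLL rule collections are also
# enforced for non-interactive (service) processes, then review it before applying.
# Assumes an elevated PowerShell session on Windows 10 and a hypothetical line-of-business
# application installed under C:\Program Files\Contoso.

Import-Module AppLocker

$appDir    = 'C:\Program Files\Contoso'            # hypothetical application path
$policyXml = 'C:\Policies\Contoso-AppLocker.xml'   # hypothetical output path

# Collect publisher and hash information for every EXE and DLL in the application folder.
$files = Get-AppLockerFileInformation -Directory $appDir -Recurse -FileType Exe, Dll

# Prefer publisher rules, fall back to hash rules for unsigned files, and extend the
# EXE/DLL collections to services with -ServiceEnforcement Enabled (the Windows 10 addition).
$policy = New-AppLockerPolicy -FileInformation $files `
                              -RuleType Publisher, Hash `
                              -User Everyone `
                              -ServiceEnforcement Enabled `
                              -Optimize -Xml

$policy | Out-File -FilePath $policyXml -Encoding utf8

# Dry run: check how the new policy would treat a file before enforcing anything.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path "$env:SystemRoot\System32\notepad.exe" -User Everyone

# Merge into the local policy (rather than replacing it) and make sure the
# Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyXml -Merge
Start-Service -Name AppIDSvc

# Confirm what is in effect after the merge.
Get-AppLockerPolicy -Effective -Xml
```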

BitLocker

Enhancements to BitLocker in Windows 10 include:

  • Encrypt and recover your device with Azure Active Directory. In addition to using a Microsoft Account, automatic Device Encryption can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
  • DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
  • New Group Policy for configuring pre-boot recovery. You can now configure the pre-boot recovery message and recovery URL that is shown on the pre-boot recovery screen. For more info, see the Configure pre-boot recovery message and URL section in "BitLocker Group Policy settings."

Learn how to deploy and manage BitLocker within your organization.

Certificate management

For Windows 10-based devices, you can use your MDM server to directly deploy client authentication certificates using Personal Information Exchange (PFX), in addition to enrolling using Simple Certificate Enrollment Protocol (SCEP), including certificates to enable Windows Hello for Business in your enterprise. You'll be able to use MDM to enroll, renew, and delete certificates. As in Windows Phone 8.1, you can use the Certificates app to review the details of certificates on your device. Learn how to install digital certificates on Windows 10 Mobile.

Microsoft Passport

In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.

Microsoft Passport lets users authenticate to a Microsoft account, an Active Directory account, a Microsoft Azure Active Directory (AD) account, or a non-Microsoft service that supports Fast ID Online (FIDO) authentication. After an initial two-step verification during Microsoft Passport enrollment, a Microsoft Passport is set up on the user's device and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify identity; Windows then uses Microsoft Passport to authenticate users and help them to access protected resources and services.

Security auditing

In Windows 10, security auditing has added some improvements:

New audit subcategories

In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:

  • Audit Group Membership. Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event.
  • Audit PNP Activity. Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when Plug and Play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by Plug and Play. A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs is included in the event.

More info added to existing audit events

With Windows 10, version 1507, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:

Changed the kernel default audit policy

In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.

Added a default process SACL to LSASS.exe

In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under Advanced Audit Policy Configuration\Object Access\Audit Kernel Object. This can help identify attacks that steal credentials from the memory of a process.

New fields in the logon event

The logon event ID 4624 has been updated to include more verbose information to make it easier to analyze. The following fields have been added to event 4624:

  1. MachineLogon. String: Yes or No. If the account that logged into the PC is a computer account, this field will be Yes. Otherwise, the field is No.
  2. ElevatedToken. String: Yes or No. If the account that logged into the PC is an administrative logon, this field will be Yes. Otherwise, the field is No. Additionally, if this is part of a split token, the linked logon ID (LSAP_LOGON_SESSION) will also be shown.
  3. TargetOutboundUserName, TargetOutboundUserDomain. String. The username and domain of the identity that was created by the LogonUser method for outbound traffic.
  4. VirtualAccount. String: Yes or No. If the account that logged into the PC is a virtual account, this field will be Yes. Otherwise, the field is No.
  5. GroupMembership. String. A list of all of the groups in the user's token.
  6. RestrictedAdminMode. String: Yes or No. If the user logs into the PC in Restricted Admin mode with Remote Desktop, this field will be Yes. For more info on Restricted Admin mode, see Restricted Admin mode for RDP.

New fields in the process creation event

The process creation event ID 4688 has been updated to include more verbose information to make it easier to analyze. The following fields have been added to event 4688:

  1. TargetUserSid. String. The SID of the target principal.
  2. TargetUserName. String. The account name of the target user.
  3. TargetDomainName. String. The domain of the target user.
  4. TargetLogonId. String. The logon ID of the target user.
  5. ParentProcessName. String. The name of the creator process.
  6. ParentProcessId. String. A pointer to the actual parent process if it's different from the creator process.

New Security Account Manager events

In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:

  • SamrEnumerateGroupsInDomain
  • SamrEnumerateUsersInDomain
  • SamrEnumerateAliasesInDomain
  • SamrGetAliasMembership
  • SamrLookupNamesInDomain
  • SamrLookupIdsInDomain
  • SamrQueryInformationUser
  • SamrQueryInformationGroup
  • SamrQueryInformationUserAlias
  • SamrGetMembersInGroup
  • SamrGetMembersInAlias
  • SamrGetUserDomainPasswordInformation

New BCD events

Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):

  • DEP/NEX settings
  • Test signing
  • PCAT SB simulation
  • Debug
  • Boot debug
  • Integrity Services
  • Disable Winload debugging menu

New PNP events

Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn't expect this type of action, such as a domain controller.

Learn how to manage your security audit policies within your organization.
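As an added example that is not part of the original article, the script below enables the audit settings described in this section (the new subcategories, the Audit Logon prerequisite, and Audit Kernel Object for the LSASS SACL) and then reads the new 4624, 4688 and 6416 fields from the Security log. The auditpol subcategory names and the XML data names are standard Windows ones; the thresholds and the PowerShell-not-from-explorer filter are assumptions chosen for illustration.

```powershell
# Added example: enable the Windows 10 audit settings from this section and triage the
# new fields. Assumes an elevated PowerShell session on a Windows 10 or later system.

# Audit Group Membership only produces events if Audit Logon is also enabled.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Group Membership" /success:enable
# Audit PNP Activity records Success audits only (event ID 6416).
auditpol /set /subcategory:"Plug and Play Events" /success:enable
# The default SACL on LSASS.exe is silent until Audit Kernel Object is enabled.
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable

# Turn one event's <EventData> into a name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    return $data
}

# In the raw XML the Yes/No fields are stored as message-table references
# (%%1842 = Yes, %%1843 = No); resolve them so the output reads like the article.
function Resolve-YesNo {
    param([string]$Value)
    switch ($Value) { '%%1842' { 'Yes' } '%%1843' { 'No' } default { $Value } }
}

# Logon events (4624): surface ElevatedToken, VirtualAccount and RestrictedAdminMode,
# then keep only elevated Remote Desktop logons (LogonType 10) as an example triage filter.
function Get-ElevatedRdpLogon {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{
                Time                = $_.TimeCreated
                Account             = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType           = $d.LogonType
                ElevatedToken       = Resolve-YesNo $d.ElevatedToken
                VirtualAccount      = Resolve-YesNo $d.VirtualAccount
                RestrictedAdminMode = Resolve-YesNo $d.RestrictedAdminMode
            }
        } | Where-Object { $_.ElevatedToken -eq 'Yes' -and $_.LogonType -eq '10' }
}

# Process creation (4688): the new ParentProcessName field shows which process actually
# launched a child; here, PowerShell started by anything other than the user's shell.
function Get-UnusualPowerShellParent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData $_ } |
        Where-Object { $_.NewProcessName -like '*\powershell.exe' -and $_.ParentProcessName -notlike '*\explorer.exe' } |
        Select-Object @{ n = 'Parent'; e = { $_.ParentProcessName } },
                      @{ n = 'Child';  e = { $_.NewProcessName } },
                      @{ n = 'User';   e = { $_.SubjectUserName } }
}

# New external device detected (6416): on a domain controller this should be rare enough to alert on.
function Get-NewExternalDevice {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; Class = $d.ClassName; Device = $d.DeviceDescription; DeviceId = $d.DeviceId }
        }
}

Get-ElevatedRdpLogon        | Format-Table -AutoSize
Get-UnusualPowerShellParent | Format-Table -AutoSize
Get-NewExternalDevice       | Format-Table -AutoSize
```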

Trusted Platform Module

New TPM features in Windows 10

The following sections describe the new and changed functionality in the TPM for Windows 10:

Device health attestation

Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device health attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. Some things that you can check on the device are:

  • Is Data Execution Prevention supported and enabled?
  • Is BitLocker Drive Encryption supported and enabled?
  • Is SecureBoot supported and enabled?

Note: The device must be running Windows 10 and it must support at least TPM 2.0.

Learn how to deploy and manage TPM within your organization.

User Account Control

User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment.

You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Universal Windows Platform apps stop working. You must always set the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin registry value to 0, which is the same as setting the UAC slider to Never Notify. This is not recommended for devices running Windows 10.

For more info about how to manage UAC, see UAC Group Policy Settings and Registry Key Settings.

In Windows 10, User Account Control has added some improvements:

  • Integration with the Antimalware Scan Interface (AMSI). The AMSI scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked.

Learn how to manage User Account Control within your organization.
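The following added example (not from the original article) checks the two registry values named above and reports the unsupported or not-recommended states; the remediation value 5 for ConsentPromptBehaviorAdmin is the Windows default (prompt for consent for non-Windows binaries) and is an assumption about what your baseline wants.

```powershell
# Added example: audit the UAC registry values this section describes and flag
# configurations the article calls unsupported or not recommended. Reading HKLM
# needs no elevation; the commented remediation at the end does.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Pure function so the logic can be reused against values collected from other hosts.
function Test-UacConfiguration {
    param(
        [AllowNull()][object]$EnableLUA,
        [AllowNull()][object]$ConsentPromptBehaviorAdmin
    )
    $findings = @()

    # A missing EnableLUA value means the default (1) applies; anything else but 1 is unsupported.
    if ($null -ne $EnableLUA -and [int]$EnableLUA -ne 1) {
        $findings += 'EnableLUA is not 1: UAC is turned off. This is unsupported on Windows 10 and stops Universal Windows Platform apps from working.'
    }

    # 0 is the "Never notify" slider position: administrators are silently elevated.
    if ($null -ne $ConsentPromptBehaviorAdmin -and [int]$ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'ConsentPromptBehaviorAdmin is 0 (Never notify): elevation happens without a prompt. Not recommended on Windows 10.'
    }
    return $findings
}

$values   = Get-ItemProperty -Path $uacKey
$findings = Test-UacConfiguration -EnableLUA $values.EnableLUA `
                                  -ConsentPromptBehaviorAdmin $values.ConsentPromptBehaviorAdmin

if ($findings.Count -eq 0) {
    Write-Output 'UAC configuration is supported.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

# Remediation (run elevated): restore UAC and the default admin prompt (5 = prompt for
# consent for non-Windows binaries, the Windows default; adjust to your own baseline).
# Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1 -Type DWord
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
```

Changing EnableLUA only takes effect after a restart, so a remediated host should be re-checked after reboot.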

VPN profile options

Windows 10 provides a set of VPN features that both increase enterprise security and provide an improved user experience, including:

  • Always-on auto connection behavior
  • App-triggered VPN
  • VPN traffic filters
  • Lock down VPN
  • Integration with Microsoft Passport for Work

Learn more about the VPN options in Windows 10.

Management

Windows 10 provides mobile device management (MDM) capabilities for PCs, laptops, tablets, and phones that enable enterprise-level management of corporate-owned and personal devices.

MDM support

MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Microsoft Store, VPN configuration, and more.

MDM support in Windows 10 is based on the Open Mobile Alliance (OMA) Device Management (DM) protocol 1.2.1 specification.

Corporate-owned devices can be enrolled automatically for enterprises using Azure AD. See Reference for Mobile device management for Windows 10.

Unenrollment

When a person leaves your organization and you unenroll the user account or device from management, the enterprise-controlled configurations and apps are removed from the device. You can unenroll the device remotely or the person can unenroll by manually removing the account from the device.

When a personal device is unenrolled, the user's data and apps are untouched, while enterprise information such as certificates, VPN profiles, and enterprise apps are removed.

Infrastructure

Enterprises have the following identity and management choices.

Area: Choices
Identity: Active Directory; Azure AD
Grouping: Domain join; Workgroup; Azure AD join
Device management: Group Policy; Microsoft Endpoint Configuration Manager; Microsoft Intune; other MDM solutions; Exchange ActiveSync; Windows PowerShell; Windows Management Instrumentation (WMI)

Note: With the release of Windows Server 2012 R2, Network Access Protection (NAP) was deprecated, and the NAP client has now been removed in Windows 10. For more information about support lifecycles, see Microsoft Support Lifecycle.

Device lockdown

Do you need a computer that can only do one thing? For example:

  • A device in the lobby that customers can use to view your product catalog.
  • A portable device that drivers can use to check a route on a map.
  • A device that a temporary worker uses to enter data.

You can configure a persistent locked-down state to create a kiosk-type device. When the locked-down account is logged on, the device displays only the app that you select.

You can also configure a lockdown state that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify.

Lockdown settings can also be configured for device look and feel, such as a theme or a custom layout on the Start screen.

Start layout

A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a partial Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to customize and export Start layout.

Administrators can also use mobile device management (MDM) or Group Policy to disable the use of Windows Spotlight on the lock screen.

Updates

Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft's Windows Update service.

By using Group Policy Objects, Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control over how their Windows 10-based devices are updated, by allowing:

  • Deployment and validation groups, where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).

  • Peer-to-peer delivery, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.

  • Use with existing tools such as Microsoft Endpoint Configuration Manager and the Enterprise Mobility Suite.

Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, and provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independently of, or in conjunction with, existing device management solutions such as Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.

Learn more about Windows Update for Business.

For more information about updating Windows 10, see Windows 10 servicing options for updates and upgrades.

Microsoft Edge

Microsoft Edge is not available in the LTSC release of Windows 10.

See Also

Windows 10 Enterprise LTSC: A description of the LTSC servicing channel with links to information about each release.