mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-14 14:27:22 +00:00
Merge branch 'master' into behav-block-contain
This commit is contained in:
commit
016c3a07d6
@ -15917,6 +15917,11 @@
|
||||
"redirect_document_id": false
|
||||
},
|
||||
{
|
||||
"source_path": "surface/step-by-step-surface-deployment-accelerator.md",
|
||||
"redirect_url": "https://docs.microsoft.com/surface/microsoft-surface-deployment-accelerator",
|
||||
"redirect_document_id": true
|
||||
},
|
||||
{
|
||||
"source_path": "windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md",
|
||||
"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode",
|
||||
"redirect_document_id": true
|
||||
|
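Review bot: the closing brace of the last object (the `shadow-protection.md` → `edr-in-block-mode` entry ending at `"redirect_document_id": true`) falls outside the visible context, so confirm the array still parses after the insert. Because this entry redirects `windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md` with `"redirect_document_id": true`, the source file should be removed in the same change; a redirect and a still-published page for the same path conflict, and the moved document id should not remain attached to the old topic.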
@ -16,6 +16,7 @@
|
||||
## [HoloLens (1st gen) fit and comfort FAQ](hololens1-fit-comfort-faq.md)
|
||||
## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
|
||||
## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
|
||||
## [HoloLens (1st Gen) release notes](hololens1-release-notes.md)
|
||||
|
||||
# Deploy HoloLens and mixed-reality apps in commercial environments
|
||||
## [Commercial features](hololens-commercial-features.md)
|
||||
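Review bot: the added TOC entry `## [HoloLens (1st Gen) release notes](hololens1-release-notes.md)` capitalizes "Gen" while every neighbouring entry in this hunk uses "(1st gen)"; change it to "HoloLens (1st gen) release notes" for consistency. Also verify that `hololens1-release-notes.md` exists in this commit, since the 1st gen release-notes content is still visible inside `hololens-release-notes.md` further down in this diff.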
@ -69,7 +70,7 @@
|
||||
## [Use 3D Viewer on HoloLens (1st gen)](holographic-3d-viewer-beta.md)
|
||||
## [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md)
|
||||
|
||||
# [HoloLens release notes](hololens-release-notes.md)
|
||||
# [HoloLens 2 release notes](hololens-release-notes.md)
|
||||
# [Give us feedback](hololens-feedback.md)
|
||||
# [Insider preview for Microsoft HoloLens](hololens-insider.md)
|
||||
# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
|
||||
|
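Review bot: the title is narrowed from "HoloLens release notes" to "HoloLens 2 release notes" but the link target stays `hololens-release-notes.md`, and later in this same commit that file still carries a `## HoloLens (1st gen)` section (Windows 10 Holographic, version 1809). Either move that section into the new `hololens1-release-notes.md` entry added above, or keep the generic title; otherwise the TOC label and the page content disagree.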
@ -33,12 +33,18 @@ Open the Microsoft Store from the **Start** menu. Then browse for apps and games
|
||||
|
||||
## Install apps
|
||||
|
||||
To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
|
||||
To download apps, you'll need to be signed in with a Microsoft account. Some apps are free and can be downloaded right away. Apps that require a purchase require you to be signed in to the Store with your Microsoft account and have a valid payment method.
|
||||
> [!NOTE]
|
||||
> The account you use on Microsoft Store does not have to be the same as the account you are signed in with. If you are using a Work or School account on your HoloLens then you'll need to sign in with your personal account in the Store App to make a purchase.
|
||||
|
||||
1. To open the [**Start** menu](holographic-home.md), perform a [bloom](hololens1-basic-usage.md) gesture or tap your wrist.
|
||||
2. Select the Store app and then tap to place this tile into your world.
|
||||
3. Once the Store app opens, use the search bar to look for any desired application.
|
||||
4. Select **Get** or **Install** on the application's page (a purchase may be required).
|
||||
To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
|
||||
|
||||
1. To open the [**Start** menu](holographic-home.md), perform a [Start gesture](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) or [bloom](hololens1-basic-usage.md) gesture on HoloLens 1.
|
||||
1. Select the Store app. Once the Store app opens:
|
||||
1. Use the search bar to look for any desired applications.
|
||||
1. Select essential apps or apps made specifically for HoloLens from one of the curated categories.
|
||||
1. On the top right of the Store app, select the **...** button and then select **My Library** to view any previously purchased apps.
|
||||
1. Select **Get** or **Install** on the application's page (a purchase may be required).
|
||||
|
||||
## Uninstall apps
|
||||
|
||||
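Review bot: the three items after `1. Select the Store app. Once the Store app opens:` ("Use the search bar...", "Select essential apps...", "On the top right of the Store app...") are intended as sub-steps but appear at the same indentation level as the parent steps, so they will render as steps 3 to 5 of a flat list; indent them to nest under step 2, or reword the parent step. Minor: the Start gesture link uses an absolute `https://docs.microsoft.com/hololens/...` URL while the bloom link right next to it is relative (`hololens1-basic-usage.md`); use a relative link within the repo so it resolves in every environment.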
@ -46,7 +52,7 @@ There are two ways to uninstall applications. You can uninstall applications th
|
||||
|
||||
### Uninstall from the Start menu
|
||||
|
||||
On the **Start** menu or in the **All apps** list, gaze at the app. Tap and hold until the menu appears, then select **Uninstall**.
|
||||
On the **Start** menu or in the **All apps** list, browse to the app. Air tap and hold until the menu appears, then select **Uninstall**.
|
||||
|
||||
### Uninstall from the Microsoft Store
|
||||
|
||||
|
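Review bot: replacing "gaze at the app. Tap and hold" with "browse to the app. Air tap and hold" drops the HoloLens (1st gen) interaction model from a page that applies to both devices; the install section in this same commit links to both the HoloLens 2 Start gesture and the 1st gen bloom gesture, so do the same here (for example, "air tap and hold on HoloLens 2, or gaze at the app and tap and hold on HoloLens (1st gen)").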
@ -63,6 +63,9 @@ HoloLens 2 supports the following classes of USB-C devices:
|
||||
- Wired keyboard
|
||||
- Combination PD hubs (USB A plus PD charging)
|
||||
|
||||
> [!NOTE]
|
||||
> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with the 20H1 OS. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported
|
||||
|
||||
## Connect to Miracast
|
||||
|
||||
To use Miracast, follow these steps:
|
||||
|
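Review bot: the added note's second sentence is missing its terminal period ("...installed for configuration are not supported"). It also refers to "the 20H1 OS" while the release notes in this same commit call the release "Windows Holographic, version 2004"; use one name so readers can match the note to the update they need. Capitalization of "ethernet" should match "USB Ethernet" as used in the release notes feature table.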
@ -32,7 +32,7 @@ HoloLens supports several kinds of user identities. You can use one or more user
|
||||
|
||||
| Identity type | Accounts per device | Authentication options |
|
||||
| --- | --- | --- |
|
||||
| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 32 (see details) | <ul><li>Azure web credential provider</li><li>Azure Authenticator App</li><li>Biometric (Iris) – HoloLens 2 only</li><li>PIN – Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
|
||||
| [Azure Active Directory (AAD)](https://docs.microsoft.com/azure/active-directory/) | 64 | <ul><li>Azure web credential provider</li><li>Azure Authenticator App</li><li>Biometric (Iris) – HoloLens 2 only</li><li>PIN – Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
|
||||
| [Microsoft Account (MSA)](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts) | 1 | <ul><li>Biometric (Iris) – HoloLens 2 only</li><li>PIN – Optional for HoloLens (1st gen), required for HoloLens 2</li><li>Password</li></ul> |
|
||||
| [Local account](https://docs.microsoft.com/windows/security/identity-protection/access-control/local-accounts) | 1 | Password |
|
||||
|
||||
|
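Review bot: the AAD row changes "32 (see details)" to "64" and drops the "(see details)" pointer; if the section below the table still explains the 32-account limit and how it is reached, update it in the same change, otherwise the table and the text disagree on the per-device account limit.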
@ -63,80 +63,9 @@ You are welcome and encouraged to try developing your applications using Insider
|
||||
|
||||
## Windows Insider Release Notes
|
||||
|
||||
HoloLens 2 Windows Insider builds are full of new features and improvements. Sign up for Windows Insider Fast or Slow flights to test them out!
|
||||
Here's a quick summary of what's new:
|
||||
As of our [Windows Holographic May 2020 Update](hololens-release-notes.md) release all of our release preview feautres are now generally avalible! Make sure to [update your HoloLens](hololens-update-hololens.md) to get all the latest features.
|
||||
|
||||
- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices
|
||||
- Seamlessly apply a provisioning package from a USB drive to your HoloLens
|
||||
- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
|
||||
- Use Windows Autopilot to set up and pre-configure new devices, quickly getting them ready for productive use. To participate in the program you'll need to meet a few requirements. While the program is in preview mode you'll need to be using Microsoft Intune. You'll need to use a tenant that is flighted for HoloLens. Lastly you'll need to have installed an insider preview buildon your HoloLens 2. To praticipate in the preview of this new program send a note to hlappreview@microsoft.com to join the preview.
|
||||
- Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
|
||||
- Support for additional system voice commands
|
||||
- An updated Cortana app with a focus on productivity
|
||||
- Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
|
||||
- Performance and stability improvements across the product
|
||||
- More information in settings on HoloLens about the policy pushed to the device
|
||||
|
||||
Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
|
||||
|
||||
### FIDO 2 support
|
||||
Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password.
|
||||
|
||||
Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
|
||||
|
||||
### Provisioning package updates
|
||||
Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel.
|
||||
|
||||
1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
|
||||
1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
|
||||
1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
|
||||
1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
|
||||
|
||||
### System voice commands
|
||||
You can now access these commands with your voice:
|
||||
- "Restart device"
|
||||
- "Shutdown device"
|
||||
- "Brightness up"
|
||||
- "Brightness down"
|
||||
- "Volume up"
|
||||
- "Volume down"
|
||||
- "What is my IP address?"
|
||||
- "Take a picture"
|
||||
- "Take a video" / "Stop recording"
|
||||
|
||||
If you're running your system with a different language, please try the appropriate commands in that language.
|
||||
|
||||
### Cortana updates
|
||||
The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
|
||||
|
||||
There's currently an issue we're investigating that requires you to launch the app once after booting the device in order to use the "Hey Cortana" keyword activation, and if you updated from a 18362 build, you may see an app tile for the previous version of the Cortana app in Start that no longer works.
|
||||
|
||||
### Dark mode
|
||||
Many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to **Settings > System > Colors to find "Choose your default app mode."**
|
||||
Here are some of the in-box apps that support Dark mode!
|
||||
- Settings
|
||||
- Microsoft Store
|
||||
- Mail
|
||||
- Calendar
|
||||
- File Explorer
|
||||
- Feedback Hub
|
||||
- OneDrive
|
||||
- Photos
|
||||
- 3D Viewer
|
||||
- Movies & TV
|
||||
|
||||
### Windows Autopilot for HoloLens 2
|
||||
|
||||
This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
|
||||
|
||||
When a user starts the Autopilot self-deploying process, the process completes the following steps:
|
||||
1. Join the device to Azure Active Directory (Azure AD).
|
||||
2. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
|
||||
3. Download the device-targeted policies, certificates, and networking profiles.
|
||||
4. Provision the device.
|
||||
5. Present the sign-in screen to the user.
|
||||
|
||||
For full information about Autopilot, see [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md).
|
||||
We'll be updating this page again with new features again as we release them to Windows Insider builds.
|
||||
|
||||
### FFU download and flash directions
|
||||
To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
|
||||
|
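Review bot: the added line "As of our [Windows Holographic May 2020 Update](hololens-release-notes.md) release all of our release preview feautres are now generally avalible!" has two typos ("feautres" → "features", "avalible" → "available") and needs a comma after "release". Since the feature sections are being removed from this page, the retained lead-in "Here's a quick summary of what's new:" should go too if nothing is listed after it, so the Insider page does not promise a summary it no longer contains.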
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: HoloLens release notes
|
||||
title: HoloLens 2 release notes
|
||||
description: Learn about updates in each new HoloLens release.
|
||||
author: scooley
|
||||
ms.author: scooley
|
||||
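Review bot: the front-matter `title` becomes "HoloLens 2 release notes" but `description: Learn about updates in each new HoloLens release.` is left generic; align the description with the new title, or keep the title generic, because the file still contains HoloLens (1st gen) release notes further down in this commit.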
@ -8,25 +8,167 @@ ms.prod: hololens
|
||||
ms.sitesec: library
|
||||
ms.topic: article
|
||||
ms.localizationpriority: medium
|
||||
ms.date: 12/02/2019
|
||||
ms.date: 05/12/2020
|
||||
ms.custom:
|
||||
- CI 111456
|
||||
- CSSTroubleshooting
|
||||
audience: ITPro
|
||||
appliesto:
|
||||
- HoloLens 1
|
||||
- HoloLens 2
|
||||
|
||||
---
|
||||
|
||||
# HoloLens release notes
|
||||
# HoloLens 2 release notes
|
||||
|
||||
## HoloLens 2
|
||||
## Windows Holographic, version 2004
|
||||
Build - 19041.1103
|
||||
|
||||
We are excited to announce our May 2020 major software update for HoloLens 2, **Windows Holographic, version 2004**. This release includes a host of exciting new capabilities, such as support for Windows Autopilot, app dark mode, USB Ethernet support for 5G/LTE hotspots, and much more. To update to the latest release, open the **Settings app**, go to **Update & Security**, then select the **Check for Updates** button.
|
||||
|
||||
| Feature | Description |
|
||||
|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
|
||||
| Windows Autopilot | Pre-configure and seamlessly set up new devices for production, with Windows AutoPilot |
|
||||
| FIDO 2 support | Support for FIDO2 Security Keys to enable fast and secure authentication for shared devices |
|
||||
| Improved provisioning | Seamlessly apply a provisioning package from a USB drive to your HoloLens |
|
||||
| Application install status | Check install status for apps have been pushed to HoloLens 2 via MDM, in the Settings app |
|
||||
| Configuration Service Providers (CSPs) | Added new Configuration Service Providers (CSPs) enhancing admin control capabilities. |
|
||||
| USB 5G/LTE support | Expanded USB Ethernet capability enables support for 5G/LTE dongles |
|
||||
| Dark App Mode | Dark App Mode for apps that support both dark and light modes, improving the viewing experience |
|
||||
| Voice Commands | Support for additional system voice commands to control HoloLens, hands-free |
|
||||
| Hand Tracking improvements | Hand Tracking improvements make buttons and 2D slate interactions more accurate |
|
||||
| Quality improvements and fixes | Various system performance and reliability improvements across the platform |
|
||||
|
||||
> [!Note]
|
||||
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
|
||||
|
||||
### April Update - build 18362.1059
|
||||
### Support for Windows Autopilot
|
||||
|
||||
Windows Autopilot for HoloLens 2 lets the device sales channel pre-enroll HoloLens into your Intune tenant. When devices arrive, they’re ready to self-deploy as shared devices under your tenant. To take advantage of self-deployment, devices will need to connect to a network during the first screen in setup using either a USB-C to ethernet dongle or USB-C to LTE dongle.
|
||||
|
||||
When a user starts the Autopilot self-deploying process, the process completes the following steps:
|
||||
|
||||
1. Join the device to Azure Active Directory (Azure AD).
|
||||
1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
|
||||
1. Download the device-targeted policies, certificates, and networking profiles.
|
||||
1. Provision the device.
|
||||
1. Present the sign-in screen to the user.
|
||||
|
||||
Learn more from the [Windows Autopilot for HoloLens 2 evaluation guide](https://docs.microsoft.com/hololens/hololens2-autopilot).
|
||||
|
||||
**Contact your Account Manager to join the AutoPilot preview now. Autopilot-ready devices will begin shipping soon.**
|
||||
|
||||
### FIDO2 Security Key support
|
||||
|
||||
Many of you share a HoloLens device with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long usernames and passwords.
|
||||
|
||||
FIDO lets anyone in your organization (AAD tenant) seamlessly sign into HoloLens without entering a username or password.
|
||||
|
||||
FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign-in to their resources without a username or password using an external security key or a platform key built into a device.
|
||||
|
||||
Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
|
||||
|
||||
### Improved MDM enrollment via provisioning package
|
||||
|
||||
Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel. In addition, provisioning packages support a new field to enroll in device management so there is no manual set up post-provisioning.
|
||||
|
||||
1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
|
||||
1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
|
||||
1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
|
||||
1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
|
||||
|
||||
### Line of Business application install status
|
||||
|
||||
MDM app deployment and management for Line of Business (LOB) apps is critical for our customers. Admins and users need to be able to view app install status, for auditing and diagnosis purposes. In this release we are adding more details in **Settings > Accounts > Access work or school > Click on your account > Info.**
|
||||
|
||||
### Additional CSPs and Policies
|
||||
|
||||
A [configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference?redirectedfrom=MSDN) is an interface to read, set, modify, or delete configuration settings on a device. In this release, we are adding support for more policies, increasing the control administrators have over deployed HoloLens devices. For the list of CSPs supported by HoloLens, visit this [link](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp). New in this release:
|
||||
|
||||
**Policy CSP**
|
||||
|
||||
The Policy configuration service provider enables the enterprise to configure policies on Windows devices. In this release, we are adding new policies for HoloLens, listed below. You can learn more about supported policies [here](https://docs.microsoft.com/windows/client-management/mdm/policies-supported-by-hololens2).
|
||||
|
||||
- LetAppsAccessCamera_ForceAllowTheseApps
|
||||
- LetAppsAccessCamera_ForceDenyTheseApps
|
||||
- LetAppsAccessCamera_UserInControlOfTheseApps
|
||||
- LetAppsAccessGazeInput
|
||||
- LetAppsAccessGazeInput_ForceAllowTheseApps
|
||||
- LetAppsAccessGazeInput_ForceDenyTheseApps
|
||||
- LetAppsAccessGazeInput_UserInControlOfTheseApps
|
||||
- LetAppsAccessMicrophone_ForceAllowTheseApps
|
||||
- LetAppsAccessMicrophone_ForceDenyTheseApps
|
||||
- LetAppsAccessMicrophone_UserInControlOfTheseApps
|
||||
- AllowWiFi
|
||||
|
||||
**NetworkQoSPolicy CSP**
|
||||
The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. You can learn more about this policy [here](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp).
|
||||
|
||||
### Expanded USB Ethernet support for 5G/LTE tethered devices
|
||||
|
||||
Support has been added to enable certain mobile broadband devices, such as 5G/LTE phones and WiFi hotpots when tethered to the HoloLens 2 via USB. These devices will be displayed in network settings as another ethernet connection. Mobile broadband devices that require an external driver are not supported. This enables high bandwidth connections in scenarios where WiFi is not available, and WiFi tethering isn’t performant enough. You can learn more about supported USB devices [here](https://docs.microsoft.com/hololens/hololens-connect-devices).
|
||||
|
||||
### Hand Tracking Improvements
|
||||
|
||||
Hand tracking has received several improvements in this release.
|
||||
|
||||
- **Pointing pose stability:** The system will now resist bending the index finger when it becomes occluded by the palm. This improves accuracy when pushing buttons, typing, scrolling content, and more!
|
||||
- **Reduced accidental AirTaps:** We’ve improved detection of the AirTap gesture. Now there are fewer accidental activations in several common cases, such as dropping your hands to your side.
|
||||
- **User switch reliability:** The system is now faster and more reliable at updating the hand size when sharing a device back and forth.
|
||||
- **Reduced hand stealing:** We’ve improved handling of cases where there are more than 2 hands in view of the sensors. If multiple people are working close together, there is now a much lower chance that the tracked hand will jump from the user to the hand of someone else in the scene.
|
||||
- **System reliability:** Fixed an issue that would cause hand tracking to stop working for a period if the device is under high load.
|
||||
|
||||
### Dark mode
|
||||
|
||||
Many Windows apps now support both dark and light modes, and HoloLens 2 customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to Settings > System > Colors to find "Choose your default app mode." Here are some of the in-box apps that support Dark mode:
|
||||
|
||||
- Settings
|
||||
- Microsoft Store
|
||||
- Mail
|
||||
- Calendar
|
||||
- File Explorer
|
||||
- Feedback Hub
|
||||
- OneDrive
|
||||
- Photos
|
||||
- 3D Viewer
|
||||
- Movies & TV
|
||||
|
||||

|
||||
|
||||
### System voice commands
|
||||
|
||||
You can now quickly access and use commands with your voice while using any app on the device. If you're running your system with a different language, please try the appropriate commands in that language. For more details on the commands and how to use them, see our documentation [here](https://docs.microsoft.com/hololens/hololens-cortana).
|
||||
|
||||
### Cortana updates
|
||||
|
||||
The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands mentioned above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
|
||||
|
||||
> [!NOTE]
|
||||
> There's currently an issue we're investigating that requires you to launch the app after booting the device in order to use the "Hey Cortana" keyword activation, and if you updated from a 18362 build, you may see an app tile for the previous version of the Cortana app in Start that no longer works.
|
||||
|
||||
### Quality improvements and fixes
|
||||
|
||||
Improvements and Fixes also in the update:
|
||||
- The update introduces an active display calibration system. This improves the stability and alignment of holograms, which helps them stay in place when moving your head side-to-side.
|
||||
- Fixed a bug where Wi-Fi streaming to HoloLens gets disrupted periodically. If an application indicates that it needs low latency streaming this fix is can be accomplished by calling [this function](https://docs.microsoft.com/windows/win32/api/socketapi/nf-socketapi-setsocketmediastreamingmode).
|
||||
- Fixed an issue where the device could hang during streaming in research mode.
|
||||
- Fixed bug where in some cases the right user would not be displayed on sign-in screen when resuming session.
|
||||
- Fixed an issue where users could not export MDM logs through settings.
|
||||
- Fixed an issue where the accuracy of eye tracking immediately following out-of-box-setup could be lower than specification.
|
||||
- Fixed an issue where eye tracking subsystem would fail to initialize and/or perform calibration under certain conditions.
|
||||
- Fixed an issue where eye calibration would be prompted for an already calibrated user.
|
||||
- Fixed an issue where a driver would crash during eye calibration.
|
||||
- Fixed an issue where repeated power button presses can cause a 60 second system time-out and shell crash.
|
||||
- Improved stability for depth buffers.
|
||||
- Added ‘Share’ button in Feedback Hub so users can more easily share feedback.
|
||||
- Fixed a bug where RoboRaid did not install correctly.
|
||||
|
||||
## Windows Holographic, version 1903 - May 2020 Update
|
||||
- Build 18362.1061
|
||||
|
||||
This monthly quality update does not contain any changes of note because the team has been focused on providing you with the highest quality Feature Update now available in the Windows Holographic, version 2004 May Update detailed above. Please take this opportunity to move to the latest feature update to get a ton of exciting new changes.
|
||||
|
||||
## Windows Holographic, version 1903 - April 2020 Update
|
||||
- Build 18362.1059
|
||||
|
||||
**Dark mode for supported apps**
|
||||
|
||||
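Review bot: in the "Additional CSPs and Policies" section, "For the list of CSPs supported by HoloLens, visit this [link](.../networkqospolicy-csp)" points at the NetworkQoSPolicy CSP page, not a list of supported CSPs; the Policy CSP paragraph two lines later already links `policies-supported-by-hololens2`, which is the target that matches the sentence. Related consistency points in the same hunk: the front matter keeps `appliesto: HoloLens 1` while the H1 is renamed to "HoloLens 2 release notes"; `> [!Note]` should be `> [!NOTE]` as used elsewhere in the file; "Check install status for apps have been pushed" needs "that"; "WiFi hotpots" should be "Wi-Fi hotspots"; and "this fix is can be accomplished by calling" should read "this can be accomplished by calling".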
@ -51,100 +193,50 @@ Here are some of the in-box apps that support dark mode:
|
||||
- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod DepthReprojection algorithm is used.
|
||||
- Fixed WinRT IStreamSocketListener API Class Not Registered error on 32-bit ARM app.
|
||||
|
||||
### March Update - build 18362.1056
|
||||
## Windows Holographic, version 1903 - March 2020 Update
|
||||
- Build 18362.1056
|
||||
|
||||
Improvements and fixes in the update:
|
||||
|
||||
- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod AutoPlanar algorithm is used.
|
||||
- Ensures the coordinate system attached to a depth MF sample is consistent with public documentation.
|
||||
- Developers productivity improvement by enabling customers to paste large amount of text through device portal.
|
||||
|
||||
### February Update - build 18362.1053
|
||||
## Windows Holographic, version 1903 - February 2020 Update
|
||||
- Build 18362.1053
|
||||
|
||||
Improvements and fixes in the update:
|
||||
|
||||
- Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled.
|
||||
- Fixed a random HUP crash cased by hand tracking, in which user will notice an UI freeze then back to shell after several seconds.
|
||||
- We made an improvement in hand tracking so that while poking using index finger, the upper part of that finger will be less likely to curl unexpectedly.
|
||||
- Improved reliability of head tracking, spatial mapping, and other runtimes.
|
||||
|
||||
### January Update - build 18362.1043
|
||||
## Windows Holographic, version 1903 - January 2020 Update
|
||||
- Build 18362.1043
|
||||
|
||||
Improvement in the update:
|
||||
|
||||
- Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
|
||||
|
||||
### December Update - build 18362.1042
|
||||
## Windows Holographic, version 1903 - December 2019 Update
|
||||
- Build 18362.1042
|
||||
|
||||
Improvements and fixes in the update:
|
||||
|
||||
- Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update.
|
||||
- Fixes stability of exclusive apps and navigation between exclusive apps.
|
||||
- Resolves an issue where Mixed Reality Capture couldn't record video after device is left in standby state for multiple days.
|
||||
- Improves hologram stability.
|
||||
|
||||
### November Update - build 18362.1039
|
||||
## Windows Holographic, version 1903 - November 2019 Update
|
||||
- Build 18362.1039
|
||||
|
||||
Improvements and fixes in the update:
|
||||
|
||||
- Fixes for **"Select"** voice commands during initial set-up for en-CA and en-AU.
|
||||
- Improvements in visual quality of objects placed far away in latest Unity and MRTK versions.
|
||||
- Fixes addressing issues with holographic applications being stuck in a paused state on launch until the pins panel is brought up and dismissed again.
|
||||
- OpenXR runtime conformance fixes and improvements for HoloLens 2 and the emulator.
|
||||
|
||||
## HoloLens (1st gen)
|
||||
|
||||
### Windows 10 Holographic, version 1809
|
||||
|
||||
> **Applies to:** Hololens (1st gen)
|
||||
|
||||
| Feature | Details |
|
||||
|---|---|
|
||||
| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. <br> See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.<br><br> |
|
||||
| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
| **HoloLens overlays**<br>(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
#### For international customers
| Feature | Details |
| --- | --- |
| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.<br>[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
#### For administrators
| Feature | Details |
|---|----|
| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password. <br>**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
### Windows 10, version 1803 for Microsoft HoloLens
> **Applies to:** Hololens (1st gen)
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).

- When you create a local account in a provisioning package, the password no longer expires every 42 days.
- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
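Review bot: the stale level-3 heading "### November Update - build 18362.1039" sits directly above "## Windows Holographic, version 1903 - November 2019 Update", which already carries "- Build 18362.1039" as its first bullet; drop the level-3 heading so the build number is not announced twice and the heading levels stay in order. Two further points in this hunk: the "HoloLens (1st gen)" section that follows (the version 1809 and 1803 notes) is the same text that the new hololens1-release-notes.md file adds, so confirm these lines are removed here rather than duplicated, which is what the TOC rename to "HoloLens 2 release notes" implies; and the two "> **Applies to:** Hololens (1st gen)" callouts spell the product "Hololens" where the rest of the page uses "HoloLens".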
84
devices/hololens/hololens1-release-notes.md
Normal file
@ -0,0 +1,84 @@
---
title: HoloLens 1st (Gen) release notes
description: Learn about updates in each new HoloLens release.
author: evmill
ms.author: v-evmill
manager: yannisle
ms.prod: hololens
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
ms.date: 05/12/2020
ms.custom:
- CI 111456
- CSSTroubleshooting
audience: ITPro
appliesto:
- HoloLens 1
---
# HoloLens 1st (Gen) release notes
### Windows 10 Holographic, version 1809
> **Applies to:** Hololens (1st gen)
| Feature | Details |
|---|---|
| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. <br> See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.<br><br> |
| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
| **HoloLens overlays**<br>(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
#### For international customers
| Feature | Details |
| --- | --- |
| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.<br>[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
#### For administrators
| Feature | Details |
|---|----|
| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password. <br>**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
### Windows 10, version 1803 for Microsoft HoloLens
> **Applies to:** Hololens (1st gen)
Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
- When you create a local account in a provisioning package, the password no longer expires every 42 days.
- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
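Review bot: the front-matter title and the H1 read "HoloLens 1st (Gen) release notes" while the TOC entry added in this same commit is "HoloLens (1st Gen) release notes"; move the parenthesis so the two match, e.g. `title: HoloLens (1st Gen) release notes`. The heading hierarchy in the new file also jumps from `#` straight to `###` (Windows 10 Holographic, version 1809 and Windows 10, version 1803) with no `##` level, and both "Applies to" callouts spell the product "Hololens"; promote the version headings to `##` and their subsections to `###`, and fix the casing.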
@ -133,7 +133,11 @@ In order to maintain/advance Internal Battery Charge Percentage while the device
### Safety
HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166.
[Product Safety](https://support.microsoft.com/en-us/help/4023454/safety-information)
Eye safety: HoloLens 2 has been tested and conforms to the basic impact protection requirements of ANSI Z87.1, CSA Z94.3 and EN 166.
### Regulatory Information
[HoloLens Regulatory](https://support.microsoft.com/en-us/help/13761/hololens-regulatory-information)
## Next step
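Review bot: the Safety section now states the ANSI Z87.1 / CSA Z94.3 / EN 166 conformance twice, once as the opening sentence and again as the "Eye safety:" line below the Product Safety link; keep one of them (the "Eye safety:" form says which kind of protection the standards cover) and delete the other. "## Next step" is also left with nothing under it inside this hunk, so check that its body follows in the unchanged context rather than having been dropped.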
BIN
devices/hololens/images/hololens-darkmode-tiled-picture.jpg
Normal file
Binary file not shown (added, 58 KiB).
@ -60,16 +60,6 @@ Using Surface Hub 2S, you can reinstall the device by using a recovery image. By
When the first-time setup screen appears,remove the USB drive.
## Recover a locked Surface Hub
At the end of a session, Surface Hub 2S may occasionally encounter an error during the cleanup of user and app data at the end of a session. If this occurs, the device automatically reboots and resumes the data cleanup. However, if this operation repeatedly fails, the device automatically locks to protect user data.
**To unlock a Surface Hub 2S:** <br>
- Reset or recover the device from the Windows Recovery Environment. For more information, see [What is Windows RE?](https://technet.microsoft.com/library/cc765966.aspx)
> [!NOTE]
> To enter recovery mode, unplug the power cord and plug it in again three times.
## Contact Support
If you have questions or need help, you can [create a support request](https://support.microsoft.com/supportforbusiness/productselection).
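Review bot: "When the first-time setup screen appears,remove the USB drive." is missing the space after the comma; since this hunk already touches the surrounding lines, fix it here. The hunk header shows the region shrinking from 16 lines to 6, so the "Recover a locked Surface Hub" block (including the Windows RE link to technet.microsoft.com/library/cc765966.aspx and the unplug-three-times note) appears to be what is removed; if that is intended, check that no other page still links to that section, and if it is not, the block is being lost silently.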
@ -24,6 +24,23 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
<details>
<summary>May 4, 2020—update for Surface Hub 2S</summary>
This update is specific to the Surface Hub 2S and provides the driver and firmware updates outlined below:
* Surface USB audio driver - 15.3.6.0
* Improves directional audio performance.
* Intel(R) display audio driver - 10.27.0.5
* Improves screen sharing scenarios.
* Intel(R) graphics driver - 26.20.100.7263
* Improves system stability.
* Surface System driver - 1.7.139.0
* Improves system stability.
* Surface SMC Firmware update - 1.173.139.0
* Improves system stability.
</details>
<details>
<summary>February 28, 2020—update for Surface Hub 2S</summary>
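Review bot: in the May 4, 2020 block the "Improves ..." lines appear at the same list level as the driver and firmware entries they describe; if they are not already indented in the source, nest each description under its driver (`* Surface USB audio driver - 15.3.6.0` followed by an indented `* Improves directional audio performance.`), otherwise the block renders as ten unrelated bullets. The `<details>` / `<summary>` structure matches the existing February 28, 2020 entry below, so that part is consistent.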
@ -33,7 +33,6 @@
### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md)
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)
### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md)
### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md)
### [Enable the Surface Laptop keyboard during MDT deployment](enable-surface-keyboard-for-windows-pe-deployment.md)
### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md)
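Review bot: dropping the "Step by step: Surface Deployment Accelerator" TOC entry matches the redirect this commit adds for step-by-step-surface-deployment-accelerator.md, but a redirect only covers external URLs; search the repo for remaining relative links to `step-by-step-surface-deployment-accelerator.md` (the Surface Deployment Accelerator article is the obvious candidate) and point them at microsoft-surface-deployment-accelerator.md so the build does not report broken links.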
@ -28,7 +28,7 @@ Network deployment to Surface devices can pose some unique challenges for system
Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter.
The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters.
The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. For more information on potential conflicts with shared adapters, see [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) later in this article.
Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware.
@ -67,7 +67,6 @@ For Windows 10, version 1511 and later – including the Windows Assessment and
## <a href="" id="manage-mac-addresses"></a>Manage MAC addresses with removable Ethernet adapters
Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers.
The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks.
@ -85,7 +84,7 @@ To access the firmware of a Surface device, follow these steps:
When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**.
The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog.
The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374), a blog post on the Core Infrastructure and Security Blog.
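Review bot: the blog link is moved to its Tech Community URL, but the two technet.microsoft.com/library links in the unchanged paragraph just above (cc742034 for pre-staging clients by System UUID and cc732360 for the PXE Response tab) stay on the legacy host; while this passage is being touched, verify they still resolve and update them to their current locations if they have moved.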
@ -28,19 +28,8 @@ landingContent:
url: https://www.microsoft.com/surface/business/surface-go-2
- text: Surface Book 3 for Business
url: https://www.microsoft.com/surface/business/surface-book-3
- text: Surface Pro 7 for Business
url: https://www.microsoft.com/surface/business/surface-pro-7
- text: Surface Pro X for Business
url: https://www.microsoft.com/surface/business/surface-pro-x
- text: Surface Laptop 3 for Business
url: https://www.microsoft.com/surface/business/surface-laptop-3
- text: Surface Studio 2 for Business
url: https://www.microsoft.com/surface/business/surface-studio-2
- linkListType: video
links:
- text: Microsoft Mechanics Surface videos
url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
- text: Explore all Surface family products
url: https://www.microsoft.com/surface/business
# Card (optional)
- title: Get started
@ -53,18 +42,14 @@ landingContent:
url: surface-book-quadro.md
- text: What’s new in Surface Dock 2
url: surface-dock-whats-new.md
- text: Surface and Endpoint Configuration Manager considerations
url: considerations-for-surface-and-system-center-configuration-manager.md
- text: Wake On LAN for Surface devices
url: wake-on-lan-for-surface-devices.md
# Card
- title: Deploy Surface devices
linkLists:
- linkListType: deploy
links:
- text: Manage and deploy Surface driver and firmware updates
url: manage-surface-driver-and-firmware-updates.md
- text: Surface Deployment Accelerator tool
url: microsoft-surface-deployment-accelerator.md
- text: Autopilot and Surface devices
url: windows-autopilot-and-surface-devices.md
- text: Deploying, managing, and servicing Surface Pro X
@ -75,15 +60,15 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Optimize Wi-Fi connectivity for Surface devices
url: surface-wireless-connect.md
- text: Manage and deploy Surface driver and firmware updates
url: manage-surface-driver-and-firmware-updates.md
- text: Best practice power settings for Surface devices
url: maintain-optimal-power-settings-on-Surface-devices.md
- text: Manage battery limit with UEFI
url: battery-limit.md
- text: Optimize Wi-Fi connectivity for Surface devices
url: surface-wireless-connect.md
# Card
- title: Secure Surface devices
- title: Explore security guidance
linkLists:
- linkListType: how-to-guide
links:
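Review bot: "Optimize Wi-Fi connectivity for Surface devices" (surface-wireless-connect.md) appears twice in this how-to list, at the top and again at the bottom, and "Manage and deploy Surface driver and firmware updates" is also listed in the Deploy card of the previous hunk; if the intent is to move the Wi-Fi entry to the end of the list, make sure only one copy survives the change, and decide whether the driver-updates link really belongs in two cards.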
@ -99,31 +84,33 @@ landingContent:
linkLists:
- linkListType: how-to-guide
links:
- text: Surface Dock Firmware Update
url: surface-dock-firmware-update.md
- text: Surface Diagnostic Toolkit for Business
url: surface-diagnostic-toolkit-for-business-intro.md
- text: SEMM and UEFI
url: surface-enterprise-management-mode.md
- text: Surface Brightness Control
url: microsoft-surface-brightness-control.md
- text: Battery Limit setting
url: battery-limit.md
# Card
- title: Support and community
- title: Browse support solutions
linkLists:
- linkListType: learn
links:
- text: Top support solutions
url: support-solutions-surface.md
- text: Maximize your Surface battery life
url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life
- text: Protecting your data during Surface repair or service
url: https://support.microsoft.com/help/4023508/surface-faq-protecting-your-data-service
- text: Troubleshoot Surface Dock and docking stations
url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations
- linkListType: reference
# Card
- title: Participate in Surface Community
linkLists:
- linkListType: learn
links:
- text: Surface IT Pro blog
url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro
- text: Surface Devices Tech Community
url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
- text: Microsoft Mechanics Surface videos
url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
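Review bot: `- linkListType: reference` at the end of the "Browse support solutions" card has no `links:` block beneath it; either delete the dangling entry or add the links it was meant to hold, since an empty list type may fail landing-page validation or render an empty group. The retitled cards ("Browse support solutions", "Participate in Surface Community") otherwise read clearly.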
@ -11,9 +11,10 @@ ms.mktglfcycl: manage
ms.pagetype: surface, devices, security
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.author: greglin
ms.topic: article
ms.audience: itpro
audience: itpro
ms.date: 05/11/2020
---
# Microsoft Surface Data Eraser
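Review bot: after this change the front matter carries both `ms.audience: itpro` and `audience: itpro`; keep only one of the two keys (the HoloLens file added in this same commit uses `audience:`), and with `ms.author` changing from v-jokai to greglin, confirm that the unchanged `author: coveminer` is still the intended GitHub author for the page.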
@ -28,6 +29,8 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d
Compatible Surface devices include:
* Surface Book 3
* Surface Go 2
* Surface Pro 7
* Surface Pro X
* Surface Laptop 3
@ -164,6 +167,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following:
### 3.30.139
*Release Date: 11 May 2020*
This version of Surface Data Eraser adds support for:
- Surface Book 3
- Surface Go 2
- New SSD in Surface Go
### 3.28.137
*Release Date: 11 Nov 2019*
This version of Surface Data Eraser:
@ -1,410 +0,0 @@
---
title: Step by step Surface Deployment Accelerator (Surface)
description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices.
ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032
ms.reviewer:
manager: laurawi
ms.localizationpriority: medium
keywords: deploy, configure
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: coveminer
ms.author: v-jokai
ms.topic: article
ms.date: 10/31/2019
---
# Step by step: Surface Deployment Accelerator
This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE).
> [!NOTE]
> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md).
## How to install Surface Deployment Accelerator
|
||||
|
||||
For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md).
|
||||
|
||||
1. Download SDA, which is included in [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center.
|
||||
|
||||
2. Run the SDA installation file, named **Surface\_Deployment\_Accelerator\_*xxxx*.msi**, where *xxxx* is the current version number.
|
||||
|
||||
3. Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1.
|
||||
|
||||

|
||||
|
||||
*Figure 1. SDA setup*
|
||||
|
||||
4. Click **Finish** to complete the installation of SDA.
|
||||
|
||||
The tool installs in the SDA program group, as shown in Figure 2.
|
||||
|
||||

|
||||
|
||||
*Figure 2. The SDA program group and icon*
|
||||
|
||||
>[!NOTE]
|
||||
>At this point, the tool has not yet prepared any deployment environment or downloaded any materials from the Internet.
|
||||
|
||||
## Create a deployment share
|
||||
|
||||
The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps.
|
||||
|
||||
>[!NOTE]
|
||||
>SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice.
|
||||
|
||||
1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen.
|
||||
|
||||
2. On the **Welcome** page, click **Next** to continue.
|
||||
|
||||
3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue.
|
||||
|
||||
>[!NOTE]
|
||||
>As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows:
|
||||
> * Deployment tools
|
||||
> * User State Migration Tool (USMT)
|
||||
> * Windows Preinstallation Environment (WinPE)
|
||||
|
||||
> [!NOTE]
|
||||
> As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1.
|
||||
|
||||
4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue.
|
||||
|
||||
5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue:
|
||||
|
||||
- **Configure Deployment Share for Windows 10**
|
||||
|
||||
- **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3.
|
||||
|
||||
- **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**.
|
||||
|
||||
- **Windows 10 Deployment Services**
|
||||
|
||||
- Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot.
|
||||
|
||||
- **Windows 10 Source Files**
|
||||
|
||||
- **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**.
|
||||
|
||||

|
||||
|
||||
*Figure 3. Specify Windows 10 deployment share options*
|
||||
|
||||
6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue.
|
||||
|
||||

|
||||
|
||||
*Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers*
|
||||
|
||||
>[!NOTE]
|
||||
>You cannot select both Surface 3 and Surface 3 LTE models at the same time.
|
||||
|
||||
7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes:
|
||||
|
||||
- Download of Windows ADK
|
||||
|
||||
- Installation of Windows ADK
|
||||
|
||||
- Download of MDT
|
||||
|
||||
- Installation of MDT
|
||||
|
||||
- Download of Surface apps and drivers
|
||||
|
||||
- Creation of the deployment share
|
||||
|
||||
- Import of Windows installation files into the deployment share
|
||||
|
||||
- Import of the apps and drivers into the deployment share
|
||||
|
||||
- Creation of rules and task sequences for Windows deployment
|
||||
|
||||

|
||||
|
||||
*Figure 5. The Installation Progress window*
|
||||
|
||||
### Optional: Workaround for Webclient exception
|
||||
|
||||
You may see this error message while installing the latest version of ADK or MDT: _An exception occurred during a WebClient request._ This is due to incompatibility between the Surface Deployment Accelerator (SDA) and Background Intelligent Transfer Service (BITS). To work around this issue, do the following.
|
||||
|
||||
In the two PowerShell scripts:
|
||||
|
||||
```PowerShell
|
||||
%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1
|
||||
%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1
|
||||
```
|
||||
|
||||
Edit the $BITSTransfer variable in the input parameters to $False as shown below:
|
||||
|
||||
```PowerShell
|
||||
Param(
|
||||
[Parameter(
|
||||
Position=0,
|
||||
Mandatory=$False,
|
||||
HelpMessage="Download via BITS bool true/false"
|
||||
)]
|
||||
[string]$BITSTransfer = $False
|
||||
)
|
||||
```
|
||||
|
||||
8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices.
|
||||
|
||||
### Optional: Create a deployment share without an Internet connection
|
||||
|
||||
If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver and app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6.
|
||||
|
||||
>[!NOTE]
|
||||
>All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step.
|
||||
|
||||
>[!NOTE]
|
||||
>The driver and app files do not need to be extracted from the downloaded .zip files.
|
||||
|
||||
>[!NOTE]
|
||||
>Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files.
|
||||
|
||||

|
||||
|
||||
*Figure 6. Specify the Surface driver and app files from a local path*
|
||||
|
||||
>[!NOTE]
|
||||
>The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later.
|
||||
|
||||
### <a href="" id="optional"></a>Optional: Prepare offline USB media
|
||||
|
||||
You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection.
|
||||
|
||||
>[!NOTE]
|
||||
>The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended.
|
||||
|
||||
Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7:
|
||||
|
||||
1. **diskpart** – Opens DiskPart to manage disks and partitions.
|
||||
|
||||
2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk number that corresponds with your USB drive.
|
||||
|
||||
3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system.
|
||||
|
||||
4. **clean** – Removes all configuration from your USB drive.
|
||||
|
||||
>[!WARNING]
|
||||
>This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command.
|
||||
|
||||
5. **create part pri** – Creates a primary partition on the USB drive.
|
||||
|
||||
6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format. FAT32 is required to boot the device from UEFI systems like Surface devices.
|
||||
|
||||
7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume.
|
||||
|
||||
8. **active** – Sets the partition to be active, which is required to boot the volume.
|
||||
|
||||
9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window.
|
||||
|
||||

|
||||
|
||||
*Figure 7. Use DiskPart to prepare a USB drive for boot*
|
||||
|
||||
>[!NOTE]
|
||||
>You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly.
|
||||
|
||||
After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps:
|
||||
|
||||
1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen.
|
||||
|
||||
2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment share.
|
||||
|
||||
3. Expand the folder **Advanced Configuration** and select the **Media** folder.
|
||||
|
||||
4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard.
|
||||
|
||||

|
||||
|
||||
*Figure 8. The Media folder of the SDA deployment share*
|
||||
|
||||
5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**.
|
||||
|
||||

|
||||
|
||||
*Figure 9. Specify a location and selection profile for your offline media*
|
||||
|
||||
6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media.
|
||||
|
||||
7. A **Progress** page is displayed while the media is created.
|
||||
|
||||
8. On the **Confirmation** page, click **Finish** to complete creation of the media.
|
||||
|
||||
9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10.
|
||||
|
||||

|
||||
|
||||
*Figure 10. Rules of the SDA deployment share*
|
||||
|
||||
10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text.
|
||||
|
||||
11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties.
|
||||
|
||||
12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab.
|
||||
|
||||
13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share rules.
|
||||
|
||||
14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad.
|
||||
|
||||
15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text.
|
||||
|
||||
16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share properties to close the window.
|
||||
|
||||
17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad.
|
||||
|
||||
18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file.
|
||||
|
||||
19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file:
|
||||
|
||||
```PowerShell
|
||||
UserID=
|
||||
UserDomain=
|
||||
UserPassword=
|
||||
DeployRoot=\\SDASERVER\SDAWin10
|
||||
UserID=
|
||||
UserDomain=
|
||||
UserPassword=
|
||||
```
|
||||
|
||||

|
||||
|
||||
*Figure 11. The Bootstrap.ini file of MEDIA001*
|
||||
|
||||
20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window.
|
||||
|
||||
21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share.
|
||||
|
||||

|
||||
|
||||
*Figure 12. Select the Update Media Content option*
|
||||
|
||||
22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.**
|
||||
|
||||
The final step is to copy the offline media files to your USB drive.
|
||||
|
||||
1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**.
|
||||
|
||||
2. Copy all of the files from the Content folder to the root of the USB drive.
|
||||
|
||||
Your USB drive is now configured as bootable offline media that contains all of the resources required to perform a deployment to a Surface device.
|
||||
|
||||
## SDA task sequences
|
||||
|
||||
The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components).
|
||||
|
||||

|
||||
|
||||
*Figure 13. Task sequences in the Deployment Workbench*
|
||||
|
||||
### Deploy Microsoft Surface
|
||||
|
||||
The **1 – Deploy Microsoft Surface** task sequence is used to perform a complete deployment of Windows to a Surface device. This task sequence is pre-configured by the SDA wizard and is ready to perform a deployment as soon as the wizard completes. Running this task sequence on a Surface device deploys the unaltered Windows image copied directly from the Windows installation media you specified in the SDA wizard, along with the Surface drivers for your device. The drivers for your Surface device will be automatically selected through the pre-configured deployment share rules.
|
||||
|
||||
When you run the task sequence, you will be prompted to provide the following information:
|
||||
|
||||
- A computer name
|
||||
|
||||
- Your domain information and the credentials required to join the domain
|
||||
|
||||
- A product key, if one is required
|
||||
|
||||
>[!NOTE]
|
||||
>If you are deploying the same version of Windows as the version that came on your device, no product key is required.
|
||||
|
||||
- A time zone
|
||||
|
||||
- An Administrator password
|
||||
|
||||
The Surface apps you specified on the **Configure** page of the SDA wizard are automatically installed when you run this task sequence on a Surface device.
|
||||
|
||||
### Create Windows reference image
|
||||
|
||||
The **2 – Create Windows Reference Image** task sequence is used to perform a deployment to a virtual machine for the purpose of capturing an image complete with Windows Updates for use in a deployment to Surface devices. By installing Windows Updates in your reference image, you eliminate the need to download and install those updates on each deployed Surface device. The deployment process with an up-to-date image is significantly faster and more efficient than performing a deployment first and then installing Windows Updates on each device.
|
||||
|
||||
Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations.
|
||||
|
||||
>[!NOTE]
|
||||
>Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and Microsoft Endpoint Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt).
|
||||
|
||||
In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard.
|
||||
|
||||
## Deployment to Surface devices
|
||||
|
||||
|
||||
To perform a deployment from the SDA deployment share, follow this process on the Surface device:
|
||||
|
||||
1. Boot the Surface device to MDT boot media for the SDA deployment share. You can do this over the network by using PXE boot, or from a USB drive as described in the [Optional: Prepare offline USB media](#optional) section of this article.
|
||||
|
||||
2. Select the deployment share for the version of Windows you intend to deploy and enter your credentials when you are prompted.
|
||||
|
||||
3. Select the task sequence you want to run, usually the **1 – Deploy Microsoft Surface** task sequence.
|
||||
|
||||
4. Address the task sequence prompts to pick applications, supply a password, and so on.
|
||||
|
||||
5. The task sequence performs the automated deployment using the options specified.
|
||||
|
||||
### Boot the Surface device from the network
|
||||
|
||||
To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot files must have been imported into WDS. The SDA wizard will import these file automatically if the **Import boot media into the local Windows Deployment Service** check box was selected on the page for the version of Windows you intend to deploy.
|
||||
|
||||
To boot the Surface device from the network, you must also use a Microsoft Surface Ethernet Adapter or the Ethernet port on a Microsoft Surface Dock. Third-party Ethernet adapters are not supported for network boot (PXE boot). A keyboard is also required. Both the Microsoft Surface Type Cover and keyboards connected via USB to the device or dock are supported.
|
||||
|
||||
To instruct your Surface device to boot from the network, start with the device powered off and follow these steps:
|
||||
|
||||
1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the network.
|
||||
|
||||
2. Press **Enter** when prompted by the dialog on the screen. This prompt indicates that your device has found the WDS PXE server over the network.
|
||||
|
||||
3. If you have configured more than one deployment share on this device, you will be prompted to select between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows 8.1 deployment share, you will be prompted to choose between these two options.
|
||||
|
||||
4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14.
|
||||
|
||||

|
||||
|
||||
*Figure 14. The prompt for credentials to the deployment share*
|
||||
|
||||
5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
|
||||
|
||||
### Alternatively boot the devices from the USB stick
|
||||
|
||||
To boot a device from the USB stick:
|
||||
|
||||
1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the USB drive.
|
||||
|
||||
2. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process.
|
||||
|
||||
### Run the Deploy Microsoft Surface task sequence
|
||||
|
||||
To run the Deploy Microsoft Surface task sequence:
|
||||
|
||||
1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.**
|
||||
|
||||

|
||||
|
||||
*Figure 15. Select the 1 – Deploy Microsoft Surface task sequence*
|
||||
|
||||
2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**.
|
||||
|
||||

|
||||
|
||||
*Figure 16. Enter the computer name and domain information*
|
||||
|
||||
3. On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario.
|
||||
|
||||
4. On the **Locale and Time** page, select your desired **Language Settings** and **Time Zone**, and then click **Next.**
|
||||
|
||||
5. On the **Administrator Password** page, type a password for the local Administrator account on the Surface device, and then click **Next.**
|
||||
|
||||
6. On the **BitLocker** page, select the **Enable BitLocker** option along with your desired configuration of BitLocker protectors if you want to encrypt the device. Otherwise, keep the **Do not enable BitLocker for this computer** check box selected, and then click **Next.**
|
||||
|
||||
7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17).
|
||||
|
||||

|
||||
|
||||
*Figure 17. The Installation Progress window*
|
||||
|
||||
8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device.
|
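Review bot: Deleting step-by-step-surface-deployment-accelerator.md removes procedures that the remaining SDA article may not carry; before merging, confirm that microsoft-surface-deployment-accelerator.md (which this file's own "How to install" section links to) or another live page covers them, and that a redirect exists for the old path. The two that matter most for security exist only in this file: the instruction to delete `UserID=`, `UserDomain=`, `UserPassword=` and `DeployRoot=\\SDASERVER\SDAWin10` from the MEDIA001 Bootstrap.ini before producing offline USB media, without which the USB stick ships deployment-share credentials in plaintext, and the statement that the SDA scripts share the deployment folder to **Everyone** with **Full Control**, which readers need in order to tighten the share ACL. The Webclient/BITS workaround (`$BITSTransfer = $False` in Install-MDT.ps1 and INSTALL-WindowsADK.ps1) and the `#optional` offline-media anchor referenced from "Deployment to Surface devices" also disappear with this file.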
@ -6,12 +6,12 @@ ms.mktglfcycl: manage
|
||||
ms.localizationpriority: medium
|
||||
ms.sitesec: library
|
||||
author: coveminer
|
||||
ms.author: v-jokai
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.date: 10/31/2019
|
||||
ms.date: 05/11/2020
|
||||
ms.reviewer: hachidan
|
||||
manager: laurawi
|
||||
ms.audience: itpro
|
||||
audience: itpro
|
||||
---
|
||||
|
||||
# Deploy Surface Diagnostic Toolkit for Business
|
||||
@ -41,6 +41,9 @@ Command line | Directly troubleshoot Surface devices remotely without user inter
|
||||
|
||||
SDT for Business is supported on Surface 3 and later devices, including:
|
||||
|
||||
- Surface Book 3
|
||||
- Surface Go 2
|
||||
- Surface Pro X
|
||||
- Surface Pro 7
|
||||
- Surface Laptop 3
|
||||
- Surface Pro 6
|
||||
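Review bot: Surface Pro X is added to the supported-device list here, but the 2.94.139.0 entry added to "Changes and updates" later in this patch lists only Surface Go 2 and Surface Book 3; if Pro X support arrived in 2.43.139.0 it should appear under that version, otherwise add it to the 2.94.139.0 bullets so the support list and the changelog agree.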
@ -116,6 +119,7 @@ In addition to the .exe file, SDT installs a JSON file and an admin.dll file (mo
|
||||
*Figure 2. Files installed by SDT*
|
||||
|
||||
<span id="create-custom-sdt" />
|
||||
|
||||
## Preparing the SDT package for distribution
|
||||
|
||||
Creating a custom package allows you to target the tool to specific known issues.
|
||||
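Review bot: `<span id="create-custom-sdt" />` is a self-closing tag on a non-void HTML element; markdown renderers that pass HTML through treat it as an unclosed `<span>` and may wrap the following heading and paragraph inside it. Use an explicitly closed element, `<span id="create-custom-sdt"></span>`, or the `<a href="" id="..."></a>` anchor form the Surface articles already use (see the `#optional` anchor in the deleted SDA file in this same patch).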
@ -170,6 +174,18 @@ You can select to run a wide range of logs across applications, drivers, hardwar
|
||||
- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
|
||||
|
||||
## Changes and updates
|
||||
|
||||
### Version 2.94.139.0
|
||||
*Release date: May 11, 2020*<br>
|
||||
This version of Surface Diagnostic Toolkit for Business adds support for the following:
|
||||
|
||||
- Ability to skip Windows Update to perform hardware check.
|
||||
- Ability to receive notifications for about the latest version update
|
||||
- Surface Go 2
|
||||
- Surface Book 3
|
||||
- Show progress indicator
|
||||
|
||||
|
||||
### Version 2.43.139.0
|
||||
*Release date: October 21, 2019*<br>
|
||||
This version of Surface Diagnostic Toolkit for Business adds support for the following:
|
||||
|
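Review bot: "Ability to receive notifications for about the latest version update" has a stray "for", and "Show progress indicator" breaks the "Ability to ..." pattern of the other bullets. More importantly, "Ability to skip Windows Update to perform hardware check" should say exactly what is skipped: if it is the pre-check that the device is fully patched before diagnostics run, write "skip the Windows Update check", because as written it reads as if the tool can suppress updating. The supported-device list earlier in this patch adds Surface Pro X, which appears under no visible version entry; if 2.94.139.0 is where it landed, add it here.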
@ -7,12 +7,13 @@ ms.mktglfcycl: manage
|
||||
ms.pagetype: surface, devices, security
|
||||
ms.sitesec: library
|
||||
author: coveminer
|
||||
ms.author: v-jokai
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.reviewer: scottmca
|
||||
manager: laurawi
|
||||
ms.localizationpriority: medium
|
||||
ms.audience: itpro
|
||||
audience: itpro
|
||||
ms.date: 05/11/2020
|
||||
---
|
||||
|
||||
# Microsoft Surface Enterprise Management Mode
|
||||
@ -95,7 +96,7 @@ The following list shows all the available devices you can manage in SEMM:
|
||||
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
|
||||
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. |
|
||||
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. |
|
||||
| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. |
|
||||
| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the Boot page is displayed. |
|
||||
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. |
|
||||
|
||||
|
||||
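Review bot: The Boot row fix is correct (the old text said "DateTime page" for the Boot setting). While here, the lead-in sentence visible in the hunk header, "The following list shows all the available devices you can manage in SEMM", describes a table of Surface UEFI pages and settings, not devices; "settings" matches the rows.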
@ -227,6 +228,11 @@ create a reset package using PowerShell to reset SEMM.
|
||||
|
||||
## Version History
|
||||
|
||||
The latest version of SEMM released May 11, 2020 includes:
|
||||
- Support for Surface Go 2
|
||||
- Support for Surface Book 3
|
||||
- Bug fixes
|
||||
|
||||
### Version 2.59.
|
||||
* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported.
|
||||
- Support to Wake on Power feature
|
||||
|
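Review bot: The new entry "The latest version of SEMM released May 11, 2020 includes:" has no version number and no `### Version` heading, unlike the `### Version 2.59.` entry below it; "latest" goes stale at the next release and readers cannot match it to the SEMM build they have installed. Give it a `### Version x.y` heading with the actual number and replace "Bug fixes" with what was fixed. The existing `### Version 2.59.` heading also ends in a trailing period that looks like a truncated version string, and its bullets mix `*` and `-`.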
@ -13,37 +13,27 @@ ms.prod: w10
ms.date: 06/16/2016
---


# Deploying the App-V 5.1 Server


You can install the Microsoft Application Virtualization (App-V) 5.1 server features by using different deployment configurations, which described in this topic. Before you install the server features, review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md).

For information about deploying the App-V Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51).

**Important**
Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.


> [!IMPORTANT]
> Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.

## <a href="" id="---------app-v-5-1-server-overview"></a> App-V 5.1 Server overview


The App-V 5.1 Server is made up of five components. Each component serves a different purpose within the App-V 5.1 environment. Each of the five components is briefly described here:

- Management Server – provides overall management functionality for the App-V 5.1 infrastructure.

- Management Database – facilitates database predeployments for App-V 5.1 management.

- Publishing Server – provides hosting and streaming functionality for virtual applications.

- Reporting Server – provides App-V 5.1 reporting services.

- Reporting Database – facilitates database predeployments for App-V 5.1 reporting.

## <a href="" id="---------app-v-5-1-stand-alone-deployment"></a> App-V 5.1 stand-alone deployment


The App-V 5.1 standalone deployment provides a good topology for a small deployment or a test environment. When you use this type of implementation, all server components are deployed to a single computer. The services and associated databases will compete for the resources on the computer that runs the App-V 5.1 components. Therefore, you should not use this topology for larger deployments.

[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
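Review bot: the context line "You can install the Microsoft Application Virtualization (App-V) 5.1 server features by using different deployment configurations, which described in this topic" is missing a verb; since this hunk already reworks the intro's Important note, change it to "which are described in this topic".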
@ -52,7 +42,6 @@ The App-V 5.1 standalone deployment provides a good topology for a small deploym

## <a href="" id="---------app-v-5-1-server-distributed-deployment"></a> App-V 5.1 Server distributed deployment


The distributed deployment topology can support a large App-V 5.1 client base and it allows you to more easily manage and scale your environment. When you use this type of deployment, the App-V 5.1 Server components are deployed across multiple computers, based on the structure and requirements of the organization.

[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md)
@ -67,19 +56,15 @@ The distributed deployment topology can support a large App-V 5.1 client base an

## Using an Enterprise Software Distribution (ESD) solution and App-V 5.1


You can also deploy the App-V 5.1 clients and packages by using an ESD without having to deploy App-V 5.1. The full capabilities for integration will vary depending on the ESD that you use.

**Note**
The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.


> [!NOTE]
> The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.

[Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md)

## <a href="" id="---------app-v-5-1-server-logs"></a> App-V 5.1 Server logs


You can use App-V 5.1 server log information to help troubleshoot the server installation and operational events while using App-V 5.1. The server-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Server-related events:

**Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V**
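Review bot: the heading in this hunk expands ESD as "Enterprise Software Distribution" while the link text a few lines below calls it "Electronic Software Distribution (ESD)"; settle on one expansion for the heading and the linked topic title.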
@ -92,13 +77,10 @@ In App-V 5.0 SP3, some logs were consolidated and moved. See [About App-V 5.0 SP

## <a href="" id="---------app-v-5-1-reporting"></a> App-V 5.1 reporting


App-V 5.1 reporting allows App-V 5.1 clients to collect data and then send it back to be stored in a central repository. You can use this information to get a better view of the virtual application usage within your organization. The following list displays some of the types of information the App-V 5.1 client collects:

- Information about the computer that runs the App-V 5.1 client.

- Information about virtualized packages on a specific computer that runs the App-V 5.1 client.

- Information about package open and shutdown for a specific user.

The reporting information will be maintained until it is successfully sent to the reporting server database. After the data is in the database, you can use Microsoft SQL Server Reporting Services to generate any necessary reports.
@ -111,19 +93,4 @@ Use the following link for more information [About App-V 5.1 Reporting](about-ap

## Other resources for the App-V server


[Deploying App-V 5.1](deploying-app-v-51.md)














@ -13,75 +13,42 @@ ms.prod: w10
ms.date: 06/16/2016
---


# How to Deploy the App-V Databases by Using SQL Scripts


Use the following instructions to use SQL scripts, rather than the Windows Installer, to:

- Install the App-V 5.1 databases

- Upgrade the App-V databases to a later version

**Note**
If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
> [!NOTE]
> If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.



**How to install the App-V databases by using SQL scripts**
## How to install the App-V databases by using SQL scripts

1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
1. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
1. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.

2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
Example: appv\_server\_setup.exe /layout c:\\<_temporary location path_>

3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
1. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:

Example: appv\_server\_setup.exe /layout c:\\<temporary location path>
| Database | Location of Readme.txt file to use |
|--|--|
| Management database | ManagementDatabase subfolder |
| Reporting database | ReportingDatabase subfolder |

4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
> [!CAUTION]
> The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.

<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Database</th>
<th align="left">Location of Readme.txt file to use</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Management database</p></td>
<td align="left"><p>ManagementDatabase subfolder</p></td>
</tr>
<tr class="even">
<td align="left"><p>Reporting database</p></td>
<td align="left"><p>ReportingDatabase subfolder</p></td>
</tr>
</tbody>
</table>



~~~
**Caution**
The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.



**Important**
The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
> [!IMPORTANT]
> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.

The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3.
~~~

## Updated management database README file content


**Updated management database README file content**

``` syntax
```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
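Review bot: of the two `Example:` lines in this hunk, the one that is kept must not use the bare `<temporary location path>` form: Markdown parses `<temporary location path>` as an inline HTML tag and the placeholder vanishes from the rendered page, so keep `<_temporary location path_>` or, better, put the whole command in a code span. Separately, the Permissions.sql sentence that follows the new `> [!IMPORTANT]` admonition is left as a plain paragraph; if it belongs to the admonition, prefix it with `> ` as well.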
@ -144,9 +111,9 @@ Steps to install "AppVManagement" schema in SQL SERVER.

```

**Updated reporting database README file content**
## Updated reporting database README file content

``` syntax
```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
@ -222,20 +189,10 @@ Steps to install "AppVReporting" schema in SQL SERVER.

```

**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).

## Related topics


[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)

[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)









@ -13,10 +13,8 @@ ms.prod: w10
ms.date: 06/16/2016
---


# How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell


Use the following PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts.

Before attempting this procedure, you should read and understand the information and examples displayed in the following list:
@ -33,13 +31,10 @@ Before attempting this procedure, you should read and understand the information

**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**

\#>

**To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)**
## To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)

1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**.

2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
1. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.

```powershell
<#
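Review bot: step 1 tells the reader to save the script as **ConvertToSIDs.ps1**, but the example at the top of this hunk (and every later invocation in the topic) runs `.\ConvertToSID.ps1`; use one file name. The stray `\#>` context line above the heading also renders as a literal `#>` on the page, which suggests the script's comment-based help text was pasted outside the fenced block; either move it into the block or delete it.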
@ -61,7 +56,7 @@ Before attempting this procedure, you should read and understand the information
function ConvertSIDToHexFormat
{

param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert)
param([System.Security.Principal.SecurityIdentifier]$sidToConvert)

$sb = New-Object System.Text.StringBuilder
[int] $binLength = $sidToConvert.BinaryLength
@ -79,7 +74,7 @@ Before attempting this procedure, you should read and understand the information

[string]::Format("{0}====== Description ======{0}{0}" +
" Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" +
" Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" +
" Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.ps1 DOMAIN\Account1 DOMAIN\Account2 ...'){0}" +
" The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" +
" And can be written out to a file using standard PowerShell redirection{0}" +
" Please specify user accounts in the format 'DOMAIN\username'{0}" +
@ -131,17 +126,21 @@ Before attempting this procedure, you should read and understand the information
Write-Output $SIDs
}
}
3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
```

1. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.

For example,

**.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
**.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**

**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”**
or

**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
**$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**

**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).

## Related topics


[Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md)

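Review bot: the example `.\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200`, which this hunk rewrites, does not run: `Write-Output` has no `-FilePath` or `-Width` parameter; those belong to `Out-File`, so the line should read `.\ConvertToSID.ps1 $accountsArray | Out-File -FilePath .\SIDs.txt -Width 200`. In the same block, the third array element `"DOMAIN\_user\_account2"` has an underscore where the other two entries use a backslash after DOMAIN; it should be `"DOMAIN\user_account2"`.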
@ -13,114 +13,74 @@ ms.prod: w10
ms.date: 06/16/2016
---


# How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services


Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail.

**Note**
After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
> [!NOTE]
> After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.



**To install the management database and the management server on separate computers**
## To install the management database and the management server on separate computers

1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
1. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
1. On the **Installation Location** page, accept the default location and click **Next**.
1. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.

2. On the **Getting Started** page, review and accept the license terms, and click **Next**.

3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.

4. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.

5. On the **Installation Location** page, accept the default location and click **Next**.

6. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.

If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.

If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.\
If you are using a custom database name, then select **Custom configuration** and type the database name.

7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
1. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.

**Note**
If you plan to deploy the management server on the same computer you must select **Use this local computer**.
> [!NOTE]
> If you plan to deploy the management server on the same computer you must select **Use this local computer**.

1. Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
1. To start the installation, click **Install**.


~~~
Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
~~~

8. To start the installation, click **Install**.

**To install the reporting database and the reporting server on separate computers**
## To install the reporting database and the reporting server on separate computers

1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.

2. On the **Getting Started** page, review and accept the license terms, and click **Next**.

3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.

4. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.

5. On the **Installation Location** page, accept the default location and click **Next**.

6. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
1. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
1. On the **Installation Location** page, accept the default location and click **Next**.
1. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.

If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.

If you are using a custom database name, then select **Custom configuration** and type the database name.

7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
1. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.

**Note**
If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
> [!NOTE]
> If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.

1. Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
1. To start the installation, click **Install**.


~~~
Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
~~~

8. To start the installation, click **Install**.

**To install the management and reporting databases using App-V 5.1 database scripts**
## To install the management and reporting databases using App-V 5.1 database scripts

1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
1. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:

2. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
**appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR="InstallationExtractionLocation"**.

**appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR=”InstallationExtractionLocation”**.

3. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
1. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:

- The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.

- The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.

4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
1. For each database, copy the scripts to a share and modify them following the instructions in the readme file.

**Note**
For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
> [!NOTE]
> For more information about modifying the required SIDs contained in the scripts, see [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).

1. Run the scripts on the computer running Microsoft SQL Server.


5. Run the scripts on the computer running Microsoft SQL Server.

**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).

## Related topics


[Deploying App-V 5.1](deploying-app-v-51.md)









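Review bot: the extracted-folder path given in the two bullet items, `**Database Scripts** \\ **Management Database**` and `**Database Scripts** \\ **Reporting Database**`, does not match the `DatabaseScripts` folder and `ManagementDatabase` / `ReportingDatabase` subfolder names that the SQL-scripts topic changed in this same commit uses for the same extraction; confirm the real folder names and use one spelling in both topics. The repeated step "Copy the App-V 5.1 server installation files to the computer on which you want to install it on" also carries a redundant trailing "on".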
@ -2,6 +2,7 @@
title: Microsoft Store for Business and Education (Windows 10)
description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school.
ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8
manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -10,7 +11,7 @@ author: TrudyHa
ms.author: TrudyHa
ms.topic: conceptual
ms.localizationpriority: high
ms.date: 10/17/2017
ms.date: 05/14/2020
---

# Microsoft Store for Business and Education

@ -1,6 +1,6 @@
---
title: Deploying Microsoft Office 2016 by using App-V (Windows 10)
description: Deploying Microsoft Office 2016 by using App-V
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

@ -1,6 +1,6 @@
---
title: Evaluating App-V (Windows 10)
description: Evaluating App-V for Windows 10
description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

@ -1,6 +1,6 @@
---
title: Maintaining App-V (Windows 10)
description: Maintaining App-V
description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy

@ -1,13 +1,13 @@
---
title: Preparing Your Environment for App-V (Windows 10)
description: Preparing Your Environment for App-V
author: lomayor
description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V).
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
ms.prod: w10
ms.date: 04/18/2018
ms.reviewer:
author: dansimp
manager: dansimp
ms.author: dansimp
ms.topic: article

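Review bot: dropping `author: lomayor` here also removes a duplicate `author` key (the front matter keeps `author: dansimp` further down), which YAML loaders otherwise resolve silently as last-wins; worth a mention in the commit message, and worth a grep for the same duplicate in the sibling App-V topics whose descriptions this commit edits, since they still carry `author: lomayor` near the top.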
@ -1,6 +1,6 @@
---
title: Per-user services in Windows 10 and Windows Server
description: Learn about per-user services introduced in Windows 10.
description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

@ -2,7 +2,7 @@
title: Advanced Troubleshooting 802.1X Authentication
ms.reviewer:
manager: dansimp
description: Learn how 802.1X Authentication works
description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients.
keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi
ms.prod: w10
ms.mktglfcycl:
@ -73,7 +73,7 @@ The following article explains how to analyze CAPI2 event logs:

When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:




If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:

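Review bot: the changed figure line is not visible in this rendering, so the image swap itself cannot be checked here; while this paragraph is being touched, the context sentence "Type **EAPOL** in the Display Filter in for a client side capture" has a stray "in" that should be dropped ("in the Display Filter for a client side capture").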
@ -2,7 +2,7 @@
title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
description: Data needed for reviewing 802.1X Authentication issues
description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:

@ -1,6 +1,6 @@
---
title: Client management (Windows 10)
description: Windows 10 client management
description: Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library

@ -15,13 +15,10 @@ ms.topic: article

# Create mandatory user profiles


**Applies to**

- Windows 10



A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.

Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
@ -30,8 +27,6 @@ When the server that stores the mandatory profile is unavailable, such as when t
|
||||
|
||||
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
|
||||
|
||||
<span id="extension"/>
|
||||
|
||||
## Profile extension for each Windows version
|
||||
|
||||
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
|
||||
@ -45,121 +40,112 @@ The name of the folder in which you store the mandatory profile must use the cor
|
||||
| Windows 10, versions 1507 and 1511 | N/A | v5 |
|
||||
| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
|
||||
|
||||
For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
|
||||
For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
|
||||
|
||||
## How to create a mandatory user profile
|
||||
## Mandatory user profile
|
||||
|
||||
First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.
|
||||
|
||||
**To create a default user profile**
|
||||
### How to create a default user profile
|
||||
|
||||
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
|
||||
|
||||
> [!NOTE]
|
||||
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
|
||||
|
||||
2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
|
||||
1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
|
||||
|
||||
>[!NOTE]
|
||||
>Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
|
||||
> [!NOTE]
|
||||
> Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
|
||||
|
||||
3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
|
||||
1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
|
||||
|
||||
3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
|
||||
1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
|
||||
|
||||
> [!NOTE]
|
||||
> It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
|
||||
|
||||
>[!NOTE]
|
||||
>It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
|
||||
1. At a command prompt, type the following command and press **ENTER**.
|
||||
|
||||
3. At a command prompt, type the following command and press **ENTER**.
|
||||
```dos
|
||||
sysprep /oobe /reboot /generalize /unattend:unattend.xml
|
||||
```
|
||||
|
||||
`sysprep /oobe /reboot /generalize /unattend:unattend.xml`
|
||||
|
||||
(Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
|
||||
(Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
|
||||
|
||||
> [!TIP]
|
||||
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following:
|
||||
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
|
||||
>
|
||||
> 
|
||||
>
|
||||
> Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
|
||||
> Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
|
||||
|
||||
4. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
|
||||
1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
|
||||
|
||||
5. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
|
||||
1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
|
||||
|
||||
6. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
|
||||
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
|
||||
|
||||

|
||||
|
||||
7. In **Copy To**, under **Permitted to use**, click **Change**.
|
||||
1. In **Copy To**, under **Permitted to use**, click **Change**.
|
||||
|
||||

|
||||
|
||||
8. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
|
||||
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
|
||||
|
||||
9. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607.
|
||||
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
|
||||
|
||||
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
|
||||
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
|
||||
|
||||

|
||||
|
||||
10. Click **OK** to copy the default user profile.
|
||||
1. Click **OK** to copy the default user profile.
|
||||
|
||||
### How to make the user profile mandatory
|
||||
|
||||
**To make the user profile mandatory**
|
||||
1. In File Explorer, open the folder where you stored the copy of the profile.
|
||||
|
||||
> [!NOTE]
|
||||
> If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
|
||||
|
||||
3. In File Explorer, open the folder where you stored the copy of the profile.
|
||||
1. Rename `Ntuser.dat` to `Ntuser.man`.
|
||||
|
||||
>[!NOTE]
|
||||
>If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
|
||||
|
||||
4. Rename `Ntuser.dat` to `Ntuser.man`.
|
||||
|
||||
## How to apply a mandatory user profile to users
|
||||
## Apply a mandatory user profile to users
|
||||
|
||||
In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
|
||||
|
||||
**To apply a mandatory user profile to users**
|
||||
### How to apply a mandatory user profile to users
|
||||
|
||||
1. Open **Active Directory Users and Computers** (dsa.msc).
|
||||
|
||||
2. Navigate to the user account that you will assign the mandatory profile to.
|
||||
1. Navigate to the user account that you will assign the mandatory profile to.
|
||||
|
||||
3. Right-click the user name and open **Properties**.
|
||||
1. Right-click the user name and open **Properties**.
|
||||
|
||||
4. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\profile.v6, you would enter \\\\*server*\profile.
|
||||
1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
|
||||
|
||||
5. Click **OK**.
|
||||
1. Click **OK**.
|
||||
|
||||
It may take some time for this change to replicate to all domain controllers.
|
||||
|
||||
|
||||
|
||||
## Apply policies to improve sign-in time
|
||||
|
||||
When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
|
||||
|
||||
|
||||
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
|
||||
| --- | --- | --- | --- | --- |
|
||||
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
|
||||
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
|
||||
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
|
||||
|
||||
> [!Note]
|
||||
> [!NOTE]
|
||||
> The Group Policy settings above can be applied in Windows 10 Professional edition.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
|
||||
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
|
||||
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
|
||||
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
|
||||
|
||||
|
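Review bot: file-name casing is inconsistent across the rewritten procedure: the paragraph in the earlier hunk uses `NTuser.dat` / `NTuser.man`, while the "How to make the user profile mandatory" step here uses `Ntuser.dat` / `Ntuser.man`; pick one spelling. Two smaller points in the same hunk: "For examples on how to uninstall Windows 10 Application see" should read "Windows 10 applications, see", and now that the step links to `#profile-extension-for-each-windows-version` the `<span id="extension"/>` kept above that heading has no remaining referrer and can be dropped. Finally, the Copy To step has the reader grant "Permitted to use" to `everyone` without saying why; a clause noting that the copied profile must be readable by every account that will load it would stop admins who harden the share from tightening that ACL and breaking sign-in.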
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: AppLocker DDF file
|
||||
description: AppLocker DDF file
|
||||
description: See the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
|
||||
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: CertificateStore CSP
|
||||
description: CertificateStore CSP
|
||||
description: Use the The CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
|
||||
ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
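Review bot: duplicated article in the new description, "Use the The CertificateStore" should be "Use the CertificateStore"; and "secure socket layers (SSL)" should be "Secure Sockets Layer (SSL)".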
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: CM\_CellularEntries CSP
|
||||
description: CM\_CellularEntries CSP
|
||||
description: Configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
|
||||
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: CMPolicy CSP
|
||||
description: CMPolicy CSP
|
||||
description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections.
|
||||
ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -9,7 +9,7 @@ ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
author: manikadhiman
|
||||
ms.date: 05/13/2019
|
||||
ms.date: 05/11/2020
|
||||
---
|
||||
|
||||
# Configuration service provider reference
|
||||
@ -2714,15 +2714,15 @@ The following list shows the CSPs supported in HoloLens devices:
|
||||
|
||||
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
|
||||
|------|--------|--------|--------|
|
||||
| [AccountManagement CSP](accountmanagement-csp.md) |  | 4 | 
|
||||
| [AccountManagement CSP](accountmanagement-csp.md) |  |  <sup>4</sup> | 
|
||||
| [Accounts CSP](accounts-csp.md) |  |  |  |
|
||||
| [ApplicationControl CSP](applicationcontrol-csp.md) |  |  |  |
|
||||
| [AppLocker CSP](applocker-csp.md) |  |  |  |
|
||||
| [AssignedAccess CSP](assignedaccess-csp.md) |  | 4 |  |
|
||||
| [AssignedAccess CSP](assignedaccess-csp.md) |  |  <sup>4</sup> |  |
|
||||
| [CertificateStore CSP](certificatestore-csp.md) |  | |  |
|
||||
| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |  |
|
||||
| [DevDetail CSP](devdetail-csp.md) |  |  |  |
|
||||
| [DeveloperSetup CSP](developersetup-csp.md) |  | 2 (runtime provisioning via provisioning packages only; no MDM support)|  |
|
||||
| [DeveloperSetup CSP](developersetup-csp.md) |  |  <sup>2</sup> (runtime provisioning via provisioning packages only; no MDM support)|  |
|
||||
| [DeviceManageability CSP](devicemanageability-csp.md) |  |  |  |
|
||||
| [DeviceStatus CSP](devicestatus-csp.md) |  |  |  |
|
||||
| [DevInfo CSP](devinfo-csp.md) |  |  |  |
|
||||
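Review bot: the row `| [CertificateStore CSP](certificatestore-csp.md) |  | |  |` leaves the HoloLens (1st gen) Commercial Suite cell empty while every other row in the table carries a mark or a footnote; an empty cell reads as "unsupported" by omission, so fill it in. The `<sup>4</sup>` footnote markup changes in this hunk are fine.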
@ -2731,11 +2731,12 @@ The following list shows the CSPs supported in HoloLens devices:
|
||||
| [DMClient CSP](dmclient-csp.md) |  |  |  |
|
||||
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
|
||||
| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
|
||||
| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  <sup>8</sup>|
|
||||
| [NodeCache CSP](nodecache-csp.md) |  |  |  |
|
||||
[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
|
||||
| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
|
||||
| [RemoteFind CSP](remotefind-csp.md) |  | 4 |  |
|
||||
| [RemoteWipe CSP](remotewipe-csp.md) |  | 4 |  |
|
||||
| [RemoteFind CSP](remotefind-csp.md) |  |  <sup>4</sup> |  |
|
||||
| [RemoteWipe CSP](remotewipe-csp.md) |  |  <sup>4</sup> |  |
|
||||
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
|
||||
| [Update CSP](update-csp.md) |  |  |  |
|
||||
| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
|
||||
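Review bot: the `[PassportForWork CSP](passportforwork-csp.md) |  |  |  |` row is missing its leading `|`, so markdown renderers may not treat it as a table row; it is unchanged context, but since this hunk touches the rows around it, fix it here. The new NetworkQoSPolicy row's `<sup>8</sup>` matches the footnote added in the later hunk.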
@ -2806,3 +2807,5 @@ The following list shows the CSPs supported in HoloLens devices:
|
||||
- 4 - Added in Windows 10, version 1803.
|
||||
- 5 - Added in Windows 10, version 1809.
|
||||
- 6 - Added in Windows 10, version 1903.
|
||||
- 7 - Added in Windows 10, version 1909.
|
||||
- 8 - Added in the next major release of Windows 10.
|
||||
|
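Review bot: the new footnote `8 - Added in the next major release of Windows 10.` is a placeholder that will go stale; replace it with the version number once it ships, as footnotes 4 through 7 do.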
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Enable ADMX-backed policies in MDM
|
||||
description: Guide to configuring ADMX-backed policies in MDM
|
||||
description: Use this is a step-by-step guide to configuring ADMX-backed policies in MDM.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
|
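Review bot: typo in the new description: "Use this is a step-by-step guide to configuring ADMX-backed policies in MDM" should read "Use this step-by-step guide to configure ADMX-backed policies in MDM".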
@ -54,7 +54,6 @@ The following steps demonstrate required settings using the Intune service:
|
||||
|
||||
> [!IMPORTANT]
|
||||
> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
|
||||
|
||||
> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
|
||||
|
||||
3. Verify that the device OS version is Windows 10, version 1709 or later.
|
||||
@ -117,7 +116,7 @@ Requirements:
|
||||
5. Click **Enable**, then click **OK**.
|
||||
|
||||
> [!NOTE]
|
||||
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed.
|
||||
> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later.
|
||||
The default behavior for older releases is to revert to **User Credential**.
|
||||
|
||||
When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
|
||||
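Review bot: the sentence `The default behavior for older releases is to revert to **User Credential**.` continues the NOTE callout but has no `>` prefix, so it renders as a separate paragraph outside the note; prefix it with `> ` so the two sentences stay together.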
@ -166,7 +165,7 @@ Requirements:
|
||||
- Ensure that PCs belong to same computer group.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803, version 1809, or version 1903. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
|
||||
> If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):
|
||||
> 1. Download:
|
||||
> 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or
|
||||
> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
|
||||
|
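Review bot: inconsistent spacing in the download list inside the IMPORTANT callout: `> 1803 -->[Administrative Templates (.admx) ...` lacks the space after `-->` that the 1809 line has.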
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: EnterpriseModernAppManagement XSD
|
||||
description: Here is the XSD for the application parameters.
|
||||
description: Use the EnterpriseModernAppManagement XSD for set application parameters.
|
||||
ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
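Review bot: grammar in the new description: "Use the EnterpriseModernAppManagement XSD for set application parameters" should be "to set application parameters".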
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Mobile device enrollment
|
||||
description: Mobile device enrollment is the first phase of enterprise management.
|
||||
description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise.
|
||||
ms.assetid: 08C8B3DB-3263-414B-A368-F47B94F47A11
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -429,6 +429,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
|
||||
<li>TextInput/TouchKeyboardSplitModeAvailability</li>
|
||||
<li>TextInput/TouchKeyboardWideModeAvailability</li>
|
||||
<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
|
||||
<li>Update/TargetReleaseVersion</li>
|
||||
<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
|
||||
<li>UserRights/AccessFromNetwork</li>
|
||||
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
|
||||
@ -2563,6 +2564,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|
||||
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
|
||||
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
|
||||
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: NodeCache CSP
|
||||
description: NodeCache CSP
|
||||
description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache.
|
||||
ms.assetid: b4dd2b0d-79ef-42ac-ab5b-ee07b3097876
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: OMA DM protocol support
|
||||
description: OMA DM protocol support
|
||||
description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload.
|
||||
ms.assetid: e882aaae-447e-4bd4-9275-463824da4fa0
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Personalization CSP
|
||||
description: Personalization CSP
|
||||
description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
|
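Review bot: "Use the Personalization CSP to lock screen and desktop background images" reads as "to lock [the] screen"; write "to set the lock screen and desktop background images, prevent users from changing them, and ...".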
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Personalization DDF file
|
||||
description: Personalization DDF file
|
||||
description: Learn how to set the OMA DM device description framework (DDF) for the **Personalization** configuration service provider.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
|
@ -2399,6 +2399,9 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
<dd>
|
||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel" id="localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
|
||||
</dd>
|
||||
@ -3747,6 +3750,10 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
<dd>
|
||||
<a href="./policy-csp-update.md#update-setedurestart" id="update-setedurestart">Update/SetEDURestart</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="./policy-csp-update.md#update-targetreleaseversion"id="update-targetreleaseversion">Update/TargetReleaseVersion</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<dd>
|
||||
<a href="./policy-csp-update.md#update-updatenotificationlevel" id="update-updatenotificationlevel">Update/UpdateNotificationLevel</a>
|
||||
</dd>
|
||||
|
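Review bot: this hunk leaves a stray `<dd>`: after the new `</dd>` closing the TargetReleaseVersion entry there are two consecutive `<dd>` lines before the UpdateNotificationLevel anchor, so one of them is never closed; drop the extra one. Also the new anchor `<a href="./policy-csp-update.md#update-targetreleaseversion"id="update-targetreleaseversion">` is missing the space between the `href` and `id` attributes.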
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - ActiveXControls
|
||||
description: Policy CSP - ActiveXControls
|
||||
description: Learn the ins and outs of various Policy CSP - ActiveXControls settings, including SyncML, for Windows 10.
|
||||
ms.author: dansimp
|
||||
ms.localizationpriority: medium
|
||||
ms.topic: article
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - AppRuntime
|
||||
description: Policy CSP - AppRuntime
|
||||
description: Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.Policy CSP - AppRuntime.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
|
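Review bot: the new description runs two sentences together without a space and ends with a dangling title fragment: "require an account to sign in.Policy CSP - AppRuntime." Drop the trailing "Policy CSP - AppRuntime." (the title already carries it) or separate it with proper punctuation.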
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - Bitlocker
|
||||
description: Policy CSP - Bitlocker
|
||||
description: Use the Policy configuration service provider (CSP) - Bitlocker to manage encryption of PCs and devices.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
|
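Review bot: product-name casing in the new description: "Bitlocker" should be "BitLocker" (the title line has the same issue but is unchanged here).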
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - BITS
|
||||
description: Policy CSP - BITS
|
||||
description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate.
|
||||
ms.author: dansimp
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
|
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Policy CSP - Browser
|
||||
description: Policy CSP - Browser
|
||||
description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier.
|
||||
ms.topic: article
|
||||
ms.prod: w10
|
||||
ms.technology: windows
|
||||
|
@ -111,6 +111,9 @@ manager: dansimp
|
||||
<dd>
|
||||
<a href="#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel">LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers">LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</a>
|
||||
</dd>
|
||||
@ -2385,6 +2388,74 @@ GP Info:
|
||||
|
||||
<hr/>
|
||||
|
||||
<!--Policy-->
|
||||
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedclients"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
|
||||
|
||||
<!--SupportedSKUs-->
|
||||
<table>
|
||||
<tr>
|
||||
<th>Windows Edition</th>
|
||||
<th>Supported?</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Home</td>
|
||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * Device

<hr/>

<!--/Scope-->
<!--Description-->
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients.

This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:

- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.

Default:

Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.

Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.

<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*

<!--/RegistryMapped-->
<!--/Policy-->

<hr/>

<!--Policy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**

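Review bot: the "Default:" list for this client-side NTLM session security policy stops at Windows 7 and Windows Server 2008 R2, so the page never says what a Windows 10 device (the target of this CSP, marked with footnote 4 in the SKU table) does when the policy is not configured; add a line for Windows 10 after the Windows 7 line. The description also asserts that the two options "are dependent on the LAN Manager Authentication Level security setting value" without saying how; either explain the dependency in one sentence or link to that policy's entry so an administrator can see why "Require NTLMv2 session security" may not take effect on its own.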
@ -1,6 +1,6 @@
---
title: Policy CSP - Messaging
description: Policy CSP - Messaging
description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging.
ms.author: dansimp
ms.topic: article
ms.prod: w10

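Review bot: in the new description, "Enable, and disable, text message back up and restore" reads awkwardly and "back up" should be the noun "backup". Suggest: "Enable and disable text message backup and restore, as well as Messaging Everywhere, by using the Policy CSP for messaging."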
@ -1,6 +1,6 @@
---
title: Policy CSP - Power
description: Policy CSP - Power
description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10.
ms.author: dansimp
ms.topic: article
ms.prod: w10

@ -8,14 +8,14 @@ ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 04/07/2020

ms.reviewer:
manager: dansimp
---

# Policy CSP - RestrictedGroups


> [!WARNING]
> Some information in this article relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.

<hr/>

@ -86,7 +86,7 @@ For example, you can create a Restricted Groups policy to allow only specified u
> |----------|----------|----------|----------|
> | 0x55b (Hex) <br> 1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |

Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution.

```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" version="1.0">
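Review bot: changing "0 members" to "zero members" leaves the security-critical part of the sentence as ambiguous as before: "implies clearing the access group" can be read as "the policy does nothing" or as "every existing member of the group is removed". If the latter is meant, say so in plain words, for example that a payload with no `<member>` element removes all current members of the named local group, and point out that an administrator who wants to keep access must list the intended members (including the administrator SID) explicitly.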
@ -145,8 +145,7 @@ Here's an example:
```
where:
- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for `<member name>`. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure.
The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. For best results, use SID for `<member name>`. The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured.

> [!Note]
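Review bot: the rewritten `<member name>` bullet drops the parenthetical "(**Note:** This doesn't query Azure AD)" and the sentence explaining that groups can be renamed and that name lookups are limited to AD and the local machine, yet the same bullet goes on to say the member can be a user or group in Azure AD. Without the dropped caveat a reader will assume an Azure AD account name works in `<member name>`; keep one sentence stating that the LookupAccountSID lookup does not resolve Azure AD names and that Azure AD members must therefore be given as SIDs.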
@ -154,6 +153,19 @@ The member SID can be a user account or a group in AD, Azure AD, or on the local
<!--/Example-->
<!--Validation-->

### Policy timeline

The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `<accessgroup dec>` and SID in `<member name>`. For the latest release of Windows 10, you can use name or SID for both the elements, as described in this topic.

The following table describes how this policy setting behaves in different Windows 10 versions:

| Windows 10 version | Policy behavior |
| ------------------ | --------------- |
|Windows 10, version 1803 | Added this policy setting. <br> XML accepts group and member only by name. <br> Supports configuring the administrators group using the group name. <br> Expects member name to be in the account name format. |
| Windows 10, version 1809 <br> Windows 10, version 1903 <br> Windows 10, version 1909 | Supports configuring any local group. <br> `<accessgroup desc>` accepts only name. <br> `<member name>` accepts a name or an SID. <br> This is useful when you want to ensure a certain local group always has a well-known SID as member. |
| The latest release of Windows 10 | Behaves as described in this topic. <br> Accepts name or SID for group and members and translates as appropriate. |


<!--/Validation-->
<!--/Policy-->
<hr/>

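Review bot: `<accessgroup dec>` in the Policy timeline paragraph is a typo for `<accessgroup desc>`, the element name used in the table two lines below and in the example above. The paragraph and the last table row also label the newest behaviour "The latest release of Windows 10", which stops being true as soon as another release ships; name the version, the way the other rows name 1803, 1809, 1903 and 1909, so the timeline stays accurate.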
@ -7,13 +7,16 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 10/04/2019
ms.date: 02/10/2020
ms.reviewer:
manager: dansimp
---

# Policy CSP - Update

> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.

> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).

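Review bot: the added [!NOTE] writes "Windows 10 1709 or higher" while the rest of this page uses the form "Windows 10, version 1709" and "and later"; use that form here. The note should also spell out which service "MSA service" abbreviates, because a reader who has disabled it by policy needs the service name to connect the note to the linked troubleshooting article.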
@ -194,6 +197,9 @@ manager: dansimp
<dd>
<a href="#update-setedurestart">Update/SetEDURestart</a>
</dd>
<dd>
<a href="#update-targetreleaseversion">Update/TargetReleaseVersion</a>
</dd>
<dd>
<a href="#update-updatenotificationlevel">Update/UpdateNotificationLevel</a>
</dd>
@ -4130,6 +4136,74 @@ The following list shows the supported values:

<hr/>

<!--Policy-->
<a href="" id="update-targetreleaseversion"></a>**Update/TargetReleaseVersion**

<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
</tr>
</table>

<!--/SupportedSKUs-->
<hr/>

<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):

> [!div class = "checklist"]
> * Device

<hr/>

<!--/Scope-->
<!--Description-->
Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the target Feature Update version*
- GP name: *TargetReleaseVersion*
- GP element: *TargetReleaseVersionId*
- GP path: *Windows Components/Windows Update/Windows Update for Business*
- GP ADMX file name: *WindowsUpdate.admx*

<!--/ADMXMapped-->
<!--SupportedValues-->
Value type is a string containing Windows 10 version number. For example, 1809, 1903.
<!--/SupportedValues-->
<!--Example-->

<!--/Example-->
<!--Validation-->

<!--/Validation-->
<!--/Policy-->

<hr/>

<!--Policy-->
<a href="" id="update-updatenotificationlevel"></a>**Update/UpdateNotificationLevel**

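Review bot: the new Update/TargetReleaseVersion section ships with empty `<!--Example-->` and `<!--Validation-->` blocks, and the description leaves the two cases an administrator has to reason about unstated: what the device does when it is already on a version newer than the target ("move to and/or stay on" only covers the upgrade direction), and what happens once the pinned version reaches end of service. Add a SyncML example with a value such as 1909, one sentence for each of those cases, and a statement of whether anything other than the four-digit version string shown under supported values (1809, 1903) is accepted.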
@ -4371,11 +4445,13 @@ ADMX Info:

Footnotes:

- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 1 - Available in Windows 10, version 1607.
- 2 - Available in Windows 10, version 1703.
- 3 - Available in Windows 10, version 1709.
- 4 - Available in Windows 10, version 1803.
- 5 - Available in Windows 10, version 1809.
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.

<!--/Policies-->

@ -1260,6 +1260,11 @@ GP Info:
- GP English name: *Increase scheduling priority*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*

> [!Warning]
> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.

<!--/DbMapped-->
<!--/Policy-->

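Review bot: the new [!Warning] describes the symptom but leaves the remedy implicit; state outright that **Window Manager\Window Manager Group** must stay in the **Increase scheduling priority** user right when this policy is configured, since the natural mistake is to replace the default membership with only the intended principal rather than add to it. Also use the product name "Windows Ink Workspace" rather than "INK workspace" and "Intel graphics driver" rather than "Intel GFX driver".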
@ -9,7 +9,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 07/18/2019
ms.date: 05/11/2020
---

# Policy CSPs supported by HoloLens 2
@ -59,9 +59,19 @@ ms.date: 07/18/2019
- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps)
- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps)
- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps)
- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) <sup>8</sup>
- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera)
- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation)
- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone)
- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) <sup>8</sup>
- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
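Review bot: the new `<sup>8</sup>` entries break the alphabetical order this list otherwise follows: `Privacy/LetAppsAccessCamera` now comes after the three `LetAppsAccessCamera_*` variants and after the four `LetAppsAccessGazeInput*` entries. Move the base camera entry to just before `Privacy/LetAppsAccessCamera_ForceAllowTheseApps` so the camera policies sit together, as the microphone entries already do.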
@ -83,6 +93,18 @@ ms.date: 07/18/2019
- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) <sup>8</sup>

Footnotes:

- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in the next major release of Windows 10.

## Related topics

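Review bot: footnote 8, "Added in the next major release of Windows 10", is a placeholder that becomes wrong the day that release ships and gives readers no version to check against; use the version number as footnotes 1 through 7 do, or the release name once it is public. This list also keeps "Added in", while the same commit changes the policy-csp-update.md footnotes to "Available in"; pick one wording for both pages.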
@ -1,6 +1,6 @@
---
title: PXLOGICAL configuration service provider
description: PXLOGICAL configuration service provider
description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459
ms.reviewer:
manager: dansimp

@ -1,6 +1,6 @@
---
title: RemoteLock CSP
description: RemoteLock CSP
description: Learn how RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b
ms.reviewer:
manager: dansimp

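Review bot: the new description, "lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set", repeats "device" and "PIN set" three times; suggest "Learn how the RemoteLock CSP lets you lock a device that has a PIN set, or reset the PIN whether or not one is set."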
@ -1,6 +1,6 @@
---
title: REST API reference for Microsoft Store for Business
description: REST API reference for Microsoft Store for Business
description: REST API reference for Microsoft Store for Business--includes available operations and data structures.
MS-HAID:
- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'

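Review bot: "Business--includes" uses a double hyphen as a dash in a metadata description that is shown verbatim in search results; replace it with a colon: "REST API reference for Microsoft Store for Business: available operations and data structures."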
@ -1,6 +1,6 @@
---
title: SharedPC CSP
description: SharedPC CSP
description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage.
ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957
ms.reviewer:
manager: dansimp

@ -1,6 +1,6 @@
---
title: Win32AppInventory DDF file
description: Win32AppInventory DDF file
description: See the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0
ms.reviewer:
manager: dansimp

@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard CSP
description: WindowsDefenderApplicationGuard CSP
description: Configure the settings in Windows Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10

@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard DDF file
description: WindowsDefenderApplicationGuard DDF file
description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10

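Review bot: the new description reads "for the WindowsDefenderApplicationGuard DDF file configuration service provider", which is garbled: the subject is the WindowsDefenderApplicationGuard configuration service provider, and this page is its DDF file. Suggest the wording used for the Win32AppInventory DDF page in this same commit: "See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard configuration service provider."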
@ -34,3 +34,23 @@ Supported operations are Add, Get, Replace, and Delete. Value type is string.
Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt.

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

The following example shows how to add a wired network profile:
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/WiredNetwork/LanXML</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data><?xml version="1.0"?><LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1"><MSM><security><OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName><PeapExtensionsV2 xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"><AllowPromptingWhenServerCANotFound 
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV3">true</AllowPromptingWhenServerCANotFound></PeapExtensionsV2></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></LANProfile> </Data>
</Item>
</Add>
</SyncBody>
</SyncML>
```

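Review bot: the sample LANProfile is presented as the way to add a wired network profile, but the PEAP settings it carries are weak for an 802.1X profile pushed by MDM: `<ServerNames>` is empty, `<AcceptServerName>` is false, `<AllowPromptingWhenServerCANotFound>` is true and `<DisableUserPromptForServerValidation>` is false, so whether the RADIUS server is trusted ends up resting on a user clicking through a prompt, and `<RequireCryptoBinding>` is false as well. Either harden the sample (name the expected server, disable the prompts) or say in the lead sentence that it is illustrative only and that production profiles must pin server validation. Separately, the `<Data>` element embeds a raw `<?xml version="1.0"?>` declaration and unescaped markup inside the SyncML document, which is not well-formed XML as shown; note that the inner profile has to be escaped before it is placed in `<Data>`.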
@ -1,6 +1,6 @@
---
title: Advanced troubleshooting for TCP/IP issues
description: Learn how to troubleshoot TCP/IP issues.
description: Learn how to troubleshoot common problems in a TCP/IP network environment.
ms.prod: w10
ms.sitesec: library
ms.topic: troubleshooting

@ -2,7 +2,7 @@
title: Advanced troubleshooting for Windows-based computer freeze issues
ms.reviewer:
manager: dansimp
description: Learn how to troubleshoot computer freeze issues.
description: Learn how to troubleshoot computer freeze issues on Windows-based computers and servers.
ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library

@ -20,10 +20,7 @@ ms.topic: article
**Applies to**
- Windows 10 Ent, Edu

>[!WARNING]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, version 1809 and earlier, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in the next feature update to Windows 10, you can also specify a UWP app as the replacement shell.
Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.

>[!NOTE]
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.

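Review bot: the rewritten sentence first says Shell Launcher v2 is "available in Windows 10, version 1809 and above" and then that version 1809 needs KB4551853; fold the two into one statement so readers on 1809 do not stop at the first clause, for example "available in Windows 10, version 1809 with the KB4551853 update installed, and in later versions". Also "and above" should be "and later", the form used across this doc set, and "Windows 10 Ent, Edu" under **Applies to** should be spelled out as Enterprise and Education.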
@ -1,6 +1,6 @@
---
title: Assigned Access configuration kiosk XML reference (Windows 10)
description: XML and XSD for kiosk device configuration.
description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
manager: dansimp

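Review bot: the new description, "Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10", repeats "kiosk" and "configuration" and stacks two "for" phrases; suggest "Learn about the XML schema (XSD) and sample XML used to configure assigned access kiosk devices in Windows 10."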
@ -1,6 +1,6 @@
---
title: User Experience Virtualization (UE-V) Release Notes
description: User Experience Virtualization (UE-V) Release Notes
description: Read the latest information required to successfully install and use UE-V that is not included in the User Experience Virtualization (UE-V) documentation.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

@ -1,6 +1,6 @@
---
title: Upgrade to UE-V for Windows 10
description: Explains how to upgrade to the latest version of UE-V.
description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
@ -30,7 +30,8 @@ If you’re already using UE-V 2.x and you’re planning to upgrade user devices

5. Install the UE-V template generator if you want to synchronize application settings for custom applications.

> **Important** You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607..
> [!IMPORTANT]
> You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607.

## Upgrade user devices to Windows 10, version 1607

@ -38,7 +39,7 @@ Performing an in-place upgrade on user devices automatically installs the UE-V s

## Verify that UE-V settings were migrated correctly

After upgrading a user device to Windows 10, version 1607, it’s important to verify that UE-V settings and template registrations were migrated correctly during the upgrade. You can verify UE-V settings using Windows Powershell or the device’s registry.
After upgrading a user device to Windows 10, version 1607, it’s important to verify that UE-V settings and template registrations were migrated correctly during the upgrade. You can verify UE-V settings using Windows PowerShell or the device’s registry.

**To verify UE-V settings using Windows PowerShell**

@ -48,7 +49,8 @@ After upgrading a user device to Windows 10, version 1607, it’s important to v

3. Type **Get-UEVTemplate** and press ENTER to check that your templates are still registered.

> **Note** You’ll need to register the NotePad template again after you upgrade the device to Windows 10.
> [!NOTE]
> You’ll need to register the NotePad template again after you upgrade the device to Windows 10.

**To verify UE-V settings using the device’s registry**

@ -68,7 +70,8 @@ The UE-V service is the client-side component that captures user-personalized ap

With Windows 10, version 1607 and later, the UE-V service replaces the UE-V Agent and no longer requires a separate download and installation. Enable the service on user devices to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.

> **Important** The UE-V Agent used in prior releases of UE-V is replaced with the UE service. The UE-V service included with Windows 10, version 1607 and later releases, does not include the agent user interface and is configurable through cmdlets or registry settings only.
> [!IMPORTANT]
> The UE-V Agent used in prior releases of UE-V is replaced with the UE service. The UE-V service included with Windows 10, version 1607 and later releases, does not include the agent user interface and is configurable through cmdlets or registry settings only.

**To enable the UE-V service with Group Policy**

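Review bot: the alert conversion carries a typo over from the old text: "replaced with the UE service" should be "replaced with the UE-V service", the name used in the very next sentence. Since the line is being rewritten anyway, fix it in the same change.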
@ -1,6 +1,6 @@
---
title: Working with Custom UE-V Templates and the UE-V Template Generator
description: Working with Custom UE-V Templates and the UE-V Template Generator
description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy

|
||||
|
||||
1. Create a local copy of the settings location template .xml file. UE-V settings location templates are .xml files that identify the locations where application store settings values.
|
||||
|
||||
>**Note**
|
||||
A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template.
|
||||
|
||||
> [!NOTE]
|
||||
> A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template.
|
||||
|
||||
2. Open the settings location template file with an XML editor.
|
||||
|
||||
|
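Review bot: the unchanged context line in step 1 reads "the locations where application store settings values"; it should be "where applications store settings values". Since this hunk already touches the note directly below it, fixing the typo here avoids a second pass over the same section.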
@ -36,7 +36,7 @@ The following features and functionalities have been removed from the installed
|
||||
|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 |
|
||||
|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 |
|
||||
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
|
||||
|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|
||||
|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|
||||
|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
|
||||
|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|
||||
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
|
||||
|
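Review bot: the revised Groove Music Pass row still says "The Groove app is being updated to reflect this change", which reads as an in-progress action for a service that the same sentence says ended in 2017; since the row is being rewritten anyway (the OneDrive streaming clause is dropped), put it in the past tense, for example "The Groove app was updated to reflect this change", so the whole row describes the current state.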
@ -18,11 +18,13 @@ ms.topic: article
|
||||
---
|
||||
|
||||
# Windows 10 in S mode - What is it?
|
||||
|
||||
S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
|
||||
|
||||

|
||||
|
||||
## S mode key features
|
||||
|
||||
**Microsoft-verified security**
|
||||
|
||||
With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
|
||||
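Review bot: this hunk only adds blank lines around the headings, but the paragraph it touches has two wording slips that should go into the same change: "The edition of Windows can be upgrade at any time" should read "can be upgraded at any time", and "a onetime switch" should read "a one-time switch".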
@ -54,6 +56,6 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem
|
||||
## Related links
|
||||
|
||||
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
|
||||
- [S mode devices](https://www.microsoft.com/windows/view-all-devices)
|
||||
- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
|
||||
- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
|
||||
- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
|
||||
|
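Review bot: of the two "S mode devices" link variants in this hunk, keep the locale-neutral form https://www.microsoft.com/windows/view-all-devices rather than the /en-us/ one, so the link resolves to the reader's locale and matches the other entries in this list, none of which carry a locale segment.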
@ -42,7 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
|
||||
|
||||

|
||||
|
||||
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in <em>bold</em> the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|
||||
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in <em>bold</em> the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|
||||
|
||||
|
||||
|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
|
||||
|
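Review bot: the fix to "all of the updates" is right, but the table header line just below still reads "To find this Dynamic Update packages, search for or check the results here-->"; change it to "To find these Dynamic Update packages" and drop the ASCII "-->", which renders as literal text in the header cell and adds nothing since the columns are already labelled.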
@ -35,7 +35,7 @@ The different issues are broken down by Device Issues and Update Issues:
|
||||
* **Cancelled**: This issue occurs when a user cancels the update process.
|
||||
* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version.
|
||||
* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention.
|
||||
* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days.
|
||||
* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days.
|
||||
|
||||
Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue.
|
||||
|
||||
|
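Review bot: changing the "Progress stalled" threshold from 10 days to 7 days is a change to documented product behaviour rather than a wording fix, so it should be confirmed against what Update Compliance currently reports before merge. While editing this bullet, match its siblings' formatting by keeping the colon outside the bold, i.e. "**Progress stalled**:" rather than "**Progress stalled:**".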
@ -28,17 +28,17 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex
|
||||
|
||||
Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
|
||||
|
||||
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
|
||||
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
|
||||
- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
|
||||
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
|
||||
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
|
||||
- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
|
||||
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
|
||||
|
||||
>[!NOTE]
|
||||
>This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
|
||||
> [!NOTE]
|
||||
> This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
|
||||
>
|
||||
>>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
|
||||
> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
|
||||
|
||||
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
|
||||
|
||||
|
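Review bot: besides the "pre-release" fix, two more typos remain in this file's context lines and belong in the same change: "Always manage new group polices" should be "group policies", and "identifying compatibility issues withe applications" should be "with applications". The note-block rewrite is correct: "> [!NOTE]" with a space is the documented alert syntax, and replacing the stray ">>" before the LTSB sentence with "> " avoids rendering it as a nested quote.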
@ -21,10 +21,12 @@
|
||||
## Manage Windows 10 connection endpoints
|
||||
### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
|
||||
### [Manage connections from Windows operating system components to Microsoft services using MDM](manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md)
|
||||
### [Connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
|
||||
### [Connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
|
||||
### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
|
||||
### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
|
||||
### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 2004](windows-endpoints-2004-non-enterprise-editions.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1903](windows-endpoints-1903-non-enterprise-editions.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1809](windows-endpoints-1809-non-enterprise-editions.md)
|
||||
### [Connection endpoints for non-Enterprise editions of Windows 10, version 1803](windows-endpoints-1803-non-enterprise-editions.md)
|
||||
|
@ -9,12 +9,12 @@ ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: high
|
||||
audience: ITPro
|
||||
author: medgarmedgar
|
||||
ms.author: robsize
|
||||
author: linque1
|
||||
ms.author: obezeajo
|
||||
manager: robsize
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 3/25/2020
|
||||
ms.date: 5/14/2020
|
||||
---
|
||||
|
||||
# Manage connections from Windows 10 operating system components to Microsoft services
|
||||
@ -36,9 +36,6 @@ Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline]
|
||||
> - It is recommended that you restart a device after making configuration changes to it.
|
||||
> - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied.
|
||||
|
||||
>[!Note]
|
||||
>Regarding the Windows Restricted Traffic Limited Functionality Baseline, the 1903 settings (folder) are applicable to 1909 Windows >Enterprise devices. There were no additional settings required for the 1909 release.
|
||||
|
||||
> [!Warning]
|
||||
> If a user executes the **Reset this PC** command (Settings -> Update & Security -> Recovery) with the **Keep my files option** (or the **Remove Everything** option) the Windows Restricted Traffic Limited Functionality Baseline settings will need to be re-applied in order to re-restrict the device. Egress traffic may occur prior to the re-application of the Restricted Traffic Limited Functionality Baseline settings.
|
||||
|
||||
|
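Review bot: this hunk removes the note stating that the 1903 settings folder of the Windows Restricted Traffic Limited Functionality Baseline applies to 1909 devices without adding a replacement; unless the baseline package now ships its own 1909 (or 2004) folder, readers on 1909 lose the only statement of which settings to apply, so either keep the note or replace it with the current version-to-folder mapping.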
135
windows/privacy/manage-windows-2004-endpoints.md
Normal file
@ -0,0 +1,135 @@
|
||||
---
|
||||
title: Connection endpoints for Windows 10 Enterprise, version 2004
|
||||
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 2004.
|
||||
keywords: privacy, manage connections to Microsoft, Windows 10
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: high
|
||||
audience: ITPro
|
||||
author: linque1
|
||||
ms.author: obezeajo
|
||||
manager: robsize
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
ms.date: 5/11/2020
|
||||
---
|
||||
# Manage connection endpoints for Windows 10 Enterprise, version 2004
|
||||
|
||||
**Applies to**
|
||||
|
||||
- Windows 10 Enterprise, version 2004
|
||||
|
||||
Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
|
||||
|
||||
- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
|
||||
- Connecting to email servers to send and receive email.
|
||||
- Connecting to the web for every day web browsing.
|
||||
- Connecting to the cloud to store and access backups.
|
||||
- Using your location to show a weather forecast.
|
||||
|
||||
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
|
||||
Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
|
||||
|
||||
The following methodology was used to derive these network endpoints:
|
||||
|
||||
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
|
||||
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
|
||||
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
|
||||
4. Compile reports on traffic going to public IP addresses.
|
||||
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
|
||||
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
|
||||
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
|
||||
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
|
||||
|
||||
## Windows 10 2004 Enterprise connection endpoints
|
||||
|
||||
|Area|Description|Protocol|Destination|
|
||||
|----------------|----------|----------|------------|
|
||||
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|
||||
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|tile-service.weather.microsoft.com
|
||||
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*
|
||||
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net|
|
||||
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|
||||
|||HTTP|ctldl.windowsupdate.com|
|
||||
|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
|
||||
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
|
||||
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|
||||
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTPS|dmd.metaservices.microsoft.com|
|
||||
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|
||||
|||TLSv1.2|v10.events.data.microsoft.com|
|
||||
|||TLSv1.2|v20.events.data.microsoft.com|
|
||||
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com|
|
||||
|||TLS v1.2|watson.*.microsoft.com|
|
||||
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|
||||
|||HTTPS|*licensing.mp.microsoft.com|
|
||||
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
|
||||
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2|*maps.windows.com|
|
||||
|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
|
||||
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
|
||||
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2|*login.live.com|
|
||||
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
|
||||
||This traffic is related to the Microsoft Edge browser.|TLSv1.2|img-prod-cms-rt-microsoft-com*|
|
||||
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTPS|go.microsoft.com|
|
||||
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|
||||
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2|*.wns.windows.com|
|
||||
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLSv1.2|storecatalogrevocation.storequality.microsoft.com|
|
||||
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store. |HTTP|*.dl.delivery.mp.microsoft.com|
|
||||
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2|manage.devcenter.microsoft.com|
|
||||
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
|
||||
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|
||||
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|
||||
|||HTTPS|*ow1.res.office365.com|
|
||||
|||HTTPS|office.com|
|
||||
|||HTTPS|blobs.officehome.msocdn.com|
|
||||
|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
|
||||
|||TLSv1.2|*g.live.com|
|
||||
|||TLSv1.2|oneclient.sfx.ms|
|
||||
|||HTTPS| logincdn.msauth.net|
|
||||
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|
||||
|||TLSv1.2|settings-win.data.microsoft.com|
|
||||
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|
||||
|||HTTPS|*.pipe.aria.microsoft.com|
|
||||
|||HTTPS|config.edge.skype.com|
|
||||
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|
||||
|||TLSv1.2|config.teams.microsoft.com|
|
||||
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|
||||
|||TLSv1.2|wdcp.microsoft.com|
|
||||
|||HTTPS|go.microsoft.com|
|
||||
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
|
||||
|||HTTPS|checkappexec.microsoft.com|
|
||||
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|
||||
|||TLSv1.2|arc.msn.com|
|
||||
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||TLSv1.2|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com|
|||TLSv1.2|*.update.microsoft.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|TLSv1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2|dlassets-ssl.xboxlive.com|

## Other Windows 10 editions

To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)

To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)


## Related links

- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
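Review bot: the tsfe.trafficshaping.dsp.mp.microsoft.com row ends in a sentence fragment, `This may result in content being either incorrectly.`, which names no actual consequence of the fallback behavior; either finish the sentence or drop it. The Xbox Live row's link, `]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)`, also carries a leading space inside the parentheses, which some Markdown renderers refuse to treat as a link target; remove the space so the "Learn how to turn off traffic" link resolves like the Windows Update one above it.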
@ -8,12 +8,13 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: mikeedgar
ms.author: v-medgar
ms.author: sanashar
manager: sanashar
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 5/9/2019
---

# Windows 10, version 1903, connection endpoints for non-Enterprise editions

**Applies to**
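Review bot: `author: mikeedgar` is left in place while `ms.author` becomes `sanashar` and `manager: sanashar` is added, so the GitHub handle and the Microsoft alias in the front matter no longer refer to the same person; confirm that is intended or update `author` as well. `ms.date: 5/9/2019` is also untouched even though this commit rewrites the front matter and the endpoint tables below; bump it so the page's displayed update date reflects the change.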
@ -31,7 +32,7 @@ The following methodology was used to derive the network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.

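Review bot: the article fix from `a IPV4` to `an IPV4` is correct, but since item 6 is being edited anyway, the protocol names should be written `IPv4` and `IPv6` (lowercase v), which is the conventional spelling. Item 5, `The test virtual machine(s) was logged into using a local account`, has a number-agreement problem ("machine(s) was") that the same hunk could fix, for example by committing to either the singular or the plural.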
@ -41,234 +42,233 @@ The following methodology was used to derive the network endpoints:

## Windows 10 Family

| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|\*.aria.microsoft.com*|HTTPS|Microsoft Office Telemetry
|\*.b.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use
|\*.c-msedge.net|HTTP|Microsoft Office
|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update
|\*.download.windowsupdate.com*|HTTP|Used to download operating system patches and updates
|\*.g.akamai*.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use
|\*.login.msa.*.net|HTTPS|Microsoft Account related
|\*.msn.com*|TLSv1.2/HTTPS|Windows Spotlight
|\*.skype.com|HTTP/HTTPS|Skype
|\*.smartscreen.microsoft.com*|HTTPS|Windows Defender Smartscreen
|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting
|*cdn.onenote.net*|HTTP|OneNote
|*displaycatalog.*mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store
|*emdl.ws.microsoft.com*|HTTP|Windows Update
|*geo-prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update
|*hwcdn.net*|HTTP|Highwinds Content Delivery Network / Windows updates
|*img-prod-cms-rt-microsoft-com*|HTTPS|Microsoft Store or Inbox MSN Apps image download
|*licensing.*mp.microsoft.com*|HTTPS|Licensing
|*maps.windows.com*|HTTPS|Related to Maps application
|*msedge.net*|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps
|*nexusrules.officeapps.live.com*|HTTPS|Microsoft Office Telemetry
|*photos.microsoft.com*|HTTPS|Photos App
|*prod.do.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for Windows Update downloads of apps and OS updates
|*purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|*settings.data.microsoft.com.akadns.net|HTTPS|Used for Windows apps to dynamically update their configuration
|*wac.phicdn.net*|HTTP|Windows Update
|*windowsupdate.com*|HTTP|Windows Update
|*wns.*windows.com*|TLSv1.2/HTTPS|Used for the Windows Push Notification Services (WNS)
|*wpc.v0cdn.net*|HTTP|Windows Telemetry
|arc.msn.com|HTTPS|Spotlight
|auth.gfx.ms*|HTTPS|MSA related
|cdn.onenote.net|HTTPS|OneNote Live Tile
|dmd.metaservices.microsoft.com*|HTTP|Device Authentication
|e-0009.e-msedge.net|HTTPS|Microsoft Office
|e10198.b.akamaiedge.net|HTTPS|Maps application
|evoke-windowsservices-tas.msedge*|HTTPS|Photos app
|fe2.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|fe3.*.mp.microsoft.com.*|TLSv1.2/HTTPS|Windows Update, Microsoft Update, and Microsoft Store services
|g.live.com*|HTTPS|OneDrive
|go.microsoft.com|HTTP|Windows Defender
|iriscoremetadataprod.blob.core.windows.net|HTTPS|Windows Telemetry
|login.live.com|HTTPS|Device Authentication
|msagfx.live.com|HTTP|OneDrive
|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|officeclient.microsoft.com|HTTPS|Microsoft Office
|oneclient.sfx.ms*|HTTPS|Used by OneDrive for Business to download and verify app updates
|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office
|ow1.res.office365.com|HTTP|Microsoft Office
|pti.store.microsoft.com|HTTPS|Microsoft Store
|purchase.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store
|query.prod.cms.rt.microsoft.com*|HTTPS|Used to retrieve Windows Spotlight metadata
|ris.api.iris.microsoft.com*|TLSv1.2/HTTPS|Used to retrieve Windows Spotlight metadata
|ris-prod-atm.trafficmanager.net|HTTPS|Azure traffic manager
|s-0001.s-msedge.net|HTTPS|Microsoft Office
|self.events.data.microsoft.com|HTTPS|Microsoft Office
|settings.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration
|settings-win.data.microsoft.com*|HTTPS|Used for Windows apps to dynamically update their configuration
|share.microsoft.com|HTTPS|Microsoft Store
|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Store
|sls.update.microsoft.com*|TLSv1.2/HTTPS|Enables connections to Windows Update
|slscr.update.microsoft.com*|HTTPS|Enables connections to Windows Update
|store*.dsx.mp.microsoft.com*|HTTPS|Used to communicate with Microsoft Store
|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store
|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store
|store-images.*microsoft.com*|HTTP|Used to get images that are used for Microsoft Store suggestions
|storesdk.dsx.mp.microsoft.com|HTTP|Microsoft Store
|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile
|time.windows.com|HTTP|Microsoft Windows Time related
|tsfe.trafficshaping.dsp.mp.microsoft.com*|TLSv1.2/HTTPS|Used for content regulation
|v10.events.data.microsoft.com|HTTPS|Diagnostic Data
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|wdcp.microsoft.*|TLSv1.2, HTTPS|Used for Windows Defender when Cloud-based Protection is enabled
|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com|HTTPS|Windows Defender
|wusofficehome.msocdn.com|HTTPS|Microsoft Office
|www.bing.com*|HTTP|Used for updates for Cortana, apps, and Live Tiles
|www.msftconnecttest.com|HTTP|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office
| Destination | Protocol | Description |
| ----------- | -------- | ----------- |
| \*.aria.microsoft.com\* | HTTPS | Microsoft Office Telemetry
| \*.b.akamai\*.net | HTTPS | Used to check for updates to Maps that have been downloaded for offline use
| \*.c-msedge.net | HTTP | Microsoft Office
| \*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update
| \*.download.windowsupdate.com\* | HTTP | Used to download operating system patches and updates
| \*.g.akamai\*.net | HTTPS | Used to check for updates to Maps that have been downloaded for offline use
| \*.login.msa.\*.net | HTTPS | Microsoft Account related
| \*.msn.com\* | TLSv1.2/HTTPS | Windows Spotlight
| \*.skype.com | HTTP/HTTPS | Skype
| \*.smartscreen.microsoft.com\* | HTTPS | Windows Defender Smartscreen
| \*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting
| \*cdn.onenote.net\* | HTTP | OneNote
| \*displaycatalog.\*mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store
| \*emdl.ws.microsoft.com\* | HTTP | Windows Update
| \*geo-prod.do.dsp.mp.microsoft.com\* | TLSv1.2/HTTPS | Enables connections to Windows Update
| \*hwcdn.net\* | HTTP | Highwinds Content Delivery Network / Windows updates
| \*img-prod-cms-rt-microsoft-com\* | HTTPS | Microsoft Store or Inbox MSN Apps image download
| \*licensing.\*mp.microsoft.com\* | HTTPS | Licensing
| \*maps.windows.com\* | HTTPS | Related to Maps application
| \*msedge.net\* | HTTPS | Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps
| \*nexusrules.officeapps.live.com\* | HTTPS | Microsoft Office Telemetry
| \*photos.microsoft.com\* | HTTPS | Photos App
| \*prod.do.dsp.mp.microsoft.com* | TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates
| \*purchase.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store
| \*settings.data.microsoft.com.akadns.net | HTTPS | Used for Windows apps to dynamically update their configuration
| \*wac.phicdn.net\* | HTTP | Windows Update
| \*windowsupdate.com\* | HTTP | Windows Update
| \*wns.\*windows.com\* | TLSv1.2/HTTPS | Used for the Windows Push Notification Services (WNS)
| \*wpc.v0cdn.net\* | HTTP | Windows Telemetry
| arc.msn.com | HTTPS | Spotlight
| auth.gfx.ms\* | HTTPS | MSA related
| cdn.onenote.net | HTTPS | OneNote Live Tile
| dmd.metaservices.microsoft.com\* | HTTP | Device Authentication
| e-0009.e-msedge.net | HTTPS | Microsoft Office
| e10198.b.akamaiedge.net | HTTPS | Maps application
| evoke-windowsservices-tas.msedge\* | HTTPS | Photos app
| fe2.update.microsoft.com\* | TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
| fe3.\*.mp.microsoft.com.\* | TLSv1.2/HTTPS | Windows Update, Microsoft Update, and Microsoft Store services
| g.live.com\* | HTTPS | OneDrive
| go.microsoft.com | HTTP | Windows Defender
| iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry
| login.live.com | HTTPS | Device Authentication
| msagfx.live.com | HTTP | OneDrive
| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities
| officeclient.microsoft.com | HTTPS | Microsoft Office
| oneclient.sfx.ms\* | HTTPS | Used by OneDrive for Business to download and verify app updates
| onecollector.cloudapp.aria.akadns.net | HTTPS | Microsoft Office
| ow1.res.office365.com | HTTP | Microsoft Office
| pti.store.microsoft.com | HTTPS | Microsoft Store
| purchase.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store
| query.prod.cms.rt.microsoft.com\* | HTTPS | Used to retrieve Windows Spotlight metadata
| ris.api.iris.microsoft.com\* | TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata
| ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager
| s-0001.s-msedge.net | HTTPS | Microsoft Office
| self.events.data.microsoft.com | HTTPS | Microsoft Office
| settings.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration
| settings-win.data.microsoft.com\* | HTTPS | Used for Windows apps to dynamically update their configuration
| share.microsoft.com | HTTPS | Microsoft Store
| skypeecs-prod-usw-0.cloudapp.net | HTTPS | Microsoft Store
| sls.update.microsoft.com\* | TLSv1.2/HTTPS | Enables connections to Windows Update
| slscr.update.microsoft.com\* | HTTPS | Enables connections to Windows Update
| store*.dsx.mp.microsoft.com\* | HTTPS | Used to communicate with Microsoft Store
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Microsoft Store
| storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store
| store-images.\*microsoft.com\* | HTTP | Used to get images that are used for Microsoft Store suggestions
| storesdk.dsx.mp.microsoft.com | HTTP | Microsoft Store
| tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile
| time.windows.com | HTTP | Microsoft Windows Time related
| tsfe.trafficshaping.dsp.mp.microsoft.com\* | TLSv1.2/HTTPS | Used for content regulation
| v10.events.data.microsoft.com | HTTPS | Diagnostic Data
| watson.telemetry.microsoft.com | HTTPS | Diagnostic Data
| wdcp.microsoft.\* | TLSv1.2, HTTPS | Used for Windows Defender when Cloud-based Protection is enabled
| wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender
| wusofficehome.msocdn.com | HTTPS | Microsoft Office
| `www.bing.com`* | HTTP | Used for updates for Cortana, apps, and Live Tiles
| `www.msftconnecttest.com` | HTTP | Network Connection (NCSI)
| `www.office.com` | HTTPS | Microsoft Office


## Windows 10 Pro

| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|\*.cloudapp.azure.com|HTTPS|Azure
|\*.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, and Microsoft Store services
|\*.displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store
|\*.dl.delivery.mp.microsoft.com*|HTTP|Enables connections to Windows Update
|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|\*.g.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use
|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|\*.windowsupdate.com*|HTTP|Enables connections to Windows Update
|\*.wns.notify.windows.com.akadns.net|HTTPS|Used for the Windows Push Notification Services (WNS)
|\*dsp.mp.microsoft.com.nsatc.net|HTTPS|Enables connections to Windows Update
|\*c-msedge.net|HTTP|Office
|a1158.g.akamai.net|HTTP|Maps application
|arc.msn.com*|HTTP / HTTPS|Used to retrieve Windows Spotlight metadata
|blob.mwh01prdstr06a.store.core.windows.net|HTTPS|Microsoft Store
|browser.pipe.aria.microsoft.com|HTTPS|Microsoft Office
|bubblewitch3mobile.king.com|HTTPS|Bubble Witch application
|candycrush.king.com|HTTPS|Candy Crush application
|cdn.onenote.net|HTTP|Microsoft OneNote
|cds.p9u4n2q3.hwcdn.net|HTTP|Highwinds Content Delivery Network traffic for Windows updates
|client.wns.windows.com|HTTPS|Winddows Notification System
|co4.telecommand.telemetry.microsoft.com.akadns.net|HTTPS|Windows Error Reporting
|config.edge.skype.com|HTTPS|Microsoft Skype
|cs11.wpc.v0cdn.net|HTTP|Windows Telemetry
|cs9.wac.phicdn.net|HTTP|Windows Update
|cy2.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|cy2.purchase.md.mp.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|cy2.settings.data.microsoft.com.akadns.net|HTTPS|Used to communicate with Microsoft Store
|dmd.metaservices.microsoft.com.akadns.net|HTTP|Device Authentication
|e-0009.e-msedge.net|HTTPS|Microsoft Office
|e10198.b.akamaiedge.net|HTTPS|Maps application
|fe3.update.microsoft.com|HTTPS|Windows Update
|g.live.com|HTTPS|Microsoft OneDrive
|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata
|geo-prod.do.dsp.mp.microsoft.com|HTTPS|Windows Update
|go.microsoft.com|HTTP|Windows Defender
|iecvlist.microsoft.com|HTTPS|Microsoft Edge
|img-prod-cms-rt-microsoft-com.akamaized.net|HTTP / HTTPS|Microsoft Store
|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in
|licensing.mp.microsoft.com|HTTP|Licensing
|location-inference-westus.cloudapp.net|HTTPS|Used for location data
|login.live.com|HTTP|Device Authentication
|maps.windows.com|HTTP|Maps application
|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting
|msagfx.live.com|HTTP|OneDrive
|nav.smartscreen.microsoft.com|HTTPS|Windows Defender
|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|oneclient.sfx.ms|HTTP|OneDrive
|pti.store.microsoft.com|HTTPS|Microsoft Store
|ris.api.iris.microsoft.com.akadns.net|HTTPS|Used to retrieve Windows Spotlight metadata
|ris-prod-atm.trafficmanager.net|HTTPS|Azure
|s2s.config.skype.com|HTTP|Microsoft Skype
|settings-win.data.microsoft.com|HTTPS|Application settings
|share.microsoft.com|HTTPS|Microsoft Store
|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Microsoft Skype
|slscr.update.microsoft.com|HTTPS|Windows Update
|storecatalogrevocation.storequality.microsoft.com|HTTPS|Microsoft Store
|store-images.microsoft.com|HTTPS|Microsoft Store
|tile-service.weather.microsoft.com/*|HTTP|Used to download updates to the Weather app Live Tile
|time.windows.com|HTTP|Windows time
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation
|v10.events.data.microsoft.com*|HTTPS|Microsoft Office
|vip5.afdorigin-prod-am02.afdogw.com|HTTPS|Used to serve office 365 experimentation traffic
|watson.telemetry.microsoft.com|HTTPS|Telemetry
|wdcp.microsoft.com|HTTPS|Windows Defender
|wusofficehome.msocdn.com|HTTPS|Microsoft Office
|www.bing.com|HTTPS|Cortana and Search
|www.microsoft.com|HTTP|Diagnostic
|www.msftconnecttest.com|HTTP|Network connection
|www.office.com|HTTPS|Microsoft Office
| Destination | Protocol | Description |
| ----------- | -------- | ----------- |
| \*.cloudapp.azure.com | HTTPS | Azure
| \*.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Windows Update, Microsoft Update, and Microsoft Store services
| \*.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Microsoft Store
| \*.dl.delivery.mp.microsoft.com\* | HTTP | Enables connections to Windows Update
| \*.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps
| \*.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use
| \*.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps
| \*.windowsupdate.com\* | HTTP | Enables connections to Windows Update
| \*.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS)
| \*dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update
| \*c-msedge.net | HTTP | Office
| a1158.g.akamai.net | HTTP | Maps application
| arc.msn.com\* | HTTP / HTTPS | Used to retrieve Windows Spotlight metadata
| blob.mwh01prdstr06a.store.core.windows.net | HTTPS | Microsoft Store
| browser.pipe.aria.microsoft.com | HTTPS | Microsoft Office
| bubblewitch3mobile.king.com | HTTPS | Bubble Witch application
| candycrush.king.com | HTTPS | Candy Crush application
| cdn.onenote.net | HTTP | Microsoft OneNote
| cds.p9u4n2q3.hwcdn.net | HTTP | Highwinds Content Delivery Network traffic for Windows updates
| client.wns.windows.com | HTTPS | Windows Notification System
| co4.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Windows Error Reporting
| config.edge.skype.com | HTTPS | Microsoft Skype
| cs11.wpc.v0cdn.net | HTTP | Windows Telemetry
| cs9.wac.phicdn.net | HTTP | Windows Update
| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store
| cy2.purchase.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store
| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store
| dmd.metaservices.microsoft.com.akadns.net | HTTP | Device Authentication
| e-0009.e-msedge.net | HTTPS | Microsoft Office
| e10198.b.akamaiedge.net | HTTPS | Maps application
| fe3.update.microsoft.com | HTTPS | Windows Update
| g.live.com | HTTPS | Microsoft OneDrive
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata
| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Windows Update
| go.microsoft.com | HTTP | Windows Defender
| iecvlist.microsoft.com | HTTPS | Microsoft Edge
| img-prod-cms-rt-microsoft-com.akamaized.net | HTTP / HTTPS | Microsoft Store
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in
| licensing.mp.microsoft.com | HTTP | Licensing
| location-inference-westus.cloudapp.net | HTTPS | Used for location data
| login.live.com | HTTP | Device Authentication
| maps.windows.com | HTTP | Maps application
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting
| msagfx.live.com | HTTP | OneDrive
| nav.smartscreen.microsoft.com | HTTPS | Windows Defender
| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities
| oneclient.sfx.ms | HTTP | OneDrive
| pti.store.microsoft.com | HTTPS | Microsoft Store
| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata
| ris-prod-atm.trafficmanager.net | HTTPS | Azure
| s2s.config.skype.com | HTTP | Microsoft Skype
| settings-win.data.microsoft.com | HTTPS | Application settings
| share.microsoft.com | HTTPS | Microsoft Store
| skypeecs-prod-usw-0.cloudapp.net | HTTPS | Microsoft Skype
| slscr.update.microsoft.com | HTTPS | Windows Update
| storecatalogrevocation.storequality.microsoft.com | HTTPS | Microsoft Store
| store-images.microsoft.com | HTTPS | Microsoft Store
| tile-service.weather.microsoft.com/\* | HTTP | Used to download updates to the Weather app Live Tile
| time.windows.com | HTTP | Windows time
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation
| v10.events.data.microsoft.com\* | HTTPS | Microsoft Office
| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic
| watson.telemetry.microsoft.com | HTTPS | Telemetry
| wdcp.microsoft.com | HTTPS | Windows Defender
| wusofficehome.msocdn.com | HTTPS | Microsoft Office
| `www.bing.com` | HTTPS | Cortana and Search
| `www.microsoft.com` | HTTP | Diagnostic
| `www.msftconnecttest.com` | HTTP | Network connection
| `www.office.com` | HTTPS | Microsoft Office



## Windows 10 Education

| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|\*.b.akamaiedge.net|HTTPS|Used to check for updates to maps that have been downloaded for offline use
|\*.c-msedge.net|HTTP|Used by OfficeHub to get the metadata of Office apps
|\*.dl.delivery.mp.microsoft.com*|HTTP|Windows Update
|\*.e-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|\*.g.akamaiedge.net|HTTPS|Used to check for updates to Maps that have been downloaded for offline use
|\*.licensing.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store
|\*.settings.data.microsoft.com.akadns.net|HTTPS|Microsoft Store
|\*.skype.com*|HTTPS|Used to retrieve Skype configuration values
|\*.smartscreen*.microsoft.com|HTTPS|Windows Defender
|\*.s-msedge.net|HTTPS|Used by OfficeHub to get the metadata of Office apps
|\*.telecommand.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting
|\*.wac.phicdn.net|HTTP|Windows Update
|\*.windowsupdate.com*|HTTP|Windows Update
|\*.wns.windows.com|HTTPS|Windows Notifications Service
|\*.wpc.*.net|HTTP|Diagnostic Data
|\*displaycatalog.md.mp.microsoft.com.akadns.net|HTTPS|Microsoft Store
|\*dsp.mp.microsoft.com|HTTPS|Windows Update
|a1158.g.akamai.net|HTTP|Maps
|a122.dscg3.akamai.net|HTTP|Maps
|a767.dscg3.akamai.net|HTTP|Maps
|au.download.windowsupdate.com*|HTTP|Windows Update
|bing.com/*|HTTPS|Used for updates for Cortana, apps, and Live Tiles
|blob.dz5prdstr01a.store.core.windows.net|HTTPS|Microsoft Store
|browser.pipe.aria.microsoft.com|HTTP|Used by OfficeHub to get the metadata of Office apps
|cdn.onenote.net/livetile/*|HTTPS|Used for OneNote Live Tile
|cds.p9u4n2q3.hwcdn.net|HTTP|Used by the Highwinds Content Delivery Network to perform Windows updates
|client-office365-tas.msedge.net/*|HTTPS|Microsoft 365 admin center and Office in a browser
|ctldl.windowsupdate.com*|HTTP|Used to download certificates that are publicly known to be fraudulent
|displaycatalog.mp.microsoft.com/*|HTTPS|Microsoft Store
|dmd.metaservices.microsoft.com*|HTTP|Device Authentication
|download.windowsupdate.com*|HTTPS|Windows Update
|emdl.ws.microsoft.com/*|HTTP|Used to download apps from the Microsoft Store
|evoke-windowsservices-tas.msedge.net|HTTPS|Photo app
|fe2.update.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services
|fe3.delivery.dsp.mp.microsoft.com.nsatc.net|HTTPS|Windows Update, Microsoft Update, Microsoft Store services
|fe3.delivery.mp.microsoft.com*|HTTPS|Windows Update, Microsoft Update, Microsoft Store services
|g.live.com*|HTTPS|Used by OneDrive for Business to download and verify app updates
|g.msn.com.nsatc.net|HTTPS|Used to retrieve Windows Spotlight metadata
|go.microsoft.com|HTTP|Windows Defender
|iecvlist.microsoft.com|HTTPS|Microsoft Edge browser
|ipv4.login.msa.akadns6.net|HTTPS|Used for Microsoft accounts to sign in
|licensing.mp.microsoft.com*|HTTPS|Used for online activation and some app licensing
|login.live.com|HTTPS|Device Authentication
|maps.windows.com/windows-app-web-link|HTTPS|Maps application
|modern.watson.data.microsoft.com.akadns.net|HTTPS|Used by Windows Error Reporting
|msagfx.live.com|HTTPS|OneDrive
|ocos-office365-s2s.msedge.net/*|HTTPS|Used to connect to the Microsoft 365 admin center's shared infrastructure
|ocsp.digicert.com*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|oneclient.sfx.ms/*|HTTPS|Used by OneDrive for Business to download and verify app updates
|onecollector.cloudapp.aria.akadns.net|HTTPS|Microsoft Office
|pti.store.microsoft.com|HTTPS|Microsoft Store
|settings-win.data.microsoft.com/settings/*|HTTPS|Used as a way for apps to dynamically update their configuration
|share.microsoft.com|HTTPS|Microsoft Store
|skypeecs-prod-usw-0.cloudapp.net|HTTPS|Skype
|sls.update.microsoft.com*|HTTPS|Windows Update
|storecatalogrevocation.storequality.microsoft.com*|HTTPS|Used to revoke licenses for malicious apps on the Microsoft Store
|tile-service.weather.microsoft.com*|HTTP|Used to download updates to the Weather app Live Tile
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Windows Update
|v10.events.data.microsoft.com*|HTTPS|Diagnostic Data
|vip5.afdorigin-prod-ch02.afdogw.com|HTTPS|Used to serve Office 365 experimentation traffic
|watson.telemetry.microsoft.com*|HTTPS|Used by Windows Error Reporting
|wdcp.microsoft.com|HTTPS|Windows Defender
|wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com|HTTPS|Azure
|wusofficehome.msocdn.com|HTTPS|Microsoft Office
|www.bing.com|HTTPS|Cortana and Search
|www.microsoft.com|HTTP|Diagnostic Data
|www.microsoft.com/pkiops/certs/*|HTTP|CRL and OCSP checks to the issuing certificate authorities
|www.msftconnecttest.com|HTTP|Network Connection
|www.office.com|HTTPS|Microsoft Office

| Destination | Protocol | Description |
| ----------- | -------- | ----------- |
| \*.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use
| \*.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps
| \*.dl.delivery.mp.microsoft.com\* | HTTP | Windows Update
| \*.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps
| \*.g.akamaiedge.net | HTTPS | Used to check for updates to Maps that have been downloaded for offline use
| \*.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Microsoft Store
| \*.settings.data.microsoft.com.akadns.net | HTTPS | Microsoft Store
| \*.skype.com\* | HTTPS | Used to retrieve Skype configuration values
| \*.smartscreen\*.microsoft.com | HTTPS | Windows Defender
| \*.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps
| \*.telecommand.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting
| \*.wac.phicdn.net | HTTP | Windows Update
| \*.windowsupdate.com\* | HTTP | Windows Update
| \*.wns.windows.com | HTTPS | Windows Notifications Service
| \*.wpc.\*.net | HTTP | Diagnostic Data
| \*displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Microsoft Store
| \*dsp.mp.microsoft.com | HTTPS | Windows Update
| a1158.g.akamai.net | HTTP | Maps
| a122.dscg3.akamai.net | HTTP | Maps
| a767.dscg3.akamai.net | HTTP | Maps
| au.download.windowsupdate.com\* | HTTP | Windows Update
| bing.com/\* | HTTPS | Used for updates for Cortana, apps, and Live Tiles
| blob.dz5prdstr01a.store.core.windows.net | HTTPS | Microsoft Store
| browser.pipe.aria.microsoft.com | HTTP | Used by OfficeHub to get the metadata of Office apps
| cdn.onenote.net/livetile/\* | HTTPS | Used for OneNote Live Tile
| cds.p9u4n2q3.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates
| client-office365-tas.msedge.net/\* | HTTPS | Microsoft 365 admin center and Office in a browser
| ctldl.windowsupdate.com\* | HTTP | Used to download certificates that are publicly known to be fraudulent
| displaycatalog.mp.microsoft.com/\* | HTTPS | Microsoft Store
| dmd.metaservices.microsoft.com\* | HTTP | Device Authentication
| download.windowsupdate.com\* | HTTPS | Windows Update
| emdl.ws.microsoft.com/\* | HTTP | Used to download apps from the Microsoft Store
| evoke-windowsservices-tas.msedge.net | HTTPS | Photo app
| fe2.update.microsoft.com\* | HTTPS | Windows Update, Microsoft Update, Microsoft Store services
| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Windows Update, Microsoft Update, Microsoft Store services
| fe3.delivery.mp.microsoft.com\* | HTTPS | Windows Update, Microsoft Update, Microsoft Store services
| g.live.com\* | HTTPS | Used by OneDrive for Business to download and verify app updates
| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata
| go.microsoft.com | HTTP | Windows Defender
| iecvlist.microsoft.com | HTTPS | Microsoft Edge browser
| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in
| licensing.mp.microsoft.com\* | HTTPS | Used for online activation and some app licensing
| login.live.com | HTTPS | Device Authentication
| maps.windows.com/windows-app-web-link | HTTPS | Maps application
| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting
| msagfx.live.com | HTTPS | OneDrive
| ocos-office365-s2s.msedge.net/\* | HTTPS | Used to connect to the Microsoft 365 admin center's shared infrastructure
| ocsp.digicert.com\* | HTTP | CRL and OCSP checks to the issuing certificate authorities
|
||||
| oneclient.sfx.ms/\* | HTTPS | Used by OneDrive for Business to download and verify app updates
|
||||
| onecollector.cloudapp.aria.akadns.net | HTTPS | Microsoft Office
|
||||
| pti.store.microsoft.com | HTTPS | Microsoft Store
|
||||
| settings-win.data.microsoft.com/settings/\* | HTTPS | Used as a way for apps to dynamically update their configuration
|
||||
| share.microsoft.com | HTTPS | Microsoft Store
|
||||
| skypeecs-prod-usw-0.cloudapp.net | HTTPS | Skype
|
||||
| sls.update.microsoft.com\* | HTTPS | Windows Update
|
||||
| storecatalogrevocation.storequality.microsoft.com\* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store
|
||||
| tile-service.weather.microsoft.com\* | HTTP | Used to download updates to the Weather app Live Tile
|
||||
| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Windows Update
|
||||
| v10.events.data.microsoft.com\* | HTTPS | Diagnostic Data
|
||||
| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve Office 365 experimentation traffic
|
||||
| watson.telemetry.microsoft.com\* | HTTPS | Used by Windows Error Reporting
|
||||
| wdcp.microsoft.com | HTTPS | Windows Defender
|
||||
| wd-prod-cp-us-east-1-fe.eastus.cloudapp.azure.com | HTTPS | Azure
|
||||
| wusofficehome.msocdn.com | HTTPS | Microsoft Office
|
||||
| `www.bing.com` | HTTPS | Cortana and Search
|
||||
| `www.microsoft.com` | HTTP | Diagnostic Data
|
||||
| `www.microsoft.com/pkiops/certs/`* | HTTP | CRL and OCSP checks to the issuing certificate authorities
|
||||
| `www.msftconnecttest.com` | HTTP | Network Connection
|
||||
| `www.office.com` | HTTPS | Microsoft Office
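Review bot: The rewritten table escapes `*` inconsistently: most destinations use `\*` (for example `\*.windowsupdate.com\*`), but `` `www.microsoft.com/pkiops/certs/`* `` leaves its trailing `*` unescaped and outside the backticks, and only the last five `www.` rows are wrapped in backticks at all; pick one convention (escape every `*`, and either backtick every destination or none), since readers copy these rows into proxy and firewall allow lists. Two smaller points in the same table: the `\*.b.akamaiedge.net` and `\*.g.akamaiedge.net` rows describe the same function with different capitalization ("maps" vs "Maps"), and the `ctldl.windowsupdate.com\*` description ("Used to download certificates that are publicly known to be fraudulent") reads as though the endpoint serves fraudulent certificates; say that it downloads the list of such certificates, in line with the "Certificate Trust List" wording the new non-Enterprise tables use for the same host.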
@ -0,0 +1,203 @@
---
title: Windows 10, version 2004, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 2004.
keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: linque1
ms.author: obezeajo
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 5/11/2020
---
# Windows 10, version 2004, connection endpoints for non-Enterprise editions

**Applies to**

- Windows 10 Home, version 2004
- Windows 10 Professional, version 2004
- Windows 10 Education, version 2004

In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-2004-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 2004.

The following methodology was used to derive the network endpoints:

1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week. If you capture traffic for longer you may have different results.


> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.

## Windows 10 Family

| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*.prod.do.dsp.mp.microsoft.com|TLSv1.2|Windows Update
|*.smartscreen.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.smartscreen-prod.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.update.microsoft.com|TLSv1.2|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*storecatalogrevocation.storequality.microsoft.com|TLSv1.2|Used to revoke licenses for malicious apps on the Microsoft Store
|arc.msn.com|TLSv1.2|Windows Spotlight
|cdn.onenote.net|HTTPS|OneNote
|config.edge.skype.com|HTTPS|Skype
|config.teams.microsoft.com|HTTPS|Skype
|crl.microsoft.com|HTTPS|Skype
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|da.xboxservices.com|HTTPS|Microsoft Edge
|displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
|fs.microsoft.com|TLSv1.2|Maps application
|g.live.com|TLSv1.2|OneDrive
|go.microsoft.com|HTTPS|Windows Defender
|img-prod-cms-rt-microsoft-com|TLSv1.2|This endpoint is related to Microsoft Edge
|licensing.mp.microsoft.com|HTTPS|Licensing
|login.live.com|TLSv1.2|Device Authentication
|logincdn.msauth.net|TLSv1.2|Device Authentication
|manage.devcenter.microsoft.com|TLSv1.2|Microsoft Store analytics
|maps.windows.com|TLSv1.2|Related to Maps application
|ocsp.digicert.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
|pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
|ris.api.iris.microsoft.com|TLSv1.2|Windows Telemetry
|settings-win.data.microsoft.com|TLSv1.2|Used for Windows apps to dynamically update their configuration
|storesdk.dsx.mp.microsoft.com|HTTPS|Used to communicate with Microsoft Store
|telecommand.telemetry.microsoft.com|TLSv1.2|Used by Windows Error Reporting
|tile-service.weather.microsoft.com|HTTPS|Used to download updates to the Weather app Live Tile
|tsfe.trafficshaping.dsp.mp.microsoft.com|TLSv1.2|Used for content regulation
|v10.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|v20.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|wdcp.microsoft.com|TLSv1.2|Used for Windows Defender when Cloud-based Protection is enabled
|www.bing.com|TLSv1.2|Used for updates for Cortana, apps, and Live Tiles
|www.msftconnecttest.com|HTTPS|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office


## Windows 10 Pro

| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*.prod.do.dsp.mp.microsoft.com|TLSv1.2|Windows Update
|*.smartscreen.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.smartscreen-prod.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.update.microsoft.com|TLSv1.2|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
|*.wns.windows.com|TLSv1.2|Used for the Windows Push Notification Services (WNS)
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*msn-com.akamaized.net|HTTPS|This endpoint is related to Microsoft Edge
|*ring.msedge.net|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps
|*storecatalogrevocation.storequality.microsoft.com|TLSv1.2|Used to revoke licenses for malicious apps on the Microsoft Store
|arc.msn.com|TLSv1.2|Windows Spotlight
|blobs.officehome.msocdn.com|HTTPS|OneNote
|cdn.onenote.net|HTTPS|OneNote
|checkappexec.microsoft.com|HTTPS|OneNote
|config.edge.skype.com|HTTPS|Skype
|config.teams.microsoft.com|HTTPS|Skype
|crl.microsoft.com|HTTPS|Skype
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|d2i2wahzwrm1n5.cloudfront.net|HTTPS|Microsoft Edge
|da.xboxservices.com|HTTPS|Microsoft Edge
|displaycatalog.mp.microsoft.com|HTTPS|Microsoft Store
|dlassets-ssl.xboxlive.com|HTTPS|Xbox Live
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|emdl.ws.microsoft.com|HTTP|Windows Update
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
|fp.msedge.net|HTTPS|Cortana and Live Tiles
|fs.microsoft.com|TLSv1.2|Maps application
|g.live.com|TLSv1.2|OneDrive
|go.microsoft.com|HTTPS|Windows Defender
|img-prod-cms-rt-microsoft-com*|TLSv1.2|This endpoint is related to Microsoft Edge
|licensing.mp.microsoft.com|HTTPS|Licensing
|login.live.com|TLSv1.2|Device Authentication
|manage.devcenter.microsoft.com|TLSv1.2|Microsoft Store analytics
|maps.windows.com|TLSv1.2|Related to Maps application
|ocsp.digicert.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|oneclient.sfx.ms|HTTPS|Used by OneDrive for Business to download and verify app updates
|pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
|ris.api.iris.microsoft.com|TLSv1.2|Windows Telemetry
|s1325.t.eloqua.com|HTTPS|Microsoft Edge
|self.events.data.microsoft.com|HTTPS|Microsoft Office
|settings-win.data.microsoft.com|TLSv1.2|Used for Windows apps to dynamically update their configuration
|store-images.*microsoft.com|HTTPS|Used to get images that are used for Microsoft Store suggestions
|storesdk.dsx.mp.microsoft.com|HTTPS|Microsoft Store
|telecommand.telemetry.microsoft.com|TLSv1.2|Used by Windows Error Reporting
|tile-service.weather.microsoft.com|HTTPS|Used to download updates to the Weather app Live Tile
|time.windows.com|HTTPS|Fetch the time
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|The following endpoint is used for content regulation
|v10.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|wdcp.microsoft.com|TLSv1.2|Used for Windows Defender when Cloud-based Protection is enabled
|www.bing.com|TLSv1.2|Used for updates for Cortana, apps, and Live Tiles
|www.msftconnecttest.com|HTTPS|Network Connection (NCSI)
|www.msn.com|HTTPS|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office


## Windows 10 Education

| **Destination** | **Protocol** | **Description** |
| --- | --- | --- |
|*.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*.prod.do.dsp.mp.microsoft.com|TLSv1.2|Windows Update
|*.smartscreen.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.smartscreen-prod.microsoft.com|HTTPS|Windows Defender SmartScreen
|*.update.microsoft.com|TLSv1.2|Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store
|*.windowsupdate.com|HTTP|Used to download operating system patches and updates
|*.wns.windows.com|TLSv1.2|Used for the Windows Push Notification Services (WNS)
|*dl.delivery.mp.microsoft.com|HTTP|Used to download operating system patches, updates, and apps from Microsoft
|*ring.msedge.net|HTTPS|Used by Microsoft OfficeHub to get the metadata of Microsoft Office apps
|*storecatalogrevocation.storequality.microsoft.com|TLSv1.2|Used to revoke licenses for malicious apps on the Microsoft Store
|arc.msn.com|TLSv1.2|Windows Spotlight
|blobs.officehome.msocdn.com|HTTPS|OneNote
|cdn.onenote.net|HTTPS|OneNote
|checkappexec.microsoft.com|HTTPS|OneNote
|config.edge.skype.com|HTTPS|Skype
|config.teams.microsoft.com|HTTPS|Skype
|crl.microsoft.com|HTTPS|Skype
|ctldl.windowsupdate.com|HTTP|Certificate Trust List
|da.xboxservices.com|HTTPS|Microsoft Edge
|dmd.metaservices.microsoft.com|HTTP|Device Authentication
|emdl.ws.microsoft.com|HTTP|Windows Update
|evoke-windowsservices-tas.msedge.net|TLSv1.2|Photos app
|fp.msedge.net|HTTPS|Cortana and Live Tiles
|fs.microsoft.com|TLSv1.2|Maps application
|g.live.com|TLSv1.2|OneDrive
|go.microsoft.com|HTTPS|Windows Defender
|licensing.mp.microsoft.com|HTTPS|Licensing
|login.live.com|TLSv1.2|Device Authentication
|logincdn.msauth.net|HTTPS|Device Authentication
|manage.devcenter.microsoft.com|TLSv1.2|Microsoft Store analytics
|ocsp.digicert.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|ocsp.msocsp.com|HTTPS|CRL and OCSP checks to the issuing certificate authorities
|ow1.res.office365.com|HTTPS|Microsoft Office
|pipe.aria.microsoft.com|HTTPS|Used to retrieve Skype configuration values
|ris.api.iris.microsoft.com|TLSv1.2|Windows Telemetry
|s1325.t.eloqua.com|HTTPS|Microsoft Edge
|settings-win.data.microsoft.com|TLSv1.2|Used for Windows apps to dynamically update their configuration
|telecommand.telemetry.microsoft.com|TLSv1.2|Used by Windows Error Reporting
|tile-service.weather.microsoft.com|HTTPS|Used to download updates to the Weather app Live Tile
|v10.events.data.microsoft.com|TLSv1.2|Diagnostic Data
|v20.events.data.microsoft.com|HTTPS|Diagnostic Data
|watson.telemetry.microsoft.com|HTTPS|Diagnostic Data
|wdcp.microsoft.com|TLSv1.2|Used for Windows Defender when Cloud-based Protection is enabled
|www.bing.com|TLSv1.2|Used for updates for Cortana, apps, and Live Tiles
|www.microsoft.com|HTTP|Connected User Experiences and Telemetry, Microsoft Data Management service
|www.msftconnecttest.com|HTTPS|Network Connection (NCSI)
|www.office.com|HTTPS|Microsoft Office
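Review bot: `img-prod-cms-rt-microsoft-com` in the Windows 10 Family table is not a valid hostname as written (no dots), and the Pro table lists the same entry as `img-prod-cms-rt-microsoft-com*`; confirm the real destination and use one form in both tables, because readers copy these rows into firewall and proxy allow lists. Related consistency problems in the new page: the Protocol column mixes `TLSv1.2` with `HTTPS` for endpoints of the same kind, and `www.msftconnecttest.com` is listed as `HTTPS` here but `HTTP` in the Enterprise table above; `tsfe.trafficshaping.dsp.mp.microsoft.com` is "Windows Update" above but "Used for content regulation" here (and the Pro row says "The following endpoint is used for content regulation", which does not fit a table cell); `crl.microsoft.com` is described as "Skype" although, judging by its name and the `ocsp.digicert.com` row, it serves CRL and OCSP checks; and the Pro row `www.msn.com` repeats the "Network Connection (NCSI)" description of the `www.msftconnecttest.com` row directly above it, which looks like a copy-and-paste. Smaller: the heading "Windows 10 Family" should match "Windows 10 Home" in the Applies-to list; step 6 should read "an IPv4 network"; and the `keywords` line mentions Windows Server 2016 although the page covers only Windows 10 client editions.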
@ -1345,7 +1345,7 @@ This security group has not changed since Windows Server 2008.

Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.

However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.

For information, see [DNS Record Ownership and the DnsUpdateProxy Group](https://technet.microsoft.com/library/dd334715.aspx).
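Review bot: The added sentence ("This group exists only if the DNS server role is or was once installed on a domain controller in the domain") describes the group itself, not the dedicated-account workaround, so it reads better at the end of the first paragraph ("Members of the DnsUpdateProxy group are DNS clients ...") than appended to the "However, ..." paragraph about securing dynamic updates. Also, "For information, see" should be "For more information, see", matching the DnsAdmins section below.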
@ -1365,7 +1365,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-<domain>-1103</p></td>
<td><p>S-1-5-21-<domain>-<variable RID></p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
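Review bot: `<variable RID>` (and the pre-existing `<domain>`) sit unescaped inside an HTML `<td><p>` cell, so a renderer treats them as tags and drops them, leaving the reader with `S-1-5-21--`; write them as `&lt;domain&gt;-&lt;variable RID&gt;`. Replacing the fixed `1103` is right in substance: the previous hunk says the group is created when the DNS server role is installed, so its RID depends on when that happened in a given domain, which also means the "Well-Known SID/RID" row label is not quite accurate for this group.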
@ -1406,7 +1406,7 @@ This security group has not changed since Windows Server 2008.

### <a href="" id="bkmk-dnsadmins"></a>DnsAdmins

Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.

For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx).
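Review bot: "Members of DNSAdmins group" is missing "the" and spells the group `DNSAdmins` while the heading, the anchor id and the DnsUpdateProxy section use the `DnsAdmins` form; since the line is being edited, make it "Members of the DnsAdmins group". The added sentence about the DNS server role fits here, as the paragraph is the group description.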
@ -1426,7 +1426,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-<domain>-1102</p></td>
<td><p>S-1-5-21-<domain>-<variable RID></p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
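Review bot: As in the DnsUpdateProxy table, `<domain>` and `<variable RID>` inside the `<td><p>` cell need to be HTML-escaped (`&lt;domain&gt;-&lt;variable RID&gt;`), otherwise the placeholders are swallowed as unknown tags when the page renders.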
@ -1,6 +1,6 @@
---
title: Local Accounts (Windows 10)
description: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

@ -18,7 +18,7 @@ ms.reviewer:

# Additional mitigations

Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Hypervisor-Protected Code Integrity, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.
Windows Defender Credential Guard can provide mitigation against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Credential Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigation also must be deployed to make the domain environment more robust.

## Restricting domain users to specific domain-joined devices
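Review bot: While this line is being edited, "additional mitigation also must be deployed" should read "additional mitigations must also be deployed". The substantive change (credentials stolen "prior to Windows Defender Credential Guard" rather than "prior to Hypervisor-Protected Code Integrity") is correct: the risk the sentence describes is replay of credentials that were taken before Credential Guard was turned on, which code-integrity enforcement does nothing about, so the old wording named the wrong feature.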

@ -24,7 +24,7 @@ ms.reviewer:


## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.


@ -36,10 +36,11 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.




5. Close the Group Policy Management Console.
6. Close the Group Policy Management Console.

To enforce processing of the group policy, you can run ```gpupdate /force```.
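Review bot: The new step 5 lists every possible value of **Secure Launch Configuration** ("**Not Configured**, **Enabled** or **Disabled**") without saying which one this procedure needs, so the reader cannot tell whether the setting matters for enabling Credential Guard; either state the value to choose or say that it is independent of Credential Guard. Style points on the same step: the rest of the page links to other docs with relative paths and "For more information, see ...", whereas this step uses an absolute `https://docs.microsoft.com/...` URL and "Check this article for more details". Also, the inline command on the following line is wrapped in triple backticks (```` ```gpupdate /force``` ````); single backticks are the inline form.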

@ -112,15 +113,15 @@ You can do this by using either the Control Panel or the Deployment Image Servic

<span id="hardware-readiness-tool"/>

### Enable Windows Defender Credential Guard by using the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool
### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool

You can also enable Windows Defender Credential Guard by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).

```
DG_Readiness_Tool.ps1 -Enable -AutoReboot
```
> [!IMPORTANT]
> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.

### Review Windows Defender Credential Guard performance
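Review bot: The command block here invokes `DG_Readiness_Tool.ps1`, while the Review and Disable sections of the same page use `DG_Readiness_Tool_v3.6.ps1`; use one file name throughout, whichever the linked download actually ships, so a reader following the page in order does not look for two different scripts. The fenced block also carries no language tag; tag it `powershell` so the command is highlighted like the other PowerShell on the page.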

@ -137,13 +138,13 @@ You can view System Information to check that Windows Defender Credential Guard



You can also check that Windows Defender Credential Guard is running by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).

```
DG_Readiness_Tool_v3.6.ps1 -Ready
```
> [!IMPORTANT]
> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.

> [!NOTE]
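Review bot: The IMPORTANT note keeps a stray `*` inside the first backticked snippet (`*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture`) that the equivalent note in the Enable section does not have, and the asterisk is not part of the script line being replaced; since the line is already being rewritten for the HVCI abbreviation, drop the `*` so the snippet can be matched against the script verbatim. The same stray `*` recurs in the Disable section below.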

@ -208,20 +209,20 @@ To disable Windows Defender Credential Guard, you can use the following set of p
> [!NOTE]
> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.

For more info on virtualization-based security and Hypervisor-Protected Code Integrity, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
).

<span id="turn-off-with-hardware-readiness-tool"/>

#### Disable Windows Defender Credential Guard by using the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool
#### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool

You can also disable Windows Defender Credential Guard by using the [Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).

```
DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
```
> [!IMPORTANT]
> When running the Hypervisor-Protected Code Integrity and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.

#### Disable Windows Defender Credential Guard for a virtual machine
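Review bot: The "For more info on virtualization-based security and HVCI" link is split across two lines, with the closing `).` on a line of its own; a line break inside the link target breaks the Markdown link, so join it onto one line while the line is being touched ("For more info" could become "For more information" at the same time, matching the rest of the page). The `*$OSArch` snippet in this section's IMPORTANT note has the same stray asterisk as the Review section.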
@ -234,5 +235,3 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true


Binary file not shown.
After Width: | Height: | Size: 432 KiB |
@ -1,6 +1,6 @@
---
title: Conditional Access
description: Learn more about conditional access in Azure Active Directory.
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: w10
ms.mktglfcycl: deploy

@ -63,11 +63,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning

| Phase | Description |
| :----: | :----------- |
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in.|
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP.
|D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. Azure DRS uses the attribute information to create a device object in Azure Active Directory.|
|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|E | The Automatic Device Join task triggers with each user sign-in or every hour, and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
|
||||
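Review bot: the new row A text has a grammar slip, "the Automatic Device Join tasks is triggered" should read "the Automatic Device Join task is triggered", and the same sentence now duplicates what the new row E says ("with each user sign-in or every hour"); state the trigger once (row A) and let row E only say the task re-authenticates on each run. While these rows are being touched, "signs in to a domain joined Windows 10 computers" should be "computer", and row E's "issues a ID token" should be "an ID token".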
@ -78,7 +78,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|
||||
|
||||
| Phase | Description |
|
||||
| :----: | :----------- |
|
||||
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
|
||||
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in. |
|
||||
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|
||||
|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
|
||||
|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
|
||||
|
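Review bot: same grammar fix as in the managed table applies to this row A ("tasks is triggered" to "task is triggered"), and the note text here differs from the managed-table copy only by a trailing space before the closing "|"; keep the two sentences identical so a later edit does not have to be made twice. Row D of this federated table also still reads "The application create a certificate request ... signs the certificate request with using dkpriv"; "creates" and "signs the certificate request using dkpriv" are the intended wording.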
@ -33,6 +33,7 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
|
||||
- Certificate Revocation List (CRL) Distribution Point (CDP)
|
||||
- 2016 Domain Controllers
|
||||
- Domain Controller certificate
|
||||
- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
|
||||
|
||||
### Azure Active Directory Connect synchronization
|
||||
Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).
|
||||
|
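Review bot: the added prerequisite "Network infrastructure in place to reach your on-premises domain controller" is vague about what "reach" means; since the paragraph below says the synchronized credential is used for on-premises authentication, say explicitly that the client needs line of sight to a domain controller for Kerberos authentication and must also be able to retrieve the CRL from the CDP listed earlier in this list, because a VPN that tunnels only some of that traffic will pass this checklist and still fail at sign-in. "Any VPN solution" is fine as a statement of flexibility, but the reachability requirement is the security-relevant part. Unchanged context "2016 Domain Controllers" would also read better as "Windows Server 2016 or later domain controllers".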
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Windows Hello for Business Key Trust New Installation
|
||||
description: Learn how to perform a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
|
||||
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
|
||||
keywords: identity, PIN, biometric, Hello, passport, WHFB
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
|
@ -66,7 +66,7 @@ Key trust deployments do not need client issued certificates for on-premises aut
|
||||
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
|
||||
|
||||
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
|
||||
* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
|
||||
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
|
||||
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
|
||||
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
|
||||
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
|
||||
|
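Review bot: dropping "Optionally," from the Subject bullet changes it from optional to required, but the bullet still says "should" while the neighbouring mandatory bullets (CRL distribution point, Key Usage, Enhanced Key Usage) say "must"; if the distinguished name in the Subject is now a hard requirement for the domain controller certificate, write "must contain" so the requirement is unambiguous, and if it is not, keep "Optionally". Mixed "should"/"must" in a list introduced as "detailed requirements" leaves readers guessing which items will break authentication when missing.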
@ -80,8 +80,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
|
||||
|
||||
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
|
||||
|
||||
>[!NOTE]
|
||||
>The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
|
||||
> [!NOTE]
|
||||
> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
|
||||
|
||||
### Publish Certificate Templates to a Certificate Authority
|
||||
|
||||
|
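Review bot: the rewritten note is less accurate than the one it replaces in one detail: what an enterprise CA publishes to the NTAuth store (the NTAuthCertificates object in Active Directory) by default is the issuing CA's own certificate, not the root certificate, and NTAuth membership is checked for the CA that issued the domain controller certificate rather than for the chain's root. Suggested wording: "The domain controller's certificate must be issued by a CA whose certificate is in the NTAuth store. By default, Microsoft enterprise CAs publish their certificate to NTAuth when installed; a third-party CA usually will not, so publish it explicitly or user authentication will fail." The "> [!NOTE]" spacing fix is fine.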
@ -143,11 +143,12 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
|
||||

|
||||
|
||||
3. Under **Use the following restricted mode**:
|
||||
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
|
||||
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
|
||||
|
||||
> **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
|
||||
> [!NOTE]
|
||||
> Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
|
||||
|
||||
- If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
|
||||
- If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
|
||||
|
||||
- If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
|
||||
|
||||
|
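Review bot: the renamed option labels ("Restrict Credential Delegation", "Require Remote Credential Guard", together with the unchanged "Require Restricted Admin") match the values of the "Restrict delegation of credentials to remote servers" policy dropdown, which is the right fix; the changed social.technet wiki URL, however, replaces one wiki slug with another with no indication in the commit of why, so please confirm the new URL resolves and, if an equivalent page exists on docs.microsoft.com, link there instead of the wiki so the reference does not break again. The converted note ("> [!NOTE]" plus the clear-text statement) now sits between two list items; it needs to be indented under the first bullet, otherwise the markdown list is broken into two lists.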
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: VPN connection types (Windows 10)
|
||||
description: tbd
|
||||
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
|
@ -239,12 +239,12 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
|
||||
|
||||
# Extract the Profile XML from the ps1 file #
|
||||
|
||||
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
|
||||
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
|
||||
|
||||
# Create xml format variable to compare with the optimize list #
|
||||
|
||||
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
|
||||
[xml]$VPNprofilexml="<VPNPROFILE>"+$xmlbody+"</VPNPROFILE>"
|
||||
[xml]$VPNprofilexml="<VPNProfile>"+$xmlbody+"</VPNProfile>"
|
||||
|
||||
# Loop through each address found in VPNPROFILE XML section #
|
||||
foreach ($Route in $VPNprofilexml.VPNProfile.Route)
|
||||
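Review bot: correcting the wrapper tag to "<VPNProfile>" is necessary because XML element names are case-sensitive even though PowerShell's later property access ($VPNprofilexml.VPNProfile.Route) is not, but the surrounding code still fails silently when the regex does not match: "-replace" then returns the whole file content unchanged, it is wrapped in a second "<VPNProfile>" pair, and the [xml] cast either throws an unhelpful error or yields a document with no routes. Add a check after the "-replace", for example "if ($xmlbody -eq (Get-Content -Raw $VPNprofilefile)) { throw 'No <VPNProfile> element found' }", and update the comment "# Loop through each address found in VPNPROFILE XML section #" to the corrected tag name.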
@ -349,7 +349,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
|
||||
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
|
||||
|
||||
# Extract the Profile XML from the XML file #
|
||||
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
|
||||
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
|
||||
|
||||
# Create xml format variable to compare with optimize list #
|
||||
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
|
||||
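Review bot: this is the same regex as in the .ps1 branch above, fixed in the same way; define $regex once before the two "if ($FileExtension ...)" branches rather than duplicating the literal, so the two branches cannot drift apart again (this commit had to fix both copies). The missing-match guard suggested for the .ps1 branch applies here as well.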
@ -367,7 +367,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
|
||||
|
||||
# In VPN list only #
|
||||
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
|
||||
[array]$Inpfile = get-content $VPNprofilefile
|
||||
[System.Collections.ArrayList]$Inpfile = get-content $VPNprofilefile
|
||||
|
||||
if ($In_Opt_Only.Count -gt 0 )
|
||||
{
|
||||
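Review bot: changing $Inpfile from [array] to [System.Collections.ArrayList] is what makes the later in-place "$Inpfile.Insert(...)" possible, but the choice should be explained in a comment here, because Get-Content otherwise returns a fixed-size array on which Insert() is not available, and a future reader will be tempted to revert the cast. Note also that "[System.Collections.ArrayList]$Inpfile" followed by "$Inpfile.Insert" relies on PowerShell not emitting the ArrayList's return value anywhere; the Insert call below should be prefixed with "$null =" or "[void]" for clarity.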
@ -377,10 +377,10 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
|
||||
{
|
||||
# Add the missing IP address(es) #
|
||||
$IPInfo=$NewIP.Split("/")
|
||||
$inspoint = $Inpfile[0].IndexOf("</VPNProfile")
|
||||
$routes += "<Route>"+"<Address>"+$IPInfo[0].Trim()+"</Address>"+"<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"+"<ExclusionRoute>true</ExclusionRoute>"+"</Route>"
|
||||
$routes += "<Route>`n"+"`t<Address>"+$IPInfo[0].Trim()+"</Address>`n"+"`t<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>`n"+"`t<ExclusionRoute>true</ExclusionRoute>`n"+"</Route>`n"
|
||||
}
|
||||
$Inpfile = $Inpfile[0].Insert($inspoint,$routes)
|
||||
$inspoint = $Inpfile.IndexOf("</VPNProfile>")
|
||||
$Inpfile.Insert($inspoint,$routes)
|
||||
|
||||
# Update filename and write new XML file #
|
||||
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
|
||||
|
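Review bot: "$inspoint = $Inpfile.IndexOf("</VPNProfile>")" on an ArrayList is an exact element match, so it finds the closing tag only when that line is exactly "</VPNProfile>" with no leading whitespace or trailing characters; for any indented or single-line profile it returns -1 and "$Inpfile.Insert(-1, $routes)" throws ArgumentOutOfRangeException. Guard it with "if ($inspoint -lt 0) { throw 'Closing </VPNProfile> tag not found on its own line' }" or locate the line with a "-match" over the collection. Moving the IndexOf outside the foreach loop and building the routes with "`n" and "`t" is an improvement over the old single-line string; the old "$Inpfile = $Inpfile[0].Insert(...)" form only ever worked on a one-line file.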
@ -81,6 +81,8 @@ Microsoft still has apps that are unenlightened, but which have been tested and
|
||||
|
||||
- Skype for Business
|
||||
|
||||
- Microsoft Teams (build 1.3.00.12058 and later)
|
||||
|
||||
## Adding enlightened Microsoft apps to the allowed apps list
|
||||
|
||||
> [!NOTE]
|
||||
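Review bot: the new "Microsoft Teams (build 1.3.00.12058 and later)" entry carries a build qualifier while the adjacent "Skype for Business" entry has none; say what happens with earlier Teams builds (treated as untested, or not recommended for the allowed apps list) or link the build number to the Teams release notes, otherwise the qualifier reads as a bare minimum without a consequence.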