From 0bb3a3b960a7c178c94f626b9b44b6e73264b539 Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Mon, 8 Jul 2019 16:32:55 -0500 Subject: [PATCH 01/14] Move IE password manager to Level 3 Inconsistency: IE password manager was Level 2, while Edge password manager was level 3. Moving IE up to align with thinking that password managers add security (while also potentially increasing risk) - particularly with pending introduction of password generation --- .../level-3-enterprise-high-security.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md index e7cc86bf0e..d1673ce03b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md 
@@ -53,6 +53,11 @@ a level of security commensurate with the risks facing targeted organizations. M | Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. | | Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. | +### User Policies +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|---------------|--------------| +| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. 
To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. | + ## Controls The controls enforced in level 3 implement complex security configuration and controls. From d28b38ca368b6c8f662113c59f48fd2b0a80b6c4 Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Mon, 8 Jul 2019 16:33:47 -0500 Subject: [PATCH 02/14] Remove IE password manager from Level 2 Moved to Level 3, to align with Edge password manager positioning --- .../level-2-enterprise-enhanced-security.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md index 6cf7155a9a..3671675351 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md 
@@ -83,7 +83,6 @@ than the process in level 1. |---------|----------------|--------------|-------------| | Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. | | Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers | -| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. | ### Services From 088ae79f9cde64d439ac39caeacd4ee9175a81f6 Mon Sep 17 00:00:00 2001 
From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Tue, 9 Jul 2019 10:19:13 -0700 Subject: [PATCH 03/14] HoloLens - Added date, and missing file --- devices/hololens/TOC.md | 1 + .../hololens-clicker-restart-recover.md | 1 + devices/hololens/hololens-clicker.md | 1 + devices/hololens/hololens-cortana.md | 1 + .../hololens/hololens-find-and-save-files.md | 1 + devices/hololens/hololens-get-apps.md | 1 + devices/hololens/hololens-offline.md | 1 + devices/hololens/hololens-restart-recover.md | 55 +++++++++++++++++++ .../hololens/hololens-spaces-on-hololens.md | 1 + devices/hololens/hololens-use-apps.md | 1 + 10 files changed, 64 insertions(+) create mode 100644 devices/hololens/hololens-restart-recover.md diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index fe3ef6c693..b49858b838 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -11,6 +11,7 @@ ## [Manage updates to HoloLens](hololens-updates.md) ## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) ## [Use the HoloLens Clicker](hololens-clicker.md) +## [Restart or recover the HoloLens](hololens-restart-recover.md) ## [Restart or recover the HoloLens clicker](hololens-clicker-restart-recover.md) # Application Management diff --git a/devices/hololens/hololens-clicker-restart-recover.md b/devices/hololens/hololens-clicker-restart-recover.md index 8559ec009a..81c7ffc704 100644 --- a/devices/hololens/hololens-clicker-restart-recover.md +++ b/devices/hololens/hololens-clicker-restart-recover.md @@ -3,6 +3,7 @@ title: Restart or recover the HoloLens clicker description: Things to try if the HoloLens clicker is unresponsive or isn’t working well. ms.assetid: 13406eca-e2c6-4cfc-8ace-426ff8f837f4 ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens diff --git a/devices/hololens/hololens-clicker.md b/devices/hololens/hololens-clicker.md index 576637493f..8ec7e8077b 100644 
--- a/devices/hololens/hololens-clicker.md +++ b/devices/hololens/hololens-clicker.md @@ -3,6 +3,7 @@ title: Use the HoloLens Clicker description: ms.assetid: 7d4a30fd-cf1d-4c9a-8eb1-1968ccecbe59 ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index db38dfe10d..8c74b3b97e 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -3,6 +3,7 @@ title: Cortana on HoloLens description: Cortana can help you do all kinds of things on your HoloLens ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md index 61d53e606d..ba459eff13 100644 --- a/devices/hololens/hololens-find-and-save-files.md +++ b/devices/hololens/hololens-find-and-save-files.md @@ -3,6 +3,7 @@ title: Find and save files on HoloLens description: Use File Explorer on HoloLens to view and manage files on your device ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens diff --git a/devices/hololens/hololens-get-apps.md b/devices/hololens/hololens-get-apps.md index 4f1542e495..cd14341075 100644 --- a/devices/hololens/hololens-get-apps.md +++ b/devices/hololens/hololens-get-apps.md @@ -3,6 +3,7 @@ title: Get apps for HoloLens description: The Microsoft Store is your source for apps and games that work with HoloLens. ms.assetid: cbe9aa3a-884f-4a92-bf54-8d4917bc3435 ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md index f55b6d68f9..49190e6907 100644 
--- a/devices/hololens/hololens-offline.md +++ b/devices/hololens/hololens-offline.md @@ -3,6 +3,7 @@ title: Use HoloLens offline description: To set up HoloLens, you'll need to connect to a Wi-Fi network ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens diff --git a/devices/hololens/hololens-restart-recover.md b/devices/hololens/hololens-restart-recover.md new file mode 100644 index 0000000000..9bf0cddb37 --- /dev/null +++ b/devices/hololens/hololens-restart-recover.md 
@@ -0,0 +1,55 @@ +--- +title: Restart, reset, or recover HoloLens +description: Restart, reset, or recover HoloLens +ms.assetid: 9a546416-1648-403c-9e0c-742171b8812e +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Restart, reset, or recover HoloLens + +Here are some things to try if your HoloLens is unresponsive, isn’t running well, or is experiencing software or update problems. + +## Restart your HoloLens + +If your HoloLens isn’t running well or is unresponsive, try the following things. + +First, try restarting the device: say, "Hey Cortana, restart the device." + +If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device. + +If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device. + +## Reset or recover your HoloLens + +If restarting your HoloLens doesn’t help, another option is to reset it. If resetting it doesn’t fix the problem, the Windows Device Recovery Tool can help you recover your device. + +>[!IMPORTANT] +>Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete. + +## Reset + +Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings. + +To reset your HoloLens, go to **Settings** > **Update** > **Reset** and select **Reset device**. The battery will need to have at least a 40 percent charge remaining to reset. 
+ +## Recover using the Windows Device Recovery Tool + +Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time, and the latest version of the Windows Holographic software approved for your HoloLens will be installed. + +To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. +To recover your HoloLens + +1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer. +1. Connect the clicker to your computer using the Micro USB cable that came with your HoloLens. +1. Run the Windows Device Recovery Tool and follow the instructions. + +If the clicker isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-spaces-on-hololens.md b/devices/hololens/hololens-spaces-on-hololens.md index a0d70ecd96..5c04bb7c3e 100644 --- a/devices/hololens/hololens-spaces-on-hololens.md +++ b/devices/hololens/hololens-spaces-on-hololens.md @@ -3,6 +3,7 @@ title: Spaces on HoloLens description: HoloLens blends holograms with your world ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens diff --git a/devices/hololens/hololens-use-apps.md b/devices/hololens/hololens-use-apps.md index 9ea95c1da9..e3d0aba0a9 100644 --- a/devices/hololens/hololens-use-apps.md +++ b/devices/hololens/hololens-use-apps.md @@ -3,6 +3,7 @@ title: Use apps on HoloLens description: Apps on HoloLens use either 2D view or holographic view. ms.assetid: 6bd124c4-731c-4bcc-86c7-23f9b67ff616 ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 manager: v-miegge keywords: hololens ms.prod: hololens 
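Review bot: In the new hololens-restart-recover.md, the recovery steps still refer to the clicker ("Connect the clicker to your computer using the Micro USB cable...", "If the clicker isn't automatically detected"), although the article is about recovering the HoloLens itself; these two sentences should name the HoloLens. The Windows Device Recovery Tool link in step 1 points at a dev.azure.com/ContentIdea query URL rather than a download page, so replace it with the public download location before this is published. "To recover your HoloLens" also needs a colon or a heading so that it introduces the numbered list.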
From 93a89cdf54e43d5d5790d9e70c1f36eefe036aa7 Mon Sep 17 00:00:00 2001 From: v-miegge <49650192+v-miegge@users.noreply.github.com> Date: Tue, 9 Jul 2019 10:21:17 -0700 Subject: [PATCH 04/14] Updated title on line 14. --- devices/hololens/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index b49858b838..d50c95d74f 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -11,7 +11,7 @@ ## [Manage updates to HoloLens](hololens-updates.md) ## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) ## [Use the HoloLens Clicker](hololens-clicker.md) -## [Restart or recover the HoloLens](hololens-restart-recover.md) +## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md) ## [Restart or recover the HoloLens clicker](hololens-clicker-restart-recover.md) # Application Management From 89d37888e229460f59e81b28c1d90d75a3cf1cd8 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 9 Jul 2019 12:42:18 -0700 Subject: [PATCH 05/14] Update configure-machines.md --- .../microsoft-defender-atp/configure-machines.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 62140b2d6d..02b3162b75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
@@ -49,6 +49,8 @@ Machine configuration management works closely with Intune device management to Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll). +>[!NOTE] To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](licenses-assign.md). + >[!TIP] >To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). From 6a06e139539daae02e1092f5ab856381511772d3 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 9 Jul 2019 12:48:52 -0700 Subject: [PATCH 06/14] Update configure-machines.md --- .../microsoft-defender-atp/configure-machines.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 02b3162b75..ed88448254 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
@@ -54,11 +54,11 @@ Before you can ensure your machines are configured properly, enroll them to Intu >[!TIP] >To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). ->[!NOTE] ->During preview, you might encounter a few known limitations: ->- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. ->- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines. ->- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard. +## Known issues and limitations in this preview +During preview, you might encounter a few known limitations: +- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. +- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines. 
+- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard. ## In this section From 198c109bfd6dd04c3a925bf8d9cbc087ff0756fa Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 9 Jul 2019 13:02:42 -0700 Subject: [PATCH 07/14] Sec Conf Mgmt updates --- .../microsoft-defender-atp/configure-machines-onboarding.md | 2 ++ .../configure-machines-security-baseline.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index ad42b1bcd9..36245748ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -28,6 +28,8 @@ ms.topic: procedural Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. +>[!NOTE] Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). + ## Discover and track unprotected machines The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines. 
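Review bot: The line added to configure-machines-onboarding.md puts the alert marker and its text on one line (">[!NOTE] Before you can track and manage onboarding of machines, ..."), unlike the ">[!TIP]" block in configure-machines.md, where the marker sits on its own line. Split it into ">[!NOTE]" followed by a ">"-prefixed text line, as PATCH 08/14 later does, and consider squashing that fix into this commit so that no revision in the history carries the malformed note.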
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index b7a5c0bf30..d913fd8672 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -30,6 +30,8 @@ Security baselines ensure that security features are configured according to gui To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). +>[!NOTE] Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). + ## Compare the Microsoft Defender ATP and the Windows Intune security baselines The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: From f651366d23bf467e1e2d4bee7dff80b850d1975a Mon Sep 17 00:00:00 2001 
From: lomayor Date: Tue, 9 Jul 2019 14:10:56 -0700 Subject: [PATCH 08/14] Fixed note text --- .../microsoft-defender-atp/configure-machines-onboarding.md | 3 ++- .../configure-machines-security-baseline.md | 3 ++- .../microsoft-defender-atp/configure-machines.md | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 36245748ca..f09ddf1096 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -28,7 +28,8 @@ ms.topic: procedural Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. ->[!NOTE] Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). +>[!NOTE] +>Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). ## Discover and track unprotected machines diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index d913fd8672..d91d24bb04 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md 
@@ -30,7 +30,8 @@ Security baselines ensure that security features are configured according to gui To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). ->[!NOTE] Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). +>[!NOTE] +>Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). ## Compare the Microsoft Defender ATP and the Windows Intune security baselines The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index ed88448254..9c507ffa37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
@@ -49,7 +49,8 @@ Machine configuration management works closely with Intune device management to Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll). ->[!NOTE] To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](licenses-assign.md). +>[!NOTE] +>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](licenses-assign.md). >[!TIP] >To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). From 239f7b28237c873296e7870c8847619e3f88ce01 Mon Sep 17 00:00:00 2001 From: lomayor Date: Tue, 9 Jul 2019 14:20:49 -0700 Subject: [PATCH 09/14] Update configure-machines.md --- .../microsoft-defender-atp/configure-machines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 9c507ffa37..31fbc743c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
@@ -50,7 +50,7 @@ Machine configuration management works closely with Intune device management to Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll). >[!NOTE] ->To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](licenses-assign.md). +>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign). >[!TIP] >To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). From 63def2376d96cd977dba879c684d22e0f14b58db Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Tue, 9 Jul 2019 16:54:46 -0700 Subject: [PATCH 10/14] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...ponents-to-microsoft-services-using-MDM.md | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 9f89972a1f..196f6860cf 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -70,6 +70,8 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
**Set to 0 (zero)** | | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)** | 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)** +| 15.1 Injest the ADMX | To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. | The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). +| 15.2 Prevent Network Traffic before User SignIn | PreventNetworkTrafficPreUserSignIn | The OMA-URI value is: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn | 16. Preinstalled apps | N/A | N/A | 17. Privacy settings | | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. | 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)** 
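Review bot: The two added OneDrive rows (15.1 and 15.2) do not follow the three-column pattern of the neighbouring rows: 15.1 is titled "Injest the ADMX" (should be "Ingest") and puts a sentence in the policy column, and 15.2 gives the OMA-URI but never says what value to set, where the rows around it end with an explicit "Set to ...". State the value PreventNetworkTrafficPreUserSignIn must take, and for 15.1 name the ADMX file to ingest rather than only the folder it is found in.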
@@ -106,13 +108,30 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)** | 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)** | 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** +| 23.3 Windows Defender Potentially Unwanted Applications(PUA) Protection | [Defender/PUAProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-puaprotection) | Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)** | 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)** | 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. 
**Set to 1 (one)** | | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** | 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** | 26. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). | | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)** -| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)** +| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)** +| 27.1 Windows Update Allow Update Service | [Update/AllowUpdateService](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) | Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. 
**Set to 0 (zero)** +| 27.2 Windows Update Service URL| [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) | Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with this Value: + + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + ### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations From b3744d4d051f52f4428cdc8f022646f1f9354efa Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Tue, 9 Jul 2019 16:58:59 -0700 Subject: [PATCH 11/14] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...erating-system-components-to-microsoft-services-using-MDM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 196f6860cf..ff08bb3eca 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.localizationpriority: medium author: medgarmedgar ms.author: v-medgar -ms.date: 3/1/2019 +ms.date: 7/9/2019 --- # Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server From 8ae79ca1b2e8c72b8496c02246f8f23d2b0c7ee6 Mon Sep 17 00:00:00 2001 
From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Tue, 9 Jul 2019 17:10:49 -0700 Subject: [PATCH 12/14] Update manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md --- ...rating-system-components-to-microsoft-services-using-MDM.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index ff08bb3eca..843d0975aa 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -78,8 +78,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)** | 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. **Set to 0 (zero)** | 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)** -| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune** -| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)** +| 17.5 Notifications | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)** | | [Settings/AllowOnlineTips]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. 
**Set to Disabled** | 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)** | | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)** From c5653eb93c7727de359a39223bf1fba81e5ede79 Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Tue, 9 Jul 2019 17:12:42 -0700 Subject: [PATCH 13/14] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...indows-operating-system-components-to-microsoft-services.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 903c748516..0922c7def1 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -69,8 +69,7 @@ The following table lists management options for each setting, beginning with Wi | [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [13. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) -) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | From 27b6a8823e8d2475fb9896e98cbd917df731984d Mon Sep 17 00:00:00 2001 From: Mike Edgar <49731348+medgarmedgar@users.noreply.github.com> Date: Tue, 9 Jul 2019 17:17:14 -0700 Subject: [PATCH 14/14] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...-operating-system-components-to-microsoft-services.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 0922c7def1..fe82aa66b7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -547,14 +547,7 @@ To turn off the Windows Mail app: ### 12. Microsoft Account -To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). - -- **Enable** the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. - - -or- - -- Create a REG_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a **value of 3**. - +Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). To disable the Microsoft Account Sign-In Assistant:
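Review bot: In the OneDrive hunk of the MDM table, the added 15.2 row gives the OMA-URI for PreventNetworkTrafficPreUserSignIn but never says which value or data type to set, whereas the policy rows around it end with an explicit instruction (for example DisableOneDriveFileSync, "**Set to 1 (one)**"); add the value here as well. In 15.1, "Injest" should be "Ingest", and the row says where the ADMX files are located but not which file to ingest or how, so step 15.2 cannot be completed from this text alone. Both new rows also put free text in the policy column, where the other rows carry a Policy CSP link.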
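Review bot: In the hunk at @@ -106,13 +108,30 @@, rows 27.1 and 27.2 appear to conflict: 27.1 sets Update/AllowUpdateService to 0, and the row describes that policy as deciding whether the device can use Microsoft Update, WSUS or Microsoft Store, yet 27.2 then points the device at a WSUS server. State which combination is intended and spell out what 0 means in 27.1. The sample value `http://abcd-srv:8530` in 27.2 is plain HTTP, and update traffic fetched over an unencrypted channel can be altered in transit, so the example should use an `https://` placeholder. The SyncML value follows the row as loose, unfenced lines; put it in a fenced block so the markup renders literally. Row 23.3 should say what PUAProtection value 1 does, and the three new links use `/en-us/` URLs where the existing rows use locale-neutral ones.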
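Review bot: In the hunk at @@ -78,8 +78,7 @@ of the MDM document, deleting the Notifications/DisallowCloudNotification row at 17.5 also deletes the only warning in this table that WNS notifications must stay on for devices managed through Microsoft Intune ("**DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune**"). If the policy is being dropped because it must not be set on MDM-managed devices, keep that as a short note beside the 17.5 row so admins who pick up DisallowCloudNotification from other guidance still see it, and give the reason in the commit message, which currently only names the file.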
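Review bot: In the hunk at @@ -547,14 +547,7 @@, the replacement paragraph says "Use the below setting" while both concrete options (the **Accounts: Block Microsoft Accounts** Group Policy and the **NoConnectedUser** registry value) are removed without a reason, so a reader cannot tell whether those settings are now discouraged or simply omitted. Name the remaining method in the sentence, for example "To prevent communication to the Microsoft Account cloud authentication service, disable the Microsoft Account Sign-In Assistant as described below", and record in the commit message why the Group Policy and registry paths were dropped. The carried-over sentence "Some of them could be in unexpected ways" is ungrammatical, and the check marks in the "12. Microsoft Account" row of the management-options table should be rechecked against what remains.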