Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | -| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | - -| Site discovery | KB | -|------------------------------------------------------|----| -| Internet Explorer data collection |[KB3170106](https://support.microsoft.com/kb/3170106) or later
Provides the capability for [site discovery](upgrade-analytics-review-site-discovery.md).
For more information about this KB, see
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | +| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time. @@ -133,8 +129,6 @@ The Upgrade Analytics deployment script does the following: 7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file. -8. If enabled, collects Internet Explorer data. By default, Internet Explorer data collection is disabled. - To run the Upgrade Analytics deployment script: 1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode. @@ -157,16 +151,6 @@ To run the Upgrade Analytics deployment script: 3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode. -4. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected: - - > *IEOptInLevel = 0 Internet Explorer data collection is disabled* -> - > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* -> - > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* -> - > *IEOptInLevel = 3 Data collection is enabled for all sites* - 4. Notify users if they need to restart their computers. By default, this is set to off. 5. After you finish editing the parameters in RunConfig.bat, run the script as an administrator. diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md deleted file mode 100644 index 0a0dc34cd3..0000000000 --- a/windows/deploy/upgrade-analytics-review-site-discovery.md +++ /dev/null @@ -1,63 +0,0 @@ ---- -title: Review site discovery -description: Explains how to review internet web site discovery with Upgrade Analytics. -ms.prod: w10 -author: Justinha ---- - -# Review site discovery - -This section of the Upgrade Analytics workflow provides an inventory of web sites that are being used by client computers that run Internet Explorer on Windows 8.1 and Windows 7 in your environment. This inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. Data from Edge browser is not collected. - -## Install prerequisite security update for Internet Explorer - -Ensure the following prerequisites are met before using site discovery: - -1. Install the latest Internet Explorer 11 Cumulative Update. This update provides the capability for site discovery and is available in the [July 2016 cumulative update (KB3170106)](https://support.microsoft.com/kb/3170106) and later. -2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)). -3. Enable Internet Explorer data collection, which is disabled by default. To enable it, modify the [Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script) to allow Internet Explorer data collection before you run it, or you can enable it by creating the following registry entry: - - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection - - Entry name: IEDataOptIn - - Data type: DWORD - - Values: - - 0 – Internet Explorer data collection is disabled - - 1 – Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones - - 2 – Data collection is enabled for sites in the Internet + Restricted sites zones - - 3 – Data collection is enabled for all sites - - For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx). - -  - -## Review most active sites - -This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. - -For each site, the fully qualified domain name will be listed. You can sort the data by domain name or by URL. - - - -Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. - - - -## Review document modes in use - -This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). - - - -## Run browser-related queries - -You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. - - - diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 2a854e9a3b..1739910931 100644 --- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -4,6 +4,7 @@ description: The simplest path to upgrade PCs currently running Windows 7, Wind ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 keywords: upgrade, update, task sequence, deploy ms.prod: w10 +localizationpriority: high ms.mktglfcycl: deploy author: mtniehaus --- diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index feaabb3fa4..a57de8573f 100644 --- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -5,6 +5,7 @@ ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460 keywords: upgrade, update, task sequence, deploy ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus diff --git a/windows/deploy/upgrade-windows-phone-8-1-to-10.md b/windows/deploy/upgrade-windows-phone-8-1-to-10.md index f79c20d4ba..8270ef2a4e 100644 --- a/windows/deploy/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deploy/upgrade-windows-phone-8-1-to-10.md @@ -4,6 +4,7 @@ description: This article describes how to upgrade eligible Windows Phone 8.1 de keywords: upgrade, update, windows, phone, windows 10, mdm, mobile ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: Jamiejdt diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md index da3cbd9940..5e93439f0c 100644 --- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md +++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md @@ -5,6 +5,7 @@ ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f keywords: web services, database ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.sitesec: library ms.pagetype: mdt author: mtniehaus diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md index 32208d3e25..38ae49c0e7 100644 --- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -6,6 +6,7 @@ ms.pagetype: mdt keywords: database, permissions, settings, configure, deploy ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md index 2f6f9bf239..33f1c9a3a7 100644 --- a/windows/deploy/use-web-services-in-mdt-2013.md +++ b/windows/deploy/use-web-services-in-mdt-2013.md @@ -5,6 +5,7 @@ ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 keywords: deploy, web apps ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.pagetype: mdt ms.sitesec: library author: mtniehaus diff --git a/windows/deploy/windows-10-deployment-scenarios.md b/windows/deploy/windows-10-deployment-scenarios.md index d3b797865f..b33db65cc8 100644 --- a/windows/deploy/windows-10-deployment-scenarios.md +++ b/windows/deploy/windows-10-deployment-scenarios.md @@ -5,6 +5,7 @@ ms.assetid: 7A29D546-52CC-482C-8870-8123C7DC04B5 keywords: upgrade, in-place, configuration, deploy ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/windows-10-edition-upgrades.md b/windows/deploy/windows-10-edition-upgrades.md index 5ef0592258..5a17250306 100644 --- a/windows/deploy/windows-10-edition-upgrades.md +++ b/windows/deploy/windows-10-edition-upgrades.md @@ -4,6 +4,7 @@ description: With Windows 10, you can quickly upgrade from one edition of Windo ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.sitesec: library ms.pagetype: mobile author: greg-lindsay diff --git a/windows/deploy/windows-10-enterprise-e3-overview.md b/windows/deploy/windows-10-enterprise-e3-overview.md new file mode 100644 index 0000000000..c3861f8fe5 --- /dev/null +++ b/windows/deploy/windows-10-enterprise-e3-overview.md @@ -0,0 +1,396 @@ +--- +title: Windows 10 Enterprise E3 in CSP Overview +description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition. +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: greg-lindsay +--- + +# Windows 10 Enterprise E3 in CSP Overview + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following: + +- Windows 10 Pro, version 1607 (also known as Windows 10 Anniversary Update) or later installed on the devices to be upgraded + +- Azure Active Directory (Azure AD) available for identity management + +Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro. + +Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits: + +- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB). + +- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations. + +- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices. + +- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days). + +- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization. + +- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance? + +- [Microsoft Volume Licensing](http://www.microsoft.com/en-us/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products. + +- [Software Assurance](http://www.microsoft.com/en-us/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits: + + - **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits. + + - **Training**. These benefits include training vouchers, online e-learning, and a home use program. + + - **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server. + + - **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums. + + In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses. + +In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition. + +## Compare Windows 10 Pro and Enterprise editions + +Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management. + +*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro* + +
| Feature | +Description | +
|---|---|
Credential Guard\* |
+This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks. +Credential Guard has the following features: +
For more information, see [Protect derived domain credentials with Credential Guard](http://technet.microsoft.com/itpro/windows/keep-secure/credential-guard). +\* Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present) |
+
Device Guard |
+This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. +Device Guard does the following: +
For more information, see [Introduction to Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies). |
+
AppLocker management |
+This feature helps IT pros determine which applications and files users can run on a device (also known as “whitelisting”). The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. +For more information, see [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview). |
+
Application Virtualization (App-V) |
+This feature makes applications available to end users without installing the applications directly on users’ devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates. +For more information, see [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started). |
+
User Experience Virtualization (UE-V) |
+With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. +UE-V provides the ability to do the following: +
For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows). |
+
Managed User Experience |
+This feature helps customize and lock down a Windows device’s user interface to restrict it to a specific task. For example, you can configure a device for a controlled scenario such as a kiosk or classroom device. The user experience would be automatically reset once a user signs off. You can also restrict access to services including Cortana or the Windows Store, and manage Start layout options, such as: +
|
+
+ **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
+
+2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
+
+ 
+
+ **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
+
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
+
+ 
+
+ **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
+
+Now the device is Azure AD joined to the company’s subscription.
+
+**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up**
+
+1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
+
+ 
+
+ **Figure 5. Connect to work or school configuration in Settings**
+
+2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
+
+ 
+
+ **Figure 6. Set up a work or school account**
+
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
+
+ 
+
+ **Figure 7. The “Let’s get you signed in” dialog box**
+
+Now the device is Azure AD joined to the company’s subscription.
+
+### Step 2: Sign in using Azure AD account
+
+Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
+
+
+
+**Figure 8. Sign in by using Azure AD account**
+
+### Step 3: Verify that Enterprise edition is enabled
+
+You can verify the Windows 10 Enterprise E3 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
+
+
+#### Figure 9 - Windows 10 Enterprise E3 subscription in Settings
+
+
+
+If there are any problems with the Windows 10 Enterprise E3 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+
+## Troubleshoot the user experience
+
+In some instances, users may experience problems with the Windows 10 Enterprise E3 subscription. The most common problems that users may experience are as follows:
+
+- The existing Windows 10 Pro, version 1607 operating system is not activated.
+
+- The Windows 10 Enterprise E3 subscription has lapsed or has been removed.
+
+Use the following figures to help you troubleshoot when users experience these common problems:
+
+- [Figure 9](#win-10-activated-subscription-active) illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Enterprise E3 subscription is active.
+
+- [Figure 10](#win-10-not-activated) illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Enterprise E3 subscription is active.
+
+- [Figure 11](#subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 is activated, but the Windows 10 Enterprise E3 subscription is lapsed or removed.
+
+- [Figure 12](#win-10-not-activated-subscription-not-active) illustrates a device on which Windows 10 Pro, version 1607 license is not activated and the Windows 10 Enterprise E3 subscription is lapsed or removed.
+
+
+### Figure 10 - Windows 10 Pro, version 1607 edition not activated in Settings
+
+
+ + +### Figure 11 - Windows 10 Enterprise E3 subscription lapsed or removed in Settings + +
+ + +### Figure 12 - Windows 10 Pro, version 1607 edition not activated and Windows 10 Enterprise E3 subscription lapsed or removed in Settings + +
+ +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure Active Directory joined:** + +1. Open a command prompt and type **dsregcmd /status**. + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10:** + +- At a command prompt, type: + **winver** + + A popup window will display the Windows 10 version number and detailed OS build information. + + If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. + +## Deploy Windows 10 Enterprise features + +Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows-10-pro-and-enterprise-editions)? + +The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features. + +### Credential Guard\* + +You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods: + +- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices. + +- **Manual**. You can manually turn on Credential Guard by doing the following: + + - Add the virtualization-based security features by using Programs and Features or Deployment Image Servicing and Management (DISM). + + - Configure Credential Guard registry settings by using the Registry Editor or the [Device Guard and Credential Guard hardware readiness tool](http://www.microsoft.com/download/details.aspx?id=53337). + + You can automate these manual steps by using a management tool such as System Center Configuration Manager. + +For more information about implementing Credential Guard, see the following resources: + +- [Protect derived domain credentials with Credential Guard](http://technet.microsoft.com/itpro/windows/keep-secure/credential-guard) +- [PC OEM requirements for Device Guard and Credential Guard](http://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx) +- [Device Guard and Credential Guard hardware readiness tool](http://www.microsoft.com/download/details.aspx?id=53337) + +\* *Requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)* + +### Device Guard + +Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps: + +1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate. + +2. **Create code integrity policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing code integrity policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a code integrity policy and decide how to manage that policy. You can merge code integrity policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. + +3. **Audit the code integrity policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each code integrity policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. + +4. **Create a “catalog file” for unsigned line-of-business (LOB) applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your code integrity policy so that applications in the catalog will be allowed by the policy. + +5. **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a code integrity policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge code integrity policies from other sources also, for flexibility in how you create your final code integrity policies. + +6. **Deploy code integrity policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking code integrity policies out of audit mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and code integrity policies more broadly. + +7. **Enable desired hardware security features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by code integrity policies. + +For more information about implementing Device Guard, see: + +- [Planning and getting started on the Device Guard deployment process](https://technet.microsoft.com/itpro/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process) +- [Device Guard deployment guide](http://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) + +### AppLocker management + +You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices. + +For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-policies-deployment-guide). + +### App-V + +App-V requires an App-V server infrastructure to support App-V clients. The primary App-V components that the you must have are as follows: + +- **App-V server**. The App-V server provides App-V management, virtualized app publishing, app streaming, and reporting services. Each of these services can be run on one server or can be run individually on multiple servers. For example, you could have multiple streaming servers. App-V clients contact App-V servers to determine which apps are published to the user or device, and then run the virtualized app from the server. + +- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app. + +- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices. + +For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources: + +- [Getting Started with App-V for Windows 10](https://technet.microsoft.com/itpro/windows/manage/appv-getting-started) +- [Deploying the App-V server](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-server) +- [Deploying the App-V Sequencer and Configuring the Client](https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client) + +### UE-V +UE-V requires server- and client-side components that you you’ll need to download, activate, and install. These components include: + +- **UE-V service**. The UE-V service (when enabled on devices) monitors registered applications and Windows for any settings changes, then synchronizes those settings between devices. + +- **Settings packages**. Settings packages created by the UE-V service store application settings and Windows settings. Settings packages are built, locally stored, and copied to the settings storage location. + +- **Settings storage location**. This location is a standard network share that your users can access. The UE-V service verifies the location and creates a hidden system folder in which to store and retrieve user settings. + +- **Settings location templates**. Settings location templates are XML files that UE-V uses to monitor and synchronize desktop application settings and Windows desktop settings between user computers. By default, some settings location templates are included in UE-V. You can also create, edit, or validate custom settings location templates by using the UE-V template generator. Settings location templates are not required for Windows applications. + +- **Universal Windows applications list**. UE-V determines which Windows applications are enabled for settings synchronization using a managed list of applications. By default, this list includes most Windows applications. + +For more information about deploying UE-V, see the following resources: + +- [User Experience Virtualization (UE-V) for Windows 10 overview](https://technet.microsoft.com/itpro/windows/manage/uev-for-windows) +- [Get Started with UE-V](https://technet.microsoft.com/itpro/windows/manage/uev-getting-started) +- [Prepare a UE-V Deployment](https://technet.microsoft.com/itpro/windows/manage/uev-prepare-for-deployment) + +### Managed User Experience + +The Managed User Experience feature is a set of Windows 10 Enterprise edition features and corresponding settings that you can use to manage user experience. Table 2 describes the Managed User Experience settings (by category), which are only available in Windows 10 Enterprise edition. The management methods used to configure each feature depend on the feature. Some features are configured by using Group Policy, while others are configured by using Windows PowerShell, Deployment Image Servicing and Management (DISM), or other command-line tools. For the Group Policy settings, you must have AD DS with the Windows 10 Enterprise devices joined to your AD DS domain. + +*Table 2. Managed User Experience features* + +| Feature | Description | +|------------------|-----------------| +| Start layout customization | You can deploy a customized Start layout to users in a domain. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
For more information on these settings, see [Customize Windows 10 Start and taskbar with Group Policy](http://technet.microsoft.com/itpro/windows/manage/customize-windows-10-start-screens-by-using-group-policy). | +| Unbranded boot | You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error from which it cannot recover.
For more information on these settings, see [Unbranded Boot](http://msdn.microsoft.com/library/windows/hardware/mt571997(v=vs.85).aspx). | +| Custom logon | You can use the Custom Logon feature to suppress Windows 10 UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
For more information on these settings, see [Custom Logon](http://msdn.microsoft.com/library/windows/hardware/mt571990(v=vs.85).aspx). | +| Shell launcher | Enables Assigned Access to run only a classic Windows app via Shell Launcher to replace the shell.
For more information on these settings, see [Shell Launcher](http://msdn.microsoft.com/library/windows/hardware/mt571994(v=vs.85).aspx). | +| Keyboard filter | You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, users can use certain Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to control a device by locking the screen or using Task Manager to close a running application. This is not desirable on devices intended for a dedicated purpose.
For more information on these settings, see [Keyboard Filter](http://msdn.microsoft.com/library/windows/hardware/mt587088(v=vs.85).aspx). | +| Unified write filter | You can use Unified Write Filter (UWF) on your device to help protect your physical storage media, including most standard writable storage types that are supported by Windows, such as physical hard disks, solid-state drives, internal USB devices, external SATA devices, and so on. You can also use UWF to make read-only media appear to the OS as a writable volume.
For more information on these settings, see [Unified Write Filter](http://msdn.microsoft.com/library/windows/hardware/mt572001(v=vs.85).aspx). | + +## Related topics + +[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) + +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) + +[Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md deleted file mode 100644 index 04cb2496e2..0000000000 --- a/windows/deploy/windows-10-poc-mdt.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: Placeholder (Windows 10) -description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit - -**Applies to** - -- Windows 10 - -## In this guide - -## Related Topics - - - - - - - - - diff --git a/windows/deploy/windows-10-poc-sccm.md b/windows/deploy/windows-10-poc-sccm.md deleted file mode 100644 index 3e43d7c402..0000000000 --- a/windows/deploy/windows-10-poc-sccm.md +++ /dev/null @@ -1,28 +0,0 @@ ---- -title: Placeholder (Windows 10) -description: Deploy Windows 10 in a test lab using System Center Configuration Manager -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Deploy Windows 10 in a test lab using System Center Configuration Manager - -**Applies to** - -- Windows 10 - -## In this guide - -## Related Topics - - - - - - - - - diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md index 7ee695086b..b6c196f4d1 100644 --- a/windows/deploy/windows-10-upgrade-paths.md +++ b/windows/deploy/windows-10-upgrade-paths.md @@ -4,6 +4,7 @@ description: You can upgrade to Windows 10 from a previous version of Windows if ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library +localizationpriority: high ms.pagetype: mobile author: greg-lindsay --- diff --git a/windows/deploy/windows-adk-scenarios-for-it-pros.md b/windows/deploy/windows-adk-scenarios-for-it-pros.md index 19c048877c..89c15460f6 100644 --- a/windows/deploy/windows-adk-scenarios-for-it-pros.md +++ b/windows/deploy/windows-adk-scenarios-for-it-pros.md @@ -4,6 +4,7 @@ description: The Windows Assessment and Deployment Kit (Windows ADK) contains to ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B ms.prod: w10 ms.mktglfcycl: deploy +localizationpriority: high ms.sitesec: library author: greg-lindsay --- diff --git a/windows/keep-secure/active-directory-security-groups.md b/windows/keep-secure/active-directory-security-groups.md index 0bf7a79a16..552c86b75a 100644 --- a/windows/keep-secure/active-directory-security-groups.md +++ b/windows/keep-secure/active-directory-security-groups.md @@ -2231,6 +2231,7 @@ The Key Admins group applies to versions of the Windows Server operating system | Default members | None | | Default member of | None | | Protected by ADMINSDHOLDER? | No | +| Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | @@ -3351,6 +3352,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv | Default members | None | | Default member of | None | | Protected by ADMINSDHOLDER? | No | +| Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | @@ -3371,6 +3373,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper | Default members | Users | | Default member of | None | | Protected by ADMINSDHOLDER? | No | +| Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md index 02d66f7c0d..09000d467d 100644 --- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md index 30b45491f9..4e5ae1d646 100644 --- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -15,7 +15,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Azure Active Directory diff --git a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md index 1884657372..d4d9a55257 100644 --- a/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md +++ b/windows/keep-secure/bitlocker-how-to-enable-network-unlock.md @@ -141,7 +141,15 @@ To enroll a certificate from an existing certification authority (CA), do the fo 2. Select **Yes, export the private key**. 3. Complete the wizard to create the .pfx file. -To create a self-signed certificate, do the following: +To create a self-signed certificate, you can either use the New-SelfSignedCertificate cmdlet in Windows PowerShell or use Certreq. + +Windows PowerShell example: + +```syntax +New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt -KeyLength 2048 -KeySpec KeyExchange -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1") +``` + +Certreq example: 1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf 2. Add the following contents to the previously created file: @@ -150,6 +158,7 @@ To create a self-signed certificate, do the following: [NewRequest] Subject="CN=BitLocker Network Unlock certificate" ProviderType=0 + MachineKeySet=True Exportable=true RequestType=Cert KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE" @@ -180,7 +189,7 @@ To create a self-signed certificate, do the following: With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: 1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. -2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import** +2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**. 3. In the **File to Import** dialog, choose the .pfx file created previously. 4. Enter the password used to create the .pfx and complete the wizard. diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md index 51c6a67f78..65dcdf6805 100644 --- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md @@ -17,7 +17,7 @@ localizationpriority: high - Azure Active Directory - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index cb5fb08c28..614004d2dc 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 0dc00ad4ef..6978b1a8f6 100644 --- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -17,7 +17,7 @@ localizationpriority: high - Group Policy - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 04ba717eb7..f667ac1b36 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index c7493e5656..e7e9a27b13 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index bc8fe33b4f..a2643013c6 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index fd3f14562f..18864595b3 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 18dff61270..5aaa60e929 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -17,7 +17,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index 75a1c0f0a0..f8f22a049a 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index 8033431e7e..60e1c00469 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -16,7 +16,7 @@ localizationpriority: high **Applies to:** - Windows 10 Enterprise -- Windows 10 Enterprise for Education +- Windows 10 Education - Windows 10 Pro - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 16ffd75334..55180bcbe5 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -36,10 +36,6 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-  -## New and changed functionality - -To see what was added or changed in Credential Guard, see [What's new in Credential Guard?](../whats-new/credential-guard.md). - ## Hardware and software requirements The PC must meet the following hardware and software requirements to use Credential Guard: @@ -221,14 +217,23 @@ If you have to remove Credential Guard on a PC, you need to do the following: 1. From an elevated command prompt, type the following commands: ``` syntax + mountvol X: /s + copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y + bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" + bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO + bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: + mountvol X: /d + ``` 2. Restart the PC. 3. Accept the prompt to disable Credential Guard. @@ -290,8 +295,8 @@ DG_Readiness_Tool_v2.0.ps1 -Ready ### NTLM & CHAP Considerations -When you enable Credential Guard, you can no longer use NTLM v1 authetnication. If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections. -- +When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. + ### Kerberos Considerations When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. @@ -315,34 +320,39 @@ Some ways to store credentials are not protected by Credential Guard, including: Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. By deploying authentication policies with compound authentication in Windows Server 2012 R2 or later domains, users can be restricted to only sign on from specific domain-joined devices. However, since devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, authentication policies can require that the device authenticates with its private key. This prevents shared secrets on stolen devices to be used with stolen user passwords or Kerberos secret keys to sign on as the user. +### Restricting domain users to specific domain-joined devices -Device certificate authentication has the following requirements: +Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. -- Device domains are Windows Server 2012 or higher and all domain controllers have certificates, which satisfy strict KDC validation (KDC EKU present and the DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension). +#### Kerberos armoring + +Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. + +**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** + +- Users need to be in domains which are running Windows Server 2012 R2 or higher +- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. +- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. + +#### Protecting domain-joined device secrets + +Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user. + +Domain-joined device certificate authentication has the following requirements: +- Devices' accounts are in Windows Server 2012 domain funcational level or higher domains. +- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: + - KDC EKU present + - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension - Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. - A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. -### Additional Group Policy settings +##### Deploying domain-joined device certificates -There are a few Group Policy settings that you can enable that provide more protection against credential attacks: +To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. -- On the domain controllers, configure the KDC support for claims, compound authentication, and Kerberos armoring system by using Group Policy. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- On devices running Windows 10, you can turn it on by using Group Policy as well. To do this, enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** & **Always send compound authentication first system** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. +For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. -### Compound authentication - -Compound authentication adds the device identity to the user’s during authentication to the domain and resources. Without compound authentication, only the user’s secrets are validated. With compound authentication, the Kerberos client has to have both the user’s and device’s secrets. -Enabling compound authentication also enables Kerberos armoring, which provides two additional benefits: - -- User authentication on domain-joined devices will be armored. This means that network captures will contain encrypted Kerberos initial authentication. Without the appropriate device key, Kerberos AS-REQs are protected against offline dictionary attacks. -- KDC errors are signed, which provides protection against error spoofing attacks. - -### Deploying machine certificates - -If the domain controllers in your organization are running Windows Server 2016, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain. -If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device. -The same security procedures used for issuing smart cards to users should be applied to machine certificates. +**Creating a new certificate template** 1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** 2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. @@ -356,7 +366,11 @@ The same security procedures used for issuing smart cards to users should be app 8. Under **Issuance Policies**, click**High Assurance**. 9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. -On devices that are running Credential Guard, enroll the devices using the machine authentication certificate by running the following command: +Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. + +**Enrolling devices in a certificate** + +Run the following command: ``` syntax CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -364,53 +378,69 @@ CertReq -EnrollCredGuardCert MachineAuthentication > [!NOTE] > You must restart the device after enrolling the machine authentication certificate. -### Link the issuance policies to a group +#### How a certificate issuance policy can be used for access control + +Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. + +**To see the issuance policies available** -By using an authentication policy, you can ensure that users only sign into devices that are running Credential Guard. Before you deploy the authentication policy though, you must first run a couple of scripts that set up your environment. - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: + ``` syntax .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` + +**To link a issuance policy to a universal security group** + - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: + ``` syntax - .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:”
Default: Disabled| -| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | -| Set what information is shared in Search | Control what information is shared with Bing in Search. | - -When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. - -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. - -2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. - -3. On the **Rule Type** page, click **Program**, and then click **Next**. - -4. On the **Program** page, click **This program path**, type **%windir%\\systemapps\\Microsoft.Windows.Cortana\_cw5n1h2txyewy\\SearchUI.exe**, and then click **Next**. - -5. On the **Action** page, click **Block the connection**, and then click **Next**. - -6. On the **Profile** page, ensure that the **Domain**, **Private**, and **Public** check boxes are selected, and then click **Next**. - -7. On the **Name** page, type a name for the rule, such as **Cortana firewall configuration**, and then click **Finish.** - -8. Right-click the new rule, click **Properties**, and then click **Protocols and Ports**. - -9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. - - - For **Protocol type**, choose **TCP**. - - - For **Local port**, choose **All Ports**. - - - For **Remote port**, choose **All ports**. - -> **Note:** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. - -### 1.2 Cortana MDM policies - -The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | -| Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| - -### 1.3 Cortana Windows Provisioning - -To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. - -### 2. Date & Time - -You can prevent Windows from setting the time automatically. - -- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** - - -or- - -- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters** with a value of **NoSync**. - -### 3. Device metadata retrieval - -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. - -### 4. Font streaming - -Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. - -To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. - -> **Note:** This may change in future versions of Windows. - -### 5. Insider Preview builds - -To turn off Insider Preview builds if you're running a released version of Windows 10. If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. - -- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Stop Insider builds**. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - - -or- - -- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - - -or- - -- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: - - - **0**. Users cannot make their devices available for downloading and installing preview software. - - - **1**. Users can make their devices available for downloading and installing preview software. - - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - -### 6. Internet Explorer - -Use Group Policy to manage settings for Internet Explorer. - -### 6.1 Internet Explorer Group Policies - -Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites.
Default: Enabled
You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.| -| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar.
Default: Enabled| -| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| -| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled | -| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled| - -### 6.2 ActiveX control blocking - -ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). - -For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). - -### 7. Live Tiles - -To turn off Live Tiles: - -- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** - -### 8. Mail synchronization - -To turn off mail synchronization for Microsoft Accounts that are configured on a device: - -- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. - - -or- - -- Remove any Microsoft Accounts from the Mail app. - - -or- - -- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. - -To turn off the Windows Mail app: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** - -### 9. Microsoft Edge - -Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). - -### 9.1 Microsoft Edge Group Policies - -Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. - -> **Note:** The Microsoft Edge Group Policy names were changed in Windows 10, version 1511. The table below reflects those changes. - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Turn off autofill | Choose whether employees can use autofill on websites.
Default: Enabled | -| Allow employees to send Do Not Track headers | Choose whether employees can send Do Not Track headers.
Default: Disabled | -| Turn off password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled | -| Turn off address bar search suggestions | Choose whether the address bar shows search suggestions.
Default: Enabled | -| Turn off the SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled | -| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled | -| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** | - -### 9.2 Microsoft Edge MDM policies - -The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed | -| Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | -| Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | -| Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | -| Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | - -### 9.3 Microsoft Edge Windows Provisioning - -Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. - -For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). - -### 10. Network Connection Status Indicator - -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftncsi.com to determine if the device can communicate with the Internet. For more info about NCIS, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). - -You can turn off NCSI through Group Policy: - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** - -> **Note** After you apply this policy, you must restart the device for the policy setting to take effect. - -### 11. Offline maps - -You can turn off the ability to download and update offline maps. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** - -### 12. OneDrive - -To turn off OneDrive in your organization: - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** - -### 13. Preinstalled apps - -Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. - -To remove the News app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** - -To remove the Weather app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** - -To remove the Money app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** - -To remove the Sports app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** - -To remove the Twitter app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** - -To remove the XBOX app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** - -To remove the Sway app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** - -To remove the OneNote app: - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** - -To remove the Get Office app: - -- Right-click the app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** - -To remove the Get Skype app: - -- Right-click the Sports app in Start, and then click **Uninstall**. - - -or- - -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - - -and- - - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** - -### 14. Settings > Privacy - -Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. - -- [14.1 General](#bkmk-general) - -- [14.2 Location](#bkmk-priv-location) - -- [14.3 Camera](#bkmk-priv-camera) - -- [14.4 Microphone](#bkmk-priv-microphone) - -- [14.5 Speech, inking, & typing](#bkmk-priv-speech) - -- [14.6 Account info](#bkmk-priv-accounts) - -- [14.7 Contacts](#bkmk-priv-contacts) - -- [14.8 Calendar](#bkmk-priv-calendar) - -- [14.9 Call history](#bkmk-priv-callhistory) - -- [14.10 Email](#bkmk-priv-email) - -- [14.11 Messaging](#bkmk-priv-messaging) - -- [14.12 Radios](#bkmk-priv-radios) - -- [14.13 Other devices](#bkmk-priv-other-devices) - -- [14.14 Feedback & diagnostics](#bkmk-priv-feedback) - -- [14.15 Background apps](#bkmk-priv-background) - -### 14.1 General - -**General** includes options that don't fall into other areas. - -To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: - -> **Note:** When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. - - -or- - -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). - -To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Turn off the SmartScreen Filter**. - - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - -- Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** - - -or- - -- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost\\EnableWebContentEvaluation**, with a value of 0 (zero). - -To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: - -> **Note: ** If the telemetry level is set to either **Basic** or **Security**, this is turned off automatically. - - - -- Turn off the feature in the UI. - - -or- - -- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - - **0**. Not allowed - - - **1**. Allowed (default) - -To turn off **Let websites provide locally relevant content by accessing my language list**: - -- Turn off the feature in the UI. - - -or- - -- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. - -### 14.2 Location - -In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. - -To turn off **Location for this device**: - -- Click the **Change** button in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. - - -or- - -- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Turned off and the employee can't turn it back on. - - - **1**. Turned on, but lets the employee choose whether to use it. (default) - - - **2**. Turned on and the employee can't turn it off. - - **Note** - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where - - - **No**. Turns off location service. - - - **Yes**. Turns on location service. (default) - -To turn off **Location**: - -- Turn off the feature in the UI. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -To turn off **Location history**: - -- Erase the history using the **Clear** button in the UI. - -To turn off **Choose apps that can use your location**: - -- Turn off each app using the UI. - -### 14.3 Camera - -In the **Camera** area, you can choose which apps can access a device's camera. - -To turn off **Let apps use my camera**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** - - - Set the **Select a setting** box to **Force Deny**. - - -or- - -- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - - **Note** - You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](http://msdn.microsoft.com/library/dn905224.aspx). - - -or- - -- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: - - - **0**. Apps can't use the camera. - - - **1**. Apps can use the camera. - -To turn off **Choose apps that can use your camera**: - -- Turn off the feature in the UI for each app. - -### 14.4 Microphone - -In the **Microphone** area, you can choose which apps can access a device's microphone. - -To turn off **Let apps use my microphone**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can use your microphone**: - -- Turn off the feature in the UI for each app. - -### 14.5 Speech, inking, & typing - -In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. - -> **Note:** For more info on how to disable Cortana in your enterprise, see [Cortana](#bkmk-cortana) in this article. - - - -To turn off the functionality: - -- Click the **Stop getting to know me** button, and then click **Turn off**. - - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** - - -or- - -- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). - - -and- - - Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). - -### 14.6 Account info - -In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. - -To turn off **Let apps access my name, picture, and other account info**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose the apps that can access your account info**: - -- Turn off the feature in the UI for each app. - -### 14.7 Contacts - -In the **Contacts** area, you can choose which apps can access an employee's contacts list. - -To turn off **Choose apps that can access contacts**: - -- Turn off the feature in the UI for each app. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** - - - Set the **Select a setting** box to **Force Deny**. - -### 14.8 Calendar - -In the **Calendar** area, you can choose which apps have access to an employee's calendar. - -To turn off **Let apps access my calendar**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can access calendar**: - -- Turn off the feature in the UI for each app. - -### 14.9 Call history - -In the **Call history** area, you can choose which apps have access to an employee's call history. - -To turn off **Let apps access my call history**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** - - - Set the **Select a setting** box to **Force Deny**. - -### 14.10 Email - -In the **Email** area, you can choose which apps have can access and send email. - -To turn off **Let apps access and send email**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** - - - Set the **Select a setting** box to **Force Deny**. - -### 14.11 Messaging - -In the **Messaging** area, you can choose which apps can read or send messages. - -To turn off **Let apps read or send messages (text or MMS)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can read or send messages**: - -- Turn off the feature in the UI for each app. - -### 14.12 Radios - -In the **Radios** area, you can choose which apps can turn a device's radio on or off. - -To turn off **Let apps control radios**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - - - Set the **Select a setting** box to **Force Deny**. - -To turn off **Choose apps that can control radios**: - -- Turn off the feature in the UI for each app. - -### 14.13 Other devices - -In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. - -To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: - -- Turn off the feature in the UI. - -To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - -- Turn off the feature in the UI. - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** - - - Set the **Select a setting** box to **Force Deny**. - -### 14.14 Feedback & diagnostics - -In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. - -To change how frequently **Windows should ask for my feedback**: - -**Note** -Feedback frequency only applies to user-generated feedback, not diagnostic and usage data sent from the device. - - - -- To change from **Automatically (Recommended)**, use the drop-down list in the UI. - - -or- - -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** - - -or- - -- Create the registry keys (REG\_DWORD type): - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds - - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod - - Based on these settings: - - | Setting | PeriodInNanoSeconds | NumberOfSIUFInPeriod | - |---------------|-----------------------------|-----------------------------| - | Automatically | Delete the registry setting | Delete the registry setting | - | Never | 0 | 0 | - | Always | 100000000 | Delete the registry setting | - | Once a day | 864000000000 | 1 | - | Once a week | 6048000000000 | 1 | - - - -To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: - -- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - - > **Note:** You can't use the UI to change the telemetry level to **Security**. - - - - -or- - -- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** - - -or- - -- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Maps to the **Security** level. - - - **1**. Maps to the **Basic** level. - - - **2**. Maps to the **Enhanced** level. - - - **3**. Maps to the **Full** level. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: - - - **0**. Maps to the **Security** level. - - - **1**. Maps to the **Basic** level. - - - **2**. Maps to the **Enhanced** level. - - - **3**. Maps to the **Full** level. - -### 14.15 Background apps - -In the **Background Apps** area, you can choose which apps can run in the background. - -To turn off **Let apps run in the background**: - -- Turn off the feature in the UI for each app. - -### 15. Software Protection Platform - -Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by applying the following Group Policy: - -**Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** - -The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. - -### 16. Sync your settings - -You can control if your settings are synchronized: - -- In the UI: **Settings** > **Accounts** > **Sync your settings** - - -or- - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** - - -or- - -- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. - - -or- - -- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where - - - **No**. Settings are not synchronized. - - - **Yes**. Settings are synchronized. (default) - -To turn off Messaging cloud sync: - -- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). - -### 17. Teredo - -You can disable Teredo by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). - -- From an elevated command prompt, run **netsh interface teredo set state disabled** - -### 18. Wi-Fi Sense - -Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. - -To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: - -- Turn off the feature in the UI. - - -or- - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. - - -or- - -- Create a new REG\_DWORD registry setting called **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config**, with a value of 0 (zero). - - -or- - -- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). - - -or- - -- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). - -When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. - -### 19. Windows Defender - -You can opt out of the Microsoft Antimalware Protection Service. - -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** - - -or- - -- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). - - -and- - - From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** - -You can stop sending file samples back to Microsoft. - -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. - - -or- - -- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Always prompt. - - - **1**. (default) Send safe samples automatically. - - - **2**. Never send. - - - **3**. Send all samples automatically. - - -or- - -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. - -You can stop downloading definition updates: - -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. - - -and- - -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. - -You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. - -### 20. Windows Media Player - -To remove Windows Media Player: - -- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. - - -or- - -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** - -### 21. Windows spotlight - -Windows spotlight provides different background images and text on the lock screen. You can control it by using the user interface or through Group Policy. - -- Configure the following in **Settings**: - - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Show me tips, tricks, and more on the lock screen**. - - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - - - **System** > **Notifications & actions** > **Show me tips about Windows**. - - -or- - -- Apply the Group Policies: - - - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - - Add a location in the **Path to local lock screen image** box. - - - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - - **Note** This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. - - - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. - - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. - -For more info, see [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md). - -### 22. Windows Store - -You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. - -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. - -### 23. Windows Update Delivery Optimization - -Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. - -By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network. - -Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delivery Optimization. - -### 23.1 Settings > Update & security - -You can set up Delivery Optimization from the **Settings** UI. - -- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. - -### 23.2 Delivery Optimization Group Policies - -You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. - -| Policy | Description | -|---------------------------|-----------------------------------------------------------------------------------------------------| -| Download Mode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
None. Turns off Delivery Optimization.
Group. Gets or sends updates and apps to PCs on the same local network domain.
Internet. Gets or sends updates and apps to PCs on the Internet.
LAN. Gets or sends updates and apps to PCs on the same NAT only.
** Note** This ID must be a GUID.| -| Max Cache Age | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| -| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| -| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| - -### 23.3 Delivery Optimization MDM policies - -The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -| Policy | Description | -|---------------------------|-----------------------------------------------------------------------------------------------------| -| DeliveryOptimization/DODownloadMode | Lets you choose where Delivery Optimization gets or sends updates and apps, including
0. Turns off Delivery Optimization.
1. Gets or sends updates and apps to PCs on the same NAT only.
2. Gets or sends updates and apps to PCs on the same local network domain.
3. Gets or sends updates and apps to PCs on the Internet.
** Note** This ID must be a GUID.| -| DeliveryOptimization/DOMaxCacheAge | Lets you specify the maximum time (in seconds) that a file is held in the Delivery Optimization cache.
The default value is 259200 seconds (3 days).| -| DeliveryOptimization/DOMaxCacheSize | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.| -| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.| - - -### 23.4 Delivery Optimization Windows Provisioning - -If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies - -Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windows ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526803), to create a provisioning package for Delivery Optimization. - -1. Open Windows ICD, and then click **New provisioning package**. - -2. In the **Name** box, type a name for the provisioning package, and then click **Next.** - -3. Click the **Common to all Windows editions** option, click **Next**, and then click **Finish**. - -4. Go to **Runtime settings** > **Policies** > **DeliveryOptimization** to configure the policies. - -For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). - -### 24. Windows Update - -You can turn off Windows Update by setting the following registry entries: - -- Add a REG\_DWORD value called **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - - -and- - -- Add a REG\_DWORD value called **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - -You can turn off automatic updates by doing one of the following. This is not recommended. - -- Add a REG\_DWORD value called **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. - - -or- - -- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - - **0**. Notify the user before downloading the update. - - - **1**. Auto install the update and then notify the user to schedule a device restart. - - - **2** (default). Auto install and restart. - - - **3**. Auto install and restart at a specified time. - - - **4**. Auto install and restart without end-user control. - - - **5**. Turn off automatic updates. - -To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). +--- \ No newline at end of file diff --git a/windows/manage/images/settings-table.png b/windows/manage/images/settings-table.png deleted file mode 100644 index ada56513fc..0000000000 Binary files a/windows/manage/images/settings-table.png and /dev/null differ diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 31f3370680..eae421589e 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -2,7 +2,7 @@ title: Manage connections from Windows operating system components to Microsoft services (Windows 10) description: If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9 -keywords: privacy, manage connections to Microsoft +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -12,9 +12,12 @@ author: brianlic-msft # Manage connections from Windows operating system components to Microsoft services +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + **Applies to** - Windows 10 +- Windows Server 2016 If you're looking for content on what each telemetry level means and how to configure it in your organization, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). @@ -22,127 +25,14 @@ Learn about the network connections that Windows components make to Microsoft an If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure telemetry at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article. -Some of the network connections discussed in this article can be managed in Windows 10 Mobile, Windows 10 Mobile Enterprise, Windows 10, version 1507, and Windows 10, version 1511. However, you must use Windows 10 Enterprise, version 1607 or Windows 10 Education, version 1607 to manage them all. +You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reason why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. -You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft services as described in this article to prevent Windows from sending any data to Microsoft. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. -We are always working on improving Windows 10 for our customers. We invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows 10 work better for your organization. -Here's what's covered in this article: +## What's new in Windows 10, version 1607 and Windows Server 2016 -- [Info management settings](#bkmk-othersettings) - - - [1. Certificate trust lists](#certificate-trust-lists) - - - [2. Cortana](#bkmk-cortana) - - - [2.1 Cortana Group Policies](#bkmk-cortana-gp) - - - [2.2 Cortana MDM policies](#bkmk-cortana-mdm) - - - [2.3 Cortana Windows Provisioning](#bkmk-cortana-prov) - - - [3. Date & Time](#bkmk-datetime) - - - [4. Device metadata retrieval](#bkmk-devinst) - - - [5. Font streaming](#font-streaming) - - - [6. Insider Preview builds](#bkmk-previewbuilds) - - - [7. Internet Explorer](#bkmk-ie) - - - [7.1 Internet Explorer Group Policies](#bkmk-ie-gp) - - - [7.2 ActiveX control blocking](#bkmk-ie-activex) - - - [8. Live Tiles](#live-tiles) - - - [9. Mail synchronization](#bkmk-mailsync) - - - [10. Microsoft Account](#bkmk-microsoft-account) - - - [11. Microsoft Edge](#bkmk-edge) - - - [11.1 Microsoft Edge Group Policies](#bkmk-edgegp) - - - [11.2 Microsoft Edge MDM policies](#bkmk-edge-mdm) - - - [11.3 Microsoft Edge Windows Provisioning](#bkmk-edge-prov) - - - [12. Network Connection Status Indicator](#bkmk-ncsi) - - - [13. Offline maps](#bkmk-offlinemaps) - - - [14. OneDrive](#bkmk-onedrive) - - - [15. Preinstalled apps](#bkmk-preinstalledapps) - - - [16. Settings > Privacy](#bkmk-settingssection) - - - [16.1 General](#bkmk-priv-general) - - - [16.2 Location](#bkmk-priv-location) - - - [16.3 Camera](#bkmk-priv-camera) - - - [16.4 Microphone](#bkmk-priv-microphone) - - - [16.5 Notifications](#bkmk-priv-notifications) - - - [16.6 Speech, inking, & typing](#bkmk-priv-speech) - - - [16.7 Account info](#bkmk-priv-accounts) - - - [16.8 Contacts](#bkmk-priv-contacts) - - - [16.9 Calendar](#bkmk-priv-calendar) - - - [16.10 Call history](#bkmk-priv-callhistory) - - - [16.11 Email](#bkmk-priv-email) - - - [16.12 Messaging](#bkmk-priv-messaging) - - - [16.13 Radios](#bkmk-priv-radios) - - - [16.14 Other devices](#bkmk-priv-other-devices) - - - [16.15 Feedback & diagnostics](#bkmk-priv-feedback) - - - [16.16 Background apps](#bkmk-priv-background) - - - [17. Software Protection Platform](#bkmk-spp) - - - [18. Sync your settings](#bkmk-syncsettings) - - - [19. Teredo](#bkmk-teredo) - - - [20. Wi-Fi Sense](#bkmk-wifisense) - - - [21. Windows Defender](#bkmk-defender) - - - [22. Windows Media Player](#bkmk-wmp) - - - [23. Windows spotlight](#bkmk-spotlight) - - - [24. Windows Store](#bkmk-windowsstore) - - - [25. Windows Update Delivery Optimization](#bkmk-updates) - - - [25.1 Settings > Update & security](#bkmk-wudo-ui) - - - [25.2 Delivery Optimization Group Policies](#bkmk-wudo-gp) - - - [25.3 Delivery Optimization MDM policies](#bkmk-wudo-mdm) - - - [25.4 Delivery Optimization Windows Provisioning](#bkmk-wudo-prov) - - - [26. Windows Update](#bkmk-wu) - -## What's new in Windows 10, version 1607 - -Here's a list of changes that were made to this article for Windows 10, version 1607: +Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016: - Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). - Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. @@ -156,17 +46,117 @@ Here's a list of changes that were made to this article for Windows 10, version - Turn off unsolicited network traffic on the Offline Maps settings page - Turn off all Windows spotlight features -## Info management settings +## Settings -This section lists the components that make network connections to Microsoft services automatically. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. We strongly recommend against this, as this data helps us deliver a secure, reliable, and more delightful personalized experience. +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all of these connections. -The settings in this section assume you are using Windows 10, version 1607. They will also be included in the next update for the Long Term Servicing Branch. +If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch. -See the following table for a summary of the management settings. For more info, see its corresponding section. +### Settings for Windows 10 Enterprise, version 1607 - +See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) | |  | | | | +| [2. Cortana and Search](#bkmk-cortana) |  |  |  | |  | +| [3. Date & Time](#bkmk-datetime) |  | | |  | | +| [4. Device metadata retrieval](#bkmk-devinst) | |  | | | | +| [5. Font streaming](#font-streaming) | | | |  | | +| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  |  | |  | +| [7. Internet Explorer](#bkmk-ie) |  |  | | | | +| [8. Live Tiles](#live-tiles) | |  | | | | +| [9. Mail synchronization](#bkmk-mailsync) |  | |  | | | +| [10. Microsoft Account](#bkmk-microsoft-account) | | | |  | | +| [11. Microsoft Edge](#bkmk-edge) |  |  |  | |  | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | | | +| [13. Offline maps](#bkmk-offlinemaps) |  |  | | | | +| [14. OneDrive](#bkmk-onedrive) | |  | |  | | +| [15. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  | +| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | +| [16.1 General](#bkmk-priv-general) |  |  |  |  | | +| [16.2 Location](#bkmk-priv-location) |  |  |  | | | +| [16.3 Camera](#bkmk-priv-camera) |  |  |  | | | +| [16.4 Microphone](#bkmk-priv-microphone) |  |  | | | | +| [16.5 Notifications](#bkmk-priv-notifications) |  |  | | | | +| [16.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | | +| [16.7 Account info](#bkmk-priv-accounts) |  |  | | | | +| [16.8 Contacts](#bkmk-priv-contacts) |  |  | | | | +| [16.9 Calendar](#bkmk-priv-calendar) |  |  | | | | +| [16.10 Call history](#bkmk-priv-callhistory) |  |  | | | | +| [16.11 Email](#bkmk-priv-email) |  |  | | | | +| [16.12 Messaging](#bkmk-priv-messaging) |  |  | | | | +| [16.13 Radios](#bkmk-priv-radios) |  |  | | | | +| [16.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | | +| [16.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | | +| [16.16 Background apps](#bkmk-priv-background) |  | | | | | +| [17. Software Protection Platform](#bkmk-spp) | |  |  | | | +| [18. Sync your settings](#bkmk-syncsettings) |  |  |  | | | +| [19. Teredo](#bkmk-teredo) | | | | |  | +| [20. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | | +| [21. Windows Defender](#bkmk-defender) | |  |  |  | | +| [22. Windows Media Player](#bkmk-wmp) |  | | | |  | +| [23. Windows spotlight](#bkmk-spotlight) |  |  | | | | +| [24. Windows Store](#bkmk-windowsstore) | |  | | | | +| [25. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  | | | +| [26. Windows Update](#bkmk-wu) |  |  |  | | | + +### Settings for Windows Server 2016 with Desktop Experience + +See the following table for a summary of the management settings for Windows Server 2016 with Desktop Experience. + +| Setting | UI | Group Policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) | |  |  | | +| [2. Cortana and Search](#bkmk-cortana) |  |  | | | +| [3. Date & Time](#bkmk-datetime) |  | |  | | +| [4. Device metadata retrieval](#bkmk-devinst) | |  | | | +| [5. Font streaming](#font-streaming) | | |  | | +| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  | | | +| [7. Internet Explorer](#bkmk-ie) |  |  | | | +| [8. Live Tiles](#live-tiles) | |  | | | +| [10. Microsoft Account](#bkmk-microsoft-account) | | |  | | +| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | | +| [14. OneDrive](#bkmk-onedrive) | |  | | | +| [16. Settings > Privacy](#bkmk-settingssection) | | | | | +| [16.1 General](#bkmk-priv-general) |  |  |  | | +| [17. Software Protection Platform](#bkmk-spp) | |  | | | +| [19. Teredo](#bkmk-teredo) | | | |  | +| [21. Windows Defender](#bkmk-defender) | |  |  | | +| [22. Windows Media Player](#bkmk-wmp) | | | |  | +| [24. Windows Store](#bkmk-windowsstore) | |  | | | +| [26. Windows Update](#bkmk-wu) | |  |  | | + +### Settings for Windows Server 2016 Server Core + +See the following table for a summary of the management settings for Windows Server 2016 Server Core. + +| Setting | Group Policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) |  |  | | +| [3. Date & Time](#bkmk-datetime) | |  | | +| [5. Font streaming](#font-streaming) | |  | | +| [12. Network Connection Status Indicator](#bkmk-ncsi) |  | | | +| [17. Software Protection Platform](#bkmk-spp) |  | | | +| [19. Teredo](#bkmk-teredo) | | |  | +| [21. Windows Defender](#bkmk-defender) |  |  | | +| [26. Windows Update](#bkmk-wu) |  |  | | + +### Settings for Windows Server 2016 Nano Server + +See the following table for a summary of the management settings for Windows Server 2016 Nano Server. + +| Setting | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Certificate trust lists](#certificate-trust-lists) |  | | +| [3. Date & Time](#bkmk-datetime) |  | | +| [19. Teredo](#bkmk-teredo) | |  | +| [26. Windows Update](#bkmk-wu) |  | | + +## Settings + +Use the following sections for more information about how to configure each setting. ### 1. Certificate trust lists @@ -174,40 +164,45 @@ A certificate trust list is a predefined list of items, such as a list of certif To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. +For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: + - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** -or- -- Create a REG\_DWORD registry setting called **DisableRootAutoUpdate** in **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate**, with a value of 1. +- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. -After that, do the following in a Group Policy: + -or- 1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. 2. Double-click **Certificate Path Validation Settings**. 3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. 4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. +On Windows Server 2016 Nano Server: -### 2. Cortana +- Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, called **DisableRootAutoUpdate**, with a value of 1. + +### 2. Cortana and Search Use either Group Policy or MDM policies to manage settings for Cortana. For more info, see [Cortana, Search, and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730683). -### 2.1 Cortana Group Policies +### 2.1 Cortana and Search Group Policies Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**. | Policy | Description | |------------------------------------------------------|---------------------------------------------------------------------------------------| -| Allow Cortana | Choose whether to let Cortana install and run on the device. | -| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results. | -| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Default: Disabled| -| Don't search the web or display web results in Search| Choose whether to search the web from Cortana. | -| Set what information is shared in Search | Control what information is shared with Bing in Search. | +| Allow Cortana | Choose whether to let Cortana install and run on the device.
Disable this policy to turn off Cortana. | +| Allow search and Cortana to use location | Choose whether Cortana and Search can provide location-aware search results.
Disable this policy to block access to location information for Cortana. | +| Do not allow web search | Choose whether to search the web from Windows Desktop Search.
Enable this policy to remove the option to search the Internet from Cortana. | +| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.
Enable this policy to stop web queries and results from showing in Search. | +| Set what information is shared in Search | Control what information is shared with Bing in Search.
If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. | -In Windows 10, version 1507 and Windows 10, version 1511, When you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. +In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. >[!IMPORTANT] ->These steps are not required for devices running Windows 10, version 1607. +>These steps are not required for devices running Windows 10, version 1607 or Windows Server 2016. 1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > **Windows Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. @@ -235,19 +230,15 @@ In Windows 10, version 1507 and Windows 10, version 1511, When you enable the ** If your organization tests network traffic, you should not use Fiddler to test Windows Firewall settings. Fiddler is a network proxy and Windows Firewall does not block proxy traffic. You should use a network traffic analyzer, such as WireShark or Message Analyzer. -### 2.2 Cortana MDM policies +### 2.2 Cortana and Search MDM policies -The following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +For Windows 10 only, the following Cortana MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Experience/AllowCortana | Choose whether to let Cortana install and run on the device. | | Search/AllowSearchToUseLocation | Choose whether Cortana and Search can provide location-aware search results.
Default: Allowed| -### 2.3 Cortana Windows Provisioning - -To use Windows Imaging and Configuration Designer (ICD) to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies** to find **Experience** > **AllowCortana** and **Search** > **AllowSearchToUseLocation**. - ### 3. Date & Time You can prevent Windows from setting the time automatically. @@ -264,20 +255,23 @@ To prevent Windows from retrieving device metadata from the Internet, apply the ### 5. Font streaming -Starting with Windows 10, fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. +Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. To turn off font streaming, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. -> [!NOTE] -> This may change in future versions of Windows. ### 6. Insider Preview builds +The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. + +> [!NOTE] +> This setting stops communication with the Windows Insider Preview service that checks for new builds. Windows Insider Preview builds only apply to Windows 10 and are not available for Windows Server 2016. + To turn off Insider Preview builds for a released version of Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. -To turn off Insider Preview builds for an Insider Preview version of Windows 10: +To turn off Insider Preview builds for Windows 10: > [!NOTE] > If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. @@ -310,11 +304,7 @@ To turn off Insider Preview builds for an Insider Preview version of Windows 10: ### 7. Internet Explorer -Use Group Policy to manage settings for Internet Explorer. - -### 7.1 Internet Explorer Group Policies - -Find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. +Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| @@ -331,7 +321,7 @@ There are two more Group Policy objects that are used by Internet Explorer: | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled | -### 7.2 ActiveX control blocking +### 7.1 ActiveX control blocking ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). @@ -414,9 +404,6 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http | Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | | Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | -### 11.3 Microsoft Edge Windows Provisioning - -Use Windows ICD to create a provisioning package with the settings for these policies, go to **Runtime settings** > **Policies**. For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). @@ -424,7 +411,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). -In versions of Windows 10 prior to Windows 10, version 1607, the URL was http://www.msftncsi.com. +In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com. You can turn off NCSI through Group Policy: @@ -671,6 +658,10 @@ To turn off **Let apps on my other devices open apps and continue experiences on - Turn off the feature in the UI. + -or- + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. + To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: - Turn off the feature in the UI. @@ -1048,12 +1039,18 @@ To turn off **Let apps run in the background**: Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: +For Windows 10: + - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** -or- - Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. +For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Activation** + The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. ### 18. Sync your settings @@ -1122,7 +1119,7 @@ You can disconnect from the Microsoft Antimalware Protection Service. -or- -- Apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). -or- @@ -1138,7 +1135,7 @@ You can stop sending file samples back to Microsoft. -or- -- Apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Defender CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - **0**. Always prompt. @@ -1160,7 +1157,7 @@ You can stop downloading definition updates: - Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. -You can stop Enhanced Notifications: +For Windows 10 only, you can stop Enhanced Notifications: - Turn off the feature in the UI. @@ -1168,7 +1165,7 @@ You can also use the registry to turn off Malicious Software Reporting Tool tele ### 22. Windows Media Player -To remove Windows Media Player: +To remove Windows Media Player on Windows 10: - From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. @@ -1176,6 +1173,10 @@ To remove Windows Media Player: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** +To remove Windows Media Player on Windows Server 2016: + +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** + ### 23. Windows spotlight Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. @@ -1219,7 +1220,7 @@ For more info, see [Windows Spotlight on the lock screen](../manage/windows-spot ### 24. Windows Store -You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. +You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. @@ -1301,7 +1302,7 @@ You can turn off automatic updates by doing one of the following. This is not re -or- -- Apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - **0**. Notify the user before downloading the update. diff --git a/windows/manage/mandatory-user-profile.md b/windows/manage/mandatory-user-profile.md index 0fae89f325..5a19dddc3e 100644 --- a/windows/manage/mandatory-user-profile.md +++ b/windows/manage/mandatory-user-profile.md @@ -37,8 +37,8 @@ The name of the folder in which you store the mandatory profile must use the cor | Windows VistaWindows 7 | Windows Server 2008Windows Server 2008 R2 | v2 | | Windows 8 | Windows Server 2012 | v3 | | Windows 8.1 | Windows Server 2012 R2 | v4 | -| Windows 10, versions 1507 and 1511 | Windows Server 2016 | v5 | -| Windows 10, version 1607 (also known as the Anniversary Update) | N/A | v6 | +| Windows 10, versions 1507 and 1511 | N/A | v5 | +| Windows 10, version 1607 (also known as the Anniversary Update) | Windows Server 2016 | v6 | For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). diff --git a/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md index 1d0ac589ef..3b0c73a34d 100644 --- a/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/manage/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -16,8 +16,7 @@ ms.prod: w10 User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. The following sections provide more information about using Windows PowerShell in UE-V. -**Note**
-Administering UE-V with Windows PowerShell requires PowerShell 3.0 or higher. For a complete list of UE-V PowerShell cmdlets, see [UE-V Cmdlet Reference](https://technet.microsoft.com/library/dn520275.aspx). +> **Note** Administering UE-V with Windows PowerShell requires PowerShell 3.0 or higher. For a complete list of UE-V cmdlets, see [User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx). ## Managing the UE-V service and packages by using Windows PowerShell and WMI @@ -38,4 +37,6 @@ Add or vote on suggestions on the [User Experience Virtualization feedback site] ## Related topics -[Administering UE-V](uev-administering-uev.md) +- [Administering UE-V](uev-administering-uev.md) + +- [User Experience Virtualization in Windows PowerShell](https://technet.microsoft.com/library/mt772286.aspx) \ No newline at end of file diff --git a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md index 29e09b7499..e18bff1e74 100644 --- a/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/manage/uev-configuring-uev-with-system-center-configuration-manager.md @@ -160,7 +160,7 @@ It might be necessary to change the PowerShell execution policy to allow these s 3. Run this command on a machine running the ConfigMgr Admin Console: ``` syntax - C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevAgentPolicyGenerator.exe –Site ABC –CabFilePath “C:\MyCabFiles\UevPolicyItem.cab” –ConfigurationFile “c:\AgentConfiguration.xml” + C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevAgentPolicyGenerator.exe -Site ABC -CabFilePath "C:\MyCabFiles\UevPolicyItem.cab" -ConfigurationFile "c:\AgentConfiguration.xml" ``` 4. Import the CAB file using ConfigMgr console or PowerShell Import-CMConfigurationItem @@ -205,7 +205,7 @@ The result is a baseline CAB file that is ready for import into Configuration Ma 3. Add the command and parameters to the .bat file that will generate the baseline. The following example creates a baseline that distributes Notepad and Calculator: ``` syntax - C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevTemplateBaselineGenerator.exe –Site “ABC” –TemplateFolder “C:\ProductionUevTemplates” –Register “MicrosoftNotepad.xml, MicrosoftCalculator.xml” –CabFilePath “C:\MyCabFiles\UevTemplateBaseline.cab” + C:\Program Files (x86)\Microsoft User Experience Virtualization\ConfigPack\UevTemplateBaselineGenerator.exe -Site "ABC" -TemplateFolder "C:\ProductionUevTemplates" -Register "MicrosoftNotepad.xml, MicrosoftCalculator.xml" -CabFilePath "C:\MyCabFiles\UevTemplateBaseline.cab" ``` 4. Run the .bat file to create UevTemplateBaseline.cab ready for import into Configuration Manager. diff --git a/windows/manage/uev-manage-administrative-backup-and-restore.md b/windows/manage/uev-manage-administrative-backup-and-restore.md index 1bf9c198d2..4b70595e59 100644 --- a/windows/manage/uev-manage-administrative-backup-and-restore.md +++ b/windows/manage/uev-manage-administrative-backup-and-restore.md @@ -34,7 +34,7 @@ When replacing a user’s device, UE-V automatically restores settings if the us You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell: ``` syntax -Restore-UevBackup –Machine
Lists all the settings location templates that are registered on the computer.
Get-UevTemplate –Application <string>
Get-UevTemplate -Application <string>
Lists all the settings location templates that are registered on the computer where the application name or template name contains <string>.
Get-UevTemplate –TemplateID <string>
Get-UevTemplate -TemplateID <string>
Lists all the settings location templates that are registered on the computer where the template ID contains <string>.
Registers one or more settings location template with UE-V by using relative paths and/or wildcard characters in file paths. After a template is registered, UE-V synchronizes the settings that are defined in the template between computers that have the template registered.
Register-UevTemplate –LiteralPath <template file path>[,<template file path>]
Register-UevTemplate -LiteralPath <template file path>[,<template file path>]
Registers one or more settings location template with UE-V by using literal paths, where no characters can be interpreted as wildcard characters. After a template is registered, UE-V synchronizes the settings that are defined in the template between computers that have the template registered.
Updates one or more settings location templates with a more recent version of the template. Use relative paths and/or wildcard characters in the file paths. The new template should be a newer version than the existing template.
Update-UevTemplate –LiteralPath <template file path>[,<template file path>]
Update-UevTemplate -LiteralPath <template file path>[,<template file path>]
Updates one or more settings location templates with a more recent version of the template. Use full paths to template files, where no characters can be interpreted as wildcard characters. The new template should be a newer version than the existing template.
Clear-UevAppXPackage –Computer [-PackageFamilyName] <package family name>[,<package family name>]
Clear-UevAppXPackage -Computer [-PackageFamilyName] <package family name>[,<package family name>]
Removes one or more Windows apps from the computer Windows app list.
Removes Windows app from the current user Windows app list.
Clear-UevAppXPackage –Computer -All
Clear-UevAppXPackage -Computer -All
Removes all Windows apps from the computer Windows app list.
Clear-UevAppXPackage [–CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]
Clear-UevAppXPackage [-CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]
Removes one or more Windows apps from the current user Windows app list.
Clear-UevAppXPackage [–CurrentComputerUser] -All
Clear-UevAppXPackage [-CurrentComputerUser] -All
Removes all Windows apps from the current user Windows app list.
Disables a settings location template for the current user of the computer.
Disable-UevAppXPackage –Computer [-PackageFamilyName] <package family name>[,<package family name>]
Disable-UevAppXPackage -Computer [-PackageFamilyName] <package family name>[,<package family name>]
Disables one or more Windows apps in the computer Windows app list.
Disable-UevAppXPackage [–CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]
Disable-UevAppXPackage [-CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]
Disables one or more Windows apps in the current user Windows app list.
Enables a settings location template for the current user of the computer.
Enable-UevAppXPackage –Computer [-PackageFamilyName] <package family name>[,<package family name>]
Enable-UevAppXPackage -Computer [-PackageFamilyName] <package family name>[,<package family name>]
Enables one or more Windows apps in the computer Windows app list.
Enable-UevAppXPackage [–CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]
Enable-UevAppXPackage [-CurrentComputerUser] [-PackageFamilyName] <package family name>[,<package family name>]
Enables one or more Windows apps in the current user Windows app list.
Determines whether one or more settings location templates comply with its XML schema. Can use relative paths and wildcard characters.
Test-UevTemplate –LiteralPath <template file path>[,<template file path>]
Test-UevTemplate -LiteralPath <template file path>[,<template file path>]
Determines whether one or more settings location templates comply with its XML schema. The path must be a full path to the template file, but does not include wildcard characters.
Lists all the settings location templates that are registered for the computer.
Invoke-WmiMethod –Namespace root\Microsoft\UEV –Class SettingsLocationTemplate –Name GetProcessInfoByTemplateId <template Id>
Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class SettingsLocationTemplate -Name GetProcessInfoByTemplateId <template Id>
Gets the name of the program and version information, which depends on the template name.
Gets the details for each configuration setting. Displays where the setting is configured or if it uses the default value. Is displayed if the current setting is valid.
Set-UevConfiguration -Computer –EnableDontSyncWindows8AppSettings
Set-UevConfiguration -Computer -EnableDontSyncWindows8AppSettings
Configures the UE-V service to not synchronize any Windows apps for all users on the computer.
Set-UevConfiguration -CurrentComputerUser – EnableDontSyncWindows8AppSettings
Set-UevConfiguration -CurrentComputerUser -EnableDontSyncWindows8AppSettings
Configures the UE-V service to not synchronize any Windows apps for the current computer user.
Set-UevConfiguration -Computer –EnableFirstUseNotification
Set-UevConfiguration -Computer -EnableFirstUseNotification
Configures the UE-V service to display notification the first time the service runs for all users on the computer.
Set-UevConfiguration -Computer –DisableFirstUseNotification
Set-UevConfiguration -Computer -DisableFirstUseNotification
Configures the UE-V service to not display notification the first time that the service runs for all users on the computer.
Set-UevConfiguration -Computer –EnableSettingsImportNotify
Set-UevConfiguration -Computer -EnableSettingsImportNotify
Configures the UE-V service to notify all users on the computer when settings synchronization is delayed.
Use the DisableSettingsImportNotify parameter to disable notification.
Use the DisableSettingsImportNotify parameter to disable notification.
Set-UevConfiguration -Computer –EnableSyncUnlistedWindows8Apps
Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
+Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps
Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.
Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps
Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V 2.x Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
+Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).
Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.
Set-UevConfiguration –Computer –DisableSync
Set-UevConfiguration -Computer -DisableSync
Disables UE-V for all the users on the computer.
Use the EnableSync parameter to enable or re-enable.
Set-UevConfiguration –CurrentComputerUser -DisableSync
Set-UevConfiguration -CurrentComputerUser -DisableSync
Disables UE-V for the current user on the computer.
Use the EnableSync parameter to enable or re-enable.
Set-UevConfiguration -Computer –EnableTrayIcon
Set-UevConfiguration -Computer -EnableTrayIcon
Enables the UE-V icon in the notification area for all users of the computer.
Use the DisableTrayIcon parameter to disable the icon.
Defines a per-user settings storage location.
Set-UevConfiguration –Computer –SettingsTemplateCatalogPath <path to catalog>
Set-UevConfiguration -Computer -SettingsTemplateCatalogPath <path to catalog>
Sets the settings template catalog path for all users of the computer.
Set the synchronization time-out for the current user.
Clear-UevConfiguration –Computer -<setting name>
Clear-UevConfiguration -Computer -<setting name>
Clears the specified setting for all users on the computer.
Clear-UevConfiguration –CurrentComputerUser -<setting name>
Clear-UevConfiguration -CurrentComputerUser -<setting name>
Clears the specified setting for the current user only.
Displays the UE-V service configuration that is defined for a computer.
Get-WmiObject –Namespace root\Microsoft\Uev ConfigurationItem
Get-WmiObject -Namespace root\Microsoft\Uev ConfigurationItem
Displays the details for each configuration item.
+>At this time, only the English (en-us) content is available for editing. + +**To edit a topic** + +1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before contributing to any Microsoft repositories. +If you've already contributed to Microsoft repositories in the past, congratulations! +You've already completed this step. + +2. Go to the page on TechNet that you want to update, and then click **Contribute**. + +  + +3. Log into (or sign up for) a GitHub account. + + You must have a GitHub account to get to the page that lets you edit a topic. + +4. Click the **Pencil** icon (in the red box) to edit the content. + +  + +5. Using markdown language, make your changes to the topic. For info about how to edit content using markdown, see: + - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide) + + - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) + +6. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. + +  + +7. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account. + +  + + The **Comparing changes** screen appears to see what the changes are between your fork and the original content. + +8. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. + + If there are no problems, you’ll see the message, **Able to merge**. + +  + +9. Click **Create pull request**. + +10. Enter a title and description to give the approver the appropriate context about what’s in the request. + +11. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people. + +12. Click **Create pull request** again to actually submit the pull request. + + The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to one of the following places: + + - [Windows 10](https://technet.microsoft.com/itpro/windows) + - [Internet Explorer 11](https://technet.microsoft.com/itpro/internet-explorer) + - [Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge) + - [Surface](https://technet.microsoft.com/itpro/surface) + - [Surface Hub](https://technet.microsoft.com/itpro/surface-hub) + - [Windows 10 for Education](https://technet.microsoft.com/edu/windows) + - [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop) \ No newline at end of file diff --git a/windows/whats-new/images/compare-changes.png b/windows/whats-new/images/compare-changes.png new file mode 100644 index 0000000000..0d86db70f5 Binary files /dev/null and b/windows/whats-new/images/compare-changes.png differ diff --git a/windows/whats-new/images/contribute-link.png b/windows/whats-new/images/contribute-link.png new file mode 100644 index 0000000000..6b17e6dd56 Binary files /dev/null and b/windows/whats-new/images/contribute-link.png differ diff --git a/windows/whats-new/images/pencil-icon.png b/windows/whats-new/images/pencil-icon.png new file mode 100644 index 0000000000..82fe7852dd Binary files /dev/null and b/windows/whats-new/images/pencil-icon.png differ diff --git a/windows/whats-new/images/preview-changes.png b/windows/whats-new/images/preview-changes.png new file mode 100644 index 0000000000..f98b2c6443 Binary files /dev/null and b/windows/whats-new/images/preview-changes.png differ diff --git a/windows/whats-new/images/propose-file-change.png b/windows/whats-new/images/propose-file-change.png new file mode 100644 index 0000000000..aedbc07b16 Binary files /dev/null and b/windows/whats-new/images/propose-file-change.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 5c04da963b..ff170bce3b 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -2,7 +2,7 @@ title: What's new in Windows 10 (Windows 10) description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 -keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] +keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"] ms.prod: w10 author: TrudyHa localizationpriority: high @@ -19,8 +19,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec - [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) - - +- [Edit an existing topic using the Contribute link](contribute-to-a-topic.md) ## Learn more