- **Desktop:** Windows 10, version 1703
- **Mobile:** Windows 10 Mobile, version 1703 (with limited functionality)
|
|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.For example:
If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.
If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. |
|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md)
If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.|
diff --git a/windows/configure/cortana-at-work-policy-settings.md b/windows/configure/cortana-at-work-policy-settings.md
index 5a347b3245..fabe225293 100644
--- a/windows/configure/cortana-at-work-policy-settings.md
+++ b/windows/configure/cortana-at-work-policy-settings.md
@@ -11,11 +11,8 @@ localizationpriority: high
# Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization
**Applies to:**
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!NOTE]
>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
diff --git a/windows/configure/cortana-at-work-powerbi.md b/windows/configure/cortana-at-work-powerbi.md
index b69282afa7..a4245062b7 100644
--- a/windows/configure/cortana-at-work-powerbi.md
+++ b/windows/configure/cortana-at-work-powerbi.md
@@ -11,11 +11,8 @@ localizationpriority: high
# Set up and test Cortana for Power BI in your organization
**Applies to:**
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
@@ -25,7 +22,7 @@ Integration between Cortana and Power BI shows how Cortana can work with custom
## Before you begin
To use this walkthrough, you’ll need:
-- **Windows 10**. You’ll need to be running at least Windows 10 with the latest version from the Windows Insider Program.
+- **Windows 10**. You’ll need to be running at least Windows 10, version 1703.
- **Cortana**. You need to have Cortana turned on and be logged into your account.
diff --git a/windows/configure/cortana-at-work-scenario-1.md b/windows/configure/cortana-at-work-scenario-1.md
index f8c78aeb5c..869f6285f7 100644
--- a/windows/configure/cortana-at-work-scenario-1.md
+++ b/windows/configure/cortana-at-work-scenario-1.md
@@ -10,11 +10,8 @@ localizationpriority: high
# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
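Review bot: the version list in this hunk is added directly under the H1 with no **Applies to:** label, whereas the hunks for cortana-at-work-policy-settings.md, cortana-at-work-testing-scenarios.md and cortana-at-work-voice-commands.md keep `**Applies to:**` as the line above the same two bullets; add that label here so this page reads like the rest of the set. The identical hunks for scenario 2 through scenario 7 have the same gap.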
diff --git a/windows/configure/cortana-at-work-scenario-2.md b/windows/configure/cortana-at-work-scenario-2.md
index 9afdab45ec..0ae41c64a4 100644
--- a/windows/configure/cortana-at-work-scenario-2.md
+++ b/windows/configure/cortana-at-work-scenario-2.md
@@ -10,11 +10,8 @@ localizationpriority: high
# Test scenario 2 - Perform a quick search with Cortana at work
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configure/cortana-at-work-scenario-3.md b/windows/configure/cortana-at-work-scenario-3.md
index 2e187eb725..2200f6b5f9 100644
--- a/windows/configure/cortana-at-work-scenario-3.md
+++ b/windows/configure/cortana-at-work-scenario-3.md
@@ -10,11 +10,8 @@ localizationpriority: high
# Test scenario 3 - Set a reminder for a specific location using Cortana at work
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configure/cortana-at-work-scenario-4.md b/windows/configure/cortana-at-work-scenario-4.md
index 203093cb15..736de5db9f 100644
--- a/windows/configure/cortana-at-work-scenario-4.md
+++ b/windows/configure/cortana-at-work-scenario-4.md
@@ -10,11 +10,8 @@ localizationpriority: high
# Test scenario 4 - Use Cortana at work to find your upcoming meetings
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configure/cortana-at-work-scenario-5.md b/windows/configure/cortana-at-work-scenario-5.md
index 820acedc37..a662de7d04 100644
--- a/windows/configure/cortana-at-work-scenario-5.md
+++ b/windows/configure/cortana-at-work-scenario-5.md
@@ -10,11 +10,8 @@ localizationpriority: high
# Test scenario 5 - Use Cortana to send email to a co-worker
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configure/cortana-at-work-scenario-6.md b/windows/configure/cortana-at-work-scenario-6.md
index 2ad1c7cb5c..8c7e307ed1 100644
--- a/windows/configure/cortana-at-work-scenario-6.md
+++ b/windows/configure/cortana-at-work-scenario-6.md
@@ -10,11 +10,8 @@ localizationpriority: high
# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
diff --git a/windows/configure/cortana-at-work-scenario-7.md b/windows/configure/cortana-at-work-scenario-7.md
index e8d6cfd3ff..4c2451c969 100644
--- a/windows/configure/cortana-at-work-scenario-7.md
+++ b/windows/configure/cortana-at-work-scenario-7.md
@@ -10,11 +10,8 @@ localizationpriority: high
# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
>[!IMPORTANT]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configure/cortana-at-work-testing-scenarios.md b/windows/configure/cortana-at-work-testing-scenarios.md
index d58e3e41e7..fa88b44c54 100644
--- a/windows/configure/cortana-at-work-testing-scenarios.md
+++ b/windows/configure/cortana-at-work-testing-scenarios.md
@@ -11,11 +11,8 @@ localizationpriority: high
# Testing scenarios using Cortana in your business or organization
**Applies to:**
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
diff --git a/windows/configure/cortana-at-work-voice-commands.md b/windows/configure/cortana-at-work-voice-commands.md
index 1f081e3222..e15752085d 100644
--- a/windows/configure/cortana-at-work-voice-commands.md
+++ b/windows/configure/cortana-at-work-voice-commands.md
@@ -11,11 +11,8 @@ localizationpriority: high
# Set up and test custom voice commands in Cortana for your organization
**Applies to:**
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions.
diff --git a/windows/configure/customize-and-export-start-layout.md b/windows/configure/customize-and-export-start-layout.md
index cbff20b284..a7c154e348 100644
--- a/windows/configure/customize-and-export-start-layout.md
+++ b/windows/configure/customize-and-export-start-layout.md
@@ -76,6 +76,9 @@ To prepare a Start layout for export, you simply customize the Start layout on a
When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
+>[!IMPORTANT]
+>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
+
**To export the Start layout to an .xml file**
1. From Start, open **Windows PowerShell**.
@@ -148,19 +151,14 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed
## Related topics
-[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-
-[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-
-[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-
-[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-
-[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-
-[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
-
-
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
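Review bot: spelling error in the added line `- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)`; "tasbkar" should be "taskbar". The same Related topics list is pasted into the Group Policy and provisioning-package pages in this patch, so fix it once at the source before copying.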
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md
index 5a2c3940fa..170d81d10d 100644
--- a/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md
@@ -119,14 +119,14 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c
## Related topics
-[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-
-[Customize and export Start layout](customize-and-export-start-layout.md)
-
-[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-
-[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
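Review bot: same misspelling as in the other Related topics lists in this patch: "tasbkar" in `- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)` should be "taskbar".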
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 16f95659b2..5bbbcc8808 100644
--- a/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -129,18 +129,14 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus
## Related topics
-[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-
-[Customize and export Start layout](customize-and-export-start-layout.md)
-
-[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-
-[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-
-[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-
-[Use Windows 10 custom policies to manage device settings with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=616316)
-
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
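Review bot: the rewritten list drops the external entry `[Use Windows 10 custom policies to manage device settings with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=616316)` without a replacement, while the hunk's own context line shows the page still walks through Intune ("This example uses Microsoft Intune to configure an MDM policy that applies a cus..."); either keep that link or state in the PR why it was removed.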
diff --git a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 8c7153b1ce..07d5c016a8 100644
--- a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -44,18 +44,12 @@ Three features enable Start and taskbar layout control:
## Prepare the Start layout XML file
-Before you paste the contents of the .xml file in the **Policies/Start/StartLayout** setting, you must remove all line breaks and replace markup characters with escape characters.
+The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
-1. In PowerShell, run the following script:
- ```
- $path="layout.xml"
- (Get-Content $path -Raw).Replace("'r'n","") | Set-Content $path -Force
- ```
+1. Copy the contents of layout.xml into an online tool that escapes characters.
-2. Copy the contents of layout.xml into an online tool that escapes characters.
-
-3. Copy the text with the escape characters and paste it in the **Polilcies/Start/StartLayout** setting in your provisioning package.
+3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project.
## Create a provisioning package that contains a customized Start layout
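Review bot: the new step `1. Copy the contents of layout.xml into an online tool that escapes characters.` tells readers to paste the exported Start layout, which describes the organization's pinned apps, into an arbitrary third-party website, and the removed PowerShell step was the only offline path in this section. Suggest a local alternative instead, for example `[System.Security.SecurityElement]::Escape((Get-Content $path -Raw))` in PowerShell, which produces the same `&lt;`/`&gt;`/`&amp;` substitutions without the file leaving the machine. Dropping the old script itself is right: `(Get-Content $path -Raw).Replace("'r'n","")` used single quotes instead of backtick escapes, so it matched the literal text 'r'n and never removed a line break. Minor: the list now jumps from `1.` to `3.`; renumber the second step to `2.`.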
@@ -69,18 +63,32 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
2. Choose **Advanced provisioning**.
-3. Name your project, and click **Next**.
+3. Name your project, and click **Next**.
-4. Choose **All Windows desktop editions** and click **Next**.
+4. Choose **All Windows desktop editions** and click **Next**.
-5. On **New project**, click **Finish**. The workspace for your package opens.
+5. On **New project**, click **Finish**. The workspace for your package opens.
-6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**.
+6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**.
- >[!TIP]
- >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
+ >[!TIP]
+ >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
-7. Paste the text from the layout.xml file, [with line breaks removed and markup characters replaced with escape characters](#escape).
+7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
+
+7. Save your project and close Windows Configuration Designer.
+
+7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
+
+7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this:
+
+ 
+
+7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
+
+8. Save and close the customizations.xml file.
+
+8. Open Windows Configuration Designer and open your project.
8. On the **File** menu, select **Save.**
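Review bot: the steps added in this hunk are all labelled `7.` (five of them) and `8.` (three of them, counting the unchanged "On the **File** menu" step), so correct rendering depends on the markdown renderer's auto-numbering, and the TIP under step 6 ("check the type of settings you selected in step 4") shows readers are expected to refer to steps by number; number them sequentially (7 through 14). Two smaller points: `**<Customizations>**` in the "Open the customizations.xml file in a text editor" step looks like an HTML tag and may be swallowed by the renderer, so write it as `**&lt;Customizations&gt;**` or in backticks; and the link `[with markup characters replaced with escape characters](#escape)` carried over from the old step 7 points at an `#escape` anchor that is not visible anywhere in the rewritten "Prepare the Start layout XML file" section, so confirm it still resolves. The changes to steps 3 through 6 appear to be whitespace-only and could be dropped to keep the diff readable.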
@@ -118,13 +126,14 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
## Related topics
-[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-
-[Customize and export Start layout](customize-and-export-start-layout.md)
-
-[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-
-[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
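Review bot: "tasbkar" in the added line `- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)` should be "taskbar", as in the two other Related topics lists in this patch.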
diff --git a/windows/configure/images/customization-start-edge.PNG b/windows/configure/images/customization-start-edge.PNG
new file mode 100644
index 0000000000..333833d8c0
Binary files /dev/null and b/windows/configure/images/customization-start-edge.PNG differ
diff --git a/windows/configure/images/customization-start.PNG b/windows/configure/images/customization-start.PNG
new file mode 100644
index 0000000000..4942338181
Binary files /dev/null and b/windows/configure/images/customization-start.PNG differ
diff --git a/windows/configure/images/edge-with-logo.png b/windows/configure/images/edge-with-logo.png
new file mode 100644
index 0000000000..cc3504a678
Binary files /dev/null and b/windows/configure/images/edge-with-logo.png differ
diff --git a/windows/configure/images/edge-without-logo.png b/windows/configure/images/edge-without-logo.png
new file mode 100644
index 0000000000..52085a2d68
Binary files /dev/null and b/windows/configure/images/edge-without-logo.png differ
diff --git a/windows/configure/lockdown-xml.md b/windows/configure/lockdown-xml.md
index 9398934ee7..36fa6806f7 100644
--- a/windows/configure/lockdown-xml.md
+++ b/windows/configure/lockdown-xml.md
@@ -91,7 +91,7 @@ The following example is a complete lockdown XML file that disables Action Cente
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
-You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
+You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
The following example makes Outlook Calendar available on the device.
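Review bot: typo in the added line: "so you also provide the ADUMID to differentiate the app" should read "AUMID", matching the abbreviation the same sentence introduces in "App User Model ID (AUMID)".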
diff --git a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index e0cfbed2c9..86503c42e8 100644
--- a/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -29,21 +29,32 @@ To help make it easier to deploy settings to restrict connections from Windows 1
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
-## What's new in Windows 10, version 1607 and Windows Server 2016
+## What's new in Windows 10, version 1703
-Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016:
+Here's a list of changes that were made to this article for Windows 10, version 1703:
-- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech).
-- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy.
-- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists).
-- Added a new setting in [25. Windows Update](#bkmk-wu).
-- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi).
-- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account).
+- Added an MDM policy for Font streaming.
+- Added an MDM policy for Network Connection Status Indicator.
+- Added an MDM policy for the Micosoft Account Sign-In Assistant.
+- Added instructions for removing the Sticky Notes app.
+- Added registry paths for some Group Policies
+- Added the Find My Device section
+- Added the Tasks section
+- Added the App Diagnostics section
- Added the following Group Policies:
- - Turn off unsolicited network traffic on the Offline Maps settings page
- - Turn off all Windows spotlight features
+ - Prevent managing SmartScreen Filter
+ - Turn off Compatibility View
+ - Turn off Automatic Download and Install of updates
+ - Do not connect to any Windows Update locations
+ - Turn off access to all Windows Update features
+ - Specify Intranet Microsoft update service location
+ - Enable Windows NTP client
+ - Turn off Automatic download of the ActiveX VersionList
+ - Allow Automatic Update of Speech Data
+ - Accounts: Block Microsoft Accounts
+ - Do not use diagnostic data for tailored experiences
## Settings
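Review bot: typo in `- Added an MDM policy for the Micosoft Account Sign-In Assistant.`; "Micosoft" should be "Microsoft". Also, the four bullets from `- Added registry paths for some Group Policies` to `- Added the App Diagnostics section` lack the terminal period the surrounding bullets have, and the removed list linked each item to its section (for example `[25. Windows Update](#bkmk-wu)`) while the new bullets do not; since this version renumbers every section, links to the new Find My Device, Tasks and App Diagnostics sections would help readers find them.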
@@ -52,55 +63,58 @@ The following sections list the components that make network connections to Micr
If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
-### Settings for Windows 10 Enterprise, version 1607
+### Settings for Windows 10 Enterprise, version 1703
-See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607.
+See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703.
| Setting | UI | Group Policy | MDM policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) | |  | | | |
-| [2. Cortana and Search](#bkmk-cortana) |  |  |  | |  |
-| [3. Date & Time](#bkmk-datetime) |  | | |  | |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  | | | |
-| [5. Font streaming](#font-streaming) | |  | |  | |
-| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  |  | |  |
-| [7. Internet Explorer](#bkmk-ie) |  |  | | | |
-| [8. Live Tiles](#live-tiles) | |  | | | |
-| [9. Mail synchronization](#bkmk-mailsync) |  | |  | | |
-| [10. Microsoft Account](#bkmk-microsoft-account) | | | |  | |
-| [11. Microsoft Edge](#bkmk-edge) |  |  |  | |  |
-| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | | |
-| [13. Offline maps](#bkmk-offlinemaps) |  |  | | | |
-| [14. OneDrive](#bkmk-onedrive) | |  | |  | |
-| [15. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
-| [16. Settings > Privacy](#bkmk-settingssection) | | | | | |
-| [16.1 General](#bkmk-general) |  |  |  |  | |
-| [16.2 Location](#bkmk-priv-location) |  |  |  | | |
-| [16.3 Camera](#bkmk-priv-camera) |  |  |  | | |
-| [16.4 Microphone](#bkmk-priv-microphone) |  |  | | | |
-| [16.5 Notifications](#bkmk-priv-notifications) |  |  | | | |
-| [16.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
-| [16.7 Account info](#bkmk-priv-accounts) |  |  | | | |
-| [16.8 Contacts](#bkmk-priv-contacts) |  |  | | | |
-| [16.9 Calendar](#bkmk-priv-calendar) |  |  | | | |
-| [16.10 Call history](#bkmk-priv-callhistory) |  |  | | | |
-| [16.11 Email](#bkmk-priv-email) |  |  | | | |
-| [16.12 Messaging](#bkmk-priv-messaging) |  |  | | | |
-| [16.13 Radios](#bkmk-priv-radios) |  |  | | | |
-| [16.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | |
-| [16.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
-| [16.16 Background apps](#bkmk-priv-background) |  | | | | |
-| [16.17 Motion](#bkmk-priv-motion) |  |  | | | |
-| [17. Software Protection Platform](#bkmk-spp) | |  |  | | |
-| [18. Sync your settings](#bkmk-syncsettings) |  |  |  | | |
-| [19. Teredo](#bkmk-teredo) | |  | | |  |
-| [20. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
-| [21. Windows Defender](#bkmk-defender) | |  |  |  | |
-| [22. Windows Media Player](#bkmk-wmp) |  | | | |  |
-| [23. Windows spotlight](#bkmk-spotlight) |  |  | | | |
-| [24. Windows Store](#bkmk-windowsstore) | |  | | | |
-| [25. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  | | |
-| [26. Windows Update](#bkmk-wu) |  |  |  | | |
+| [2. Cortana and Search](#bkmk-cortana) |  |  |  |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  | |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  | |  | |
+| [5. Find My Device](#find-my-device) | |  | | | |
+| [6. Font streaming](#font-streaming) | |  | |  | |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) |  |  | |  | |
+| [9. Live Tiles](#live-tiles) | |  | |  | |
+| [10. Mail synchronization](#bkmk-mailsync) |  | |  |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | | |  |  | |
+| [12. Microsoft Edge](#bkmk-edge) |  |  |  |  |  |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  | |  | |
+| [14. Offline maps](#bkmk-offlinemaps) |  |  | |  | |
+| [15. OneDrive](#bkmk-onedrive) | |  | |  | |
+| [16. Preinstalled apps](#bkmk-preinstalledapps) |  | | | |  |
+| [17. Settings > Privacy](#bkmk-settingssection) | | | | | |
+| [17.1 General](#bkmk-general) |  |  |  |  | |
+| [17.2 Location](#bkmk-priv-location) |  |  |  |  | |
+| [17.3 Camera](#bkmk-priv-camera) |  |  |  |  | |
+| [17.4 Microphone](#bkmk-priv-microphone) |  |  | |  | |
+| [17.5 Notifications](#bkmk-priv-notifications) |  |  | |  | |
+| [17.6 Speech, inking, & typing](#bkmk-priv-speech) |  |  |  |  | |
+| [17.7 Account info](#bkmk-priv-accounts) |  |  | |  | |
+| [17.8 Contacts](#bkmk-priv-contacts) |  |  | |  | |
+| [17.9 Calendar](#bkmk-priv-calendar) |  |  | |  | |
+| [17.10 Call history](#bkmk-priv-callhistory) |  |  | |  | |
+| [17.11 Email](#bkmk-priv-email) |  |  | |  | |
+| [17.12 Messaging](#bkmk-priv-messaging) |  |  | |  | |
+| [17.13 Radios](#bkmk-priv-radios) |  |  | |  | |
+| [17.14 Other devices](#bkmk-priv-other-devices) |  |  | |  | |
+| [17.15 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |  | |
+| [17.16 Background apps](#bkmk-priv-background) |  | | | | |
+| [17.17 Motion](#bkmk-priv-motion) |  |  | |  | |
+| [17.18 Tasks](#bkmk-priv-tasks) |  |  | |  | |
+| [17.19 App Diagnostics](#bkmk-priv-diag) |  |  | |  | |
+| [18. Software Protection Platform](#bkmk-spp) | |  |  |  | |
+| [19. Sync your settings](#bkmk-syncsettings) |  |  |  |  | |
+| [20. Teredo](#bkmk-teredo) | |  | |  |  |
+| [21. Wi-Fi Sense](#bkmk-wifisense) |  |  | |  | |
+| [22. Windows Defender](#bkmk-defender) | |  |  |  | |
+| [23. Windows Media Player](#bkmk-wmp) |  | | | |  |
+| [24. Windows spotlight](#bkmk-spotlight) |  |  | |  | |
+| [25. Windows Store](#bkmk-windowsstore) | |  | |  | |
+| [26. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
+| [27. Windows Update](#bkmk-wu) |  |  |  | | |
### Settings for Windows Server 2016 with Desktop Experience
@@ -109,24 +123,24 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | UI | Group Policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) | |  |  | |
-| [2. Cortana and Search](#bkmk-cortana) |  |  | | |
-| [3. Date & Time](#bkmk-datetime) |  | |  | |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  | | |
-| [5. Font streaming](#font-streaming) | |  |  | |
-| [6. Insider Preview builds](#bkmk-previewbuilds) |  |  | | |
-| [7. Internet Explorer](#bkmk-ie) |  |  | | |
-| [8. Live Tiles](#live-tiles) | |  | | |
-| [10. Microsoft Account](#bkmk-microsoft-account) | | |  | |
-| [12. Network Connection Status Indicator](#bkmk-ncsi) | |  | | |
-| [14. OneDrive](#bkmk-onedrive) | |  | | |
-| [16. Settings > Privacy](#bkmk-settingssection) | | | | |
-| [16.1 General](#bkmk-general) |  |  |  | |
-| [17. Software Protection Platform](#bkmk-spp) | |  | | |
-| [19. Teredo](#bkmk-teredo) | |  | |  |
-| [21. Windows Defender](#bkmk-defender) | |  |  | |
-| [22. Windows Media Player](#bkmk-wmp) | | | |  |
-| [24. Windows Store](#bkmk-windowsstore) | |  | | |
-| [26. Windows Update](#bkmk-wu) | |  |  | |
+| [2. Cortana and Search](#bkmk-cortana) |  |  |  | |
+| [3. Date & Time](#bkmk-datetime) |  |  |  | |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  | |
+| [6. Font streaming](#font-streaming) | |  |  | |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  | |
+| [8. Internet Explorer](#bkmk-ie) |  |  |  | |
+| [9. Live Tiles](#live-tiles) | |  |  | |
+| [11. Microsoft Account](#bkmk-microsoft-account) | | |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) | |  |  | |
+| [15. OneDrive](#bkmk-onedrive) | |  | | |
+| [17. Settings > Privacy](#bkmk-settingssection) | | | | |
+| [17.1 General](#bkmk-general) |  |  |  | |
+| [18. Software Protection Platform](#bkmk-spp) | |  |  | |
+| [20. Teredo](#bkmk-teredo) | |  |  |  |
+| [22. Windows Defender](#bkmk-defender) | |  |  | |
+| [23. Windows Media Player](#bkmk-wmp) | | | |  |
+| [25. Windows Store](#bkmk-windowsstore) | |  |  | |
+| [27. Windows Update](#bkmk-wu) | |  |  | |
### Settings for Windows Server 2016 Server Core
@@ -135,13 +149,13 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | Group Policy | Registry | Command line |
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) |  |  | |
-| [3. Date & Time](#bkmk-datetime) | |  | |
-| [5. Font streaming](#font-streaming) |  |  | |
-| [12. Network Connection Status Indicator](#bkmk-ncsi) |  | | |
-| [17. Software Protection Platform](#bkmk-spp) |  | | |
-| [19. Teredo](#bkmk-teredo) |  | |  |
-| [21. Windows Defender](#bkmk-defender) |  |  | |
-| [26. Windows Update](#bkmk-wu) |  |  | |
+| [3. Date & Time](#bkmk-datetime) |  |  | |
+| [6. Font streaming](#font-streaming) |  |  | |
+| [13. Network Connection Status Indicator](#bkmk-ncsi) |  | | |
+| [18. Software Protection Platform](#bkmk-spp) |  | | |
+| [20. Teredo](#bkmk-teredo) |  | |  |
+| [22. Windows Defender](#bkmk-defender) |  |  | |
+| [27. Windows Update](#bkmk-wu) |  |  | |
### Settings for Windows Server 2016 Nano Server
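Review bot: the separator row `| - | :-: | :-: | :-: | :-: | :-: |` under the Server Core heading declares six columns, while the header `| Setting | Group Policy | Registry | Command line |` and every data row this hunk rewrites have four; since the whole body of this table is being replaced, trim the separator to `| - | :-: | :-: | :-: |` so renderers stop emitting two empty trailing columns. The Nano Server table in the following hunk has the same six-column separator over three-column rows.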
@@ -151,8 +165,8 @@ See the following table for a summary of the management settings for Windows Ser
| - | :-: | :-: | :-: | :-: | :-: |
| [1. Certificate trust lists](#certificate-trust-lists) |  | |
| [3. Date & Time](#bkmk-datetime) |  | |
-| [19. Teredo](#bkmk-teredo) | |  |
-| [26. Windows Update](#bkmk-wu) |  | |
+| [20. Teredo](#bkmk-teredo) | |  |
+| [27. Windows Update](#bkmk-wu) |  | |
## Settings
@@ -164,6 +178,10 @@ A certificate trust list is a predefined list of items, such as a list of certif
To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list.
+> [!CAUTION]
+> By not automatically downloading the root certificates, the device might have not be able to connect to some websites.
+
+
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update**
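Review bot: grammar in the new caution, `> By not automatically downloading the root certificates, the device might have not be able to connect to some websites.` should read "might not be able to connect". Since the sentence above says turning off automatic root updates also stops the disallowed certificate list and the pin rules list, the caution should say so, because that is the more security-relevant side effect: the device will no longer receive newly trusted roots, nor additions to the list of certificates Microsoft has explicitly untrusted, until those are distributed some other way. One of the two blank lines added after the caution block is surplus.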
@@ -209,6 +227,16 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad
| Don't search the web or display web results in Search| Choose whether to search the web from Cortana.
Enable this policy to stop web queries and results from showing in Search. |
| Set what information is shared in Search | Control what information is shared with Bing in Search.
If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. |
+You can also apply the Group Policies using the following registry keys:
+
+| Policy | Registry Path |
+|------------------------------------------------------|---------------------------------------------------------------------------------------|
+| Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowCortana
REG_DWORD: 0|
+| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowSearchToUseLocation
REG_DWORD: 0 |
+| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
REG_DWORD: 1 |
+| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchUseWeb
REG_DWORD: 0 |
+| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
REG_DWORD: 3 |
+
In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic.
>[!IMPORTANT]
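Review bot: the lead-in `You can also apply the Group Policies using the following registry keys:` describes the wrong direction; these are the registry values that the listed Group Policies write, which an administrator can also set directly (for example by MDM or a script), so "The Group Policies above set the following registry values, which you can also set directly:" is more accurate. The `Key!ValueName` notation (`...\Windows Search!AllowCortana`) is introduced here for the first time on the page with no explanation; add a sentence saying that the part before `!` is the key and the part after it is the REG_DWORD value name, otherwise readers will create a subkey named `AllowCortana`. For `ConnectedSearchPrivacy` it is also worth stating that `3` is the value corresponding to the **Anonymous info** choice described in the row above, since a bare `3` gives the reader no way to map it back to the policy UI.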
@@ -258,17 +286,47 @@ You can prevent Windows from setting the time automatically.
-or-
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client**
+
+ -or -
+
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
+
+ -or-
+
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### 4. Device metadata retrieval
To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-### 5. Font streaming
+You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
+
+### 5. Find My Device
+
+To turn off Find My Device:
+
+- Turn off the feature in the UI
+
+ -or
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**
+
+You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one).
+
+### 6. Font streaming
Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand.
-If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+If you're running Windows 10, version 1607, Windows Server 2016, or later:
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**.
+
+- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
+
+ - **false**. Font streaming is disabled.
+
+ - **true**. Font streaming is enabled.
If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1.
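Review bot: the NTP client policy path `**System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client**` nests a policy setting as if it were a folder; "Enable Windows NTP Server" is a sibling setting, not a node, and the client setting is found under **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**. The registry paths added in this hunk (`HKEY_LOCAL_MACHINE\Policies\Microsoft\W32time\...` and `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\Device Metadata!...`) omit the `SOFTWARE\` segment; policy values live under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies`, and the same omission recurs in every `HKEY_LOCAL_MACHINE\Policies\...` line added later in this patch (PreviewBuilds, PushNotifications, Windows Mail, NetworkConnectivityStatusIndicator, Maps, OneDrive, AdvertisingInfo). In the new Find My Device section, the registry line `...\Device Metadata!PreventDeviceMetadataFromNetwork` is a verbatim copy of the Device metadata line from section 4 and has nothing to do with Find My Device; it should either be dropped or replaced with the value the **Turn On/Off Find My Device** policy actually writes (`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FindMyDevice!AllowFindMyDevice` set to 0; verify against the ADMX before merging). Minor: `-or -` and `-or` should be `-or-` like the surrounding connectors, and `**Administrative Template**` should be plural.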
@@ -276,7 +334,7 @@ If you're running Windows 10, version 1507 or Windows 10, version 1511, create a
> After you apply this policy, you must restart the device for it to take effect.
-### 6. Insider Preview builds
+### 7. Insider Preview builds
The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10.
@@ -298,6 +356,10 @@ To turn off Insider Preview builds for Windows 10:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
+ -or -
+
+- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero)
+
-or-
- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where:
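Review bot: the new registry line `**HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\PreviewBuilds!AllowBuildPreview** to 0 (zero)` omits the `SOFTWARE\` segment (policy values live under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies`) and ends without a period, unlike the neighbouring bullets; the connector above it is `-or -` where the rest of the page uses `-or-`.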
@@ -318,7 +380,7 @@ To turn off Insider Preview builds for Windows 10:
- **2**. (default) Not configured. Users can make their devices available for download and installing preview software.
-### 7. Internet Explorer
+### 8. Internet Explorer
Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**.
@@ -329,27 +391,61 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
Default: Disabled You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
Default: Disabled|
+| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
Default: Disabled |
-There are two more Group Policy objects that are used by Internet Explorer:
+Alternatively, you could use the registry to set the Group Policies.
+
+| Policy | Registry path |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled
REG_DWORD: 0|
+| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA
REG_DWORD: 0|
+| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
REG_SZ: **No** |
+| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck
REG_DWORD: 1 |
+| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
REG_DWORD: 1 |
+| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9
REG_DWORD: 0 |
+
+There are three more Group Policy objects that are used by Internet Explorer:
| Path | Policy | Description |
| - | - | - |
+| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Disabled |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
Default: Enabled |
| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
Default: Enabled |
-### 7.1 ActiveX control blocking
+You can also use registry entries to set these Group Policies.
-ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
+| Policy | Registry path |
+|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation!MSCompatibilityMode
REG_DWORD: 0|
+| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
REG_DWORD: 0|
+| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
DWORD:0 |
+
+
+### 8.1 ActiveX control blocking
+
+ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked.
+
+You can turn this off by:
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList**
+
+ -or -
+
+- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero).
For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx).
-### 8. Live Tiles
+### 9. Live Tiles
To turn off Live Tiles:
- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage**
-### 9. Mail synchronization
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one).
+
+### 10. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device:
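Review bot: the new Compatibility View row is mis-filled: its Policy column holds a description (`Choose whether employees can configure Compatibility View.`) while the policy name (**Turn off Compatibility View**) sits at the end of the Path column, and its Description column repeats the flip-ahead text about swiping to the next pre-loaded page; it should read Path ... > **Compatibility View**, Policy "Turn off Compatibility View", Description "Choose whether employees can configure Compatibility View. Default: Disabled". The matching registry row then names the policy by that description and places it under `Microsoft\\MicrosoftEdge\\BrowserEmulation`, an Edge key for an Internet Explorer policy; the IE policy key is `...\Policies\Microsoft\Internet Explorer\BrowserEmulation` (verify against the ADMX). In the first registry table, `Internet Explorer\\AllowServicePoweredQSA` lacks the `!` separator and so reads as a subkey rather than a value name; `Microsoft\ Internet Explorer\\PhishingFilter` has a single backslash and a stray space; `Policies\\Microsoft\\Explorer\\AutoComplete` looks truncated compared with the usual `...\Windows\CurrentVersion\Explorer\AutoComplete`; and `DWORD:0` should match the `REG_DWORD: 0` form used elsewhere. The `HKEY_LOCAL_MACHINE\Policies\...\PushNotifications!NoCloudApplicationNotification` line omits `SOFTWARE\`, and because the corresponding policy is under **User Configuration**, the hive should be checked as well (per-user policies write to `HKEY_CURRENT_USER\SOFTWARE\Policies`). Wording: `You can turn this off by:` followed by "Apply..." and "Changing..." mixes verb forms; make both imperative, and replace "Alternatively, you could use the registry to set the Group Policies." with a statement that these are the values the policies write.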
@@ -367,31 +463,37 @@ To turn off the Windows Mail app:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application**
-### 10. Microsoft Account
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero).
+
+### 11. Microsoft Account
To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways.
-- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4.
+- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**.
+
+To disable the Microsoft Account Sign-In Assistant:
+
+- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on.
-### 11. Microsoft Edge
+### 12. Microsoft Edge
Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682).
-### 11.1 Microsoft Edge Group Policies
+### 12.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
-> [!NOTE]
-> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes.
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
-| Configure autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
+| Configure Autofill | Choose whether employees can use autofill on websites.
Default: Enabled |
| Configure Do Not Track | Choose whether employees can send Do Not Track headers.
Default: Disabled |
-| Configure password manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
+| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
Default: Enabled |
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
Default: Enabled |
-| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
Default: Enabled |
+| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears.
Default: Enabled |
| Configure Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
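Review bot: replacing the `wlidsvc` `Start = 4` registry line with **Accounts: Block Microsoft Accounts** changes what the section delivers without updating its claim. The intro still reads "To prevent communication to the Microsoft Account cloud authentication service", but blocking users from adding Microsoft accounts does not stop the Microsoft Account Sign-in Assistant service from contacting that endpoint; the only entry in this hunk that does is the `Accounts/AllowMicrosoftAccountSignInAssistant` MDM policy at the end. Either keep the `wlidsvc` registry line as the non-MDM way to disable the service, or reword the intro so it describes what the Group Policy actually does (prevents users from adding Microsoft accounts). While here, the intro sentence fragment "To prevent communication ... service." should be joined to the sentence that follows it. The new `**HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows Mail!ManualLaunchAllowed**` path omits the `SOFTWARE\` segment.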
@@ -408,7 +510,20 @@ The Windows 10, version 1511 Microsoft Edge Group Policy names are:
| Open a new tab with an empty tab | Choose whether a new tab page appears.
Default: Enabled |
| Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
Set this to **about:blank** |
-### 11.2 Microsoft Edge MDM policies
+Alternatively, you can configure the Microsoft Group Policies using the following registry entries:
+
+| Policy | Registry path |
+| - | - |
+| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
REG_SZ: **about:blank** |
+| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
REG_DWORD: 1 |
+| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
REG_SZ: **no** |
+| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal
REG_DWORD: 0|
+| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter!EnabledV9
REG_DWORD: 0 |
+| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!AllowWebContentOnNewTabPage
REG_DWORD: 0 |
+| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
REG_DWORD: 0|
+
+
+### 12.2 Microsoft Edge MDM policies
The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
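Review bot: two rows in the new Edge registry table carry values copied from the wrong row. `Configure Autofill` maps to `MicrosoftEdge\\Main!Use FormSuggest` with `REG_SZ: **about:blank**`, but `about:blank` is the home page value from the row above; `Use FormSuggest` takes `no`/`yes`, consistent with the `FormSuggest Passwords` row that already says `REG_SZ: **no**`. `Configure corporate Home pages` maps to `ServiceUI!ProvisionedHomePages` as `REG_DWORD: 0`, yet a home page list is a string holding the URL(s), and the policy table above says to set it to **about:blank**; that row also uses the version 1511 policy name while the 1703 table above calls it `Configure Home pages`. `AllowWebContentOnNewTabPage` is listed under `SearchScopes`; verify the key against the ADMX, as the related `ProvisionedHomePages` value is under `ServiceUI`. The lead-in "configure the Microsoft Group Policies" should say "Microsoft Edge Group Policies".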
@@ -423,36 +538,54 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http
For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx).
-### 12. Network Connection Status Indicator
+### 13. Network Connection Status Indicator
Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx).
In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com.
-You can turn off NCSI through Group Policy:
+You can turn off NCSI by doing one of the following:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
+- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy.
+
> [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect.
-### 13. Offline maps
+-or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero).
+
+### 14. Offline maps
You can turn off the ability to download and update offline maps.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero).
+
-and-
- In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page**
-### 14. OneDrive
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero).
+
+### 15. OneDrive
To turn off OneDrive in your organization:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-### 15. Preinstalled apps
+ -or-
+
+- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one).
+
+### 16. Preinstalled apps
Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section.
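Review bot: the new NCSI registry line `**...\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero)` does not do what the section says; a `No...` flag set to 0 leaves the active probes enabled, so the value that matches **Turn off Windows Network Connectivity Status Indicator active tests** is 1. All four `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\...` paths added in this hunk (NetworkConnectivityStatusIndicator, both Maps values, OneDrive) omit the `SOFTWARE\` segment. Structure in the NCSI list: the intro now says "by doing one of the following", but the Group Policy and MDM bullets have no `-or-` between them, and the restart NOTE now sits between the MDM bullet and the registry bullet, so it reads as if it applies only to the first two; move the NOTE after the last bullet and indent the `-or-` like the other connectors.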
@@ -564,48 +697,99 @@ To remove the Get Skype app:
Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage**
-### 16. Settings > Privacy
+To remove the Sticky notes app:
+
+- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
+
+ -and-
+
+ Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage**
+
+### 17. Settings > Privacy
Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
-- [16.1 General](#bkmk-general)
+- [17.1 General](#bkmk-general)
-- [16.2 Location](#bkmk-priv-location)
+- [17.2 Location](#bkmk-priv-location)
-- [16.3 Camera](#bkmk-priv-camera)
+- [17.3 Camera](#bkmk-priv-camera)
-- [16.4 Microphone](#bkmk-priv-microphone)
+- [17.4 Microphone](#bkmk-priv-microphone)
-- [16.5 Notifications](#bkmk-priv-notifications)
+- [17.5 Notifications](#bkmk-priv-notifications)
-- [16.6 Speech, inking, & typing](#bkmk-priv-speech)
+- [17.6 Speech, inking, & typing](#bkmk-priv-speech)
-- [16.7 Account info](#bkmk-priv-accounts)
+- [17.7 Account info](#bkmk-priv-accounts)
-- [16.8 Contacts](#bkmk-priv-contacts)
+- [17.8 Contacts](#bkmk-priv-contacts)
-- [16.9 Calendar](#bkmk-priv-calendar)
+- [17.9 Calendar](#bkmk-priv-calendar)
-- [16.10 Call history](#bkmk-priv-callhistory)
+- [17.10 Call history](#bkmk-priv-callhistory)
-- [16.11 Email](#bkmk-priv-email)
+- [17.11 Email](#bkmk-priv-email)
-- [16.12 Messaging](#bkmk-priv-messaging)
+- [17.12 Messaging](#bkmk-priv-messaging)
-- [16.13 Radios](#bkmk-priv-radios)
+- [17.13 Radios](#bkmk-priv-radios)
-- [16.14 Other devices](#bkmk-priv-other-devices)
+- [17.14 Other devices](#bkmk-priv-other-devices)
-- [16.15 Feedback & diagnostics](#bkmk-priv-feedback)
+- [17.15 Feedback & diagnostics](#bkmk-priv-feedback)
-- [16.16 Background apps](#bkmk-priv-background)
+- [17.16 Background apps](#bkmk-priv-background)
-- [16.17 Motion](#bkmk-priv-motion)
+- [17.17 Motion](#bkmk-priv-motion)
-### 16.1 General
+- [17.18 Tasks](#bkmk-priv-tasks)
+
+- [17.19 App Diagnostics](#bkmk-priv-diag)
+
+### 17.1 General
**General** includes options that don't fall into other areas.
+#### Windows 10, version 1703 options
+
+To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**:
+
+> [!NOTE]
+> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it.
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
+
+To turn off **Let websites provide locally relevant content by accessing my language list**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1.
+
+To turn off **Let Windows track app launches to improve Start and search results**:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Create a REG_DWORD registry setting called **Start_TrackProgs** with value of 0 (zero) in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced**
+
+#### Windows Server 2016 and Windows 10, version 1607 and earlier options
+
To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**:
> [!NOTE]
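Review bot: the registry path on the new `DisabledByGroupPolicy` bullet, `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\AdvertisingInfo`, is missing the `SOFTWARE\` component; policy values live under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\...`, which is how the `CloudContent`, `Personalization`, `WindowsStore` and `TCPIP\v6Transition` bullets later in this file spell it. The same truncated `HKEY_LOCAL_MACHINE\Policies\...` prefix appears on every new `!Value`-style bullet in this file, so fix them together. Minor: the `Start_TrackProgs` bullet reads "with value of 0" and has no terminating period, unlike the surrounding bullets.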
@@ -621,15 +805,21 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero).
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one).
+
To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**:
- Turn off the feature in the UI.
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
+- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**.
+ In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+ In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**.
+ In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**.
-or-
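Review bot: the two SmartScreen bullets now each carry a second, unbulleted "In Windows 10, version 1703, apply the Group Policy" line with no `-or-` separator, so it renders as a run-on continuation of the Server 2016 bullet rather than as the alternative it is; give each OS variant its own bullet (or put an `-or-` between them). There is also a stray space before the comma in "version 1703 ," on the File Explorer line.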
@@ -647,6 +837,10 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window
- Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero).
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero).
+
To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**:
> [!NOTE]
@@ -680,11 +874,16 @@ To turn off **Let apps on my other devices open apps and continue experiences on
- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero).
+
To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**:
- Turn off the feature in the UI.
-### 16.2 Location
+
+### 17.2 Location
In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location.
@@ -696,6 +895,10 @@ To turn off **Location for this device**:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessLocation**, with a value of 2 (two).
+
-or-
- Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
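Review bot: the registry alternative inserted here appears swapped with the one in the next hunk. "Location for this device" is governed by the **Location and Sensors** > **Turn off location** policy on the line above, whose registry form is the `LocationAndSensors!DisableLocation` = 1 value (currently added under the App Privacy **Force Deny** step further down), while `AppPrivacy!LetAppsAccessLocation` = 2 is the registry form of the App Privacy policy. Move `DisableLocation` here and `LetAppsAccessLocation` under the per-app **Location** setting.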
@@ -725,6 +928,10 @@ To turn off **Location**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors!DisableLocation**, with a value of 1 (one).
+
-or-
To turn off **Location history**:
@@ -735,7 +942,7 @@ To turn off **Choose apps that can use your location**:
- Turn off each app using the UI.
-### 16.3 Camera
+### 17.3 Camera
In the **Camera** area, you can choose which apps can access a device's camera.
@@ -749,6 +956,10 @@ To turn off **Let apps use my camera**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCamera**, with a value of 2 (two).
+
-or-
- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
@@ -772,7 +983,7 @@ To turn off **Choose apps that can use your camera**:
- Turn off the feature in the UI for each app.
-### 16.4 Microphone
+### 17.4 Microphone
In the **Microphone** area, you can choose which apps can access a device's microphone.
@@ -786,11 +997,15 @@ To turn off **Let apps use my microphone**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two)
+
To turn off **Choose apps that can use your microphone**:
- Turn off the feature in the UI for each app.
-### 16.5 Notifications
+### 17.5 Notifications
In the **Notifications** area, you can choose which apps have access to notifications.
@@ -800,11 +1015,15 @@ To turn off **Let apps access my notifications**:
-or-
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications**
- Set the **Select a setting** box to **Force Deny**.
-### 16.6 Speech, inking, & typing
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two)
+
+### 17.6 Speech, inking, & typing
In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees.
@@ -819,6 +1038,10 @@ To turn off the functionality:
- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning**
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization!RestrictImplicitInkCollection**, with a value of 1 (one).
+
-or-
- Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero).
@@ -827,6 +1050,9 @@ To turn off the functionality:
- Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero).
+If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models:
+
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatically update of Speech Data**
If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models:
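Review bot: the new "If you're running at least Windows 10, version 1703" paragraph repeats the 1607 lead sentence word for word on the very next line, so the reader sees the same sentence twice with no indication of which options belong to which version; either fold the 1703 Group Policy into the existing 1607 list as another `-or-` bullet or state what differs. Also "Allow automatically update of Speech Data" should read "Allow automatic update of Speech Data", and a blank line is missing between the new bullet and the 1607 paragraph.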
@@ -839,7 +1065,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/
- Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero).
-### 16.7 Account info
+### 17.7 Account info
In the **Account Info** area, you can choose which apps can access your name, picture, and other account info.
@@ -852,12 +1078,16 @@ To turn off **Let apps access my name, picture, and other account info**:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
- Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two).
To turn off **Choose the apps that can access your account info**:
- Turn off the feature in the UI for each app.
-### 16.8 Contacts
+### 17.8 Contacts
In the **Contacts** area, you can choose which apps can access an employee's contacts list.
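Review bot: the registry bullet added for account info is wrong on two counts. `LetAppsAccessContacts` is the Contacts value (the Contacts section that follows has its own setting), so this bullet does not implement the **Let Windows apps access account information** policy it sits under. And the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy` omits `Policies\`, unlike every other App Privacy bullet in this file (compare the call-history line, `...\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCallHistory`). A blank line is also missing before "To turn off **Choose the apps that can access your account info**".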
@@ -871,7 +1101,7 @@ To turn off **Choose apps that can access contacts**:
- Set the **Select a setting** box to **Force Deny**.
-### 16.9 Calendar
+### 17.9 Calendar
In the **Calendar** area, you can choose which apps have access to an employee's calendar.
@@ -885,11 +1115,15 @@ To turn off **Let apps access my calendar**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two).
+
To turn off **Choose apps that can access calendar**:
- Turn off the feature in the UI for each app.
-### 16.10 Call history
+### 17.10 Call history
In the **Call history** area, you can choose which apps have access to an employee's call history.
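Review bot: the calendar path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\AppPrivacy!LetAppsAccessCalendar` is inconsistent with the other App Privacy bullets in this file, which use `...\Policies\Microsoft\Windows\AppPrivacy` (see the call-history and messaging lines); one of the two spellings is wrong, and all of the `AppPrivacy!LetApps...` bullets should share the same policy path.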
@@ -903,7 +1137,11 @@ To turn off **Let apps access my call history**:
- Set the **Select a setting** box to **Force Deny**.
-### 16.11 Email
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two).
+
+### 17.11 Email
In the **Email** area, you can choose which apps have can access and send email.
@@ -917,7 +1155,11 @@ To turn off **Let apps access and send email**:
- Set the **Select a setting** box to **Force Deny**.
-### 16.12 Messaging
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two).
+
+### 17.12 Messaging
In the **Messaging** area, you can choose which apps can read or send messages.
@@ -931,11 +1173,15 @@ To turn off **Let apps read or send messages (text or MMS)**:
- Set the **Select a setting** box to **Force Deny**.
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two).
+
To turn off **Choose apps that can read or send messages**:
- Turn off the feature in the UI for each app.
-### 16.13 Radios
+### 17.13 Radios
In the **Radios** area, you can choose which apps can turn a device's radio on or off.
@@ -948,12 +1194,17 @@ To turn off **Let apps control radios**:
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios**
- Set the **Select a setting** box to **Force Deny**.
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessRadios**, with a value of 2 (two).
+
To turn off **Choose apps that can control radios**:
- Turn off the feature in the UI for each app.
-### 16.14 Other devices
+### 17.14 Other devices
In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info.
@@ -965,6 +1216,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices**
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsSyncWithDevices**, with a value of 2 (two).
+
To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**:
- Turn off the feature in the UI.
@@ -975,7 +1230,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
-### 16.15 Feedback & diagnostics
+### 17.15 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.
@@ -994,6 +1249,10 @@ To change how frequently **Windows should ask for my feedback**:
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!DoNotShowFeedbackNotifications**, with a value of 1 (one).
+
+ -or-
+
- Create the registry keys (REG\_DWORD type):
- HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds
@@ -1014,12 +1273,7 @@ To change how frequently **Windows should ask for my feedback**:
To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**:
-- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**.
-
- > [!NOTE]
- > You can't use the UI to change the telemetry level to **Security**.
-
-
+- Click either the **Basic** or **Full** options.
-or-
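Review bot: replacing the UI step with "Click either the **Basic** or **Full** options" silently drops the NOTE that the **Security** level cannot be selected from the UI, yet the MDM mapping below still lists **0** = **Security** as a valid level; keep the note, or a sentence to the same effect, so readers know Security is reachable only through policy. Grammar: "either the **Basic** or the **Full** option".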
@@ -1027,6 +1281,10 @@ To change the level of diagnostic and usage data sent when you **Send your devic
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!AllowTelemetry**, with a value of 0 (zero).
+
+ -or-
+
- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where:
- **0**. Maps to the **Security** level.
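Review bot: the new `DataCollection!AllowTelemetry` bullet says only "with a value of 0 (zero)" while the surrounding text is about choosing a level; say which level 0 selects (the MDM mapping directly below shows **0** = **Security** and **3** = **Full**) and that the registry value follows the same mapping as System/AllowTelemetry, otherwise a reader who wants Basic does not know what to set.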
@@ -1049,17 +1307,29 @@ To change the level of diagnostic and usage data sent when you **Send your devic
- **3**. Maps to the **Full** level.
-### 16.16 Background apps
+To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**
+
+### 17.16 Background apps
In the **Background Apps** area, you can choose which apps can run in the background.
To turn off **Let apps run in the background**:
- Turn off the feature in the UI for each app.
+
+ -or-
+
+- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background**
- Set the **Select a setting** box to **Force Deny**.
-### 16.17 Motion
+### 17.17 Motion
In the **Motion** area, you can choose which apps have access to your motion data.
@@ -1071,25 +1341,63 @@ To turn off **Let Windows and your apps use your motion data and collect motion
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion**
-### 17. Software Protection Platform
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two).
+
+### 17.18 Tasks
+
+In the **Tasks** area, you can choose which apps have access to your tasks.
+
+To turn this off:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks**
+
+ - Set the **Select a setting** box to **Force Deny**.
+
+### 17.19 App Diagnostics
+
+In the **App diagnostics** area, you can choose which apps have access to your diagnostic information.
+
+To turn this off:
+
+- Turn off the feature in the UI.
+
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
+
+### 18. Software Protection Platform
Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following:
For Windows 10:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two).
+
+ -or-
+
- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:
-- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation**
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
+
+ -or-
+
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform!NoGenTicket**, with a value of 1 (one).
The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS.
-### 18. Sync your settings
+### 19. Sync your settings
You can control if your settings are synchronized:
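Review bot: the Windows 10 registry alternative under **Software Protection Platform**, `AppPrivacy!LetAppsAccessContacts` = 2, is a copy-paste error; it is the Contacts app-privacy value and has nothing to do with KMS activation reporting. The Server 2016 block right below uses `Software Protection Platform!NoGenTicket` = 1, which is what the Windows 10 block should list as well (with `SOFTWARE\` in the path: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform`). Smaller points in the same hunk: "dignostic" in the 17.19 policy name should be "diagnostic", and 17.19 lacks the "Set the **Select a setting** box to **Force Deny**" sub-step that 17.18 and the other App Privacy sections carry.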
@@ -1101,6 +1409,10 @@ You can control if your settings are synchronized:
-or-
+- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSync**, with a value of 2 (two) and **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSyncUserOverride**, with a value of 1 (one).
+
+ -or-
+
- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed.
-or-
@@ -1115,7 +1427,7 @@ To turn off Messaging cloud sync:
- Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero).
-### 19. Teredo
+### 20. Teredo
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx).
@@ -1126,9 +1438,13 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
-or-
+- Create a new REG\_SZ registry setting called in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition!Teredo_State**, with a value of **Disabled**.
+
+ -or-
+
- From an elevated command prompt, run **netsh interface teredo set state disabled**
-### 20. Wi-Fi Sense
+### 21. Wi-Fi Sense
Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them.
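Review bot: "Create a new REG_SZ registry setting called in **HKEY_LOCAL_MACHINE\...\v6Transition!Teredo_State**" is missing the value name after "called"; either drop "called" (the `!Teredo_State` suffix already names the value, matching the style of the other new bullets) or name it explicitly.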
@@ -1154,11 +1470,15 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee.
-### 21. Windows Defender
+### 22. Windows Defender
You can disconnect from the Microsoft Antimalware Protection Service.
-- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS**
+- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS**
+
+ -or-
+
+- Delete the registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!DefinitionUpdateFileSharesSources**.
-or-
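Review bot: the new `-or-` alternative to **Join Microsoft MAPS** is not equivalent to it: deleting `Windows Defender\Updates!DefinitionUpdateFileSharesSources` concerns the file-share sources for definition updates, which is the subject of the "stop downloading definition updates" block later in this section, and says nothing about MAPS membership or cloud reporting. Either move it to that block or replace it with the registry form of the MAPS policy. Also `Windows Defender\Updates` uses a single backslash where every other path in this file escapes it as `\\`.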
@@ -1172,9 +1492,11 @@ You can disconnect from the Microsoft Antimalware Protection Service.
From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0**
+
+
You can stop sending file samples back to Microsoft.
-- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
+- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**.
-or-
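Review bot: the two blank lines added after the `set-mppreference` line are stray whitespace; a single blank line separates paragraphs everywhere else in this file.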
@@ -1194,11 +1516,15 @@ You can stop sending file samples back to Microsoft.
You can stop downloading definition updates:
-- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
+- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and-
-- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing.
+
+ -or-
+
+- Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!FallbackOrder**, with a value of **FileShares**.
For Windows 10 only, you can stop Enhanced Notifications:
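Review bot: the `-or-` after the `-and-` pair is ambiguous: `Updates!FallbackOrder` = **FileShares** is the registry form of the first policy only (**Define the order of sources**), not of the second (**Define file shares ... set it to nothing**), so a reader taking the `-or-` literally applies only half of the `-and-` pair. State that the registry route needs both values, or give the second one; and escape the backslash in `Windows Defender\Updates` as `\\` like the rest of the file.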
@@ -1206,7 +1532,7 @@ For Windows 10 only, you can stop Enhanced Notifications:
You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1.
-### 22. Windows Media Player
+### 23. Windows Media Player
To remove Windows Media Player on Windows 10:
@@ -1220,7 +1546,7 @@ To remove Windows Media Player on Windows Server 2016:
- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer**
-### 23. Windows spotlight
+### 24. Windows spotlight
Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy.
@@ -1228,6 +1554,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
+
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:
@@ -1251,23 +1581,42 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
- Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
> [!NOTE]
- > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**.
+ > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one).
+
-
+ - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**.
- - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**.
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableSoftLanding**, with a value of 1 (one).
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**.
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one).
+
For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md).
-### 24. Windows Store
+### 25. Windows Store
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps.
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**.
-### 25. Windows Update Delivery Optimization
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!DisableStoreApps**, with a value of 1 (one).
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
+
+ -or-
+
+ - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two).
+
+Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers**
+
+### 26. Windows Update Delivery Optimization
Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
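Review bot: the line "Disable the Group Policy: ... **Configure web-to-app linking with URI handlers**" is dropped into the Windows Store section as bare text: it is not a bullet, has no `-or-`/`-and-` separator, and nothing explains what it has to do with blocking Store apps or automatic app updates. Make it a bullet with a sentence saying what it turns off, or move it to the section it belongs to. In the same hunk, the Spotlight and Store bullets nest each `-or-` registry alternative one indent deeper than the policy it replaces, whereas the rest of the file keeps `-or-` and the alternative at the same level as the preceding bullet.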
@@ -1277,13 +1626,13 @@ Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delive
In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below.
-### 25.1 Settings > Update & security
+### 26.1 Settings > Update & security
You can set up Delivery Optimization from the **Settings** UI.
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
-### 25.2 Delivery Optimization Group Policies
+### 26.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
@@ -1295,7 +1644,9 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-### 25.3 Delivery Optimization MDM policies
+You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred).
+
+### 26.3 Delivery Optimization MDM policies
The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx).
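Review bot: the new sentence sets `DeliveryOptimization!DODownloadMode` to 100 without saying which mode that is; the paragraph above defines **Simple** as 99 and **Bypass** as 100, so write "100 (**Bypass**)" and mention 99 (**Simple**) as the other value that stops peer traffic. "(one hundred)" adds nothing the digits do not.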
@@ -1308,7 +1659,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS
| DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
-### 25.4 Delivery Optimization Windows Provisioning
+### 26.4 Delivery Optimization Windows Provisioning
If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies
@@ -1324,7 +1675,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
-### 26. Windows Update
+### 27. Windows Update
You can turn off Windows Update by setting the following registry entries:
@@ -1338,6 +1689,18 @@ You can turn off Windows Update by setting the following registry entries:
- Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1.
+ -or-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**.
+
+ -and-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Intenet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**.
+
+ -and-
+
+- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to "".
+
You can turn off automatic updates by doing one of the following. This is not recommended.
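Review bot: the added Group Policy block is ambiguous about how it combines with the registry entries above it; it opens with `-or-` after the last registry bullet and then chains three policies with `-and-`, so it is unclear whether the reader applies the registry entries, the three policies, or both. A lead sentence such as "Alternatively, apply all three of the following Group Policy settings:" would remove the doubt. Also fix the typo in `**Intenet Communication Management**` ("Internet") and the doubled verb in `set the **Set the alternate download server** to ""`, which reads better as `set **Set the alternate download server** to an empty string`.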
diff --git a/windows/configure/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md
index 6fd085952b..f2a3295ba9 100644
--- a/windows/configure/product-ids-in-windows-10-mobile.md
+++ b/windows/configure/product-ids-in-windows-10-mobile.md
@@ -230,21 +230,8 @@ The following table lists the product ID and AUMID for each app that is included
-## Get product ID and AUMID for other apps
-To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps.
-
-**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for
-
-1. On Start , swipe over to the App list, then tap **Settings**  > **Accounts** > **Apps Corner**.
-
-2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done 
-
-3. Tap **advanced**, and then **tap export to SD card**.
-
-4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app.
-
## Related topics
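Review bot: this hunk deletes the whole "Get product ID and AUMID for other apps" procedure (the Apps Corner export to WEHLockdown.xml) without leaving a replacement or a pointer, so an admin who needs the product ID and AUMID of a side-loaded app now has no documented way to obtain it from this page. Either keep a one-line pointer to wherever that procedure now lives, or state on the page (and in the commit message) that the export is no longer available and why.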
diff --git a/windows/configure/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md
index 2fa9efb09a..2725bb140c 100644
--- a/windows/configure/provisioning-apply-package.md
+++ b/windows/configure/provisioning-apply-package.md
@@ -46,7 +46,7 @@ Provisioning packages can be applied to a device during the first-run experience
### After setup, from a USB drive, network folder, or SharePoint site
-On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
+Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.

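Review bot: fix "forlder" ("folder") in the added sentence, and "Insert the USB drive to a desktop computer" should read "into". The heading names three sources (USB drive, network folder, SharePoint site), so one sentence per source, or a three-item list, would match the heading better than the single run-on sentence the hunk introduces.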
diff --git a/windows/configure/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md
index 639ca1ea2f..0e47014f47 100644
--- a/windows/configure/provisioning-script-to-install-app.md
+++ b/windows/configure/provisioning-script-to-install-app.md
@@ -16,7 +16,7 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
-This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see Remarks below).
+This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see [Remarks](#remarks) below).
>**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher
diff --git a/windows/configure/start-layout-xml-desktop.md b/windows/configure/start-layout-xml-desktop.md
index 2a8a20dfd2..b8a3205aa6 100644
--- a/windows/configure/start-layout-xml-desktop.md
+++ b/windows/configure/start-layout-xml-desktop.md
@@ -475,13 +475,14 @@ Once you have created the LayoutModification.xml file and it is present in the d
## Related topics
-
-- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
- [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)
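Review bot: the rewritten link text `Customize Windows 10 Start and tasbkar with mobile device management (MDM)` has a typo ("taskbar"); the same string is pasted into two other files in this patch, so fix every copy. The new entry `Add image for secondary tiles` also does not match the title of the page it points to, `Add image for secondary Microsoft Edge tiles`; aligning the text avoids confusion about which tiles are meant.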
diff --git a/windows/configure/start-secondary-tiles.md b/windows/configure/start-secondary-tiles.md
new file mode 100644
index 0000000000..4e9328e91b
--- /dev/null
+++ b/windows/configure/start-secondary-tiles.md
@@ -0,0 +1,187 @@
+---
+title: Add image for secondary Microsoft Edge tiles (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Add image for secondary Microsoft Edge tiles
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include:
+
+- Weather updates for a specific city in a weather app
+- A summary of upcoming events in a calendar app
+- Status and updates from an important contact in a social app
+- A website in Microsoft Edge
+
+In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo.
+
+Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:
+
+
+
+In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image:
+
+
+
+In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
+
+
+
+
+## Export Start layout and assets
+
+1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#bkmkcustomizestartscreen) to customize the Start screen on your test computer.
+2. Open Windows PowerShell and enter the following command:
+
+ ```
+ Export-StartLayout -path .xml
+ ```
+ In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
+
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
+
+3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
+ - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
+ - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images
+ >[!TIP]
+ >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images.
+
+ 4. In Windows PowerShell, enter the following command:
+
+ ```
+ Export-StartLayoutEdgeAssets assets.xml
+ ```
+
+## Configure policy settings
+
+You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you are including the images for secondary tiles, you must configure an additional policy to import the Edge assets.
+
+### Using MDM
+
+Follow the instructions to [create a custom policy](customize-windows-10-start-screens-by-using-mobile-device-management.md#bkmk-domaingpodeployment). Replace the markup characters with escape characters in both the layout.xml and the assets.xml.
+
+In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting, you must also add the `ImportEdgeAssets` setting.
+
+| Item | Information |
+|----|----|
+| **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. |
+| **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
+| **Data type** | **String** |
+| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets**
+| **Value** | Paste the contents of the assets.xml file that you created. |
+
+### Using a provisioning package
+
+
+#### Prepare the Start layout and Edge assets XML files
+
+The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
+
+
+1. Copy the contents of layout.xml into an online tool that escapes characters.
+
+2. Copy the contents of assets.xml into an online tool that escapes characters.
+
+3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project.
+
+#### Create a provisioning package that contains a customized Start layout
+
+
+Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
+
+>[!IMPORTANT]
+>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+
+2. Choose **Advanced provisioning**.
+
+3. Name your project, and click **Next**.
+
+4. Choose **All Windows desktop editions** and click **Next**.
+
+5. On **New project**, click **Finish**. The workspace for your package opens.
+
+6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**.
+
+ >[!TIP]
+ >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
+
+7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
+
+8. In the **Available customizations** pane, select **ImportEdgeAssets**.
+
+9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the assets.xml file in a later step.
+
+7. Save your project and close Windows Configuration Designer.
+
+7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
+
+7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this:
+
+ 
+
+7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
+
+8. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape).
+
+8. Save and close the customizations.xml file.
+
+8. Open Windows Configuration Designer and open your project.
+
+8. On the **File** menu, select **Save.**
+
+9. On the **Export** menu, select **Provisioning package**.
+
+10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
+
+ Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
+
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Copy the provisioning package to the target device.
+
+17. Double-click the ppkg file and allow it to install.
+
+ ## Related topics
+
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+
+
+
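Review bot: the command in step 2, `Export-StartLayout -path .xml`, is missing the file name the parameter requires; the next paragraph tells the reader to pick one (StartLayoutMarketing.xml), so show that or an explicit placeholder such as `<filename>.xml`, and the path in step 3, `C:\Users\\AppData\Local\Packages\...`, is missing the user-name placeholder that the later step uses (`C:\Users\*user name*\...`). The step numbering is broken in two places: step 4 of the export procedure is indented as if it belonged to step 3, and in the provisioning-package procedure the steps after `9. Enter **assets.xml**` run 7, 7, 7, 7, 7, 8, 8, 8, 8 before resuming at 9. The two links `[with markup characters replaced with escape characters](#escape)` point at an `escape` anchor that does not exist in this file; the section they mean is `#### Prepare the Start layout and Edge assets XML files`, so link to that heading or add the anchor there. Steps 1 and 2 of that section tell the reader to paste layout.xml and assets.xml into "an online tool that escapes characters"; a layout can carry internal UNC paths (the page itself gives `\\FileServer01\StartLayouts\...` as an example) and assets.xml carries the exported tile images, so recommend escaping locally instead, for example `[System.Security.SecurityElement]::Escape((Get-Content .\layout.xml -Raw))` in the same PowerShell session, and keep the online tool only as an option for content the reader considers public. Smaller points: `description:` in the front matter is empty; "such as in the following image" and "as shown in the following image" are followed by blank lines with no image markup; the `**OMA-URI (case sensitive)**` table row lacks its closing `|`; `## Related topics` is indented by a space, which can stop it rendering as a heading; the BuildMyPinnedSite link is plain `http://`; and "tasbkar" in the MDM link text should be "taskbar".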
diff --git a/windows/configure/windows-10-start-layout-options-and-policies.md b/windows/configure/windows-10-start-layout-options-and-policies.md
index 258d6c4418..b43919e728 100644
--- a/windows/configure/windows-10-start-layout-options-and-policies.md
+++ b/windows/configure/windows-10-start-layout-options-and-policies.md
@@ -102,13 +102,14 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a
## Related topics
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
-
-
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
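Review bot: "tasbkar" in the added MDM link text should be "taskbar" (the same typo appears in the other two copies of this list in the patch). The new entry `Add image for secondary tiles` also does not match the linked page's title, `Add image for secondary Microsoft Edge tiles`; use the same wording in both places.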
diff --git a/windows/configure/windows-diagnostic-data.md b/windows/configure/windows-diagnostic-data.md
new file mode 100644
index 0000000000..9cc018cf4f
--- /dev/null
+++ b/windows/configure/windows-diagnostic-data.md
@@ -0,0 +1,119 @@
+---
+title: Windows 10, version 1703 Diagnostic Data (Windows 10)
+description: Use this article to learn about the types of that is collected the the Full telemetry level.
+keywords: privacy,Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Windows 10, version 1703 Diagnostic Data
+
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on tailored experiences, can be used to provide relevant tips and recommendations to tailor Microsoft products to the user's needs. In keeping with our efforts to be transparent about diagnostic data Windows collects, as described in Terry Myerson's [blog post](https://blogs.windows.com/windowsexperience/2017/01/10/continuing-commitment-privacy-windows-10/) in January 2017, this article includes descriptions of the diagnostic data that is collected by Windows at the Full telemetry level. A small subset of this data is collected at the [Basic level](https://go.microsoft.com/fwlink/?linkid=845809).
+
+
+The data covered in this article is grouped into the following categories:
+
+- Device, Connectivity, and Configuration data
+- Product and Service Usage data
+- Product and Service Performance data
+- Software Setup and Inventory data
+- Content Consumption data
+- Browsing History data
+- Search Requests and Query data
+- Inking, Typing, and Speech Utterance data
+- Licensing and Purchase data
+
+> [!NOTE]
+> The majority of diagnostic data falls into the first four categories.
+
+## Common data
+
+Most diagnostic events contain a header of common data:
+
+| Category Name | Examples |
+| - | - |
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
- OS name, version, build, and [locale](https://msdn.microsoft.com/en-us/library/windows/desktop/dd318716.aspx)
- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic Diagnostic data; Xbox UserID
- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
- The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
- HTTP header information including
- IP address. This is not the IP address of the device but the source address in the network packet header received by the diagnostics ingestion service.
- Various IDs that are used to correlate and sequence related events together.
- Device ID. This is not the user provided device name, but an ID that is unique for that device.
- Device class -- Desktop, Server, or Mobile
- Event collection time
- Diagnostic level eg. Basic or Full, Sample level -- for sampled data, what sample level is this machine opted into
|
+
+## Device, Connectivity, and Configuration data
+
+This type of data includes details about the device, its configuration and connectivity capabilities, and status.
+
+| Category Name | Examples |
+| - | - |
+| Device properties | Information about the OS and device hardware, such as:
- OS - version name, Edition
- Installation type, subscription status, and genuine OS status
- Processor architecture, speed, number of cores, manufacturer, and model
- OEM details --manufacturer, model, and serial number
- Device identifier and Xbox serial number
- Firmware/BIOS -- type, manufacturer, model, and version
- Memory. total memory, video memory, speed, and how much memory is available after the device has reserved memory
- Storage -- total capacity and disk type
- Battery -- charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
- Is this a virtual machine?
|
+| Device capabilities | Information about the specific device capabilities such as:
- Camera -- whether the device has a front facing, a rear facing camera, or both.
- Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?
- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
- Trusted Platform Module (TPM) – whether present and what version
- Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
- Voice – whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality level set
- Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
|
+| Device preferences and settings | Information about the device settings and user preferences such as:
- User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- Device Name
- Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)
- Hashed representation of the domain name
- MDM (mobile device management) enrollment settings and status
- BitLocker, Secure Boot, encryption settings, and status
- Windows Update settings and status
- Developer Unlock settings and status
- Default app choices
- Default browser choice
- Default language settings for app, input, keyboard, speech, and display
- App store update settings
- Enterprise OrganizationID, Commercial ID
|
+| Device peripherals | Information about the device peripherals such as:
- Peripheral name, device model, class, manufacturer and description
- Peripheral device state, install state, and checksum
- name, package name, version, and manufacturer
- HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
|
+| Device network info | Information about the device network configuration such as:
- Network system capabilities
- Local or Internet connectivity status
- Proxy, gateway, DHCP, DNS details and addresses
- Paid or free network
- Wireless driver is emulated or not
- Access point mode capable
- Access point manufacturer, model, and MAC address
- WDI Version
- Name of networking driver service
- Wi-Fi Direct details
- Wi-Fi device hardware ID and manufacturer
- Wi-Fi scan attempt counts and item counts
- Mac randomization is supported/enabled or not
- Number of spatial streams and channel frequencies supported
- Manual or Auto Connect enabled
- Time and result of each connection attempt
- Airplane mode status and attempts
- Interface description provided by the manufacturer
- Data transfer rates
- Cipher algorithm
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
- IP Address type -- IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
- Miracast device names
- Hashed IP address
+
+## Product and Service Performance data
+
+This type of data includes details about the health of the device, operating system, apps and drivers.
+
+### Product and Service Performance
+
+| Category Name | Description and Examples |
+| - | - |
+| Device health and crash data | Information about the device and software health such as:
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error e.g. xyz.dll
- System generated files -- app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
|
+| Device performance and reliability data | Information about the device and software performance such as:
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Windows Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
+
+## Software Setup and Inventory data
+
+| Category Name | Data Examples |
+| - | - |
+| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
- App, driver, update package, or component’s Name, ID, or Package Family Name
- Product, SKU, availability, catalog, content, and Bundle IDs
- OS component, app or driver publisher, language, version and type (Win32 or UWP)
- Install date, method, and install directory, count of install attempts
- MSI package code and product code
- Original OS version at install time
- User or administrator or mandatory installation/update
- Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
|
+| Device update information | Information about Windows Update such as:
- Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, type
- Update download size and source -- CDN or LAN peers
- Delay upgrade status and configuration
- OS uninstall and rollback status and count
- Windows Update server and service URL
- Windows Update machine ID
- Windows Insider build details
+
+## Content Consumption data
+
+This type of data includes diagnostic details about the applications and services that provide media consumption functionality, not the details of content consumed by users.
+
+### Content Consumption
+
+| Category Name | Examples |
+| - | - |
+| Movie Media Consumption | Information about movie consumption on the device such as:
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user eg the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two-second chunk of content if there is an error
- Full screen viewing mode details
|
+| Music & TV Media Consumption | Information about music and TV consumption on the device such as:
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics -- number of purchased tracks, number of playlists
- Region mismatch -- User OS Region, and Xbox Live region
|
+| Reading Media Consumption | Information about reading material consumption on the device such as:
- App accessing content and status and options used to open a Windows Store book
- Language of the book
- Time spent reading content
- Content type and size details
|
+| Photos App Media Consumption | Information about photos usage on the device such as:
- File source data -- local, SD card, network device, and OneDrive
- Image & video resolution, video length, file sizes types and encoding
- Collection view or full screen viewer use and duration of view
- Data about item tags that are analyzed to identify subjects in them -- _dog_ or _outdoors_
+
+## Browsing History data
+
+This type of data includes details about web browsing activity in Microsoft browsers on the device.
+
+### Browse History
+
+| Category Name | Description and Examples |
+| - | - |
+| Browse history | Information about browsing on the device such as:
- BrowserId - an anonymous random unique number collected in addition to the identifiers in Common Data. Allows us to only use BrowserID when other identifiers are not necessary for troubleshooting and product improvement purposes.
- URLs visited
- Page title
|
+
+## Search Requests and Query data
+
+This type of data includes diagnostic details about the web search activity in Edge and Cortana, and local file searches on the device.
+
+### Search performance diagnostics
+
+| Category Name | Description and Examples |
+| - | - |
+| Microsoft Edge queries | Information about Address bar and search box performance on the device such as:
- Text typed in address bar and search box
- Text selected for Ask Cortana search
- Service response time
- Auto-completed text if there was an auto-complete
- Navigation suggestions provided based on local history and favorites
|
+| On-device file Query | Information about local search activity on the device such as:
- Kind of query issued and index type (ConstraintIndex, SystemIndex)
- Number of items requested and retrieved
- File extension of search result user interacted with
- Launched item kind, file extension, index of origin, and the App ID of the opening app.
- Name of process calling the indexer and time to service the query.
- A hash of the search scope (file, Outlook, OneNote, IE history )
- The state of the indices (fully optimized, partially optimized, being built)
|
+
+## Inking Typing and Speech Utterance data
+
+This type of data gathers details about the voice, inking, and typing input features on the device.
+
+| Category Name | Description and Examples |
+| - | - |
+| Voice, inking, and typing | Information about voice, inking and typing features such as:
- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as names, email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of the Cortana recognition results and the text of what Cortana says to the user. This is critical diagnostics to improve service
- Speech recognition results, result codes, and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
|
+
+## Licensing and Purchase data
+
+This type of data includes diagnostic details about the purchase and entitlement activity on the device.
+
+| Category Name | Data Examples |
+| - | - |
+| Purchase history | Information about purchases made on the device such as:
- Product ID, edition ID and product URI
- Offer details -- price
- Device location settings and IP address based location of purchase
- Order placed date/time and the charge date/time
- Store client type -- web or native client
- App ID and version for in-app purchases
- Purchaser ID and beneficiary ID
- Purchase quantity and price
- Paid amount before and after tax, in local currency
- Payment type -- credit card type and PayPal
|
+| Entitlements | Information about entitlements on the device such as:
- Service subscription status and errors
- DRM and license rights details --Groove subscription or OS volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline vs online) and duration
- License usage session
|
\ No newline at end of file
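Review bot: The table rows in this hunk are closed inconsistently: the `Installed Applications and Install History`, `Movie Media Consumption`, `Music & TV Media Consumption`, `Reading Media Consumption`, `Browse history`, `Microsoft Edge queries`, `On-device file Query`, `Voice, inking, and typing`, `Purchase history` and `Entitlements` rows each end their cell with a bare `|` line, but the `Device update information` row (after `- Windows Insider build details`) and the `Photos App Media Consumption` row (after `- Data about item tags ...`) do not, so those cells are never terminated before the next heading. Add the closing `|` to both. Smaller fixes while here: `color pallet` should be `color palette`, `eg` should be `e.g.`, `file sizes types` needs a comma, the heading `Inking Typing and Speech Utterance data` needs a comma after `Inking`, and the file should end with a newline (`\ No newline at end of file`). On content: the `Microsoft Edge queries` row lists `Text typed in address bar and search box` with no statement about identifier removal, whereas the `Voice, inking, and typing` row says explicitly that input is processed to remove names, email addresses and numeric values; if the same scrubbing applies to typed address-bar and search text, say so, and if it does not, readers assessing this data level should be told that the raw text is collected.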
diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deploy/mbr-to-gpt.md
index e0c160b723..76aa003b02 100644
--- a/windows/deploy/mbr-to-gpt.md
+++ b/windows/deploy/mbr-to-gpt.md
@@ -29,7 +29,9 @@ You can use MBR2GPT to perform the following:
You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
-The MBR2GPT tool can convert operating system disks that have earlier versions of Windows installed, such as Windows 10 versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+The MBR2GPT tool can convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
>[!IMPORTANT]
>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
Make sure that your device supports UEFI before attempting to convert the disk.
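Review bot: Subject-verb agreement in the new paragraph: `Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported` should read `is not officially supported`, since the subject is `conversion`. The rewording of the preceding sentence to `earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607` is a good clarification, because the old text could be read as covering Windows 7 through 8.1 as well.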
diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md
index 0206b5764e..f8d311cd6b 100644
--- a/windows/deploy/upgrade-readiness-deployment-script.md
+++ b/windows/deploy/upgrade-readiness-deployment-script.md
@@ -42,9 +42,9 @@ To run the Upgrade Readiness deployment script:
3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
> *logMode = 0 log to console only*
->
+ >
> *logMode = 1 log to file and console*
->
+ >
> *logMode = 2 log to file only*
3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
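Review bot: This hunk only reindents the `>` separator lines, but the unchanged context shows two steps both numbered `3.` (`By default, the script sends log information...` and `To enable Internet Explorer data collection...`). Since the next hunk renumbers the final step from 4 to 5, the second `3.` should become `4.` here and the later step numbers should shift accordingly, otherwise the list still carries a duplicate number.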
@@ -57,7 +57,16 @@ To run the Upgrade Readiness deployment script:
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
-4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
+
+ The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
+
+ This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
+
+ \*vortex\*.data.microsoft.com
+ \*settings\*.data.microsoft.com
+
+5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
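Review bot: `https traffic` in the new step 4 should be `HTTPS traffic`, and `The latest version (03.02.17)` will go stale as soon as the script is revised; `Version 03.02.17 and later of the deployment script` keeps the statement true over time. Since `AppInsightsOptIn` defaults to `true`, the paragraph documents an opt-out rather than an opt-in, so `If you choose to opt-in to and send this data to Microsoft` is at odds with the default stated two sentences earlier; consider `If you leave AppInsightsOptIn set to true`. The two wildcard endpoints (`\*vortex\*.data.microsoft.com`, `\*settings\*.data.microsoft.com`) would also read better as a list or code block so the `\*` escapes are not needed, and administrators can then copy them directly into a proxy allow-list.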
diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md
index 4829baa632..7cb98c4cf2 100644
--- a/windows/deploy/upgrade-readiness-get-started.md
+++ b/windows/deploy/upgrade-readiness-get-started.md
@@ -79,7 +79,7 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
+Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
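Review bot: Replacing the `go.microsoft.com/fwlink/?linkid=838688` redirect with the direct `blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/...` URL removes the ability to retarget the link if the post moves; if the fwlink currently resolves to the wrong page, updating its target is the usual fix, otherwise keep the fwlink and leave this line unchanged.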
diff --git a/windows/deploy/upgrade-readiness-requirements.md b/windows/deploy/upgrade-readiness-requirements.md
index 5f706bab59..5593a4eb72 100644
--- a/windows/deploy/upgrade-readiness-requirements.md
+++ b/windows/deploy/upgrade-readiness-requirements.md
@@ -78,8 +78,6 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
-**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
-
**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
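Review bot: The removed paragraph (`User authenticated proxies are not supported in this release`) is replaced by nothing, but the `upgrade-readiness-get-started.md` hunk in this same patch still directs readers with user-authenticated proxies to the blog post on running the compatibility update under the logged-on user account; add a one-line pointer to that guidance here so this requirements page does not silently drop the proxy topic. Also fix the typo in the context line: `Upgrade Anatlyics` should be `Upgrade Readiness`, matching `Upgrade Readiness does not support on-premises Windows deployments` two lines below.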
diff --git a/windows/images/w10-evaluation.png b/windows/images/w10-evaluation.png
new file mode 100644
index 0000000000..19d690b694
Binary files /dev/null and b/windows/images/w10-evaluation.png differ
diff --git a/windows/images/w10-whatsnew-highlight.png b/windows/images/w10-whatsnew-highlight.png
new file mode 100644
index 0000000000..b8534ef41d
Binary files /dev/null and b/windows/images/w10-whatsnew-highlight.png differ
diff --git a/windows/index.md b/windows/index.md
index 1509edd168..50d0140341 100644
--- a/windows/index.md
+++ b/windows/index.md
@@ -13,30 +13,29 @@ This library provides the core content that IT pros need to evaluate, plan, depl
-
-
-
+
+
What's New?
|
-
+
Plan
|
-
+
Deploy
|
-
+
Manage
@@ -45,50 +44,47 @@ This library provides the core content that IT pros need to evaluate, plan, depl
|
-
+
Keep Secure
|
-
+
Configure
|
-
+
Update
|
-
-
+
+
Try it
|
-
-
-# Get to know Windows as a Service (WaaS)
+## Get to know Windows as a Service (WaaS)
- The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
+ | The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers.
These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time.
+ - [Read more about Windows as a Service](manage/waas-overview.md)
-
- * [Read more about Windows as a Service]()
- * [Download the WaaS infographic]()
+ - Download the WaaS infographic
|
-  |
+  |
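Review bot: `- Download the WaaS infographic` at the end of this hunk is left as plain text: the old `* [Download the WaaS infographic]()` had an empty link target and the replacement has no link at all, so the item now promises a download with nothing to click. Either give it a real target, as was done for `[Read more about Windows as a Service](manage/waas-overview.md)` just above it, or drop the item until the asset exists.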
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index 4680d2fe2c..bc1d1edae3 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -23,6 +23,12 @@
### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
## [Protect derived domain credentials with Credential Guard](credential-guard.md)
+### [How Credential Guard works](credential-guard-how-it-works.md)
+### [Credential Guard Requirements](credential-guard-requirements.md)
+### [Manage Credential Guard](credential-guard-manage.md)
+### [Scenarios not protected by Credential Guard](credential-guard-not-protected-scenarios.md)
+### [Considerations when using Credential Guard](credential-guard-considerations.md)
+### [Scripts for Certificate Authority Issuance Policies](credential-guard-scripts.md)
## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
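Review bot: Casing is inconsistent among the six new Credential Guard entries: `Credential Guard Requirements` and `Scripts for Certificate Authority Issuance Policies` are title-cased while `How Credential Guard works`, `Manage Credential Guard`, `Scenarios not protected by Credential Guard` and `Considerations when using Credential Guard` follow the sentence case used by the surrounding entries (`Protect derived domain credentials with Credential Guard`); use `Credential Guard requirements` and `Scripts for certificate authority issuance policies`.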
@@ -801,9 +807,13 @@
#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender Antivirus compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+
### [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
+#### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus-compatibility.md)
#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
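Review bot: The two blank lines added after `Windows Defender Antivirus compatibility` are stray whitespace in a TOC file and should be dropped. Separately, the renamed entry `Windows Defender Antivirus compatibility` under the ATP troubleshooting node and the new `Windows Defender Antivirus and Advanced Threat Protection: Better together` entry under the AV node point at different files (`defender-compatibility-windows-defender-advanced-threat-protection.md` versus `windows-defender-antivirus-compatibility.md`) but describe the same subject; if both are meant to stay, their titles should make the distinction clear.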
@@ -830,8 +840,11 @@
###### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
###### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
#### [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-##### [Exclude files and processes from scans](configure-exclusions-windows-defender-antivirus.md)
-##### [Configure email, removable storage, network, reparse point, and archive scanning](configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
##### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
##### [Configure and run scans](run-scan-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
index 9176b41ff8..ca83fa4210 100644
--- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
+++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
@@ -14,7 +14,7 @@ localizationpriority: high
# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330).
@@ -39,15 +39,14 @@ You can add apps to your Windows Information Protection (WIP) protected app list
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
- >[!NOTE]
+
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
- >[!IMPORTANT]
- >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+ >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
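Review bot: Replacing `>[!NOTE]` with a blank line leaves the `>We recommend that you use **Publisher** rules...` line as an unlabeled blockquote, and replacing `>[!IMPORTANT]` with `>**Important**` while the body line `Be aware that what you're saving...` has no `>` prefix relies on lazy continuation to keep the text inside the quote. Another file in this same patch (`assign-portal-access-windows-defender-advanced-threat-protection.md`) still uses the `> [!NOTE]` alert syntax, so either keep `[!NOTE]`/`[!IMPORTANT]` here or apply the bold-label style consistently across the patch. While touching the note: `came out.If you can't` is missing a space after the period.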
@@ -87,18 +86,15 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
- >[!IMPORTANT]
- >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
+ >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
- >[!NOTE]
- >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+ >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
- >[!IMPORTANT]
- >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
+ >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
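Review bot: Removing the `>[!NOTE]` pair leaves its two continuation lines (`If you can't use **Publisher** rules...` and `Finally, there's **Path** rules...`) orphaned immediately before the new `>**Note**` heading, and the same two paragraphs appear again right after `We recommend that you use **Publisher** rules...`, so the rendered page will give the File hash and Path guidance twice. Delete the first copy so the Path-rule bypass warning (renaming `DisallowedApp.exe` to `Notepad.exe` to match `%PROGRAMFILES%/NOTEPAD.EXE`), which is the substantive security guidance in this section, appears once under its label. The `>**Important**` and `>**Note**` labels are also followed by body lines without a `>` prefix, which only stay inside the quote through lazy continuation; prefix them or restore the `[!IMPORTANT]`/`[!NOTE]` syntax.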
diff --git a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
index d7678c4832..1bcbb15c46 100644
--- a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Turn on advanced features in Windows Defender Advanced Threat Protection
+title: Turn on advanced features in Windows Defender ATP
description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
keywords: advanced features, preferences setup, block file
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
index d551629b2e..580f3684c9 100644
--- a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -24,7 +24,7 @@ localizationpriority: high
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
-# Alert API fields and portal mapping
+## Alert API fields and portal mapping
Field numbers match the numbers in the images below.
Portal label | SIEM field name | Description
@@ -75,6 +75,6 @@ Portal label | SIEM field name | Description
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md
index edf4af5b1b..d436e1e7a7 100644
--- a/windows/keep-secure/app-behavior-with-wip.md
+++ b/windows/keep-secure/app-behavior-with-wip.md
@@ -13,7 +13,7 @@ localizationpriority: high
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default.
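Review bot: The context line after the version bump has a typo: `Enlighted apps can differentiate` should be `Enlightened apps can differentiate`, matching the title and the first sentence of the same paragraph. Worth fixing in this commit since the file is already being touched.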
diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
index 95c54414fa..429ac0c65b 100644
--- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -22,10 +22,23 @@ localizationpriority: high
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions:
+Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
+
+## Assign user access using Azure PowerShell
+You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read only access
+### Before you begin
+- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
+
+ > [!NOTE]
+ > You need to run the PowerShell cmdlets in an elevated command-line.
+
+- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
+
+
+
**Full access**
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
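Review bot: `For more information see, [How to install and configure Azure PowerShell]` and `For more information see, [Connect-MsolService]` have the comma on the wrong side of `see` (`For more information, see`). The three consecutive blank lines before `**Full access**` should be reduced to one. Also, the moved `### Before you begin` now sits between the permission-level list and the descriptions of those levels; placing it after `Assigning read only access rights...` and just before `Use the following steps to assign security roles:` would keep the prerequisites next to the commands they apply to.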
@@ -36,13 +49,7 @@ They will not be able to change alert states, submit files for deep analysis or
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
Use the following steps to assign security roles:
-- Preparations:
- - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
- > [!NOTE]
- > You need to run the PowerShell cmdlets in an elevated command-line.
-
-- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
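Review bot: The fenced block after `For **read and write** access...` is tagged `text` though it contains a PowerShell cmdlet (`Add-MsolRoleMember -RoleName "Security Administrator" ...`); tag it `powershell` so it highlights and readers know which shell it belongs in. The hunk also drops the `- Preparations:` bullets that carried the elevated-prompt note; since the `> [!NOTE]` about running the cmdlets elevated now lives only in the `Before you begin` section above, confirm that `Use the following steps to assign security roles:` still reads correctly once its first bullet is gone.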
@@ -53,3 +60,21 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader
```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
+
+## Assign user access using the Azure portal
+
+1. Go to the [Azure portal](https://portal.azure.com).
+
+2. Select **Azure Active Directory**.
+
+3. Select **Manage** > **Users and groups**.
+
+4. Select **Manage** > **All users**.
+
+5. Search or select the user you want to assign the role to.
+
+6. Select **Manage** > **Directory role**.
+
+7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
+
+
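Review bot: the new Azure portal procedure ends with two blank "+" lines before the next file; trim to one. Separately, the hunk header shows the Security Reader command opening its address with a curly quote (“reader...) while the Security Administrator command in the previous hunk uses straight quotes; make both straight so the example copies cleanly into a console.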
diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md
index c0112dcf47..8f5aa0a1af 100644
--- a/windows/keep-secure/bitlocker-group-policy-settings.md
+++ b/windows/keep-secure/bitlocker-group-policy-settings.md
@@ -32,7 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se
The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
-- [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout)
+- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
- [Allow network unlock at startup](#bkmk-netunlock)
- [Require additional authentication at startup](#bkmk-unlockpol1)
- [Allow enhanced PINs for startup](#bkmk-unlockpol2)
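Review bot: the link text changes from "protect DMS ports" to "protected DMA ports" but keeps the anchor #bkmk-hstioptout; confirm that the heading it points to carries that explicit anchor id, otherwise the link breaks if the renderer derives the anchor from the heading text. The same check applies to the matching heading change in the next hunk.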
@@ -86,7 +86,7 @@ The following policies are used to support customized deployment scenarios in yo
- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
-### Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN
+### Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN
This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
@@ -137,7 +137,8 @@ This setting enables an exception to the PIN-required policy on secure hardware.
### Allow network unlock at startup
-This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
+This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
+This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
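Review bot: splitting the Network Unlock paragraph at the added line break does not produce two paragraphs: the second "+" line follows the first without a blank line, and in Markdown a single newline renders as the same paragraph. Either insert a blank line between them or leave the text as one paragraph.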
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 6cd59dffcb..18f2048095 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -16,6 +16,10 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
## March 2017
|New or changed topic |Description |
|---------------------|------------|
+|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.|
|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
|[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
|[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New |
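Review bot: the two unchanged rows directly below the added rows (the Credential Guard and Device Guard entries) read "Window 10, version 1703"; since this hunk already edits the March 2017 table, fix the typo to "Windows 10" here.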
@@ -30,7 +34,6 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. |
-
## January 2017
|New or changed topic |Description |
|---------------------|------------|
diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
index f00f86053f..22861fbaa2 100644
--- a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Check sensor health state in Windows Defender ATP
-description: Check sensor health on machines to see if they are misconfigured or inactive.
+title: Check the health state of the sensor in Windows Defender ATP
+description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
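Review bot: the new description has a redundant verb: "which ones are misconfigured, inactive, or are not reporting sensor data" should drop the second "are".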
diff --git a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
index ea9f0e7d05..90098f1ce1 100644
--- a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
+++ b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
@@ -19,10 +19,14 @@ author: iaanw
- Windows 10
+**Audience**
+
+- Enterprise security administrators
+
You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus.
-This utility can be handy when you want to automate the use of Windows Defender Antivirus.
+This utility can be useful when you want to automate the use of Windows Defender Antivirus.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
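Review bot: the unchanged path line under the edited sentence gives _%Program Files%\Windows Defender\MpCmdRun.exe_; %Program Files% is not an environment variable, the variable is %ProgramFiles% (no space). Suggest correcting it while this passage is being edited, since administrators copy this path into automation scripts.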
diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
index 369450238d..1f2fa78b86 100644
--- a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Configure advanced scanning types for Windows Defender AV
+title: Configure scanning options for Windows Defender AV
description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
search.product: eADQiWindows 10XVcnh
@@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
-# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
+# Configure scanning options in Windows Defender AV
**Applies to**
@@ -25,147 +25,79 @@ author: iaanw
**Manageability available with**
- Group Policy
-- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
- Microsoft Intune
+To configure the Group Policy settings described in the following table:
-Scan Turn on e-mail scanning
-Scan Turn on reparse point scanning
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
+
+Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
+---|---|---|---
+See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint`
+Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
+Scan packed executables | Scan > Scan packed executables | Enabled | Not available
+Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
+Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
+ Specify the maximum CPU load (as a percentage) during a scan. This a theoretical maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
+ Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies not limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+
+**Use Configuration Manager to configure scanning options:**
+
+See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure scanning options**
-## Manage email scans in Windows Defender
-
-You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
-> **Important:** Mail scanning only applies to on-demand and scheduled scans, not on-access scans.
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
-Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
-> **Note: ** Scanning email files might increase the time required to complete a scan.
-
-Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
-> **Note:** While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
-- DBX
-- MBX
-- MIME
-
-You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
+
+
+
+### Email scanning limitations
+We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
+
+Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended method for scanning emails.
+
+You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+- DBX
+- MBX
+- MIME
+
+PST files used by Outlook 2003 or older (where the archive type is set to non-uni-code) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
- Email subject
- Attachment name
-Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
-- *Group Policy* settings
-- WMI
-- PowerShell
-> **Important:** There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
+
+>[!WARNING]
+>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
-
-## Use *Group Policy* settings to enable email scans
-This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.
+## Related topics
-Turn on email scanning with the following *Group Policy* settings:
-1. Open the **Group Policy Editor**.
-2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3. Click **Scan**.
-4. Double-click **Turn on e-mail scanning**.
-
- This will open the **Turn on e-mail scanning** window:
-
- 
-
-5. Select **Enabled**.
-6. Click **OK** to apply changes.
-
-## Use WMI to disable email scans
-
-You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableEmailScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable email scanning.
-
-## Use PowerShell to enable email scans
-
-You can also enable email scanning using the following PowerShell parameter:
-1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
-2. Type **Set-MpPreference -DisableEmailScanning $false**.
-
-Read more about this in:
-- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
-- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Manage archive scans in Windows Defender
-
-You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
-> **Important:** Archive scanning only applies to on-demand and scheduled scans, not on-access scans.
-
-Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
-- *Group Policy* settings
-- WMI
-- PowerShell
-- Endpoint Protection
-> **Note:** Scanning archive files might increase the time required to complete a scan.
-
-If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but theres a .r00 file thats actually .rar content, it will still be scanned if archive scanning is enabled.
-
-## Use *Group Policy* settings to enable archive scans
-
-This policy setting allows you to turn on archive scanning.
-
-Turn on email scanning with the following *Group Policy* settings:
-1. Open the **Group Policy Editor**.
-2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
-3. Click **Scan**.
-4. Double-click **Scan archive files**.
-
- This will open the **Scan archive files** window:
-
- 
-
-5. Select **Enabled**.
-6. Click **OK** to apply changes.
-
-There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
-- Maximum directory depth level into which archive files are unpacked during scanning
-
- 
-
-- Maximum size of archive files that will be scanned
-
- 
-
-- Maximum percentage CPU utilization permitted during a scan
-
- 
-
-## Use WMI to disable archive scans
-
-You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).
-
-Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
-**DisableArchiveScanning**
-Data type: **boolean**
-Access type: Read-only
-Disable archive scanning.
-
-## Use PowerShell to enable archive scans
-
-You can also enable archive scanning using the following PowerShell parameter:
-1. Open PowerShell or PowerShellISE.
-2. Type **Set-MpPreference -DisableArchiveScanning $false**.
-
-Read more about this in:
-- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
-- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)
-
-## Use Endpoint Protection to configure archive scans
-
-In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
-
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
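Review bot: in the new scanning options table, the reparse point row lists `-DisableRestorePoint` as the PowerShell parameter, but that name refers to restore points, not reparse points; verify the correct parameter or mark the cell "Not available" as the packed-executable rows do, because an administrator following the table would toggle an unrelated setting. Further points in this hunk: the first row's link `[Email scanning limitations](#ref1))` has a stray closing parenthesis and its anchor #ref1 does not match the `### Email scanning limitations` heading added below; the Group Policy procedure is numbered 1, 3, 4, 5, 6 (step 2 is missing); the `>[!WARNING]` block is followed by two list items without the leading `>`, so they render outside the warning; the table does not say that the listed `-Disable*` switches invert the policy sense (the removed text showed that enabling archive scanning is `Set-MpPreference -DisableArchiveScanning $false`, and the table's "Enabled" default needs that reading); typos "precendence", "This a theoretical maximum", "applies not limit" and "non-uni-code" (should be "non-Unicode"); and the file now ends without a trailing newline.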
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index 21b8b172ec..636c697802 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -180,6 +180,5 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
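Review bot: this hunk drops the "[Windows Defender ATP alert API fields]" link without a replacement; if the api-portal-mapping topic still exists, keep the link (renamed as needed) so the ArcSight page retains its field-mapping reference.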
diff --git a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
index 7bd0777196..0321537068 100644
--- a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -135,7 +135,7 @@ You may choose to disable the Block at First Sight feature if you want to retain
5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**.
-1. Double-click the **Configure the Block at First Sight feature** setting and set the option to **Disabled**.
+1. Double-click the **Configure the 'Block at First Sight' feature** setting and set the option to **Disabled**.
> [!NOTE]
> Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
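Review bot: the step following "5. Expand the tree..." is numbered "1." in both the old and the new line; renumber it "6." so the list reads in order in source, even if the renderer auto-numbers it.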
@@ -143,7 +143,7 @@ You may choose to disable the Block at First Sight feature if you want to retain
## Related topics
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
index 8846515965..ab5f73d845 100644
--- a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -57,14 +57,14 @@ You can use Group Policy to specify an extended timeout for cloud checks.
4. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
-5. Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
+5. Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
6. Click **OK**.
## Related topics
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
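Review bot: the old and new versions of step 5 are textually identical, so this is a whitespace-only change (most likely trailing or non-breaking spaces); harmless, but confirm it is intentional rather than an editor artifact. The Related topics retarget to windows-defender-antivirus-in-windows-10.md matches the rename used in the other files in this change.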
diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 59f309b4ab..c6e02becaf 100644
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -84,7 +84,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
- b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+ b. Click the **Endpoint offboarding** section.
+
+ c. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index d5fb36ac0b..058966943e 100644
--- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -108,7 +108,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
- b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
+ b. Click the **Endpoint offboarding** section.
+
+ c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 49e9d275ab..89f4c7887d 100644
--- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -88,7 +88,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
- b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
+ b. Click the **Endpoint offboarding** section.
+
+ c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
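Review bot: the option name in new step c repeats the product name, "System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602"; since the line is being rewritten anyway, drop the duplicate so it matches the label shown in the portal.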
diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 50903ddc26..31b9b673c4 100644
--- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -78,7 +78,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
- b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
+ b. Click the **Endpoint offboarding** section.
+
+ c. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
index 8d08d5f71b..874d94951f 100644
--- a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---
-# Configure and validate file and folder exclusions in Windows Defender AV scans
+# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans
**Applies to:**
@@ -33,314 +33,20 @@ author: iaanw
- Microsoft Intune
- Windows Defender Security Center
-You can exclude certain files, folders, processes, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus.
-Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only aply to real-time protection.
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools).
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
-You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), although you will need to use several different cmdlets.
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting.
+## In this section
-PowerShell can be used to [validate that your exclusion lists are working as expected](#validate).
+Topic | Description
+---|---
+[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location
+[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process
+[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions
-
-## Use Group Policy to configure exclusion lists
-
-**Use Group Policy to configure file extension exclusions:**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-
-6. Double-click the **Extension Exclusions** setting and add the exclusions:
-
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**
- 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**.
-
-
-
-**Use Group Policy to exclude specified files or folders from scans:**
-
->[!NOTE]
->The exclusion will apply to any file with the defined file name - regardless of its location. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-
-6. Double-click the **Path Exclusions** setting and add the exclusions:
-
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**
- 3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**.
-
-
-
-**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
-
->[!NOTE]
->You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).
->You can only exclude files modified by processes if the process is an executable.
-
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-
-6. Double-click the **Process Exclusions** setting and add the exclusions:
-
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**
- 3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**.
-
-
-
-
-## Use PowerShell cmdlets and WMI to configure exclusion lists
-
-Excluding and reviewing file extensions, paths and files (including processes), and files opened by processes with PowerShell requires using a combination of four cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
-
-There are three exclusion lists:
-- ExclusionExtension
-- ExclusionPath
-- ExclusionProcess
-
-You can modify each of the lists with the following cmdlets:
-- Set-MpPreference to create or overwrite the defined list
-- Add-MpPreference to add new items to the defined list
-- Remove-MpPreference to remove or delete items from the defined list
-- Get-MpPreference to review the items in the list, either all at once with all other Windows Defender AV settings, or individually for each of the lists
-
->[!IMPORTANT]
->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
-
-The following matrix provides sample commands based on what you want to exclude, and whether you want to create a list, add to the list, or remove items from the list.
-
-
-Configuration action | Type of exclusion | PowerShell command |
-
-
-Create or overwrite a list | File extensions that should be excluded from scans |
-Set-MpPreference -ExclusionExtension ".extension1, .extension2, .extension3" |
-
-Files (including processes) and paths that should be excluded from scans |
-Set-MpPreference -ExclusionPath "c:\example, d:\test\process.exe, c:\test\file.bat" |
-
-Files opened by the specified processes (executables) |
-Set-MpPreference -ExclusionProcess "c:\example\test.exe" |
-
-
-
-Add to a list | File extensions that should be excluded from scans |
-Add-MpPreference -ExclusionExtension ".extension4, .extension5" |
-
-Files (including processes) and paths that should be excluded from scans |
-Add-MpPreference -ExclusionPath "d:\test, d:\example\file.png" |
-
-Files opened by specified processes (executables) |
-Add-MpPreference -ExclusionProcess "f:\test\sample.exe" |
-
-
-
-
-Remove items from a list | File extensions that should be excluded from scans |
-Remove-MpPreference -ExclusionExtension ".extension1, .extension4, .extension5" |
-
-Files (including processes) and paths that should be excluded from scans |
-Remove-MpPreference -ExclusionPath "c:\example, d:\example\file.png" |
-
-Files opened by specified processes (executables) |
-Remove-MpPreference -ExclusionProcess "c:\example\test.exe" |
-
-
-### Review the exclusion lists with PowerShell
-
-You can retrieve the items in any of the lists in two ways:
-- Retrieve the status of all Windows Defender AV preferences. Each of the three lists will be displayed on separate lines, but the items within the list will be combined into the same line.
-- Write the status of all preferences to a variable, and only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-
-In both instances the items are sorted alphabetically.
-
-The following sequence of code examples helps to show how this works.
-
-1. Create an example list of extensions that should be excluded from scans:
- ```PowerShell
- PS C:\> Set-MpPreference -ExclusionExtension ".test1, .test2"
- ```
-
-2. Add some additional extensions:
-
- ```PowerShell
- PS C:\> Add-MpPreference -ExclusionExtension ".test40, test50"
- ```
-
-3. Add another set of extensions:
-
- ```PowerShell
- PS C:\> Add-MpPreference -ExclusionExtension ".secondadd1, .secondadd2"
- ```
-
-4. Review the list as a combined list:
- ```PowerShell
- PS C:\> Get-MpPreference
- ```
-
- 
-
-
-5. Use a variable to store and retrieve only the exclusions list:
-
- ```PowerShell
- PS C:\> $WDAVprefs = Get-MpPreference
- PS C:\> $WDAVprefs.ExclusionExtension
- ```
-
- 
-
-
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to configure file extension exclusions
-
-Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-ExclusionExtension
-ExclusionPath
-ExclusionProcess
-```
-
-The use of **Set**, **Add**, and **Remove** are analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
-
-
-## Use System Center Configuration Manager, Intune, or the Windows Defender Security Center app to configure exclusion lists
-
-
-**Use Configuration Manager to configure file extension exclusions:**
-
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
-
-
-**Use Microsoft Intune to configure file extension exclusions:**
-
-
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
-
-
-**Use the Windows Defender Security app to add exclusions to Windows Defender AV:**
-
-See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
-
-
-
- ## Configure auto exclusions lists for Windows Server deployments
-
-If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
-
-These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
-
-You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other sections in this topic.
-
-You can also disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
-
-**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
-
-**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -DisableAutoExclusions
-```
-
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-
-**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-DisableAutoExclusions
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
-
-## Use wildcards in exclusion lists
-
-You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the exclusion lists.
-
-You cannot use a wildcard in place of a drive letter.
-
-
-The following table describes how the wildcards can be used and provides some examples.
-
-Wildcard | Use | Example use | Example matches
----|---|---|---
-**\*** (asterisk) | Replaces any number of chararacters | - C:\MyData\my\*.zip
- C:\somepath\\\*\Data
- .t\*t
| - C:\MyData\my-archived-files-43.zip
- C:\somepath\folder1\folder2\Data
- .test
-**?** (question mark) | Replaces a single character | - C:\MyData\my\*.zip
- C:\somepath\\\*\Data
- .t\*t
| - C:\MyData\my1.zip
- C:\somepath\P\Data
- .txt
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | - %ALLUSERSPROFILE%\CustomLogFiles
- %APPDATA%\Data\file.png
| - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
- C:\Users\username\AppData\Roaming\Data\file.png
-
-
-
-## Validate exclusions lists with the EICAR test file
-
-You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
-
-In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
-
-```PowerShell
-Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
-```
-
-If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
-
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet, replace *c:\test.txt* with a file that conforms to the rule you are validating:
-
-```PowerShell
-$client = new-object System.Net.WebClient
-$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
-```
-
-
-## Related topics
-
-- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
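Review bot: typo in the new intro paragraph of this hunk: "Exclusions for process-opened files only aply to real-time protection" should read "apply". Two smaller points on the same hunk: the first new line says "Windows Defender Antivirus" while the rest of the new text and the "In this section" rows use "Windows Defender AV", so pick one; and the old "Related topics" list (the links to the scan customization and the Windows 10 overview topics) is deleted without a replacement, so this landing page no longer links to those topics unless the "In this section" table is meant to cover that.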
diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..3d78deccde
--- /dev/null
+++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,281 @@
+---
+title: Configure and validate exclusions based on extension, name, or location
+description: Exclude files from Windows Defender AV scans based on their file extension, file name, or location.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate exclusions based on file extension and folder location
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists.
+
+This topic describes how to configure exclusion lists for the following:
+
+Exclusion | Examples | Exclusion list
+---|---|---
+Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
+Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
+A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
+A specific process | The executable file c:\test\process.exe | File and folder exclusions
+
+This means the exclusion lists have the following characteristics:
+- Folder exclusions will apply to all files and folders under that folder.
+- File extensions will apply to any file name with the defined extension, regardless of where the file is located.
+
+
+To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic.
+
+
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists.
+
+
+By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
+
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+
+
+
+
+
+## Configure the list of exclusions based on folder name or file extension
+
+
+**Use Group Policy to configure folder or file extension exclusions:**
+
+>[!NOTE]
+>If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+
+6. Double-click the **Path Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**.
+
+
+
+8. Double-click the **Extension Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes.
+
+
+9. Click **OK**.
+
+
+
+
+
+**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
+
+Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+The format for the cmdlets is:
+
+```PowerShell
+ - "- "
+```
+
+The following are allowed as the \:
+
+Configuration action | PowerShell cmdlet
+---|---
+Create or overwrite the list | `Set-MpPreference`
+Add to the list | `Add-MpPreference`
+Remove item from the list | `Remove-MpPreference`
+
+The following are allowed as the \:
+
+Exclusion type | PowerShell parameter
+---|---
+All files with a specified file extension | `-ExclusionExtension`
+All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
+
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
+
+```PowerShell
+Add-MpPreference -ExclusionExtension ".test"
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionExtension
+ExclusionPath
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure file name, folder, or file extension exclusions:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
+
+
+## Use wildcards in the file name and folder path or extension exclusion lists
+
+You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list.
+
+>[!IMPORTANT]
+>Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
+
+You cannot use a wildcard in place of a drive letter.
+
+
+The following table describes how the wildcards can be used and provides some examples.
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+\* (asterisk) | Replaces any number of characters |
- C:\MyData\my\*.zip
- C:\somepath\\\*\Data
| - C:\MyData\my-archived-files-43.zip
- Any file in C:\somepath\folder1\folder2\Data
+? (question mark) | Replaces a single character | - C:\MyData\my\?.zip
- C:\somepath\\\?\Data
| - C:\MyData\my1.zip
- Any file in C:\somepath\P\Data
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | - %ALLUSERSPROFILE%\CustomLogFiles
| - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
+
+
+
+
+
+## Review the list of exclusions
+
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+**Review the list of exclusions alongside all other Windows Defender AV preferences:**
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+In the following example, the items contained in the `ExclusionExtension` list are highlighted:
+
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Retrieve a specific exclusions list:**
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionExtension
+$WDAVprefs.ExclusionPath
+```
+
+In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
+
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+
+
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
+
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
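Review bot: the cmdlet format block in the PowerShell section is broken: the fenced block contains only `- "- "`, and the two sentences that follow it read "The following are allowed as the \:" with nothing after the backslash, so the angle-bracket placeholders for the cmdlet, the exclusion list parameter and the item appear to have been swallowed; escape or backtick them so the template renders. Other points in this file: the front matter title ("exclusions based on extension, name, or location"), the H1 ("based on file extension and folder location") and the TOC row in the landing page ("based on file name, extension, and folder location") all differ, and `ms.pagetype: security` appears twice in the front matter. The Group Policy procedure numbers its steps 1, 3, 4, 5, so a step 2 is missing, and step 6.3 ends with "Enter **0** in the **Value** column for all processes", which is left over from the process-exclusion text and does not fit a folder or extension list. "Windows Management Instruction (WMI)" in the WMI heading should be "Windows Management Instrumentation", as in the manageability list at the top. The intro links to `#gp`, `#man-tools`, `#ps`, `#review`, `#validate` and `#wildcards`, but none of the new headings carries those ids, so confirm the anchor elements exist. In the "Review the list of exclusions" section, "In the following example, the items ... are highlighted:" and "In the following example, the list is split into new lines ..." are each followed by nothing, so the screenshots referenced are missing, and the "See [Use PowerShell cmdlets ...]" paragraph is repeated twice within that section. The wildcard table's multi-item cells are split across several lines, which a markdown pipe table will not render as one row. Finally, "as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt*" mixes a dash and a semicolon; a comma or a separate sentence reads better.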
diff --git a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
index 6e7a6b7927..58d8075e0c 100644
--- a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -53,21 +53,21 @@ To configure these settings:
7. Deploy the Group Policy Object as usual.
-Location | Setting | Impact if **Enabled** | Configuration topic
+Location | Setting | Configuration topic
---|---|---|---
-MAPS | Configure local setting override for reporting to Microsoft MAPS | User can disable cloud protection | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
-Quarantine | Configure local setting override for the removal of items from Quarantine folder | User can change the number of days threats are kept in the quarantine folder before being removed |[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring file and program activity on your computer | User can disable real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | User can change direction for file activity monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for scanning all downloaded files and attachments | Allow user to disable scans of downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override for turn on behavior monitoring | User | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Real-time protection | Configure local setting override to turn on real-time protection | xxx | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
-Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | xxx | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
-Scan | Configure local setting override for maximum percentage of CPU utilization | xxx | [Configure and run scans](run-scan-windows-defender-antivirus.md)
-Scan | Configure local setting override for schedule scan day | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled quick scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for scheduled scan time | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
-Scan | Configure local setting override for the scan type to use for a scheduled scan | xxx | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
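Review bot: the separator row `---|---|---|---` under the new header still declares four columns while `Location | Setting | Configuration topic` now has three, so the table will render misaligned; change it to `---|---|---`. Dropping the "Impact if **Enabled**" column also discards the only security-relevant information in the table (that enabling the MAPS, real-time protection and downloaded-file overrides lets a local administrator turn cloud protection, real-time protection or download scanning off). Rather than removing the column because several cells were `xxx` placeholders, fill the placeholders in, or state once above the table that every setting listed lets a local setting override the managed value.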
diff --git a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
index 4bba9f4ec2..21303b1d7c 100644
--- a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
@@ -191,9 +191,7 @@ The Windows event log will also show [Windows Defender client event ID 2050](tro
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/)
-
-
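Review bot: the unchanged bullet "[Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)" links to the same file twice under two names; since this hunk already edits the list to fix the `windows-defender-antivirus-in-windows-10.md` link, collapse that bullet to a single link.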
diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..e1043e17fc
--- /dev/null
+++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,217 @@
+---
+title: Configure exclusions for files opened by specific processes
+description: You can exclude files from scans if they have been opened by a specific process.
+keywords: process, exclusion, files, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure exclusions for files opened by processes
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV.
+
+This topic describes how to configure exclusion lists for the following:
+
+
+
+Exclusion | Example
+---|---
+Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: - c:\sample\test.exe
- d:\internal\files\test.exe
+Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:- c:\test\sample\test.exe
- c:\test\sample\test2.exe
- c:\test\sample\utility.exe
+Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
+
+When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
+
+The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans.
+
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
+
+
+By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
+
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+
+## Configure the list of exclusions for files opened by specified processes
+
+
+
+**Use Group Policy to exclude files that have been opened by specified processes from scans:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+
+6. Double-click the **Process Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**.
+
+
+
+
+
+**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:**
+
+Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+The format for the cmdlets is:
+
+```PowerShell
+ -ExclusionProcess "- "
+```
+
+The following are allowed as the \:
+
+Configuration action | PowerShell cmdlet
+---|---
+Create or overwrite the list | `Set-MpPreference`
+Add to the list | `Add-MpPreference`
+Remove items from the list | `Remove-MpPreference`
+
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:
+
+```PowerShell
+Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:**
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionProcess
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Configuration Manager to exclude files that have been opened by specified processes from scans:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
+
+
+## Use wildcards in the process exclusion list
+
+The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
+
+In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.
+
+The following table describes how the wildcards can be used in the process exclusion list:
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+\* (asterisk) | Replaces any number of characters | |
- Any file opened by C:\MyData\file.exe
+? (question mark) | Not available | \- | \-
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | - %ALLUSERSPROFILE%\CustomLogFiles\file.exe
| - Any file opened by C:\ProgramData\CustomLogFiles\file.exe
+
+
+
+
+
+## Review the list of exclusions
+
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+**Review the list of exclusions alongside all other Windows Defender AV preferences:**
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Retrieve a specific exclusions list:**
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionProcess
+```
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
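Review bot: the examples table shows that a bare name such as "test.exe" excludes files opened by any process with that name in any folder (`c:\sample\test.exe`, `d:\internal\files\test.exe`), but the topic never warns that this is the easiest exclusion for an attacker to abuse: any binary dropped on the machine under that name inherits the same real-time-protection exemption for every file it opens. Add a caution beside the table recommending the full-path form (`c:\test\process.exe`) and reserving bare names for cases where the installation path genuinely varies. Further points in this hunk: the cmdlet placeholder has been lost from the format block (`-ExclusionProcess "- "`) and from the sentence "The following are allowed as the \:", presumably an unescaped `<cmdlet>` tag swallowed by the renderer, so escape it or write it as `\<cmdlet\>`; in "three cmdlets with the `-ExclusionProcess' parameter" the closing backtick is an apostrophe; "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation"; `ms.pagetype: security` appears twice in the front matter; the Group Policy steps are numbered 1, 3, 4 with no step 2; and in the wildcard table the asterisk row has an empty "Example use" cell while its match example (`Any file opened by C:\MyData\file.exe`) has spilled onto the following line without a leading `+`.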
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 5e69d804c4..8ef29a6be5 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -37,8 +37,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Manual static proxy configuration:
- - WinHTTP configured using netsh command
- Registry based configuration
+ - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
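Review bot: the unchanged sentence directly under the heading, "if a computer is not be permitted to connect to the Internet", should read "is not permitted"; since this hunk already touches the surrounding text, fix it here. The reorder also leaves the qualifier attached only to the netsh item; for symmetry, give the "Registry based configuration" item the matching note that it is the option to use for devices that change networks, which is what the second hunk in this file says.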
@@ -61,7 +61,8 @@ The registry value `DisableEnterpriseAuthProxy` should be set to 1.
Use netsh to configure a system-wide static proxy.
> [!NOTE]
-> This will affect all applications including Windows services which use WinHTTP with default proxy.
+> - This will affect all applications including Windows services which use WinHTTP with default proxy.
+> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.
1. Open an elevated command-line:
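Review bot: "will malfunction with netsh" in the new note is vague; say what breaks: a netsh WinHTTP proxy is a fixed system-wide setting, so once the laptop moves to a network where that proxy is unreachable, every WinHTTP client, including the Windows Defender ATP sensor, loses connectivity until the proxy is reset. The "Suitable only for desktops in a stable topology" qualifier added in the first hunk belongs here too, next to the netsh procedure the reader is about to follow.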
diff --git a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
index edaa9c351d..6b0d0a8a25 100644
--- a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md
@@ -42,7 +42,7 @@ These activities include events such as processes making unusual changes to exis
## Configure and enable always-on protection
-You can configure how always-on protection works with the following Group Policy settings described in this section.
+You can configure how always-on protection works with the Group Policy settings described in this section.
To configure these settings:
@@ -69,6 +69,8 @@ Real-time protection | Turn on raw volume write notifications | Information abou
Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled
Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes.
Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled (both directions)
+Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
+Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled
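Review bot: the descriptions of the two new Root rows read as the inverse of their setting names. "Allow antimalware service to startup with normal priority" is described as "You can lower the priority of the AV engine", and "Allow antimalware service to remain running always" is said to lower protection on the endpoint, although keeping the service running cannot reduce protection. Rewrite each description to say what **Enabled** does (the service starts with normal rather than lowered priority; the service keeps running even when protection updates have been disabled, as the row's own first sentence says) and put any protection impact on the **Disabled** side. Also, the unchanged row above, "Configure monitoring for incoming and outgoing file and program activity", has no fourth column, and its default "(both directions)" appears to have been appended to the "Turn on heuristics" row beneath it.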
diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
index bfc941c20c..ea6dd93746 100644
--- a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Remediate and resolve infections detected by Windows Defender AV
description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-keywords:
+keywords: remediation, fix, remove, threats, quarantine, scan, restore
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -14,4 +14,64 @@ author: iaanw
-# Configure remediation for Windows Defender AV scans
\ No newline at end of file
+# Configure remediation for Windows Defender AV scans
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+
+When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
+
+This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings).
+
+You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) to configure these settings.
+
+## Configure remediation options
+
+You can configure how remediation with the Group Policy settings described in this section.
+
+To configure these settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
+Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
+Root | Turn off routine remediation | You can specify whether Windows Defender AV automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
+Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
+Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
+Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
+
+
+Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
+
+## Related topics
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
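Review bot: "You can configure how remediation with the Group Policy settings described in this section" is missing its verb phrase; the real-time protection topic in this same patch uses "how always-on protection works", so "how remediation works" matches. Other points in this hunk: the Group Policy steps jump from 1 to 3; and the two Threats rows let an administrator set threats of a given alert level, or specific threat IDs, to "ignored", while "Turn off routine remediation" defers the decision to the end user, yet none of the three rows says that the detected threat is then left in place. One sentence of caution under the table would make that consequence explicit.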
diff --git a/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..c293dd3358
--- /dev/null
+++ b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,84 @@
+---
+title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016
+description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions.
+keywords: exclusions, server, auto-exclusions, automatic, custom, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure exclusions in Windows Defender AV on Windows Server 2016
+
+
+**Applies to:**
+
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+
+If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
+
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics:
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+
+
+You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
+
+**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
+
+**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
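Review bot: `Set-MpPreference -DisableAutoExclusions` as shown will not run, because the Disable* parameters of the Defender cmdlets take a Boolean value rather than acting as switches; the line should be `Set-MpPreference -DisableAutoExclusions $true` (and `$false` to restore the auto-exclusions). Also: "Use the following cmdlets" introduces a single cmdlet; "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation"; `ms.pagetype: security` appears twice in the front matter; and since the topic says the role-based auto-exclusions do not appear in the Security Center exclusion lists, it should tell administrators where to see which paths are currently excluded (the linked automatic-exclusions page) before deciding whether to turn them off, because those lists define the server's unscanned surface.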
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
index f40c7d579d..708ddc8854 100644
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -135,6 +135,6 @@ Use the solution explorer to view alerts in Splunk.
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md
deleted file mode 100644
index 32dc5bdf7d..0000000000
--- a/windows/keep-secure/configure-windows-defender-in-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Configure and use Windows Defender in Windows 10
-description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
-ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus/
----
-
-# Configure Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.
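Review bot: deleting this stub also deletes the `redirect_url: /itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus/` it carried, so existing inbound links to configure-windows-defender-in-windows-10.md will break unless that redirect has been moved into the repo's redirection table. Please confirm the redirect exists elsewhere before merging, or keep the stub.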
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 079086758f..e24a68abfe 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -13,8 +13,8 @@ localizationpriority: high
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:**
-- Windows 10, version 1607
-- Windows 10 Mobile
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
@@ -29,20 +29,20 @@ The recovery process included in this topic only works for desktop devices. WIP
2. Run this command:
- `cipher /r:`
+ cipher /r:EFSRA
- Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create.
+ Where *EFSRA* is the name of the .cer and .pfx files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
- >[!IMPORTANT]
+ >[!Important]
>Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
-4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
+4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
- >[!NOTE]
+ >[!Note]
>To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
**To verify your data recovery certificate is correctly set up on a WIP client computer**
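Review bot: the new command `cipher /r:EFSRA` does not match the surrounding text, which says the walkthrough uses the file name EFSDRA and then refers to EFSDRA.cer and EFSDRA.pfx; use one name throughout. Dropping the backticks also turns the command from inline code into prose, so it renders inside the step text and is no longer visibly a command or a placeholder; the earlier form with inline code and an explicit placeholder (`cipher /r:<EFSRA>`) was clearer. Two minor points: the alert markers change from `[!IMPORTANT]`/`[!NOTE]` to `[!Important]`/`[!Note]` while other files in this diff keep the uppercase form, so confirm the renderer accepts mixed case; and the rewritten step 4 appears to differ from the removed line only in trailing whitespace.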
@@ -53,9 +53,9 @@ The recovery process included in this topic only works for desktop devices. WIP
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
- `cipher /c `
+ cipher /c file_name
- Where *<filename>* is the name of the file you created in Step 1.
+ Where *file_name* is the name of the file you created in Step 1.
4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
@@ -67,9 +67,9 @@ The recovery process included in this topic only works for desktop devices. WIP
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
- `cipher /d `
+ cipher /d encryptedfile.extension>
- Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx.
+ Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
**To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
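Review bot: `cipher /d encryptedfile.extension>` keeps a stray `>` from the old `<encryptedfile.extension>` placeholder at the end of the command; it should read `cipher /d encryptedfile.extension`, or better keep the angle-bracket placeholder in inline code so the reader sees it as a placeholder and not as a literal file name.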
@@ -79,24 +79,50 @@ It's possible that you might revoke data from an unenrolled device only to later
1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
- `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW`
+ Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” /EFSRAW
- Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
+ Where ”*new_location*" is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
- `cipher.exe /D <“new_location”>`
+ cipher.exe /D "new_location"
3. Have your employee sign in to the unenrolled device, and type:
- `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”`
+ Robocopy "new_location" “%localappdata%\Microsoft\EDP\Recovery\Input”
4. Ask the employee to lock and unlock the device.
- The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
+ The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input
location.
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+**To quickly recover WIP-protected desktop data in a cloud-based environment**
+If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences.
+
+>[!IMPORTANT]
+>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
+
+1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands:
+
+ - If the keys are still stored within the employee's profile, type: Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” * /EFSRAW
+
+ -or-
+
+ - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” "new_location” * /EFSRAW>
+
+ >[!Important]
+ >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent.
+
+2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing:
+
+ cipher.exe /D “new_location”
+
+3. Have your employee sign in to the device again, open the **Run** command, and type:
+
+ Robocopy “new_location” “%localappdata%\Microsoft\EDP\Recovery\Input”
+
+4. Ask the employee to lock and unlock the device.
+
+ The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input
location. All your company’s previously revoked files should be accessible to the employee again.
## Related topics
- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
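Review bot: the second Robocopy command in step 1 of the cloud-based procedure has a stray `>` after `/EFSRAW` and mixes curly and straight quotes (`“drive_letter:\System Volume Information\EDP\Recovery\” "new_location” * /EFSRAW>`). cmd.exe and the Run dialog treat the typographic “ ” characters as literal text rather than as quoting, so a path containing spaces such as `System Volume Information` is split into separate arguments if a reader copies the line as rendered. Every command in this hunk should use ASCII double quotes and stay formatted as code, as it was before the `-` lines removed the backticks. Also in this hunk: "Recovery\Input" is now broken across two lines mid-sentence in both procedures, and step 2 of the new procedure has the operator use "administrator credentials that have access to your organization's DRA certificate private key"; point back to the Important note earlier in this file about keeping those .pfx files offline, since this is the step where that key is actually exposed on a device.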
@@ -109,5 +135,5 @@ It's possible that you might revoke data from an unenrolled device only to later
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
-
+**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index f0c94d6dba..76ded492c6 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -11,20 +11,14 @@ localizationpriority: high
---
# Create a Windows Information Protection (WIP) policy using Microsoft Intune
+
**Applies to:**
-- Windows 10, version 1607
-- Windows 10 Mobile
+- Windows 10, version 1703
+- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
-## Important note about the June service update for Insider Preview
-We've received some great feedback from you, our Windows 10 Insider Preview customers, about our Windows Information Protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing Windows Information Protection policy after we release the June service update in your test environment, your existing Windows 10 Windows Information Protection app rules (formerly in the **Protected Apps** area) will be removed.
To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
-
-
-
-Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
-
## Add a WIP policy
After you’ve set up Intune for your organization, you must create a WIP-specific policy.
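Review bot: removing the "Important note about the June service update" heading and its first paragraph leaves the next paragraph, the unchanged line beginning "To prepare for this change, we recommend that you make an immediate backup of your current app rules", in place, so the page now refers to "this change" and "the June service update" with no antecedent. Either delete that paragraph as well or move it, with the context it needs, into the **Add a WIP policy** section. Separately, the Applies-to list now reads "Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)"; that caveat belongs in the Azure Rights Management section added later in this file rather than in the version list.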
@@ -44,10 +38,11 @@ During the policy-creation process in Intune, you can choose the apps you want t
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
->[!IMPORTANT]
+>[!Important]
>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
->[!NOTE]
+
+>[!Note]
>If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
#### Add a store app rule to your policy
@@ -77,8 +72,7 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
- >[!NOTE]
- >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+ >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
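Review bot: the replacement `>**Note**` blockquotes only its own line; the following sentence ("If your app is already installed on desktop devices...") is not prefixed with `>`, so it renders as ordinary body text under a bold "Note" rather than as a callout. Either keep the `>[!NOTE]` alert with `>` on each body line, or add `>` to the body line here.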
@@ -95,11 +89,8 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
-
- For example:
-
+ >[!Important]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@@ -109,8 +100,7 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
- >[!NOTE]
- >Your PC and phone must be on the same wireless network.
+ >**Note**
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
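Review bot: `>**Note**` here quotes only itself, and the body line "Your PC and phone must be on the same wireless network." is left outside the blockquote, so it renders as plain text under a bold "Note" instead of inside the callout; prefix that line with `>` or restore the `>[!NOTE]` form.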
@@ -126,15 +116,12 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
-
- For example:
-
- ``` json
+ >[!Important]
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
+ ```json
{
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
```
#### Add a desktop app rule to your policy
@@ -367,49 +354,49 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.

-
+
-
- Network location type |
- Format |
- Description |
-
-
- Enterprise Cloud Resources |
- With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.comWithout proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy> . If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ |
-
-
- Enterprise Network Domain Names (Required) |
- corp.contoso.com,region.contoso.com |
- Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
-
-
- Enterprise Proxy Servers |
- proxy.contoso.com:80;proxy2.contoso.com:443 |
- Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet. This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic. This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network. If you have multiple resources, you must separate them using the ";" delimiter. |
-
-
- Enterprise Internal Proxy Servers |
- contoso.internalproxy1.com;contoso.internalproxy2.com |
- Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
-
- Enterprise IPv4 Range (Required, if not using IPv6) |
- **Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
-
- Enterprise IPv6 Range (Required, if not using IPv4) |
- **Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
-
- Neutral Resources |
- sts.contoso.com,sts.contoso2.com |
- Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
-
+
+ Network location type |
+ Format |
+ Description |
+
+
+ Enterprise Cloud Resources |
+ With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.comWithout proxy: contoso.sharepoint.com|contoso.visualstudio.com |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy> . Important In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ . When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. |
+
+
+ Enterprise Network Domain Names (Required) |
+ corp.contoso.com,region.contoso.com |
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
+
+
+ Enterprise Proxy Servers |
+ proxy.contoso.com:80;proxy2.contoso.com:443 |
+ Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet. This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic. This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network. If you have multiple resources, you must separate them using the ";" delimiter. |
+
+
+ Enterprise Internal Proxy Servers |
+ contoso.internalproxy1.com;contoso.internalproxy2.com |
+ Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
+
+
+ Enterprise IPv4 Range (Required, if not using IPv6) |
+ **Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
+ Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
+
+
+ Enterprise IPv6 Range (Required, if not using IPv4) |
+ **Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
+ Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
+
+
+ Neutral Resources |
+ sts.contoso.com,sts.contoso2.com |
+ Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
+
+
3. Add as many locations as you need, and then click **OK**.
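Review bot: the new Important text in the Enterprise Cloud Resources row should state the trade-off of `/*AppCompat*/` explicitly. The default (block) is what stops WIP-protected data from reaching a destination Windows cannot classify, and adding the string changes that to allow for every connection Windows cannot attribute, not only the direct-to-IP case used as the example. The Conditional Access recommendation, as the row itself says, only covers "enterprise cloud resources that are protected by conditional access", so present it as a partial mitigation rather than as a replacement for the blocking behaviour. Since the whole table is re-emitted in this hunk, also consider replacing the IPv4 example `3.4.0.1-3.4.255.254`, which is a public range presented as "within your intranet", with a private range such as the `10.0.0.1-10.255.255.254` already shown in the same cell.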
@@ -431,6 +418,16 @@ There are no default locations included with WIP, you must add each of your netw
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
+### Choose to set up Azure Rights Management with WIP
+WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
+
+To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
+
+Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
+
+>[!NOTE]
+>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
+
### Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
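Review bot: the new Azure Rights Management section says nothing about what happens to RMS-protected copies on removable drives when a device is unenrolled or its data is revoked, which is the question the EFS DRA material just above answers for locally encrypted files; add a sentence on whether revocation reaches those copies, or a pointer to where that is documented, before recommending the feature. Smaller points: "mark the template with the **EditRightsData** option" and "the **TemplateID**" are introduced without saying where in the template configuration they live, so link the exact item the EnterpriseDataProtection CSP topic names; and the note mixes `>[!NOTE]` with the `>**Note**` style used elsewhere in this diff, so pick one.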
@@ -471,11 +468,13 @@ After you've decided where your protected apps can access enterprise data on you
2. Click **Save Policy**.
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
## Related topics
- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
+- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
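Review bot: the link `[What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)` has a space after the opening parenthesis, which some Markdown renderers reject, so it may render as literal text; remove the space. "Azure RMS Documentation Update for May 2016" is a dated blog post rather than reference documentation, so consider dropping it in favour of the Azure RMS docs link already in the list. The file is also still written without a trailing newline.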
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 49801ae337..5a51f50d60 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -94,8 +94,7 @@ If you don't know the publisher or product name, you can find them for both desk
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
- >[!NOTE]
- >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+ >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
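Review bot: Replacing `>[!NOTE]` with `>**Note**` leaves the note heading in a blockquote while its body line ("If your app is already installed on desktop devices...") is not prefixed with `>`, so the two render as separate blocks and the body no longer reads as part of the note. Either prefix the body with `>` as well or keep the `[!NOTE]` alert syntax, which the rest of this doc set uses and which renders the body correctly.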
@@ -112,10 +111,7 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
- >For example:
-
+ >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
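Review bot: Same structural problem as the previous hunk: `>**Important**` opens a blockquote but the explanatory text about `windowsPhoneLegacyId` and the "For example:" line that follows are no longer quoted, so the Important callout is reduced to a bold word on its own line. The `windowsPhoneLegacyId` guidance (Product Name set to the ID, Publisher Name set to "CN=" plus the ID) is the part users must get right for the WIP policy to match the XAP app, so keep it visibly inside the callout, either by prefixing those lines with `>` or by restoring `>[!IMPORTANT]`.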
@@ -125,8 +121,7 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
- >[!NOTE]
- >Your PC and phone must be on the same wireless network.
+ >**Note**
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
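Review bot: The `>**Note**` line is again followed by an unquoted body ("Your PC and phone must be on the same wireless network."), so the requirement renders outside the note. Since this hunk, the two before it and the one after all make the same `[!NOTE]`/`[!IMPORTANT]` to `**Note**`/`**Important**` swap, it would help to state in the commit message why the alert syntax is being removed from this file while the new Credential Guard files in the same commit still use `> [!NOTE]`.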
@@ -142,10 +137,8 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
- >[!IMPORTANT]
- >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+ >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
>For example:
-
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
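Review bot: This hunk is internally inconsistent: the Important body on the line after `>**Important**` loses its `>` prefix, but `>For example:` keeps it, so "For example:" renders as a one-line blockquote on its own between the unquoted explanation and the `json` fence. Make the three lines consistent (all quoted or none), and note that the parallel hunk at -112,10 in this same file removed the blank line before the fence in the same way, so whichever form is chosen should be applied to both.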
diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/keep-secure/credential-guard-considerations.md
new file mode 100644
index 0000000000..c2bc39226d
--- /dev/null
+++ b/windows/keep-secure/credential-guard-considerations.md
@@ -0,0 +1,55 @@
+---
+title: Considerations when using Credential Guard (Windows 10)
+description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Considerations when using Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
+in the Deep Dive into Credential Guard video series.
+
+- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
+- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
+ - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
+ - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
+ - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
+ - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+ - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
+ - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
+ - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+ You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
+- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
+- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
+
+- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
+ - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
+ - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
+ - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
+ - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
+
+
+## NTLM and CHAP Considerations
+
+When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
+
+## Kerberos Considerations
+
+When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
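Review bot: The nested list under "Event ID 14" is indented with a single space, the same as its parent bullets, so "The first variable"/"The second variable" and the "You can also verify that TPM is being used..." paragraph will not render as children of Event ID 14 and the Event ID 51 bullet ends up attached to the wrong item; indent the sub-bullets by at least two spaces and give the TPM paragraph its own indentation level. Since the Event ID 14 text tells reviewers that the second value "should always be 0" (protect mode, not test mode), the hierarchy matters for anyone auditing these logs. Smaller fixes: "certificated-based authentication" in the NTLM and CHAP section should be "certificate-based authentication", and "Any use of undocumented APIs within custom SSPs and APs are not supported" should read "is not supported".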
diff --git a/windows/keep-secure/credential-guard-how-it-works.md b/windows/keep-secure/credential-guard-how-it-works.md
new file mode 100644
index 0000000000..da731369ea
--- /dev/null
+++ b/windows/keep-secure/credential-guard-how-it-works.md
@@ -0,0 +1,44 @@
+---
+title: How Credential Guard works
+description: Using virtualization-based security, Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# How Credential Guard works
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Prefer video? See [Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the Deep Dive into Credential Guard video series.
+
+
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
+
+When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+
+When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
+
+Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
+
+
+
+
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
+
+[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
+
+[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
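Review bot: The sentence "Here's a high-level overview on how the LSA is isolated by using virtualization-based security:" is followed only by blank lines, so the diagram it introduces is missing from the new file; either add the image reference or drop the lead-in sentence until the image is available. Also, "Kerberos, NTLM, and Credential manager" should be "Credential Manager" to match the capitalization used in the rest of the file, and "use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols" reads more clearly as "use credentials stored in the Windows Vault, which are not protected by Credential Guard, with any of these protocols".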
diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md
new file mode 100644
index 0000000000..a70d85eb17
--- /dev/null
+++ b/windows/keep-secure/credential-guard-manage.md
@@ -0,0 +1,192 @@
+---
+title: Manage Credential Guard (Windows 10)
+description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Manage Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
+in the Deep Dive into Credential Guard video series.
+
+## Enable Credential Guard
+Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
+
+### Enable Credential Guard by using Group Policy
+
+You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
+
+1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
+2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
+3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
+4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**.
+
+ 
+
+5. Close the Group Policy Management Console.
+
+To enforce processing of the group policy, you can run ```gpupdate /force```.
+
+
+### Enable Credential Guard by using the registry
+
+If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
+
+### Add the virtualization-based security features
+
+Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
+
+If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
+You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
+> [!NOTE]
+If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
+
+
+**Add the virtualization-based security features by using Programs and Features**
+
+1. Open the Programs and Features control panel.
+2. Click **Turn Windows feature on or off**.
+3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
+4. Select the **Isolated User Mode** check box at the top level of the feature selection.
+5. Click **OK**.
+
+**Add the virtualization-based security features to an offline image by using DISM**
+
+1. Open an elevated command prompt.
+2. Add the Hyper-V Hypervisor by running the following command:
+ ```
+ dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
+ ```
+3. Add the Isolated User Mode feature by running the following command:
+ ```
+ dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
+ ```
+
+> [!NOTE]
+> You can also add these features to an online image by using either DISM or Configuration Manager.
+
+### Enable virtualization-based security and Credential Guard
+
+1. Open Registry Editor.
+2. Enable virtualization-based security:
+ - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
+ - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
+ - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
+3. Enable Credential Guard:
+ - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
+ - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
+4. Close Registry Editor.
+
+
+> [!NOTE]
+> You can also enable Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
+
+
+### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+
+You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
+```
+
+### Credential Guard deployment in virtual machines
+
+Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
+
+Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+Requirements for running Credential Guard in Hyper-V virtual machines
+- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
+
+
+### Check that Credential Guard is running
+
+You can use System Information to ensure that Credential Guard is running on a PC.
+
+1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
+2. Click **System Summary**.
+3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
+
+ Here's an example:
+
+ 
+
+You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v3.0.ps1 -Ready
+```
+
+
+### Remove Credential Guard
+
+If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+
+1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
+2. Delete the following registry settings:
+ - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
+
+ > [!IMPORTANT]
+ > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
+
+3. Delete the Credential Guard EFI variables by using bcdedit.
+
+**Delete the Credential Guard EFI variables**
+
+1. From an elevated command prompt, type the following commands:
+ ``` syntax
+
+ mountvol X: /s
+
+ copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
+
+ bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
+
+ bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
+
+ mountvol X: /d
+
+ ```
+2. Restart the PC.
+3. Accept the prompt to disable Credential Guard.
+4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
+
+> [!NOTE]
+> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+
+For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
+
+
+#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+
+You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
+```
+
+
+
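Review bot: The registry paths used to enable and to remove Credential Guard do not match: the enable steps write `EnableVirtualizationBasedSecurity` and `RequirePlatformSecurityFeatures` under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard`, but the Remove section tells the reader to delete them from `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceGuard`. Someone who enabled via the registry and follows the removal steps as written will leave the values in place, which is exactly the situation the Important callout warns can put the device into BitLocker recovery; either list both locations in step 2 of Remove or state which path applies to Group Policy versus manual registry configuration. Also: the in-page anchors `#turn-on-credential-guard-by-using-group-policy`, `#turn-on-credential-guard-by-using-the-registry`, `#hardware-readiness-tool` and `#turn-off-with-hardware-readiness-tool` do not correspond to any heading in this file (the headings are "Enable Credential Guard by using Group Policy", "... by using the registry", "... hardware readiness tool" and "Turn off Credential Guard by using ..."), so those links are dead; the `dism /image:` and `Set-VMSecurity -VMName` commands are missing a visible placeholder for the image path and VM name; step 3 under Group Policy is missing "In the" before "**Select Platform Security Level** box"; and "### Add the virtualization-based security features" and "### Enable virtualization-based security and Credential Guard" sit at the same level as their parent "### Enable Credential Guard by using the registry", so they should be `####`.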
diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md
new file mode 100644
index 0000000000..6206dbe532
--- /dev/null
+++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md
@@ -0,0 +1,159 @@
+---
+title: Scenarios not protected by Credential Guard (Windows 10)
+description: Scenarios not protected by Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Scenarios not protected by Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Credential Guard video series.
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Key loggers
+- Physical attacks
+- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Third-party security packages
+- Digest and CredSSP credentials
+ - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
+
+For further information, see video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+- Users need to be in domains that are running Windows Server 2012 R2 or higher
+- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+- Devices' accounts are in Windows Server 2012 domain functional level or higher.
+- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+ - KDC EKU present
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+#### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3. Right-click the new template, and then click **Properties**.
+4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5. Click **Client Authentication**, and then click **Remove**.
+6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+ - Name: Kerberos Client Auth
+ - Object Identifier: 1.3.6.1.5.2.3.4
+7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8. Under **Issuance Policies**, click**High Assurance**.
+9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]
+> You must restart the device after enrolling the machine authentication certificate.
+
+#### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+ ```
+
+**To link an issuance policy to a universal security group**
+
+- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
+ ```
+
+### Restricting user sign on
+
+So we now have completed the following:
+
+- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
+- Mapped that policy to a universal security group or claim
+- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+- User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1. Open Active Directory Administrative Center.
+2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3. In the **Display name** box, enter a name for this authentication policy.
+4. Under the **Accounts** heading, click **Add**.
+5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
+6. Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12. Close Active Directory Administrative Center.
+
+> [!NOTE]
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+#### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
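Review bot: the NOTE after step 12 warns to "first only audit policy restrictions", but steps 1 to 12 never show where that choice is made; add a step that selects the audit-only option on the authentication policy before clicking **OK** (step 11), otherwise a reader following the procedure literally enforces the restriction immediately and locks users out. Also, `CertReq -EnrollCredGuardCert MachineAuthentication` takes a template name as its argument while the preceding sentence only says "using the certificate you just created"; state explicitly that `MachineAuthentication` must be replaced with the name of the template configured in the steps above. Two formatting nits: `click**High Assurance**` is missing a space, and the bold span in `**Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**` swallows the "right-click" instruction; close the bold after the log path and bold the log name separately.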
diff --git a/windows/keep-secure/credential-guard-requirements.md b/windows/keep-secure/credential-guard-requirements.md
new file mode 100644
index 0000000000..e87463063e
--- /dev/null
+++ b/windows/keep-secure/credential-guard-requirements.md
@@ -0,0 +1,120 @@
+---
+title: Credential Guard Requirements (Windows 10)
+description: Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard: Requirements
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See
+[Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
+in the Deep Dive into Credential Guard video series.
+
+For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
+
+
+
+## Hardware and software requirements
+
+To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
+- Support for Virtualization-based security (required)
+- Secure boot (required)
+- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
+- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
+
+The Virtualization-based security requires:
+- 64-bit CPU
+- CPU virtualization extensions plus extended page tables
+- Windows hypervisor
+
+## Application requirements
+
+When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
+
+>[!WARNING]
+> Enabling Credential Guard on domain controllers is not supported.
+> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
+
+>[!NOTE]
+> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
+
+Applications will break if they require:
+- Kerberos DES encryption support
+- Kerberos unconstrained delegation
+- Extracting the Kerberos TGT
+- NTLMv1
+
+Applications will prompt and expose credentials to risk if they require:
+- Digest authentication
+- Credential delegation
+- MS-CHAPv2
+
+Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
+
+See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+
+
+## Security considerations
+
+All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
+Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
+The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
+
+> [!NOTE]
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
+> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
+
+### Baseline protections
+
+|Baseline Protections | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
+| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
+| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
+
+> [!IMPORTANT]
+> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
+
+### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
+
+| Protections for Improved Security | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
+
+
+
+### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
+
+> [!IMPORTANT]
+> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
+
+| Protections for Improved Security | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+
+
+
+### 2017 Additional security qualifications starting with Windows 10, version 1703
+
+The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications.
+
+| Protection for Improved Security | Description |
+|---------------------------------------------|----------------------------------------------------|
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
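Review bot: `To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:` names the wrong component; Credential Manager is what is being protected, and the list of VBS, Secure Boot, TPM and UEFI lock describes what Credential Guard uses. That same list says `TPM 2.0 either discrete or firmware (preferred ...)` while the Baseline protections table says `TPM 1.2 or TPM 2.0, either discrete or firmware`; pick one so the two sections do not contradict each other. The Secure firmware update process row links the same `System.Fundamentals.Firmware.UEFISecureBoot` anchor as the Secure Boot row above it, which looks like a copy-paste; it should point at the firmware update requirement. In the SMM protection row the first benefit, `Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS`, is two sentences spliced together and repeats the NX row; reword it to say what WSMT adds. Typo: `compatiblity`. Finally, the table cells whose bullets sit on raw new lines (the CPU virtualization extensions, TPM, and the 2015/2016/2017 rows) need `<br>` separators, or the rows will not render as a table.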
diff --git a/windows/keep-secure/credential-guard-scripts.md b/windows/keep-secure/credential-guard-scripts.md
new file mode 100644
index 0000000000..991d0010f2
--- /dev/null
+++ b/windows/keep-secure/credential-guard-scripts.md
@@ -0,0 +1,488 @@
+---
+title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
+description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard: Scripts for Certificate Authority Issuance Policies
+
+
+Here is a list of scripts mentioned in this topic.
+
+## Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:
+help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples:
+errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
+ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
+ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
+ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
+LinkedIPs = The following Issuance Policies are linked to groups:
+displayName = displayName : {0}
+Name = Name : {0}
+dn = distinguishedName : {0}
+ InfoName = Linked Group Name: {0}
+ InfoDN = Linked Group DN: {0}
+NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
+'@
+}
+##Import-LocalizedData getIP_strings
+import-module ActiveDirectory
+#######################################
+## Help ##
+#######################################
+function Display-Help {
+ ""
+ $getIP_strings.help1
+ ""
+$getIP_strings.help2
+""
+$getIP_strings.help3
+" " + $getIP_strings.help4
+" " + $getIP_strings.help5
+ " " + $getIP_strings.help6
+ " " + $getIP_strings.help7
+""
+$getIP_strings.help8
+ " " + $getIP_strings.help9
+ ""
+ $getIP_strings.help10
+""
+""
+$getIP_strings.help11
+ " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
+ " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
+ " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
+""
+}
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+$configNCDN = [String]$root.configurationNamingContext
+if ( !($Identity) -and !($LinkedToGroup) ) {
+display-Help
+break
+}
+if ($Identity) {
+ $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
+ if ($OIDs -eq $null) {
+$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
+write-host $errormsg -ForegroundColor Red
+ }
+ foreach ($OID in $OIDs) {
+ if ($OID."msDS-OIDToGroupLink") {
+# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $groupName = $group.Name
+# Analyze the group
+ if ($group.groupCategory -ne "Security") {
+$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
+write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ }
+ }
+ return $OIDs
+ break
+}
+if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
+ $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*****************************************************"
+ write-host $getIP_strings.LinkedIPs
+ write-host "*****************************************************"
+ write-host ""
+ if ($LinkedOIDs -ne $null){
+ foreach ($OID in $LinkedOIDs) {
+# Display basic information about the Issuance Policies
+ ""
+ $getIP_strings.displayName -f $OID.displayName
+ $getIP_strings.Name -f $OID.Name
+ $getIP_strings.dn -f $OID.distinguishedName
+# Get the linked group.
+ $groupDN = $OID."msDS-OIDToGroupLink"
+ $group = get-adgroup -Identity $groupDN
+ $getIP_strings.InfoName -f $group.Name
+ $getIP_strings.InfoDN -f $groupDN
+# Analyze the group
+ $OIDName = $OID.displayName
+ $groupName = $group.Name
+ if ($group.groupCategory -ne "Security") {
+ $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ if ($group.groupScope -ne "Universal") {
+ $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ }
+ $members = Get-ADGroupMember -Identity $group
+ if ($members) {
+ $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
+ write-host $errormsg -ForegroundColor Red
+ foreach ($member in $members) {
+ write-host " " $member -ForeGroundColor Red
+ }
+ }
+ write-host ""
+ }
+ }else{
+write-host "There are no issuance policies that are mapped to a group"
+ }
+ if ($LinkedToGroup -eq "yes") {
+ return $LinkedOIDs
+ break
+ }
+}
+if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
+ $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
+ $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
+ write-host ""
+ write-host "*********************************************************"
+ write-host $getIP_strings.NonLinkedIPs
+ write-host "*********************************************************"
+ write-host ""
+ if ($NonLinkedOIDs -ne $null) {
+ foreach ($OID in $NonLinkedOIDs) {
+# Display basic information about the Issuance Policies
+write-host ""
+$getIP_strings.displayName -f $OID.displayName
+$getIP_strings.Name -f $OID.Name
+$getIP_strings.dn -f $OID.distinguishedName
+write-host ""
+ }
+ }else{
+write-host "There are no issuance policies which are not mapped to groups"
+ }
+ if ($LinkedToGroup -eq "no") {
+ return $NonLinkedOIDs
+ break
+ }
+}
+```
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+## Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:
+help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption: The group to which the Issuance Policy is going
+# to be linked is (or is going to be created) in
+# the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+## Find the OID object ##
+## (aka Issuance Policy) ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+## Find the container of the group ##
+#######################################
+if ($groupOU -eq $null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+## Find the group ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?) {
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+## Verify that the group is ##
+## Universal, Security, and ##
+## has no members ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+## We have verified everything. We ##
+## can create the link from the ##
+## Issuance Policy to the group. ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
\ No newline at end of file
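Review bot: `write-host " $member.name" -ForeGroundColor Red` in the `foreach ($member in $members)` loop after the `ErrorHasMembers` message will not print the member's name: inside a double-quoted string PowerShell expands `$member` alone and appends the literal text `.name`, so each line shows the object's string form followed by `.name`. Use a subexpression, `write-host " $($member.name)" -ForeGroundColor Red` (or `$($member.SamAccountName)` if the logon name is more useful to the admin deciding which accounts to remove before the policy is linked). Two smaller points in the same hunk: the commented-out `##$searchBase = [String]$groupContainer.DistinguishedName` just above `$searchBase = $groupContainer` is dead code and should go (passing the AD object works only because it stringifies to its DN, which deserves a one-line comment), and the closing note "try replacing the single quote after the ConvertFrom-StringData parameter" does not say what to replace it with, so a reader cannot act on it; state the replacement character. Using bare `break` at script scope to abort after the `NoIP`, `MultipleIPs` and verification failures also exits without a non-zero code; `exit 1` makes the failure visible to any automation that wraps the script.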
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index f36732aa45..b36d3a7301 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -16,6 +16,8 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
+Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Credential Guard video series.
+
Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
By enabling Credential Guard, the following features and solutions are provided:
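Review bot: The added line `+Prefer video? See [Credential Theft and Lateral Traversal](...)` follows the `- Windows Server 2016` list item with no blank line between them, so Markdown treats it as a lazy continuation of that bullet and renders the video prompt inside the "Applies to" list. Add an empty line before the new sentence (the hunk already adds one after it). Placing the sentence after the introductory paragraph instead of between the Applies-to block and the intro would also keep the metadata block intact.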
@@ -24,928 +26,6 @@ By enabling Credential Guard, the following features and solutions are provided:
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
-## How it works
-
-Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
-
-For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-
-When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-
-When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
-
-Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
-
-
-
-## Requirements
-
-For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations).
-
-### Hardware and software requirements
-
-To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
-- Support for Virtualization-based security (required)
-- Secure boot (required)
-- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
-- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
-
-The Virtualization-based security requires:
-- 64 bit CPU
-- CPU virtualization extensions plus extended page tables
-- Windows hypervisor
-
-### Application requirements
-
-When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
-
->[!WARNING]
-> Enabling Credential Guard on domain controllers is not supported.
-> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
-
->[!NOTE]
-> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
-
-Applications will break if they require:
-- Kerberos DES encryption support
-- Kerberos unconstrained delegation
-- Extracting the Kerberos TGT
-- NTLMv1
-
-Applications will prompt & expose credentials to risk if they require:
-- Digest authentication
-- Credential delegation
-- MS-CHAPv2
-
-Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
-
-### Security considerations
-
-All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
-Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
-The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-
-> [!NOTE]
-> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
-> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
-
-#### Baseline protections
-
-|Baseline Protections | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT).
**Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
-| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)
**Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)
**Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
-| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).
**Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
**Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. |
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
-
-#### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4
-
-| Protections for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU
**Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.
**Security benefits**:
• BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation
**Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). |
-
-
-
-#### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-
-> [!IMPORTANT]
-> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections.
-
-| Protections for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
• The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).
**Security benefits**:
• Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI provides additional security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.
**Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
• Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.
**Security benefits**:
• Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-
-
-
-#### 2017 Additional security qualifications starting in 2017
-
-The following table lists qualifications for 2017, which are in addition to all preceding qualifications.
-
-| Protection for Improved Security | Description |
-|---------------------------------------------|----------------------------------------------------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
• VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
• UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections need to be page-aligned in memory (not required for in non-volitile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
- No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.
Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and exceutable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code
**Security benefits**:
• Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.
**Security benefits**:
• Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
-
-## Manage Credential Guard
-
-### Enable Credential Guard
-Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
-
-#### Turn on Credential Guard by using Group Policy
-
-You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
-
-1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
-2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
-3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
-4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**.
-
- 
-
-5. Close the Group Policy Management Console.
-
-To enforce processing of the group policy, you can run ```gpupdate /force```.
-
-#### Turn on Credential Guard by using the registry
-
-If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
-
-#### Add the virtualization-based security features
-
-Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
-
-If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
-You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
-> [!NOTE]
-> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
-
-
-**Add the virtualization-based security features by using Programs and Features**
-
-1. Open the Programs and Features control panel.
-2. Click **Turn Windows feature on or off**.
-3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
-4. Select the **Isolated User Mode** check box at the top level of the feature selection.
-5. Click **OK**.
-
-**Add the virtualization-based security features to an offline image by using DISM**
-
-1. Open an elevated command prompt.
-2. Add the Hyper-V Hypervisor by running the following command:
- ```
- dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
- ```
-3. Add the Isolated User Mode feature by running the following command:
- ```
- dism /image: /Enable-Feature /FeatureName:IsolatedUserMode
- ```
-
-> [!NOTE]
-> You can also add these features to an online image by using either DISM or Configuration Manager.
-
-#### Enable virtualization-based security and Credential Guard
-
-1. Open Registry Editor.
-2. Enable virtualization-based security:
- - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
-3. Enable Credential Guard:
- - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
-4. Close Registry Editor.
-
-
-> [!NOTE]
-> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
-
-
-#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
-
-You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
-```
-DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
-```
-
-#### Credential Guard deployment in virtual machines
-
-Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
-
-Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
-
-``` PowerShell
-Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
-```
-
-Requirements for running Credential Guard in Hyper-V virtual machines
-- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
-- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
-
-### Remove Credential Guard
-
-If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
-
-1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
-2. Delete the following registry settings:
- - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
-
- > [!IMPORTANT]
- > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
-
-3. Delete the Credential Guard EFI variables by using bcdedit.
-
-**Delete the Credential Guard EFI variables**
-
-1. From an elevated command prompt, type the following commands:
- ``` syntax
-
- mountvol X: /s
-
- copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
-
- bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
-
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
-
- bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
-
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
-
- bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
-
- mountvol X: /d
-
- ```
-2. Restart the PC.
-3. Accept the prompt to disable Credential Guard.
-4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
-
-> [!NOTE]
-> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-
-For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
-
-
-#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
-
-You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
-```
-DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
-```
-
-### Check that Credential Guard is running
-
-You can use System Information to ensure that Credential Guard is running on a PC.
-
-1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
-2. Click **System Summary**.
-3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
-
- Here's an example:
-
- 
-
-You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
-
-```
-DG_Readiness_Tool_v3.0.ps1 -Ready
-```
-
-## Considerations when using Credential Guard
-
-- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain.
-- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
- - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run.
- - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
- You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
-- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
-- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
-- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
-
-- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
- - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
- - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
- - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
-
-### NTLM & CHAP Considerations
-
-When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
-
-### Kerberos Considerations
-
-When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
-
-## Scenarios not protected by Credential Guard
-
-Some ways to store credentials are not protected by Credential Guard, including:
-
-- Software that manages credentials outside of Windows feature protection
-- Local accounts and Microsoft Accounts
-- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
-- Key loggers
-- Physical attacks
-- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization.
-- Third-party security packages
-- Digest and CredSSP credentials
- - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
-
-## Additional mitigations
-
-Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust.
-
-### Restricting domain users to specific domain-joined devices
-
-Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
-
-#### Kerberos armoring
-
-Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
-
-**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
-
-- Users need to be in domains which are running Windows Server 2012 R2 or higher
-- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
-
-#### Protecting domain-joined device secrets
-
-Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user.
-
-Domain-joined device certificate authentication has the following requirements:
-- Devices' accounts are in Windows Server 2012 domain funcational level or higher domains.
-- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- - KDC EKU present
- - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
-- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
-- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
-
-##### Deploying domain-joined device certificates
-
-To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
-
-For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
-
-**Creating a new certificate template**
-
-1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
-2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
-3. Right-click the new template, and then click **Properties**.
-4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
-5. Click **Client Authentication**, and then click **Remove**.
-6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
- - Name: Kerberos Client Auth
- - Object Identifier: 1.3.6.1.5.2.3.4
-7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
-8. Under **Issuance Policies**, click**High Assurance**.
-9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
-
-Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
-
-**Enrolling devices in a certificate**
-
-Run the following command:
-``` syntax
-CertReq -EnrollCredGuardCert MachineAuthentication
-```
-
-> [!NOTE]
-> You must restart the device after enrolling the machine authentication certificate.
-
-#### How a certificate issuance policy can be used for access control
-
-Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
-
-**To see the issuance policies available**
-
-- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
- From a Windows PowerShell command prompt, run the following command:
-
- ``` syntax
- .\get-IssuancePolicy.ps1 –LinkedToGroup:All
- ```
-
-**To link a issuance policy to a universal security group**
-
-- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
- From a Windows PowerShell command prompt, run the following command:
-
- ``` syntax
- .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
- ```
-
-#### Restricting user sign on
-
-So we now have the following:
-
-- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on
-- Mapped that policy to a universal security group or claim
-- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring-
-so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies.
-
-Authentication policies have the following requirements:
-- User accounts are in a Windows Server 2012 domain functional level or higher domain.
-
-**Creating an authentication policy restricting to the specific universal security group**
-
-1. Open Active Directory Administrative Center.
-2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
-3. In the **Display name** box, enter a name for this authentication policy.
-4. Under the **Accounts** heading, click **Add**.
-5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**.
-6. Under the **User Sign On** heading, click the **Edit** button.
-7. Click **Add a condition**.
-8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
-9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
-10. Click **OK** to close the **Edit Access Control Conditions** box.
-11. Click **OK** to create the authentication policy.
-12. Close Active Directory Administrative Center.
-
-> [!NOTE]
-> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
-
-#### Discovering authentication failures due to authentication policies
-
-To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
-
-To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
-
-## Appendix: Scripts
-
-Here is a list of scripts that are mentioned in this topic.
-
-### Get the available issuance policies on the certificate authority
-
-Save this script file as get-IssuancePolicy.ps1.
-
-``` syntax
-#######################################
-## Parameters to be defined ##
-## by the user ##
-#######################################
-Param (
-$Identity,
-$LinkedToGroup
-)
-#######################################
-## Strings definitions ##
-#######################################
-Data getIP_strings {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targetted.
-help2 = Usage:
-help3 = The following parameter is mandatory:
-help4 = -LinkedToGroup:
-help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
-help6 = "no" will return only Issuance Policies that are not currently linked to any group.
-help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
-help8 = The following parameter is optional:
-help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
-help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
-help11 = Examples:
-errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
-ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
-ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
-ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members:
-LinkedIPs = The following Issuance Policies are linked to groups:
-displayName = displayName : {0}
-Name = Name : {0}
-dn = distinguishedName : {0}
- InfoName = Linked Group Name: {0}
- InfoDN = Linked Group DN: {0}
-NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
-'@
-}
-##Import-LocalizedData getIP_strings
-import-module ActiveDirectory
-#######################################
-## Help ##
-#######################################
-function Display-Help {
- ""
- $getIP_strings.help1
- ""
-$getIP_strings.help2
-""
-$getIP_strings.help3
-" " + $getIP_strings.help4
-" " + $getIP_strings.help5
- " " + $getIP_strings.help6
- " " + $getIP_strings.help7
-""
-$getIP_strings.help8
- " " + $getIP_strings.help9
- ""
- $getIP_strings.help10
-""
-""
-$getIP_strings.help11
- " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
- " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
- " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance"""
-""
-}
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-$configNCDN = [String]$root.configurationNamingContext
-if ( !($Identity) -and !($LinkedToGroup) ) {
-display-Help
-break
-}
-if ($Identity) {
- $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties *
- if ($OIDs -eq $null) {
-$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity
-write-host $errormsg -ForegroundColor Red
- }
- foreach ($OID in $OIDs) {
- if ($OID."msDS-OIDToGroupLink") {
-# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping.
- $groupDN = $OID."msDS-OIDToGroupLink"
- $group = get-adgroup -Identity $groupDN
- $groupName = $group.Name
-# Analyze the group
- if ($group.groupCategory -ne "Security") {
-$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName
- write-host $errormsg -ForegroundColor Red
- }
- if ($group.groupScope -ne "Universal") {
- $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
- }
- $members = Get-ADGroupMember -Identity $group
- if ($members) {
- $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName
-write-host $errormsg -ForegroundColor Red
- foreach ($member in $members) {
- write-host " " $member -ForeGroundColor Red
- }
- }
- }
- }
- return $OIDs
- break
-}
-if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
- $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
- $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
- write-host ""
- write-host "*****************************************************"
- write-host $getIP_strings.LinkedIPs
- write-host "*****************************************************"
- write-host ""
- if ($LinkedOIDs -ne $null){
- foreach ($OID in $LinkedOIDs) {
-# Display basic information about the Issuance Policies
- ""
- $getIP_strings.displayName -f $OID.displayName
- $getIP_strings.Name -f $OID.Name
- $getIP_strings.dn -f $OID.distinguishedName
-# Get the linked group.
- $groupDN = $OID."msDS-OIDToGroupLink"
- $group = get-adgroup -Identity $groupDN
- $getIP_strings.InfoName -f $group.Name
- $getIP_strings.InfoDN -f $groupDN
-# Analyze the group
- $OIDName = $OID.displayName
- $groupName = $group.Name
- if ($group.groupCategory -ne "Security") {
- $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName
- write-host $errormsg -ForegroundColor Red
- }
- if ($group.groupScope -ne "Universal") {
- $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName
- write-host $errormsg -ForegroundColor Red
- }
- $members = Get-ADGroupMember -Identity $group
- if ($members) {
- $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName
- write-host $errormsg -ForegroundColor Red
- foreach ($member in $members) {
- write-host " " $member -ForeGroundColor Red
- }
- }
- write-host ""
- }
- }else{
-write-host "There are no issuance policies that are mapped to a group"
- }
- if ($LinkedToGroup -eq "yes") {
- return $LinkedOIDs
- break
- }
-}
-if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
- $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
- $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
- write-host ""
- write-host "*********************************************************"
- write-host $getIP_strings.NonLinkedIPs
- write-host "*********************************************************"
- write-host ""
- if ($NonLinkedOIDs -ne $null) {
- foreach ($OID in $NonLinkedOIDs) {
-# Display basic information about the Issuance Policies
-write-host ""
-$getIP_strings.displayName -f $OID.displayName
-$getIP_strings.Name -f $OID.Name
-$getIP_strings.dn -f $OID.distinguishedName
-write-host ""
- }
- }else{
-write-host "There are no issuance policies which are not mapped to groups"
- }
- if ($LinkedToGroup -eq "no") {
- return $NonLinkedOIDs
- break
- }
-}
-```
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
-
-### Link an issuance policy to a group
-
-Save the script file as set-IssuancePolicyToGroupLink.ps1.
-
-``` syntax
-#######################################
-## Parameters to be defined ##
-## by the user ##
-#######################################
-Param (
-$IssuancePolicyName,
-$groupOU,
-$groupName
-)
-#######################################
-## Strings definitions ##
-#######################################
-Data ErrorMsg {
-# culture="en-US"
-ConvertFrom-StringData -stringdata @'
-help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
-help2 = Usage:
-help3 = The following parameters are required:
-help4 = -IssuancePolicyName:
-help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
-help6 = The following parameter is optional:
-help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
-help8 = Examples:
-help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
-help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
-MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
-NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
-IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
-MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
-confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. Do you want to create it?
-OUCreationSuccess = Organizational Unit "{0}" successfully created.
-OUcreationError = Error: Organizational Unit "{0}" could not be created.
-OUFoundSuccess = Organizational Unit "{0}" was successfully found.
-multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
-confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
-groupCreationSuccess = Univeral Security group "{0}" successfully created.
-groupCreationError = Error: Univeral Security group "{0}" could not be created.
-GroupFound = Group "{0}" was successfully found.
-confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
-UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
-UnlinkError = Removing the link failed.
-UnlinkExit = Exiting without removing the link from the issuance policy to the group.
-IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
-ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
-ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
-ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
-ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
-LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
-LinkError = The certificate issuance policy could not be linked to the specified group.
-ExitNoLinkReplacement = Exiting without setting the new link.
-'@
-}
-# import-localizeddata ErrorMsg
-function Display-Help {
-""
-write-host $ErrorMsg.help1
-""
-write-host $ErrorMsg.help2
-""
-write-host $ErrorMsg.help3
-write-host "`t" $ErrorMsg.help4
-write-host "`t" $ErrorMsg.help5
-""
-write-host $ErrorMsg.help6
-write-host "`t" $ErrorMsg.help7
-""
-""
-write-host $ErrorMsg.help8
-""
-write-host $ErrorMsg.help9
-".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
-""
-write-host $ErrorMsg.help10
-'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
-""
-}
-# Assumption: The group to which the Issuance Policy is going
-# to be linked is (or is going to be created) in
-# the domain the user running this script is a member of.
-import-module ActiveDirectory
-$root = get-adrootdse
-$domain = get-addomain -current loggedonuser
-if ( !($IssuancePolicyName) ) {
-display-Help
-break
-}
-#######################################
-## Find the OID object ##
-## (aka Issuance Policy) ##
-#######################################
-$searchBase = [String]$root.configurationnamingcontext
-$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
-if ($OID -eq $null) {
-$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($OID.GetType().IsArray) {
-$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-else {
-$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
-write-host $tmp -ForeGroundColor Green
-}
-#######################################
-## Find the container of the group ##
-#######################################
-if ($groupOU -eq $null) {
-# default to the Users container
-$groupContainer = $domain.UsersContainer
-}
-else {
-$searchBase = [string]$domain.DistinguishedName
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-if ($groupContainer.count -gt 1) {
-$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
-write-host $tmp -ForegroundColor Red
-break;
-}
-elseif ($groupContainer -eq $null) {
-$tmp = $ErrorMsg.confirmOUcreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
-if ($?){
-$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
-write-host $tmp -ForegroundColor Green
-}
-else{
-$tmp = $ErrorMsg.OUCreationError -f $groupOU
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
-write-host $tmp -ForegroundColor Green
-}
-}
-#######################################
-## Find the group ##
-#######################################
-if (($groupName -ne $null) -and ($groupName -ne "")){
-##$searchBase = [String]$groupContainer.DistinguishedName
-$searchBase = $groupContainer
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-if ($group -ne $null -and $group.gettype().isarray) {
-$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
-write-host $tmp -ForeGroundColor Red
-break;
-}
-elseif ($group -eq $null) {
-$tmp = $ErrorMsg.confirmGroupCreation
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
-if ($?){
-$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
-write-host $tmp -ForegroundColor Green
-}else{
-$tmp = $ErrorMsg.groupCreationError -f $groupName
-write-host $tmp -ForeGroundColor Red
-break
-}
-$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
-}
-else {
-break;
-}
-}
-else {
-$tmp = $ErrorMsg.GroupFound -f $group.Name
-write-host $tmp -ForegroundColor Green
-}
-}
-else {
-#####
-## If the group is not specified, we should remove the link if any exists
-#####
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
-write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
-if ($?) {
-$tmp = $ErrorMsg.UnlinkSuccess
-write-host $tmp -ForeGroundColor Green
-}else{
-$tmp = $ErrorMsg.UnlinkError
-write-host $tmp -ForeGroundColor Red
-}
-}
-else {
-$tmp = $ErrorMsg.UnlinkExit
-write-host $tmp
-break
-}
-}
-else {
-$tmp = $ErrorMsg.IPNotLinked
-write-host $tmp -ForeGroundColor Yellow
-}
-break;
-}
-#######################################
-## Verify that the group is ##
-## Universal, Security, and ##
-## has no members ##
-#######################################
-if ($group.GroupScope -ne "Universal") {
-$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-if ($group.GroupCategory -ne "Security") {
-$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-break;
-}
-$members = Get-ADGroupMember -Identity $group
-if ($members -ne $null) {
-$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
-write-host $tmp -ForeGroundColor Red
-foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
-break;
-}
-#######################################
-## We have verified everything. We ##
-## can create the link from the ##
-## Issuance Policy to the group. ##
-#######################################
-if ($OID."msDS-OIDToGroupLink" -ne $null) {
-$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
-write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
-$userChoice = read-host
-if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Replace $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-} else {
-$tmp = $Errormsg.ExitNoLinkReplacement
-write-host $tmp
-break
-}
-}
-else {
-$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
-set-adobject -Identity $OID -Add $tmp
-if ($?) {
-$tmp = $Errormsg.LinkSuccess
-write-host $tmp -Foreground Green
-}else{
-$tmp = $ErrorMsg.LinkError
-write-host $tmp -Foreground Red
-}
-}
-```
-
-> [!NOTE]
-> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
## Related topics
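Review bot: the entire issuance-policy-to-group linking script (from the `new-adgroup` call through the `msDS-OIDToGroupLink` `set-adobject` updates) and its `ConvertFrom-StringData` troubleshooting note are deleted with no replacement or forwarding link visible in this hunk; if the script moved to another topic, add that topic under Related topics so readers who relied on this page for the linking procedure can still find it.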
@@ -959,4 +39,9 @@ write-host $tmp -Foreground Red
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
- [Trusted Platform Module](trusted-platform-module-overview.md)
-
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
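Review bot: the new `## See also` heading lands directly after the existing `## Related topics` list, leaving two sections with the same purpose on one page; fold the Credential Guard video link into Related topics (or rename one heading to explain the distinction). The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows for both old and new versions.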
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
index 18a8804998..3f71267756 100644
--- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Create threat intelligence using REST API in Windows Defender ATP
+title: Create custom alerts using the threat intelligence API
description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions.
keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
search.product: eADQiWindows 10XVcnh
@@ -389,7 +389,8 @@ The following articles provide detailed code examples that demonstrate how to us
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index de668b5c69..314ccc9c79 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -30,4 +30,4 @@ Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe
The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
-For more information, see the **Compatibility** section in the [Windows Defender Antivirus in Windows 10 topic](windows-defender-in-windows-10.md).
+For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](windows-defender-antivirus-compatibility.md).
diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
index b03c8c1332..68ae726ace 100644
--- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
@@ -144,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
-> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
**To enable VBS without UEFI lock (value 0)**
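Review bot: the change from value 2 to value 3 for **VBS with Secure Boot and DMA** is correct: the documented values for `RequirePlatformSecurityFeatures` are 1 for Secure Boot only and 3 for Secure Boot together with DMA protection, so the old text told readers to set a value the guide never defines. The same note is repeated in the following hunk; both copies now agree.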
@@ -196,7 +196,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
-> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
+> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
diff --git a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
index d2905c2bab..56578ebbbb 100644
--- a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md
@@ -45,11 +45,11 @@ PowerShell|Deploy with Group Policy, System Center Configuration Manager, or man
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
-1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref1)
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref1)
-1. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
+1. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
-1. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3)
+1. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref3)
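Review bot: the three footnote lines are identical in their `-` and `+` forms, so this hunk is a whitespace-only change; while these lines are being touched, fix the unclosed parenthesis in footnote 3 (`([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md).` lacks the closing `)` after the link) and the agreement error in footnote 1 (`The availability ... differ` should be `differs`).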
@@ -88,7 +88,4 @@ Topic | Description
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
-## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
-- [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
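Review bot: dropping the whole Related topics section removes the only links from this deployment overview back to its parent and sibling topics; elsewhere in this commit `windows-defender-in-windows-10.md` is being replaced by `windows-defender-antivirus-in-windows-10.md`, so if the intent was to fix the stale link, update it rather than deleting both entries.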
diff --git a/windows/keep-secure/deploy-windows-defender-antivirus.md b/windows/keep-secure/deploy-windows-defender-antivirus.md
index 6f98f62d52..f81ce50c65 100644
--- a/windows/keep-secure/deploy-windows-defender-antivirus.md
+++ b/windows/keep-secure/deploy-windows-defender-antivirus.md
@@ -35,6 +35,6 @@ The remaining topic in this section provides end-to-end advice and best practice
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrasructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md)
\ No newline at end of file
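Review bot: the link-target fix to `windows-defender-antivirus-in-windows-10.md` is fine, but the unchanged context line still reads `infrasructure` in `virtual desktop infrasructure (VDI) environment`; correct the spelling to `infrastructure` in this pass, and add the trailing newline flagged by `\ No newline at end of file`.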
diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
index 50d37bfe9d..6c2984299b 100644
--- a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
+++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md
@@ -20,7 +20,7 @@ author: iaanw
**Audience**
-- IT professionals
+- Enterprise security administrators
**Manageability available with**
@@ -31,7 +31,20 @@ author: iaanw
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
-Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. For more details on the best configuration options to ensure a good balance between performance and protection, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
+Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware.
+
+We recommend setting the following when deploying Windows Defender AV in a VDI environment:
+
+Location | Setting | Suggested configuration
+---|---|---
+Client interface | Enable headless UI mode | Enabled
+Client interface | Suppress all notifications | Enabled
+Scan | Specify the scan type to use for a scheduled scan | Enabled - Quick
+Root | Randomize scheduled task times | Enabled
+Signature updates | Turn on scan after signature update | Enabled
+Scan | Turn on catch up quick scan | Enabled
+
+For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section.
See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support.
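Review bot: the new recommendations table labels its rows with a `Location` column (`Client interface`, `Scan`, `Root`, `Signature updates`) without saying which management interface those labels come from, so a reader cannot map them to a Group Policy path or a Configuration Manager antimalware policy page; state that these are section names from the policy tree and, for `Root`, give the full path, since `Randomize scheduled task times` is the only entry under that label.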
@@ -54,8 +67,6 @@ There are three main steps in this guide to help roll out Windows Defender AV pr
>[!NOTE]
>When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information.
-The following table lists the configuration settings that we recommend when deploying Windows Defender AV in a VDI environment:
-
## Create and deploy the base image
@@ -85,7 +96,7 @@ You can run a quick scan [from the command line](command-line-arguments-windows-
### Deploy the base image
-You’ll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
+You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs.
The following references provide ways you can create and deploy the base image across your VDI:
@@ -102,7 +113,7 @@ The following references provide ways you can create and deploy the base image a
## Manage your VMs and base image
How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure.
-Because Windows Defender AV downloads protection updates every day, [or based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
+Because Windows Defender AV downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time.
Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb).
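Review bot: the unchanged sentence after the rewritten line is broken: `Following the guidelines in this means the VMs will only need to download` is missing the noun after `in this` (`in this topic`), and `150 mb` should use the unit symbol `MB`; since the hunk already rewrites the neighbouring sentence, fix both here.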
@@ -114,7 +125,7 @@ If you are using a persistent VDI, you should update the base image monthly, and
2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this).
3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md).
4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others.
-5. On or just after each Patch Tuesday (the second Tuesday of each month), update your base image with [the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
+5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/).
5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them.
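Review bot: the rewritten step 5 drops the period that closed the sentence after the link, so it now reads `...WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches`; restore the period after the link. The list also has two items numbered `5.` (the update step and `[Run a quick scan]`); renumber the scan step to `6.` so the source matches the rendered order.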
@@ -125,7 +136,7 @@ A benefit to aligning your image update to the monthly Microsoft Update is that
If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image.
An example:
-1. Every night or other time when you can safely take your VMs offline, update your base image with t[the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
+1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md).
2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs.
@@ -152,7 +163,7 @@ Scheduled scans run in addition to [real-time protection and scanning](configure
The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime.
-
+
**Use Group Policy to randomize scheduled scan start times:**
@@ -192,9 +203,7 @@ Quick scans are the preferred approach as they are designed to look in all place
See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch).
-
+See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans.
### Prevent notifications
@@ -229,7 +238,7 @@ Sometimes, Windows Defender AV notifications may be sent to or persist across mu
### Disable scans after an update
-This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you’ve already scanned it when you created the base image).
+This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image).
>[!IMPORTANT]
>Running scans after an update will help ensure your VMs are protected with the latest definition updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
@@ -267,9 +276,6 @@ This setting will prevent a scan from occurring after receiving an update. You c
This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan.
-DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a quick scan is performed on a VM which has been offline and has missed a schedule scan.
-
-
**Use Group Policy to enable a catch-up scan:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
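Review bot: removing the first-person sentence is right, but it was the only place the section named the underlying setting, `DisableCatchupQuickScan`, and the value (off) that produces the catch-up behaviour; keep that setting name in the section so administrators who configure by property name rather than through the Group Policy UI can match it to the `Turn on catch-up quick scan` instruction.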
@@ -283,6 +289,8 @@ DisableCatchupQuickScan, is the setting that I use (set to OFF) to ensure that a
1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans.
+
+
**Use Configuration Manager to disable scans after an update:**
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
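Review bot: the blank lines added here separate a step and a heading that do not match: the step above (`Turn on catch-up quick scan` set to `Enabled`) belongs to the catch-up scan procedure, yet the heading that follows reads `Use Configuration Manager to disable scans after an update:`; rename it to `Use Configuration Manager to enable a catch-up scan:` (or move it to the section it actually describes) so the Configuration Manager steps match the Group Policy steps above them.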
diff --git a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 30d7011a23..296bbd7013 100644
--- a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -46,7 +46,7 @@ PUAs are blocked when a user attempts to download or install the detected file,
- The file is in the %downloads% folder
- The file is in the %temp% folder
-The file is placed in the quarantine section so it won’t run.
+The file is placed in the quarantine section so it won't run.
When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:").
@@ -66,7 +66,7 @@ You can enable the PUA protection feature with System Center Configuration Manag
You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log.
-This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives.
+This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives.
**Use Configuration Manager to configure the PUA protection feature:**
diff --git a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
index ddb0ce57ac..abdb360aef 100644
--- a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
@@ -127,7 +127,7 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app**
> [!NOTE]
-> If the **Configure local setting override for reporting Microsoft MAPS** GP setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -139,15 +139,15 @@ See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](http
3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
>[!NOTE]
->If automatic sample submission has been configured with GP then the setting will be greyed-out and unavailble.
+>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailble.
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md)
- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)]
- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx)
- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
-- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
\ No newline at end of file
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+- - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
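Review bot: the `GP` to `Group Policy` expansion leaves `unavailble` misspelled in the same changed line (`greyed-out and unavailble`); fix it to `unavailable`. In the Related topics list the new last entry has a doubled bullet (`- - [Windows Defender Antivirus in Windows 10]`), and the unchanged Intune entry ends with a stray `]` after its URL; both render incorrectly in Markdown.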
diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
index dd97cca65e..da53066333 100644
--- a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -41,7 +41,8 @@ You’ll need to use the access token in the Authorization header when doing RES
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
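Review bot: the added entry `[Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)` points at the file being edited, so this page now lists itself under Related topics, while the removed entry for `custom-ti-api-windows-defender-advanced-threat-protection.md` (Create custom threat intelligence alerts) disappears; the block looks copied from the custom-ti-api page, so replace the self-link with the create-alerts link.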
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
deleted file mode 100644
index 0feb3a91f8..0000000000
--- a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Detect and block Potentially Unwanted Application with Windows Defender
-description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
-keywords: pua, enable, detect pua, block pua, windows defender and pua
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: detect
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: dulcemv
-redirect_url: /detect-block-potentially-unwanted-apps-windows-defender-antivirus/
----
-
-# Detect and block Potentially Unwanted Application in Windows 10
-
-This page has been redirected to *Detect and block unwanted applications*.
\ No newline at end of file
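Review bot: this stub's only purpose was the `redirect_url: /detect-block-potentially-unwanted-apps-windows-defender-antivirus/` front matter, which keeps the old `enable-pua-windows-defender-for-windows-10` URL resolving; confirm that the redirect is defined elsewhere before deleting the file, otherwise existing bookmarks and inbound links to the PUA topic will break.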
diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
index a645f8ccad..9c83ea0f99 100644
--- a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Enable SIEM integration in Windows Defender Advanced Threat Protection
+title: Enable SIEM integration in Windows Defender ATP
description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution.
keywords: enable siem connector, siem, connector, security information and events
search.product: eADQiWindows 10XVcnh
@@ -49,7 +49,7 @@ Enable security information and event management (SIEM) integration so you can p
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
## Related topics
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
index f2e1b3c91c..5555cd3892 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -15,7 +15,7 @@ localizationpriority: high
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
diff --git a/windows/keep-secure/evaluate-windows-defender-antivirus.md b/windows/keep-secure/evaluate-windows-defender-antivirus.md
index af84e29eb5..4f51b16a7a 100644
--- a/windows/keep-secure/evaluate-windows-defender-antivirus.md
+++ b/windows/keep-secure/evaluate-windows-defender-antivirus.md
@@ -24,7 +24,7 @@ author: iaanw
- Enterprise security administrators
-If youre an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
+If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
@@ -44,7 +44,7 @@ You can also download a PowerShell that will enable all the settings described i
## Related topics
-- [Windows Defender Antivirus](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md)
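Review bot: the Related topics link target moves from windows-defender-in-windows-10.md to windows-defender-antivirus-in-windows-10.md; check that the old file is renamed in this commit or left as a redirect stub, and grep the folder for other references to the old name so no links break. While in this file, the hunk header context line "You can also download a PowerShell that will enable all the settings" is missing the word "script" after "PowerShell".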
diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
index 670b72a6d5..b7f9bce85f 100644
--- a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -82,3 +82,11 @@ This step will guide you in exploring the custom alert in the portal.
> [!NOTE]
> It can take up to 15 minutes for the alert to appear in the portal.
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
index 0e7e6fa111..a301137ca4 100644
--- a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Fix unhealthy sensors in Windows Defender ATP
-description: Fix machine sensors that are reporting as misconfigured or inactive.
+description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
index d53c76fc27..aca26a9b12 100644
--- a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: Update general Windows Defender Advanced Threat Protection settings
-description: Update your general Windows Defender Advanced Threat Protection settings after onboarding.
+description: Update your general Windows Defender Advanced Threat Protection settings such as data retention or industry after onboarding.
keywords: general settings, settings, update settings
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
deleted file mode 100644
index e9c2b82470..0000000000
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Update and manage Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell.
-ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /deploy-manage-report-windows-defender-antivirus/
----
-
-# Update and manage Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.
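Review bot: this file existed only to redirect to /deploy-manage-report-windows-defender-antivirus/, and removing it drops that redirect. The commit does update the in-repo Related topics links that pointed at get-started-with-windows-defender-for-windows-10.md, but external links and bookmarks are not covered; make sure the redirect is preserved in the site-level redirect configuration before the stub is removed.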
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
index ff64be6d0f..3294599cd2 100644
--- a/windows/keep-secure/guidance-and-best-practices-wip.md
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@@ -14,7 +14,7 @@ localizationpriority: high
# General guidance and best practices for Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md
index 9c24738397..516d264bef 100644
--- a/windows/keep-secure/hello-why-pin-is-better-than-password.md
+++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md
@@ -54,17 +54,44 @@ You can provide additional protection for laptops that don't have TPM by enablng
**Configure BitLocker without TPM**
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
- **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup**
+ **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup**
2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.**
-3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect.
+3. Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect.
**Set account lockout threshold**
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
- **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold**
+ **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**
2. Set the number of invalid logon attempts to allow, and then click OK.
+
+## What if I forget my PIN?
+
+Starting with Windows 10, version 1703, devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune), are be able to reset a forgotten PIN without deleting company managed data or apps.
+
+### Reset forgotten PIN on Windows Phone
+
+To reset a forgotten pin on a Windows Phone, you will need to locate the device in the Intune portal. Once you've selected the device, click on **More > New passcode** to generate a new PIN.
+
+
+
+Once you've done that, the device will receive a notification to unlock the device and you will have to provide them with the generated PIN in order to unlock the device. With the device unlocked, they user can now reset the PIN.
+
+
+
+### Reset forgotten PIN on desktop
+
+Users can reset a forgotten PIN from any Intune managed desktop device. They will need to unlock the device by other means (Password \ Smart Card \ Biometric).
+
+Once the device is unlocked, go to **Settings > Accounts > Sign-in options** and under **PIN** select **I forgot my PIN**.
+
+
+
+After signing-in, you will be prompted to change your PIN.
+
+
+
## Why do you need a PIN to use biometrics?
Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
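Review bot: the new "What if I forget my PIN?" section has several wording problems: "are be able to reset" should read "are able to reset" (and the comma before it should go); "forgotten pin" should be "forgotten PIN"; "they user can now reset the PIN" should be "the user can now reset the PIN"; and the Windows Phone paragraph switches between addressing the admin ("you will have to provide them with the generated PIN") and the user, so pick one reader. "After signing-in" should be "After signing in". The empty `+` lines after each step look like they were meant to hold the image references for the whfb-*.jpg/png files added in this commit; verify the `![...](images/...)` lines were not lost. Since the Intune-generated passcode unlocks the device, it is worth one sentence telling the admin to confirm the requester's identity through a separate channel before handing the PIN over. The unchanged hunk header context also still reads "enablng" for "enabling".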
diff --git a/windows/keep-secure/images/atp-azure-ui-user-access.png b/windows/keep-secure/images/atp-azure-ui-user-access.png
new file mode 100644
index 0000000000..dd7fe7dc4d
Binary files /dev/null and b/windows/keep-secure/images/atp-azure-ui-user-access.png differ
diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/keep-secure/images/atp-disableantispyware-regkey.png
index ae3d800c69..ed34f9dc65 100644
Binary files a/windows/keep-secure/images/atp-disableantispyware-regkey.png and b/windows/keep-secure/images/atp-disableantispyware-regkey.png differ
diff --git a/windows/keep-secure/images/atp-users-at-risk.png b/windows/keep-secure/images/atp-users-at-risk.png
index 4e86dbb2f5..cd43cdf607 100644
Binary files a/windows/keep-secure/images/atp-users-at-risk.png and b/windows/keep-secure/images/atp-users-at-risk.png differ
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreat.png b/windows/keep-secure/images/defender/wdav-get-mpthreat.png
new file mode 100644
index 0000000000..e1671237a6
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreat.png differ
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png
new file mode 100644
index 0000000000..3e5de6552f
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png differ
diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png
index adf6c2b661..68b455b5a3 100644
Binary files a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png and b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png differ
diff --git a/windows/keep-secure/images/mva_videos.png b/windows/keep-secure/images/mva_videos.png
new file mode 100644
index 0000000000..2a785874bd
Binary files /dev/null and b/windows/keep-secure/images/mva_videos.png differ
diff --git a/windows/keep-secure/images/whfb-intune-reset-pin.jpg b/windows/keep-secure/images/whfb-intune-reset-pin.jpg
new file mode 100644
index 0000000000..0eae3a4546
Binary files /dev/null and b/windows/keep-secure/images/whfb-intune-reset-pin.jpg differ
diff --git a/windows/keep-secure/images/whfb-pin-reset-phone-notification.png b/windows/keep-secure/images/whfb-pin-reset-phone-notification.png
new file mode 100644
index 0000000000..f86101b1e8
Binary files /dev/null and b/windows/keep-secure/images/whfb-pin-reset-phone-notification.png differ
diff --git a/windows/keep-secure/images/whfb-reset-pin-prompt.jpg b/windows/keep-secure/images/whfb-reset-pin-prompt.jpg
new file mode 100644
index 0000000000..d9acfd8170
Binary files /dev/null and b/windows/keep-secure/images/whfb-reset-pin-prompt.jpg differ
diff --git a/windows/keep-secure/images/whfb-reset-pin-settings.jpg b/windows/keep-secure/images/whfb-reset-pin-settings.jpg
new file mode 100644
index 0000000000..21d37405a7
Binary files /dev/null and b/windows/keep-secure/images/whfb-reset-pin-settings.jpg differ
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
index 813dde388c..152eec4793 100644
--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@@ -112,7 +112,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
5. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
-## Turn on or turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511)
+## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
@@ -147,6 +147,20 @@ If you want to stop using the services that are provided by the TPM, you can use
- If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
- If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
+
+### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions)
+
+If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password.
+
+1. Open the TPM MMC (tpm.msc).
+
+2. In the **Action** pane, click **Change the Owner Password**
+
+ - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
+
+ - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
+
+This capability was fully removed from TPM.msc in later versions of Windows.
## Use the TPM cmdlets
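Review bot: in the new "Change the TPM Owner Password" section, both sub-steps under step 2 end with "click **Turn TPM Off**", which looks copied from the "Turn off the TPM" procedure above; for a password change that is the wrong final action, and the bullets should end with the dialog's actual confirmation button (the page as written does not name it). Step 2 ("click **Change the Owner Password**") is missing its terminating period, and the "owner password" link uses an absolute technet.microsoft.com URL while the rest of the file uses relative .md links; if that topic lives in this folder, use the relative form so the build validates it.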
diff --git a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
index 276cb49632..e0b1346b9e 100644
--- a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
-title: Investigate user account in Windows Defender Advanced Threat Protection
-description: Investigate a user account in Windows Defender Advanced Threat Protection for potential compromised credentials or pivot on the associated user account during an investigation.
+title: Investigate a user account in Windows Defender ATP
+description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
keywords: investigate, account, user, user entity, alert, windows defender atp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
index 39aaeb8dc5..edb6564532 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -13,7 +13,8 @@ localizationpriority: high
# Limitations while using Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+
+- Windows 10, version 1703
- Windows 10 Mobile
This table provides info about the most common problems you might encounter while running WIP in your organization.
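Review bot: this hunk replaces "Windows 10, version 1607" with "Windows 10, version 1703" and inserts a blank line before the list, whereas the other WIP topics in this commit change the same line to "Windows 10, version 1607 and later". If these limitations still apply to 1607 (only the Azure RMS USB row further down is 1703-specific), use the same "version 1607 and later" wording here and drop the stray blank line for consistency.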
@@ -26,7 +27,7 @@ This table provides info about the most common problems you might encounter whil
Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. |
- If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program. If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
+ If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703. If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited. We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
@@ -79,6 +80,27 @@ This table provides info about the most common problems you might encounter whil
Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. |
We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). |
+
+ WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
+
+ - AppDataRoaming
+ - Desktop
+ - StartMenu
+ - Documents
+ - Pictures
+ - Music
+ - Videos
+ - Favorites
+ - Contacts
+ - Downloads
+ - Links
+ - Searches
+ - SavedGames
+
+ |
+ WIP isn’t turned on for employees in your organization. |
+ Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). |
+
>[!NOTE]
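Review bot: the new table row (starting "WIP isn't turned on if any of the following folders") will not render as a table row: in markdown a row must be a single line, but this cell spans multiple lines with a bulleted list, blank lines, and a lone `|` closing the cell. Put the row on one line and express the folder list with HTML inside the cell (for example `<ul><li>AppDataRoaming</li><li>Desktop</li>...</ul>` or `<br>` separators), as other tables in this repo do. Also confirm that the folder names (AppDataRoaming, StartMenu, SavedGames) match the exact names used by the Folder Redirection setting, since readers will search for them verbatim.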
diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
index 73f0e86007..4537784b7b 100644
--- a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
---
title: View and organize the Windows Defender ATP machines list
-description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the machine list which can enhance investigations.
+description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations.
keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
index 39ecd14409..e1142eb8e3 100644
--- a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
@@ -124,7 +124,7 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:**
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
```PowerShell
Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
@@ -171,9 +171,13 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
## Related topics
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
index 87b9ad4cbd..7228604795 100644
--- a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -56,7 +56,7 @@ If Windows Defender AV did not download protection updates for a specified perio
**Use PowerShell cmdlets to configure catch-up protection updates:**
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
```PowerShell
Set-MpPreference -SignatureUpdateCatchupInterval
@@ -145,11 +145,11 @@ This feature can be enabled for both full and quick scans.
4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**.
> [!NOTE]
-> The GP setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
+> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run.
-**Use PowerShell cmdlets to XX:**
+**Use PowerShell cmdlets to configure catch-up scans:**
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
```PowerShell
Set-MpPreference -DisableCatchupFullScan
@@ -185,6 +185,10 @@ See the following for more information and allowed parameters:
## Related topics
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
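Review bot: the file still ends without a trailing newline ("\ No newline at end of file"); add one so the next edit to the Related topics list does not show a spurious change on the last line.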
diff --git a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
index 8112758cdd..28197fc0c6 100644
--- a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md
@@ -74,7 +74,7 @@ You can also randomize the times when each endpoint checks and downloads protect
**Use PowerShell cmdlets to schedule protection updates:**
-Use the following cmdlets to enable cloud-delivered protection:
+Use the following cmdlets:
```PowerShell
Set-MpPreference -SignatureScheduleDay
@@ -100,9 +100,13 @@ See the following for more information and allowed parameters:
## Related topics
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
index 00e332bca1..a9cc36fc65 100644
--- a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
@@ -131,6 +131,11 @@ See the following for more information:
## Related topics
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md
index f92c5cee6a..856216aac1 100644
--- a/windows/keep-secure/mandatory-settings-for-wip.md
+++ b/windows/keep-secure/mandatory-settings-for-wip.md
@@ -13,13 +13,13 @@ localizationpriority: high
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
>[!IMPORTANT]
->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
+>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization.
|Task |Description |
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index b8c5694f12..5498802fbb 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -53,10 +53,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t
#### Internet connectivity
Internet connectivity on endpoints is required.
-SENSE can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data.
-
-> [!NOTE]
-> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data.
For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
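Review bot: deleting the note at "SENSE is the internal name used to refer to the behavioral sensor" removes the only place this page maps that name to the Windows Defender ATP sensor, so anyone who encounters the SENSE name elsewhere loses the connection. Suggest keeping it as a parenthetical in the replacement line, e.g. "The Windows Defender ATP sensor (known internally as SENSE) can utilize up to 5MB daily of bandwidth...", rather than dropping it outright.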
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md
index c3ad6bf5a3..b2b23e5275 100644
--- a/windows/keep-secure/overview-create-wip-policy.md
+++ b/windows/keep-secure/overview-create-wip-policy.md
@@ -13,7 +13,7 @@ localizationpriority: high
# Create a Windows Information Protection (WIP) policy
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
index 2e7af88cf4..718ca488fb 100644
--- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md
@@ -365,17 +365,33 @@ to Windows 10 features
### Converting an EMET XML settings file into Windows 10 mitigation policies
-One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file, thus enabling a straightforward deployment workflow. To aid with security configuration and deployment of Windows 10 devices, you can download a set of EMET Policy Converter cmdlets. With these cmdlets, you can use an EMET XML settings file to generate mitigation policies for Windows 10.
+One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet:
-The Converter feature is currently available as a Windows PowerShell cmdlet, **Set-ProcessMitigations -c** (instead of **-c**, you can also type **-Convert**). This cmdlet, and the Process Mitigation Management Tool collection of cmdlets, provides the following capabilities:
+```powershell
+Install-Module -Name ProcessMitigations
+```
-- **Converting EMET settings to Windows 10 settings**: You can run **Set-ProcessMitigations -Convert** and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings.
+The ConvertTo-ProcessMitigationPolicy cmdlet can:
-- **Auditing and modifying the converted settings (the output file)**: After you create the output file, you can apply and manually audit the mitigation settings by running cmdlets, through which you can Apply, Enumerate, Enable, Disable, and Save settings (see the Process Mitigation Management Tool documentation).
+- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example:
+
+ ```powershell
+ ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml
+ ```
-- **Converting Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
+- **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
-- **Converting Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use **Set-ProcessMitigations -Convert** to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md).
+ ```powershell
+ Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL
+ ```
+
+- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections.
+
+- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example:
+
+ ```powershell
+ ConvertTo-ProcessMitigationPolicy -EMETfile certtrustrules.xml -output enterprisecertpinningrules.xml
+ ```
#### EMET-related products
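Review bot: the example under "Audit and modify the converted settings (the output file)" does not illustrate that bullet: `Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL` changes the mitigation state for a process, not the converted output file, so either move it to a separate "apply mitigations to a process" bullet or reword the lead sentence. The same example disables MandatoryASLR and DEPATL for notepad.exe; since that weakens exploit mitigation on the target, add a one-line caveat that disabling mitigations is for compatibility troubleshooting and should be reverted afterwards. The `ConvertTo-ProcessMitigationPolicy -EMETfile ... -output ...` lines appear to rely on abbreviated parameter names; docs should use the full names reported by `Get-Help ConvertTo-ProcessMitigationPolicy -Full`, because prefix abbreviations become ambiguous when the module gains parameters. Finally, `Install-Module -Name ProcessMitigations` fetches from a registered PowerShell repository (PSGallery by default), which the text should state, and the "elevated PowerShell session" instruction is only needed for an all-users install; mention `-Scope CurrentUser` as the non-elevated option and advise checking the module's publisher before installing it into an elevated session.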
diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
index 1e062c51a0..b41b8bdaae 100644
--- a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -71,7 +71,8 @@ You can use the complete code to create calls to the API.
## Related topics
- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
index 1523930b5c..dab6725222 100644
--- a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Configure Windows Defender Advanced Threat Protection preferences settings
+title: Configure Windows Defender ATP preferences settings
description: Use the preferences setup to configure and update your preferences settings such as enabling advanced features, preview experience, email notifications, or custom threat intelligence.
keywords: preferences settings, settings, advanced features, preview experience, email notifications, custom threat intelligence
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
index f1e4b41964..8ae02a81bb 100644
--- a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Turn on the preview experience in Windows Defender Advanced Threat Protection
+title: Turn on the preview experience in Windows Defender ATP
description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features.
keywords: advanced features, preferences setup, block file
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
index a37553eb2c..0a8a8d62ea 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -14,7 +14,7 @@ localizationpriority: high
# Protect your enterprise data using Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
@@ -28,7 +28,7 @@ You’ll need this software to run WIP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
-|Windows 10, version 1607 | Microsoft Intune
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
+|Windows 10, version 1607 or later | Microsoft Intune
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
@@ -93,8 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
- >[!NOTE]
- >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+
+ >**Note**
For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
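Review bot: the replacement callout `>**Note**` at the end of this hunk breaks the alert convention used by the removed lines (`>[!NOTE]`) and by the rest of this PR, and the two body lines that follow it ("For management of Surface devices..." and "System Center Configuration Manager also allows...") are no longer prefixed with `>`, so they render as ordinary paragraphs outside the note. Keep `>[!NOTE]` and prefix each body line with `>`. Worth making explicit while here: the factory-reset sentence means the Configuration Manager revoke path also destroys personal data, which is the opposite of the "leaving personal data alone" promise in the bullet above, so it belongs in the callout as a warning rather than as a trailing remark.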
diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index 670143cd10..5e04c5302d 100644
--- a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -190,6 +190,6 @@ HTTP error code | Description
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
-- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
-- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
index fb4e54687b..a67b250923 100644
--- a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
@@ -73,8 +73,9 @@ You can use the complete code to create calls to the API.
[!code[CustomTIAPI](./code/example.py#L1-L53)]
## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md
index b7b8ab7a18..ca34c042a9 100644
--- a/windows/keep-secure/recommended-network-definitions-for-wip.md
+++ b/windows/keep-secure/recommended-network-definitions-for-wip.md
@@ -14,7 +14,7 @@ localizationpriority: high
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
index b7812a0ba4..e9d223c9d6 100644
--- a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Take response actions on a file in Windows Defender Advanced Threat Protection
+title: Take response actions on a file in Windows Defender ATP
description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details.
keywords: respond, stop and quarantine, block file, deep analysis
search.product: eADQiWindows 10XVcnh
@@ -85,7 +85,7 @@ You can roll back and remove a file from quarantine if you’ve determined that
```
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
```
-
+
> [!NOTE]
> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
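Review bot: the command line in this hunk's context, `“%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All`, uses typographic quotes and en-dashes, so it fails when pasted into a console; since the hunk already edits the whitespace line directly below it, replace them with straight double quotes and ASCII hyphens in the same change. The note that follows ("will remove all files that were quarantined on this machine in the last 30 days") reads as if files are deleted, while `-Restore -All` restores them; say "remove from quarantine (restore)" so the verb matches the command.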
diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
index 0e2b10168f..d0c899983f 100644
--- a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Take response actions on a machine in Windows Defender Advanced Threat Protection
+title: Take response actions on a machine in Windows Defender ATP
description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details.
keywords: respond, isolate, isolate machine, collect investigation package, action center
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
index 22b507a210..a22e882c62 100644
--- a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Take response actions on files and machines in Windows Defender Advanced Threat Protection
+title: Take response actions on files and machines in Windows Defender ATP
description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package.
keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
index 7147c968b9..aa7ec15eef 100644
--- a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
+++ b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Review the results of Windows Defender AV scans
description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
-keywords:
+keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -13,3 +13,79 @@ author: iaanw
---
# Review Windows Defender AV scan results
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center app
+
+
+After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. You can also define
+
+
+**Use Configuration Manager to review Windows Defender AV scan results:**
+
+See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
+
+
+**Use the Windows Defender Security Center app to review Windows Defender AV scan results:**
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label.
+
+ - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
+ - Information about the last scan is displayed at the bottom of the page.
+
+
+
+
+**Use PowerShell cmdlets to review Windows Defender AV scan results:**
+
+The following cmdlet will return each detection on the endpoint. If there are multiple detection of the same threat, each detection will be listed separately, based on the time of each detection:
+
+```PowerShell
+Get-MpThreatDetection
+```
+
+
+
+You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
+
+If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
+
+```PowerShell
+Get-MpThreat
+```
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
+
+Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
+
+
+**Use Microsoft Intune to review Windows Defender AV scan results:**
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+
+
+
+## Related topics
+
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
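Review bot: the sentence at "...the results are recorded and you can view the results. You can also define" is cut off and must be completed or deleted before this page ships. "Windows Management Instruction (WMI)" in the WMI section heading should be "Windows Management Instrumentation", as it is spelled correctly in the "Manageability available with" list near the top of the same hunk. The PowerShell section says `-ThreatID` limits `Get-MpThreatDetection` output but gives no value; showing one invocation with the parameter (the ID is obtainable from `Get-MpThreat`) would make the instruction actionable.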
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
deleted file mode 100644
index f8f3682a5d..0000000000
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Learn how to run a scan from command line in Windows Defender (Windows 10)
-description: Windows Defender utility enables IT professionals to use command line to run antivirus scans.
-keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: mjcaparas
-redirect_url: /command-line-arguments-windows-defender-antivirus/
----
-
-# Run a Windows Defender scan from the command line
-
-This page has been redirected to *Usethempcmdrun.execommandlinetooltoconfigureandmanageWindowsDefenderAntivirus*.
\ No newline at end of file
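Review bot: deleting this file also deletes its front-matter `redirect_url: /command-line-arguments-windows-defender-antivirus/`, so any existing inbound links to run-cmd-scan-windows-defender-for-windows-10.md will stop resolving unless the redirect is registered elsewhere (a central redirect map, for instance). Confirm that is in place before removing the stub, or keep the stub until it is.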
diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/keep-secure/run-scan-windows-defender-antivirus.md
index 2c09909c04..f494c10f93 100644
--- a/windows/keep-secure/run-scan-windows-defender-antivirus.md
+++ b/windows/keep-secure/run-scan-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Run and customize on-demand scans in Windows Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
-keywords:
+keywords: scan, on-demand, dos, intune, instant scan
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -16,44 +16,93 @@ author: iaanw
-# Configure and run Windows Defender AV scans
+# Configure and run on-demand Windows Defender AV scans
**Applies to:**
- Windows 10
-IT professionals can use a command-line utility to run a Windows Defender scan.
+**Audience**
-The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
+- Enterprise security administrators
-This utility can be handy when you want to automate the use of Windows Defender.
+**Manageability available with**
-**To run a quick scan from the command line**
+- Windows Defender AV mpcmdrun utility
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center app
-1. Click **Start**, type **cmd**, and press **Enter**.
-2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
-
-```
-C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
-```
-The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
+You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
-The utility also provides other commands that you can run:
+## Quick scan versus full scan
-```
-MpCmdRun.exe [command] [-options]
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+
+
+**Use the mpcmdrum.exe command-line utility to run a scan:**
+
+Use the following `-scan` parameter:
+
+```DOS
+mpcmdrun.exe -scan -scantype 1
```
-Command | Description
-:---|:---
-\- ? / -h | Displays all available options for the tool
-\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software
-\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
-\-GetFiles | Collects support information
-\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
-\-AddDynamicSignature [-Path] | Loads a dynamic signature
-\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
-\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
-
-The command-line utility provides detailed information on the other commands supported by the tool.
+
+
+See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+
+
+
+**Use Configuration Manager to run a scan:**
+
+See [Antimalware and firewall tasks: How to perform an on-demance scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
+
+
+
+**Use the Windows Defender Security Center app to run a scan:**
+
+See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+
+
+
+**Use PowerShell cmdlets to run a scan:**
+
+Use the following cmdlet:
+
+```PowerShell
+Start-MpScan
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to run a scan:**
+
+Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/en-us/library/dn455324(v=vs.85).aspx#methods) class.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Microsoft Intune to run a scan:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+## Related topics
+
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
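Review bot: "on-demance scan" in the Configuration Manager link text (the line after **Use Configuration Manager to run a scan:**) should read "on-demand scan", "Windows Management Instruction (WMI)" should be "Windows Management Instrumentation (WMI)", and "commandline" in the mpcmdrun link text should be "command-line". The runs of three or more consecutive blank lines between the bold sub-headings can be collapsed to a single blank line.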
diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
index 0c16327c23..50ca1d5359 100644
--- a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
+++ b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -1,7 +1,7 @@
---
title: Schedule regular scans with Windows Defender AV
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-keywords:
+keywords: schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@@ -22,7 +22,7 @@ author: iaanw
**Audience**
-- Network administrators
+- Enterprise security administrators
**Manageability available with**
@@ -37,7 +37,197 @@ author: iaanw
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
-RANDOMIZE
+In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
+
+You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
+
+This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings).
+
+To configure the Group Policy settings described in this topic:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
+
+## Quick scan versus full scan
+
+When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
+
+Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
+
+## Set up scheduled scans
+
+Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
+
+
+**Use Group Policy to schedule scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the scan type to use for a scheduled scan | Quick scan
+Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
+Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+Root | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled
+
+**Use PowerShell cmdlets to schedule scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanParameters
+Set-MpPreference -ScanScheduleDay
+Set-MpPreference -ScanScheduleTime
+Set-MpPreference -RandomizeScheduleTaskTimes
+
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Start scheduled scans only when the endpoint is not in use
+
+You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
+
+**Use Group Policy to schedule scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanOnlyIfIdleEnabled
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Configure when full scans should be run to complete remediation
+
+Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule remediation-required scans**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -RemediationScheduleDay
+Set-MpPreference -RemediationScheduleTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Set up daily quick scans
+
+You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule daily scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
+Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets to schedule daily scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference Set-MpPreference -ScanScheduleQuickTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule daily scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Enable scans after protection updates
+
+You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+
+**Use Group Policy to schedule scans after protection updates**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Signature updates | Turn on scan after signature update | A scan will occur immediately after a new protection update is downloaded | Enabled
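Review bot: every WMI block in this hunk lists `SignatureFallbackOrder` and `SignatureDefinitionUpdateFileSharesSouce` (note the typo "Souce"), which are protection-update properties and do not match the scan-schedule settings the surrounding PowerShell blocks configure (ScanParameters, ScanScheduleDay, ScanScheduleTime, RandomizeScheduleTaskTimes, ScanOnlyIfIdleEnabled, RemediationScheduleDay/RemediationScheduleTime, ScanScheduleQuickTime); each section should list the MSFT_MpPreference properties that correspond to the cmdlet parameters shown beside it. Further in the hunk: the daily-scan cmdlet line reads `Set-MpPreference Set-MpPreference -ScanScheduleQuickTime` (cmdlet name duplicated) and gives no cmdlet for the "Specify the interval to run quick scans per day" setting in the table above it; the first row of the first Group Policy table (`Scan | Specify the scan type to use for a scheduled scan | Quick scan`) has three cells instead of four, so "Quick scan" lands in the Description column; the numbered procedure skips from step 1 to step 3; "configure schedules scans" should be "configure scheduled scans"; the Intune URL is missing "#" before "specify-scan-schedule-settings"; and "Windows Management Instruction" should be "Windows Management Instrumentation" in all three headings.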
@@ -45,6 +235,10 @@ RANDOMIZE
## Related topics
+
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
-- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
index 923b49d30a..321924a398 100644
--- a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -40,7 +40,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
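Review bot: the removed and added lines in this hunk are identical as displayed, so this is presumably a trailing-whitespace fix; say so in the commit message so the diff is not mistaken for a content change. While here, the numbered procedure in the context lines goes from step 1 straight to step 3.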
@@ -48,7 +48,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
1. Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.
- 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
+ 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
1. Click **OK**.
@@ -62,7 +62,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
## Related topics
-- [Windows Defender Antivirus in Windows 10](windows-defender-in-windows-10.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md
index cca0a2fa52..81e9282bd3 100644
--- a/windows/keep-secure/testing-scenarios-for-wip.md
+++ b/windows/keep-secure/testing-scenarios-for-wip.md
@@ -14,7 +14,7 @@ localizationpriority: high
# Testing scenarios for Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 96e53b49bd..d1968d5761 100644
--- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -46,8 +46,9 @@ Here is an example of an IOC:
IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
## Related topics
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
index d1a50e1df1..40fc971abf 100644
--- a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -46,8 +46,9 @@ If your client secret expires or if you've misplaced the copy provided when you
## Related topics
-- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
-- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md)
-- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
-- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 3a2b9f8868..f05e878db5 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -229,22 +229,21 @@ If the verification fails and your environment is using a proxy to connect to th
**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared:
+- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
- - ```DisableAntiSpyware```
- - ```DisableAntiVirus```
+ - DisableAntiSpyware
+ - DisableAntiVirus
- For example, in Group Policy:
+ For example, in Group Policy there should be no entries such as the following values:
- ```
- ```
+ - ``````
+ - ``````
- After clearing the policy, run the onboarding steps again on the endpoint.
- You can also check the following registry key values to verify that the policy is disabled:
- 1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```.
- 2. Find the value ```DisableAntiSpyware```.
- 3. Ensure that the value is set to 0.
+ 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
+ 2. Ensure that the value ```DisableAntiSpyware``` is not present.

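Review bot: the two added list items `- ``````` are empty inline code spans, so the example entries promised by "For example, in Group Policy there should be no entries such as the following values:" never render; either supply the example values or drop that sentence together with the two bullets. The registry step also places the word "key" inside the code span (```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```); move it outside so only the path is in code. Finally, replacing "set to 0 or that the settings are cleared" with "cleared" and "Ensure that the value is set to 0" with "is not present" drops the value-0 case the previous text accepted; confirm that a present-but-0 `DisableAntiSpyware` value is really a problem for the ELAM driver, otherwise keep both conditions.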
diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
index 0006cde7b3..ebca8b01c8 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
@@ -2,7 +2,8 @@
title: Windows Defender AV event IDs and error codes
description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
-ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -2283,9 +2284,9 @@ Description of the error.
User action:
- You should restart the system then run a full scan because it’s possible the system was not protected for some time.
+ You should restart the system then run a full scan because it's possible the system was not protected for some time.
-The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start.
+ The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start.
If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
deleted file mode 100644
index 2c5e7c8ce8..0000000000
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Troubleshoot Windows Defender in Windows 10 (Windows 10)
-description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take.
-ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /troubleshoot-windows-defender-antivirus/
----
-
-# Troubleshoot Windows Defender in Windows 10
-
-This page has been redirected to *Troubleshoot Windows Defender Antivirus*.
\ No newline at end of file
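Review bot: this deletes a stub whose front matter carries `redirect_url: /troubleshoot-windows-defender-antivirus/`, so the old troubleshoot-windows-defender-in-windows-10.md URL stops redirecting unless the redirect is registered elsewhere (for example in the repo's redirect map); confirm that before removing the file. The scheduled-scans topic in this same patch drops its link to this file, which is consistent, but other topics in the library may still point at it.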
diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
index c155873b90..ba2be9225a 100644
--- a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
---
-title: Use the custom threat intelligence API to create custom alerts for your organization
+title: Use the custom threat intelligence API to create custom alerts
description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts
keywords: threat intelligence, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
index 07133adfb1..b9a28ec92a 100644
--- a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
@@ -12,4 +12,139 @@ localizationpriority: medium
author: iaanw
---
-# Use Group Policy settings to configure and manage Windows Defender AV
\ No newline at end of file
+# Use Group Policy settings to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
+
+In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus**.
+
+6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+
+The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
+
+
+Location | Setting | Documented in topic
+---|---|---
+Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Client interface | Display additional text to clients when they need to perform an action | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppress all notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppresses reboot notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
+Exclusions | Extension Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Path Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Process Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Turn off Auto Exclusions | [ConfigureandvalidateexclusionsinWindowsDefenderAVscans](configure-exclusions-windows-defender-antivirus.md)
+MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+Network inspection system | Specify additional definition sets for network traffic inspection | Not used
+Network inspection system | Turn on definition retirement | Not used
+Network inspection system | Turn on protocol recognition | Not used
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Monitor file and program activity on your computer | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Scan all downloaded files and attachments | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn off real-time protection | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on behavior monitoring | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on raw volume write notifications | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Reporting | Configure Watson events | Not used
+Reporting | Configure Windows software trace preprocessor components | Not used
+Reporting | Configure WPP tracing level | Not used
+Reporting | Configure time out for detections in critically failed state | Not used
+Reporting | Configure time out for detections in non-critical failed state | Not used
+Reporting | Configure time out for detections in recently remediated state | Not used
+Reporting | Configure time out for detections requiring additional action | Not used
+Reporting | Turn off enhanced notifications | [Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)
+Root | Turn off Windows Defender Antivirus | Not used
+Root | Define addresses to bypass proxy server | Not used
+Root | Define proxy auto-config (.pac) for connecting to the network | Not used
+Root | Define proxy server for connecting to the network | Not used
+Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Turn off routine remediation | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on heuristics | [EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan network files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan packed executables | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan removable drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+Signature updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+Signature updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+
+
+
+
+
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
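Review bot: several link labels in this table have lost their spaces and will render that way, for example `[EnableandconfigureWindowsDefenderAValways-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)` in the Real-time protection and Scan rows and `[Configurethenotificationsthatappearonendpoints](configure-notifications-windows-defender-antivirus.md)` in the Reporting row; restore them as "Enable and configure Windows Defender AV always-on protection and monitoring" and "Configure the notifications that appear on endpoints". In the Signature updates row, "definitions based repots to Microsoft MAPS" should read "definition-based reports to Microsoft MAPS". The run of seven empty `+` lines before `## Related topics` can be cut to one.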
diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
index 9f6c3a09b5..2cf071feeb 100644
--- a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
@@ -12,4 +12,18 @@ localizationpriority: medium
author: iaanw
---
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
\ No newline at end of file
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+
+If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
+
+In both cases, the protection will be labelled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
+
+See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
+
+For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
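Review bot: the new topic omits the **Applies to:** block that the other topics added in this change carry (the WMI topic has one), so add it for consistency. Consider dropping the `/en-us/` locale segment from the two docs.microsoft.com URLs so readers are served their own locale, and remove one of the two blank lines before `## Related topics`.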
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
index 7d975adcd1..d3d65aa3ad 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -27,10 +27,14 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel
> [!NOTE]
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
+
+You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-**Use Windows Defender PowerShell cmdlets**
+**Use Windows Defender AV PowerShell cmdlets:**
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
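Review bot: two typos in the added paragraph and link: "dployments" should be "deployments" and "overriden" (in the link text) should be "overridden". The sentence "Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made" could be tightened to "Changes made with PowerShell affect only the local settings of the endpoint they are run on", which makes the precedence point (centrally deployed policy wins) clearer before the next sentence states it.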
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
deleted file mode 100644
index dec540347e..0000000000
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10
-description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender.
-keywords: scan, command line, mpcmdrun, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /use-powershell-cmdlets-windows-defender-antivirus/
----
-
-# Use PowerShell cmdlets to configure and run Windows Defender
-
-This page has been redirected to *Use PowerShell cmdlets to configure and run Windows Defender Antivirus*.
\ No newline at end of file
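Review bot: this deletes a stub whose only purpose is the `redirect_url: /use-powershell-cmdlets-windows-defender-antivirus/` front matter; unless that redirect has been moved to a site-level redirect map outside this diff, the old use-powershell-cmdlets-windows-defender-for-windows-10 URL will break for existing inbound links. Confirm the redirect is preserved elsewhere before merging.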
diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
index 0d0a20403d..cc74e07307 100644
--- a/windows/keep-secure/use-wmi-windows-defender-antivirus.md
+++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
---
title: Configure Windows Defender AV with WMI
-description: Use WMI scripts to configure Windows Defender AV
+description: Use WMI scripts to configure Windows Defender AV.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@@ -12,5 +12,25 @@ localizationpriority: medium
author: iaanw
---
-# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
+**Applies to:**
+
+- Windows 10
+
+Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
+
+Read more about WMI at the [Microsoft Develop Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
+
+Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
+
+The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
+
+Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that dployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
+
+You can [configure which settings can be overriden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
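Review bot: "Microsoft Develop Network" in the MSDN link text should be "Microsoft Developer Network", and the same two typos appear here as in the PowerShell topic: "dployments" for "deployments" and "overriden" for "overridden" (in the link text). Since the paragraph tells admins that WMI changes are local and can be overwritten by Group Policy, Configuration Manager or Intune, it would help to state the practical consequence in one sentence: a setting that must hold should be set through the central policy tool rather than scripted on the endpoint.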
diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md
index 9ebb14e657..daa6be5167 100644
--- a/windows/keep-secure/using-owa-with-wip.md
+++ b/windows/keep-secure/using-owa-with-wip.md
@@ -13,7 +13,7 @@ localizationpriority: high
# Using Outlook Web Access with Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
diff --git a/windows/keep-secure/windows-defender-antivirus-compatibility.md b/windows/keep-secure/windows-defender-antivirus-compatibility.md
new file mode 100644
index 0000000000..23e1a82978
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-compatibility.md
@@ -0,0 +1,43 @@
+---
+title: Windows Defender Antivirus and Windows Defender ATP
+description: Windows Defender AV and Windows Defender ATP work together to provide threat detection, remediation, and investigation.
+keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Windows Defender Antivirus and Advanced Threat Protection: Better together
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service beyond Windows Defender Antivirus that helps enterprises detect, investigate, and respond to advanced persistent threats on their network.
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
+
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
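Review bot: the front matter declares `ms.pagetype: security` twice (once before `ms.prod` and again after `ms.sitesec`); drop one. "alongisde" in the passive-mode paragraph should be "alongside" (the typo is carried over from the section removed from windows-defender-antivirus-in-windows-10.md in this same change). The `title` ("Windows Defender Antivirus and Windows Defender ATP") and the H1 ("Windows Defender Antivirus and Advanced Threat Protection: Better together") should match, and the three blank lines between the Audience list and the first paragraph can be reduced to one.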
diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
index f319c7029d..a9cdcf6735 100644
--- a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
@@ -2,7 +2,8 @@
title: Windows Defender Antivirus
description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
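Review bot: this removes `ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2` without a replacement, and the same id is also deleted with the windows-defender-in-windows-10.md stub later in this change, so after merge no page carries it; confirm nothing (redirect tooling, analytics) still keys on that asset id before dropping it.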
@@ -22,6 +23,22 @@ This library of documentation is aimed for enterprise security administrators wh
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
+Windows Defender AV can be managed with:
+- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
+- Microsoft Intune
+
+It can be configured with:
+- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
+- Microsoft Intune
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Group Policy
+
+Some of the highlights of Windows Defender AV include:
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats
+- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection")
+- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
+
## What's new in Windows 10, version 1703
New features for Windows Defender AV in Windows 10, version 1703 include:
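Review bot: the "can be managed with" and "can be configured with" lists share their first two items, and the text does not say what distinguishes managing from configuring; either state the distinction (the first list being the tools that also deploy and report, the second those that can set options) or merge the two lists into one. Add a blank line between each introductory sentence and its list so the lists render consistently across Markdown renderers. In the highlights list, "machine-learning" does not need the hyphen when used as a noun ("based on machine learning").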
@@ -35,6 +52,8 @@ We've expanded this documentation library to cover end-to-end deployment, manage
See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
+
+
## Minimum system requirements
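Review bot: this hunk only inserts two blank lines before `## Minimum system requirements`; whitespace-only changes add noise to the diff, and the extra blank lines should be dropped.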
@@ -47,19 +66,7 @@ Some features require a certain version of Windows 10 - the minimum version requ
Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
-## Compatibility with Windows Defender Advanced Threat Protection
-
-Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
-
-See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
-
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongisde your other antivirus product.
-
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
-
-You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+#
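Review bot: the removed "Compatibility with Windows Defender Advanced Threat Protection" section is replaced by a lone `#`, which renders as an empty heading (or a literal "#" in some renderers); delete that line. Since the section now lives in the new windows-defender-antivirus-compatibility.md, add a link to it here or in the "In this library" table so the passive-mode behaviour stays discoverable from the overview.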
@@ -67,10 +74,10 @@ If you uninstall the other product, and choose to use Windows Defender to provid
Topic | Description
:---|:---
-[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script.
-[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools.
-[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can use a number of management tools, including Group Policy, System Center Configuration Manager, Microsoft Intune, PowerShell cmdlets, and Windows Management Instrumentation (WMI). You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings.
-[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected.
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs in Windows Defender Antivirus and take the appropriate actions.
-[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here.
+[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and powershell script
+[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
+[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
+[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues
+[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here
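Review bot: the descriptions lose their trailing periods for table consistency, but two existing errors are carried over: "how protection and product updates are applies" in the Deploy row should be "are applied", and "powershell script" in the Evaluate row should be "PowerShell script". Dropping the list of management tools from the Configure row is fine now that the "can be configured with" list appears earlier in the topic.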
diff --git a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
index 9c5a224709..3510bcb390 100644
--- a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
@@ -40,7 +40,7 @@ See [Windows Defender Overview for Windows Server](https://technet.microsoft.com
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
-- In Windows Server 2016, [automatic exclusions](configure-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md#sysreq).
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
deleted file mode 100644
index 4c9af5e903..0000000000
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Enable the Block at First Sight feature to detect malware within seconds
-description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
-keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /configure-block-at-first-sight-windows-defender-antivirus/
-
----
-
-# Block at First Sight
-
-This page has been redirected to *Configure the Block at First Sight feature*.
\ No newline at end of file
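Review bot: removing this stub drops the `redirect_url: /configure-block-at-first-sight-windows-defender-antivirus/` redirect for the old windows-defender-block-at-first-sight URL; make sure a site-level redirect exists for it, otherwise inbound links to the Block at First Sight page will 404.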
diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md
deleted file mode 100644
index b63c67e65f..0000000000
--- a/windows/keep-secure/windows-defender-enhanced-notifications.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Configure enhanced notifications for Windows Defender
-description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
-keywords: notifications, defender, endpoint, management, admin
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
-redirect_url: /configure-notifications-windows-defender-antivirus/
----
-
-# Configure enhanced notifications for Windows Defender in Windows 10
-
-This page has been redirected to *Configure notifications*.
\ No newline at end of file
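Review bot: The `redirect_url: /configure-notifications-windows-defender-antivirus/` in this file is lost with the deletion; verify that a central redirect covers the old `windows-defender-enhanced-notifications.md` path and that no other topic in the repo still references it, otherwise readers following bookmarked or search-engine links land on a dead page.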
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
deleted file mode 100644
index 4eb81e6c4e..0000000000
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows Defender in Windows 10 (Windows 10)
-description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
-redirect_url: /windows-defender-antivirus-in-windows-10/
----
-
-# Windows Defender in Windows 10
-
-This page has been redirected to *Windows Defender Antivirus in Windows 10*.
\ No newline at end of file
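Review bot: This stub carries an `ms.assetid` (`6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2`) in addition to `redirect_url: /windows-defender-antivirus-in-windows-10/`; asset ids are what legacy links resolve against, so deleting the file drops both mappings. Because this was the top-level overview topic it is the one most likely to have inbound links; confirm a central redirect for `windows-defender-in-windows-10.md` is in place before removing it.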
diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/keep-secure/windows-defender-security-center-antivirus.md
index 971dd16747..dec5bc9ff3 100644
--- a/windows/keep-secure/windows-defender-security-center-antivirus.md
+++ b/windows/keep-secure/windows-defender-security-center-antivirus.md
@@ -55,7 +55,7 @@ The app also includes the settings and status of:
## Comparison of settings and functions of the old app and the new app
-All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
+All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security Center app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
The following diagrams compare the location of settings and functions between the old and new apps:
@@ -74,11 +74,12 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 | Description
## Common tasks
-This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security app.
+This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security Center app.
> [!NOTE]
> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
+
**Run a scan with the Windows Defender Security Center app**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -108,12 +109,11 @@ This section describes how to perform some of the most common tasks when reviewi
3. Click **Virus & threat protection settings**.
-4. Toggle the switches to **On** for the following settings:
- 1. **Real-time protection**
- 2. **Cloud-based protection**
- 3. **Automatic sample submission**
-
+4. Toggle the **Real-time protection** switch to **On**.
+>[!NOTE]
+>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
+>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable limited periodic scanning.
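Review bot: The added note states without qualification that Windows Defender AV "will automatically disable itself" when another antivirus product is installed, but this same patch documents that on Windows Server 2016 it will not disable itself in that case; scope the sentence to Windows 10 client endpoints (the subject of this topic) or link the Server 2016 exception so the two statements do not contradict each other. Also add a blank line between step 4 and `>[!NOTE]`: a note block butted directly against a list item renders inconsistently, and the other `>[!NOTE]` in this file is preceded by a blank line. Finally, the removed sub-steps for **Cloud-based protection** and **Automatic sample submission** are no longer described anywhere in this hunk; if those toggles are still present in the app, keep them as steps rather than dropping them silently, since both affect what telemetry and samples leave the endpoint.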
diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md
index 98ee046b77..107cfa5c1f 100644
--- a/windows/keep-secure/wip-app-enterprise-context.md
+++ b/windows/keep-secure/wip-app-enterprise-context.md
@@ -13,7 +13,7 @@ localizationpriority: high
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
**Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
- Windows 10 Mobile
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
@@ -46,8 +46,7 @@ The **Enterprise Context** column shows you what each app can do with your enter
- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
- >[!IMPORTANT]
- >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
+ >**Important** Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
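Review bot: Replacing `>[!IMPORTANT]` with `>**Important**` downgrades a rendered alert box to a plain blockquote with bold text, which is inconsistent with the `>[!NOTE]` / `>[!IMPORTANT]` alert syntax used elsewhere in this patch. If the change was made because the alert did not render inside the indented bullet, the usual fix is to keep `>[!IMPORTANT]` on its own line and indent both quoted lines consistently under the list item.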
diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md
index 873c393efd..311f3f125f 100644
--- a/windows/manage/new-policies-for-windows-10.md
+++ b/windows/manage/new-policies-for-windows-10.md
@@ -74,6 +74,8 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind
- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
+Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+
If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317).
No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference.
diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md
index 9542529fbe..8985c21e1c 100644
--- a/windows/manage/roles-and-permissions-windows-store-for-business.md
+++ b/windows/manage/roles-and-permissions-windows-store-for-business.md
@@ -26,72 +26,15 @@ Store for Business has a set of roles that help admins and employees manage acce
This table lists the global user accounts and the permissions they have in the Store for Business.
-
-
-
-
-
-
-
-
-
-
-
-
-Sign up for Store for Business |
-X |
- |
- |
-
-
-Assign roles |
-X |
-X |
- |
-
-
-Modify company profile settings |
-X |
- |
- |
-
-
-Manage Store for Business settings |
-X |
- |
- |
-
-
-Acquire apps |
-X |
- |
-X |
-
-
-Distribute apps |
-X |
- |
-X |
-
-
-Sign policies and catalogs |
-X |
- |
- |
-
-
-
-
+| | Global Administrator | Billing Administrator |
+| ------------------------------ | --------------------- | --------------------- |
+| Sign up for Store for Business | X | |
+| Modify company profile settings | X | |
+| Acquire apps | X | X |
+| Distribute apps | X | X |
-- **Global Administrator** - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business, and assign Store for Business roles to other employees.
-
-- **User Administrator** - IT Pros with this account can assign Store for Business roles to other employees, as long as the User Administrator also has the Store for Business Admin role.
+- **Global Administrator** - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business.
- **Billing Administrator** - IT Pros with this account have the same permissions as the Store for Business Purchaser role.
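Review bot: The rebuilt table drops the **Assign roles**, **Manage Store for Business settings** and **Sign policies and catalogs** rows that the old table marked with X for the Global Administrator, and the **User Administrator** column and bullet are removed entirely, yet the Global Administrator bullet still says it can do "everything allowed in the Store for Business Admin role" and the note later in this same file ("To assign roles, you need to be a Global Administrator or a Store Administrator") still says Global Administrators assign roles. Either restore the rows so the table matches the prose, or explain in the PR why the permissions changed; a permissions table that under-reports what an account can do misleads admins who use it for least-privilege role assignment.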
@@ -101,74 +44,15 @@ Store for Business has a set of roles that help IT admins and employees manage a
This table lists the roles and their permissions.
-
-
-
-
-
-
-
-
-
-
-
-
-Sign up for Store for Business |
- |
- |
- |
-
-
-Assign roles |
- |
- |
- |
-
-
-Modify company profile settings |
- |
- |
- |
-
-
-Manage Store for Business settings |
-X |
- |
- |
-
-
-Acquire apps |
-X |
-X |
- |
-
-
-Distribute apps |
-X |
-X |
- |
-
-
-Sign policies and catalogs |
-X |
- |
- |
-
-
-Sign Device Guard changes |
- |
- |
-X |
-
-
-
+| | Admin | Purchaser | Device Guard signer |
+| ------------------------------ | ------ | -------- | ------------------- |
+| Assign roles | X | | |
+| Manage Store for Business settings | X | | |
+| Acquire apps | X | X | |
+| Distribute apps | X | X | |
+| Sign policies and catalogs | X | | |
+| Sign Device Guard changes | X | | X |
-
These permissions allow people to:
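Review bot: Two cells in the new table change the stated permissions rather than just reformatting the old HTML table: **Assign roles** now gets an X under Admin (the old table had no X in any column for that row), and **Sign Device Guard changes** now gets an X under Admin as well as under Device Guard signer (the old table marked only the Device Guard signer). Giving the Admin role signing rights over Device Guard code-integrity policy is a meaningful privilege change; if it is intentional, say so in the commit message, otherwise revert that cell.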
@@ -184,7 +68,7 @@ These permissions allow people to:
- Offline licensing
- - Permissions (view only)
+ - Permissions
- Private store
@@ -196,12 +80,10 @@ These permissions allow people to:
1. Sign in to Store for Business.
- **Note**
- You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
-
- To assign roles, you need to be a Global Administrator or a Store Administrator that is also a User Administrator.
-
-
+ >[!Note]
+ >You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.
+
+ To assign roles, you need to be a Global Administrator or a Store Administrator.
2. Click **Settings**, and then choose **Permissions**.
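Review bot: The rewritten note uses `>[!Note]` while every other alert in this patch uses the uppercase `>[!NOTE]` form; use the uppercase form so the alert is recognized consistently. Also "Store Administrator" in the last added line does not match the role name "Store for Business Admin" used two lines above and in the roles table; pick one name.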
@@ -211,9 +93,7 @@ These permissions allow people to:

-4.
-
- If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md)
+4. If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md)
diff --git a/windows/plan/windows-10-enterprise-faq-itpro.md b/windows/plan/windows-10-enterprise-faq-itpro.md
index 192d0910c6..60a48fef2f 100644
--- a/windows/plan/windows-10-enterprise-faq-itpro.md
+++ b/windows/plan/windows-10-enterprise-faq-itpro.md
@@ -49,7 +49,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi
### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
-[Windows Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
+[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics).
## Administration and deployment
@@ -64,15 +64,9 @@ Updated versions of Microsoft deployment tools, including MDT, Configuration Man
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
-### Are there any deployment tools available to support Windows 10?
-
-Updated versions of Microsoft deployment tools, including Configuration Manager, MDT, and the Windows Assessment and Deployment Kit (Windows ADK) have been released adding support for Windows 10. For most organizations currently using MDT or Configuration Manager to deploy Windows, deployment of Windows 10 will change very little.
-
-For more information on deployment methods for Windows 10, see [Windows 10 deployment tools](https://technet.microsoft.com/library/mt297512.aspx) and [Windows 10 deployment scenarios](https://technet.microsoft.com/library/mt282208.aspx).
-
### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
-If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Software Assurance, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
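Review bot: The rewritten sentence mixes two licensing vehicles: it makes entitlement depend on a "current Windows 10 Enterprise E3 or E5 subscription" but then attributes it to "the rights of Software Assurance", and the unchanged next paragraph still contrasts with "a volume license agreement for Windows that does not include Software Assurance". State whether the entitlement comes from Software Assurance, from an E3/E5 subscription, or either, and adjust the following paragraph to match. Minor: "and current Windows 10 Enterprise E3 or E5 subscription" needs an article ("a current").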
@@ -104,12 +98,7 @@ For more information on pros and cons for these tools, see [Servicing Tools](htt
### Where can I find information about new features and changes in Windows 10 Enterprise?
-For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library. You can find information You'll find info on features like these:
-- Modern deployment - Zero-touch deployment, bulk AD enrollment with provisioning, UEFI conversion tooland
-- Windows Analytics - Upgrade Readiness, and Update Compliance
-- Windows as a service enhancements - Differential feature update support, express update support for System Center Configuration Manager and third-party management software
-- Mobile application management (MAM) and enhanced MDM
-- Advanced security with Windows Defender - App Guard, Credential Guard, App Control, ATP) and Windows Hello
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library.
Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
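Review bot: The "What's new in Windows 10, version 1703" link still points at `https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2`, an internal staging host that readers outside the corporate network cannot reach; replace it with the public TechNet URL before this ships.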
diff --git a/windows/update/TOC.md b/windows/update/TOC.md
index cb2e9787f8..b16ed8c89e 100644
--- a/windows/update/TOC.md
+++ b/windows/update/TOC.md
@@ -19,5 +19,8 @@
## [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
## [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
## [Manage device restarts after updates](waas-restart.md)
+## [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+### [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+### [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
## [Change history for Update Windows 10](change-history-for-update-windows-10.md)
diff --git a/windows/update/images/waas-wipfb-accounts.png b/windows/update/images/waas-wipfb-accounts.png
new file mode 100644
index 0000000000..27387e3e7b
Binary files /dev/null and b/windows/update/images/waas-wipfb-accounts.png differ
diff --git a/windows/update/images/waas-wipfb-change-user.png b/windows/update/images/waas-wipfb-change-user.png
new file mode 100644
index 0000000000..bf6fe39beb
Binary files /dev/null and b/windows/update/images/waas-wipfb-change-user.png differ
diff --git a/windows/update/images/waas-wipfb-work-account.jpg b/windows/update/images/waas-wipfb-work-account.jpg
new file mode 100644
index 0000000000..4b34385b18
Binary files /dev/null and b/windows/update/images/waas-wipfb-work-account.jpg differ
diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md
index f6029dff92..0bfbe6c026 100644
--- a/windows/update/waas-configure-wufb.md
+++ b/windows/update/waas-configure-wufb.md
@@ -90,7 +90,7 @@ Starting with version 1703, when configuring pause through policy, a start date
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date.
-With version 1703, pause will provide a more consistent experience:
+With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
@@ -235,11 +235,11 @@ In the Windows Update for Business policies in version 1511, all the deferral ru
Group Policy keysVersion 1511 GPO keys | Version 1607 GPO keys |
**DeferUpgrade**: *enable/disable*
-Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable* Enabling will pause both upgrades and updates for a max of 35 days | **DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel** Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 30 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable* |
+Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***Pause**: *enable/disable* Enabling will pause both upgrades and updates for a max of 35 days**DeferFeatureUpdates**: *enable/disable***BranchReadinessLevel** Set device on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdates**: *Enable/disable***DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDrivers**: *enable/disable* |
MDM keysVersion 1511 MDM keys | Version 1607 MDM keys |
-**RequireDeferUpgade**: *bool* Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool* Enabling will pause both upgrades and updates for a max of 35 days | **BranchReadinessLevel** Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 30 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td> |
+**RequireDeferUpgade**: *bool* Puts the device on CBB (no ability to defer updates while on the CB branch).**DeferUpgradePeriod**: *0 - 8 months***DeferUpdatePeriod**: *1 – 4 weeks***PauseDeferrals**: *bool* Enabling will pause both upgrades and updates for a max of 35 days | **BranchReadinessLevel** Set system on CB or CBB**DeferFeatureUpdatesPeriodinDays**: *1 - 180 days***PauseFeatureUpdates**: *enable/disable* Enabling will pause Feature updates for a max of 60 days**DeferQualityUpdatesPeriodinDays**: *0 - 35 days***PauseQualityUpdates**: *enable/disable* Enabling will pause Quality updates for a max of 35 days**ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td> |
### Comparing the version 1607 keys to the version 1703 keys
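Review bot: The new Group Policy row drops the ` | ` column separator that the old row had between "max of 35 days" and "**DeferFeatureUpdates**", so the version 1511 and version 1607 keys now collapse into a single cell while the MDM row below keeps two columns; restore the separator. While the MDM line is being edited to change the quality update range to 0 - 35 days, it also keeps two defects that can be fixed in the same commit: the key is spelled `RequireDeferUpgade` (should be `RequireDeferUpgrade`) and the cell ends with the stray HTML remnant `<*/td>`.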
diff --git a/windows/update/waas-windows-insider-for-business-aad.md b/windows/update/waas-windows-insider-for-business-aad.md
new file mode 100644
index 0000000000..f749ef1c36
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business-aad.md
@@ -0,0 +1,72 @@
+---
+title: Windows Insider Program for Business using Azure Active Directory
+description: Benefits and configuration of corporate accounts in the Windows Insider Program
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business using Azure Active Directory
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+We recently added features and benefits to better support the IT Professionals and business users in our Insider community. This includes the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs.
+
+>[!NOTE]
+>At this point, the Windows Insider Program for Business only supports Azure Active Directory (and not Active Directory on premises) as a corporate authentication method.
+
+>[!TIP]
+>New to Azure Active Directory? Go here for [an introduction to AAD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect), including guidance for [adding users](https://docs.microsoft.com/azure/active-directory/active-directory-users-create-azure-portal), [device registration](https://docs.microsoft.com/azure/active-directory/active-directory-device-registration-overview) and [integrating your on-premises directories with Azure AD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).
+>
+>If your company is currently not using AAD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory. This subscription can be used to create users for enrollment in the Windows Insider Program for Business.
+
+In order to get the most benefit out of the Windows Insider Program for Business, organizations should not use a test tenant of AAD. There will be no modifications to the AAD tenant to support the Windows Insider Program as it will only be used as an authentication method.
+
+## Check if a device is connected to your company’s Azure Active Directory subscription
+Simply go to **Settings > Accounts > Access work or school**. If a corporate account is on Azure Active Directory and it is connected to the device, you will see the account listed as highlighted in the image below.
+
+
+
+## Enroll a device with an Azure Active Directory account
+1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions.
+2. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**.
+
+>[!NOTE]
+>Make sure that you have administrator rights to the machine and that it has latest Windows updates.
+
+3. Enter the AAD account that you used to register and follow the on-screen directions.
+
+## Switch device enrollment from your Microsoft account to your AAD account
+1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account.
+2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**.
+3. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**.
+4. Under Windows Insider account, click your Microsoft account, then **Change** to open a Sign In box.
+5. Select your corporate account and click Continue to change your account.
+
+
+
+>[!NOTE]
+>Your device must be connected to your corporate account in AAD for the account to appear in the account list.
+
+## Frequently Asked Questions
+
+### Will my test machines be affected by automatic registration?
+All devices enrolled in the Windows Insider Program (physical or virtual) will receive Windows 10 Insider Preview builds (regardless of registration with MSA or AAD).
+
+### Once I register with my corporate account in AAD, do I need to keep my Microsoft account for the Windows Insider Program?
+No, once you set up your device using AAD credentials – all feedback and flighting on that machine will be under your AAD account. You may need MSA for other machines that aren’t being used on your corporate network or to get Windows store app updates.
+
+### How do I stop receiving updates?
+You can simply “unlink” your account by going to **Settings > Updates & Security > Windows Insider Program**, select Windows Insider Account and click **Unlink**.
+
+
+## Related Topics
+- [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
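Review bot: The numbered procedure under "Enroll a device with an Azure Active Directory account" is interrupted by a `>[!NOTE]` between steps 2 and 3; unless the note is indented under step 2, Markdown restarts the list and step 3 renders as "1.". The paragraph under "Check if a device is connected..." refers to "the image below" and the "Switch device enrollment" procedure ends in blank lines where an image would be expected, but no image reference is visible in this hunk even though the patch adds `waas-wipfb-accounts.png`, `waas-wipfb-change-user.png` and `waas-wipfb-work-account.jpg`; confirm the image links are present. The FAQ answer to "Will my test machines be affected by automatic registration?" does not actually address automatic registration; it would help to state that only devices someone has enrolled receive Insider Preview builds, which is what the answer implies. Minor: "Sign-in with your corporate account" should be "Sign in", and "it has latest Windows updates" needs "the".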
diff --git a/windows/update/waas-windows-insider-for-business-faq.md b/windows/update/waas-windows-insider-for-business-faq.md
new file mode 100644
index 0000000000..653d6d5c93
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business-faq.md
@@ -0,0 +1,90 @@
+---
+title: Windows Insider Program for Business Frequently Asked Questions
+description: Frequently Asked Questions and answers about the Windows Insider Program
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business Frequently Asked Questions
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+### Are the Windows Insider Program and Windows Insider Program for Business separate programs?
+No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend. We’ve architected some great features together, received amazing feedback, and we’re not done.
+
+### What Languages are available?
+Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese,Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese.
+
+If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds.
+
+Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs).
+
+>[!NOTE]
+> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc).
+
+### How do I register for the Windows Insider Program for Business?
+To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account \that you use for Office 365 and other Microsoft services.
+
+1. Visit https://insider.windows.com and click **Get Started**.
+2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions.
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
+>[!NOTE]
+>Make sure that you have administrator rights to your machine and that it has latest Windows updates.
+
+### How can I find out if my corporate account is on Azure Active Directory?
+On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed.
+
+### I have more than one Azure Active Directory account. Which should I use?
+Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method.
+
+### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials?
+No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp).
+
+### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory?
+No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory.
+
+1. Visit https://insider.windows.com and click Get Started.
+2. Register with your Microsoft account and follow the on-screen registration directions.
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register. Now follow the on-screen directions.
+
+>[!NOTE]
+>Make sure that you have administrator rights to your machine and that it has latest Windows updates.
+
+### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this?
+In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory.
+
+1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD.
+2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**.
+3. In your account Under Windows Insider account, click **Change** to open a pop-up box.
+4. Select your corporate account and click Continue to change your account.
+
+>[!NOTE]
+>Your corporate account must be connected to the device for it to appear in the account list.
+
+### How do I sign into the Feedback Hub with my corporate credentials?
+Sign in to the Feedback Hub using the same AAD account you are using to flight builds.
+
+### Am I going to lose all the feedback I submitted and badges I earned with my MSA?
+No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badge you’ve earned.
+
+### How is licensing handled for Windows 10 Insider builds?
+All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account.
+
+### Can I use the Software in a live operating environment?
+The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments. This software may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version.
+
+### Can a single MSA or AAD account be used to register more than one PC in the program?
+Yes. If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback).
+
+
+## Related Topics
+- [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
\ No newline at end of file
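Review bot: Several typos in the added FAQ text should be fixed before this merges: `Japanese,Russian` in the language list is missing a space; `This account is the same account \that you use` carries a stray backslash; `In your account Under Windows Insider account, click **Change**` in the account-switch steps runs two fragments together (drop `In your account`); and `badge you've earned` should read `badges you've earned`. `Sign-in` is used as a verb in several steps (`Sign-in with your corporate account in AAD`); as a verb it is two words, `Sign in`. The `>[!NOTE]` block that directly follows step 3 of the registration steps needs a blank line before it, otherwise it renders as part of the list item (the equivalent note in the MSA section does have the blank line). The sentence `If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA` needs a comma after `license`. The file also lacks a trailing newline.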
diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md
new file mode 100644
index 0000000000..b25fa5f18b
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business.md
@@ -0,0 +1,166 @@
+---
+title: Windows Insider Program for Business
+description: Overview of the Windows Insider Program for Business
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
+
+The Windows Insider Program for Business gives you the opportunity to:
+* Get early access to Windows Insider Preview Builds
+* Provide feedback to Microsoft in real-time via the Feedback Hub app.
+* Sign-in with coproate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
+
+
+Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
+
+The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+
+## Getting started with Windows Insider Program for Business
+
+To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
+
+1. Navigate to [insider.windows.com](https://insider.windows.com) and go to **Get Started**.
+2. Sign-in with you desired account. It can be either a Microsoft Account or your organizational Azure Active Directory Account.
+
+
+
+3. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program.
+4. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart.
+
+## Install your first preview build from the Windows Insider Program
+
+After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select.
+
+>[!TIP]
+>Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring.
+
+The options for Insider level are:
+
+### Release Preview
+
+Best for Insiders who enjoy getting early access to updates for the Current Branch, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great.
+
+Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
+
+* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch
+* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows
+Ring
+
+### Slow
+
+The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
+
+* Builds are sent to the Slow Ring after feedback has been received from Insiders within the Fast Ring and analyzed by our Engineering teams.
+* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis.
+* These builds are still may have issues that would be addressed in a future flight.
+
+### Fast
+
+Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great
+
+* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds.
+* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations.
+* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. • Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum
+
+>[!NOTE]
+>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
+
+## How to switch between flight rings
+
+During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Changing rings is a simple process that requires only a few clicks:
+
+1. Go to **Settings > Updates & Security > Windows Insider Program**
+2. Under **Choose your level**, select between the following rings -
+ * [Windows Insider Fast](#fast)
+ * [Windows Insider Slow](#slow)
+ * [Release Preview](#release-preview)
+
+## How to switch between you MSA and your Corporate AAD account
+
+The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA).
+
+To switch between accounts, go to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**.
+
+
+>[!NOTE]
+>If you would like to use your corporate account, your device must be connected to your corporate account in AAD for the account to appear in the account list.
+
+## Sharing Feedback Via the Feedback Hub
+As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals.
+
+When providing feedback, please consider the following:
+1. Please use the **Feedback Hub** app to submit your feedback to Microsoft.
+2. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review.
+3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
+
+### How to use your corporate AAD account for additional Feedback Hub benefits
+Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that are using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
+
+>[!NOTE]
+>If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
+
+## Not receiving Windows 10 Insider Preview build updates?
+
+In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue:
+
+### Perform a manual check for updates
+Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**.
+
+>[!NOTE]
+>If you have set Active Hours, ensure your device is left turned on and signed in during the off-hours so the install process can complete.
+
+### Make sure Windows is activated
+Go to **Settings > Updates & Security > Activation** to verify Windows is activated.
+
+### Make sure your coporate account in AAD is connected to your device
+Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account.
+
+### Make sure you have selected a flight ring
+Open **Settings > Update & Security > Windows Insider Program** and select your flight ring.
+
+### Have you recently done a roll-back?
+If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**.
+
+### Did you do a clean install?
+After a clean-install and initial setup of a Microsoft or coporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner.
+
+### Are there known issues for your current build?
+On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcments and known issues.
+
+## Exiting flighting
+
+After you’ve tried the latest Insider Preview builds, you may want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device.
+
+## Additional help resources
+
+* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build.
+* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others.
+
+## Learn More
+- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
+
+
+## Related Topics
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
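Review bot: The new page has a number of spelling and structure problems. Spelling: `coproate credentials`, `Sign-in with you desired account` (should be `your`), `These builds are still may have issues` (drop `are`), `between you MSA and your Corporate AAD account` (`your`), `the same corporate account in AAD that are using` (missing `you`), `AAD sing-in`, `coporate` (twice), `announcments`, and `in timely manner` (`in a timely manner`). Structure: the lone `Ring` line after the Release Preview bullets is a leftover from the preceding sentence and should be deleted or folded back into `Development Branch`; the Fast ring's last bullet has a second item glued onto it with a `•` (`when you are significantly blocked. • Please remember to report any issue`) that should be its own `*` item; and the two blank lines between steps 2 and 3 of the Getting started list break the numbered list, so step 3 will restart numbering. The intro uses `CB` before it is ever expanded; spell out `Current Branch (CB)` on first use. The Settings path is written inconsistently (`Updates & Security` in some headings, `Update & security` in others); pick one. `Sign-in` as a verb should be `Sign in` throughout. The file also lacks a trailing newline.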
diff --git a/windows/whats-new/images/wcd-cleanpc.PNG b/windows/whats-new/images/wcd-cleanpc.PNG
new file mode 100644
index 0000000000..434eb55cb0
Binary files /dev/null and b/windows/whats-new/images/wcd-cleanpc.PNG differ
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 19a8d2140a..73a74e3409 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -1,6 +1,6 @@
---
title: What's in Windows 10, version 1703
-description: New and updated IT Pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
+description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated).
keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
ms.prod: w10
ms.mktglfcycl: deploy
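Review bot: The changed description line still says `Creators Updated`; since the line is being edited anyway, fix it to `Creators Update` (the body text below uses the correct name).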
@@ -10,14 +10,14 @@ localizationpriority: high
ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
---
-# What's new in Windows 10, version 1703 IT Pro content
+# What's new in Windows 10, version 1703 IT pro content
-Below is a list of some of the new and updated content that discusses Information Technology (IT) Pro features in Windows 10, version 1703 (also known as the Creators Update).
+Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md).
>[!NOTE]
->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
+>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
## Configuration
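Review bot: `discusses Information Technology (IT) pro features` reads oddly once `Pro` is lowercased after the expansion; `discusses IT pro features` is enough, matching the page title and the description line changed in the previous hunk.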
@@ -27,7 +27,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool
Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
-
+
+
+Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp).
+
+
[Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md)
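Review bot: The image `windows/whats-new/images/wcd-cleanpc.PNG` is added as a binary in this change but nothing in this hunk references it; the two blank `+` lines around the new CleanPC paragraph look like the spot where the image markdown was meant to go. Either add the image reference (with alt text) or drop the binary from the change.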
@@ -36,7 +40,7 @@ Windows Configuration Designer in Windows 10, version 1703, includes several new
Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Bulk enrollment in Azure AD is available in the desktop, mobile, kiosk, and Surface Hub wizards.
-
+
### Windows Spotlight
@@ -52,19 +56,18 @@ The following new Group Policy and mobile device management (MDM) settings are a
### Start and taskbar layout
-Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro.
-
-Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md).
+Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro.
Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md).
-### Lockdown Designer for Windows 10 Mobile lockdown files
+[Additional MDM policy settings are available for Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). New MDM policy settings include:
+
+- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings)
+- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep)
+- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist).
-The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
-
-[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
### Cortana at work
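Review bot: In the new MDM settings list, `**AllowPinnedFolder**` and `**ImportEdgeAssets**` are the only entries without a link and without the `Start/` prefix that every other entry carries, and `**Start/HideAppsList**` links to the anchor `#start-hideapplist`, so either the name or the anchor is wrong; make the three consistent with the rest. Separately, this hunk deletes the whole `Lockdown Designer for Windows 10 Mobile lockdown files` section, including the link to `../configure/mobile-lockdown-designer.md`, without a replacement; confirm that removal is intended rather than a casualty of the Start/taskbar rewrite.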
@@ -79,7 +82,7 @@ Using Azure AD also means that you can remove an employee’s profile (for examp
MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
-The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
+The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
@@ -87,7 +90,7 @@ For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md).
## Security
-### Windows Defender Advanced Threat Protection
+### Windows Defender Advanced Threat Protection
New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include:
- **Detection**
@@ -95,7 +98,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
- [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
- Upgraded detections of ransomware and other advanced attacks
- - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed
+ - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
- **Investigation**
Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
@@ -114,16 +117,10 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
- **Other features**
- [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
-
+You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
### Windows Defender Antivirus
-New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include:
-
-- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
-- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
-- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
-
-Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).
+Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).
The new library includes information on:
- [Deploying and enabling AV protection](../keep-secure/deploy-windows-defender-antivirus.md)
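Review bot: the new paragraph `+You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: ...` is inserted directly after the `- [Check sensor health state]` bullet with the blank line removed, so Markdown will render it as a lazy continuation of that list item instead of a standalone paragraph; keep one blank line between the bullet and the paragraph, and one before `### Windows Defender Antivirus` to match the spacing used elsewhere in the file. The removed `-New features for Windows Defender Antivirus (AV)...` list is only moved, so nothing is lost here, but the retained `Windows Defender is now called Windows Defender Antivirus` line is removed and re-added with only a whitespace difference, which adds noise to the diff.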
@@ -136,32 +133,56 @@ Some of the highlights of the new library include:
- [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md)
- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md)
+New features for Windows Defender AV in Windows 10, version 1703 include:
+
+- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
+- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
+
+In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md).
+
+
+You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
### Device Guard and Credential Guard
-Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
-For more information, see [Device Guard Requirements](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-requirements-for-improved-security) and [Credential Guard Security Considerations](../keep-secure/credential-guard.md#security-considerations).
+Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime.
+For more information, see [Device Guard Requirements](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-requirements-for-improved-security) and [Credential Guard Security Considerations](../keep-secure/credential-guard-requirements.md#security-considerations).
### Group Policy Security Options
-The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
+The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
-A new security policy setting
+A new security policy setting
[**Interactive logon: Don't display username at sign-in**](../keep-secure/interactive-logon-dont-display-username-at-sign-in.md) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+### Windows Hello for Business
+
+You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+
+For Windows Phone devices, an adminisrator is able to initiate a remote PIN reset through the Intune portal.
+
+For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**.
+
+For more details, check out [What if I forget my PIN?](../keep-secure/hello-why-pin-is-better-than-password.md#what-if-i-forget-my-pin).
+
## Update
### Windows Update for Business
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates).
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
+
+### Windows Insider for Business
+
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](../update/waas-windows-insider-for-business.md).
### Optimize update delivery
[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
-Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
+Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
Added policies include:
- [Allow uploads while the device is on battery while under set Battery level](../update/waas-delivery-optimization.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level)
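Review bot: three spelling errors in the added and rewritten text: `updated beahvior monitoring` should read `behavior`, `an adminisrator is able to initiate a remote PIN reset` should read `administrator`, and `update deferal periods` (carried over into the rewritten Windows Update for Business line) should read `deferral`. The Credential Guard link is changed from `../keep-secure/credential-guard.md#security-considerations` to `../keep-secure/credential-guard-requirements.md#security-considerations` while the Device Guard link beside it is left unchanged; please confirm that the new file and its `security-considerations` anchor exist, since a broken relative link will not be caught by rendering. Also collapse the two consecutive blank lines before the ransomware whitepaper paragraph to one, and note that the `Display user information`, `A new security policy setting` and `Delivery Optimization policies` lines change only trailing whitespace.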
@@ -172,13 +193,19 @@ Added policies include:
To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md)
+### Uninstalled in-box apps no longer automatically reinstall
+
+When upgrading to Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. (Apps de-provisioned by IT administrators will still be reinstalled.)
+
## Management
### New MDM capabilities
-Windows 10, version 1703 adds several new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM. Some of the new CSPs are:
+Windows 10, version 1703 adds many new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
-- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+Some of the other new CSPs are:
+
+- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data.
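Review bot: the parenthetical `(Apps de-provisioned by IT administrators will still be reinstalled.)` is the behavior an administrator least expects after removing a provisioned app, and the paragraph gives no pointer to how that differs from a user uninstall or how to keep such apps removed; add a sentence or a link to the relevant guidance so the reader can act on it. Separately, the DynamicManagement CSP bullet is removed and re-added verbatim; the only real changes are the rewritten `Windows 10, version 1703 adds many new ... CSPs` paragraph, the new `+Some of the other new CSPs are:` line and the blank lines around it, so leaving the bullet untouched would keep the diff reviewable.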
@@ -186,6 +213,11 @@ Windows 10, version 1703 adds several new [configuration service providers (CSPs
- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections.
+- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx).
+
+- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM.
+
+
[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
### Mobile application management support for Windows 10
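Review bot: the two blank lines added after the EnterpriseAppVManagement bullet, before `[Learn more about new MDM capabilities.]`, should be a single blank line to match the spacing between the other CSP bullets. Minor wording in the same bullet: `manage virtual applications in Windows 10 PCs` reads better as `on Windows 10 PCs`.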
@@ -205,12 +237,38 @@ For more info, see the following topics:
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md)
- [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md)
+## Windows 10 Mobile enhancements
+
+### Lockdown Designer
+
+The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
+
+
+
+[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
+
+### Other enhancements
+
+Windows 10 Mobile, version 1703 also includes the following enhancements:
+
+- SD card encryption
+- Remote PIN resets for Azure Active Directory accounts
+- SMS text message archiving
+- WiFi Direct management
+- OTC update tool
+- Continuum display management
+ - Individually turn off the monitor or phone screen when not in use
+ - Indivudally adjust screen time-out settings
+- Continuum docking solutions
+ - Set Ethernet port properties
+ - Set proxy properties for the Ethernet port
+
## New features in related products
The following new features aren't part of Windows 10, but help you make the most of it.
### Upgrade Readiness
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
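Review bot: the three consecutive blank lines between the Lockdown Designer paragraph and `[Learn more about the Lockdown Designer app.]` look like the place a screenshot was meant to go (the paragraph describes a remote simulation of the Start screen layout); either add the image reference or collapse the gap to one blank line. In the `Other enhancements` list, `Indivudally adjust screen time-out settings` should read `Individually`, `WiFi Direct management` should be `Wi-Fi Direct` to match the `Wi-Fi` spelling used in the NetworkProxy CSP bullet, and `OTC update tool` should spell out the acronym on first use since nothing else on the page defines it. The Upgrade Readiness line at the bottom of this hunk changes only trailing whitespace; while this section is being touched, the unchanged sentence just below it is missing an `and` after `input from the community`, and `Operation Management Suite (OMS)` should be `Operations Management Suite`.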
@@ -224,7 +282,6 @@ For more information about Upgrade Readiness, see the following topics:
Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
-Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
-