deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into apr28-addl

Browse Source
This commit is contained in:
LauraKellerGitHub 2020-05-04 16:31:53 -07:00
commit 08c55b07db
27 changed files with 923 additions and 516 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
devices/hololens/TOC.md
View File

@ -37,7 +37,7 @@
# User management and access management # User management and access management
## [Manage user identity and sign-in for HoloLens](hololens-identity.md) ## [Manage user identity and sign-in for HoloLens](hololens-identity.md)
## [Share your HoloLens with multiple people](hololens-multiple-users.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md)
## [Set up HoloLens as a kiosk for specific applications](hololens-kiosk.md) ## [Set up HoloLens as a kiosk](hololens-kiosk.md)
# Holographic applications # Holographic applications
## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md) ## [Use 3D Viewer on HoloLens](holographic-3d-viewer-beta.md)

14
devices/hololens/hololens-commercial-infrastructure.md
View File

@ -56,7 +56,7 @@ Make sure that [this list](hololens-offline.md) of endpoints are allowed on your
### Remote Assist Specific Network Requirements ### Remote Assist Specific Network Requirements
1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network). 1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
**(Please note, if you dont network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).** **(Please note, if you don't network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams). 1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
### Guides Specific Network Requirements ### Guides Specific Network Requirements
@ -73,18 +73,18 @@ Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for a
1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment) 1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
1. Ensure that your companys users are in Azure Active Directory (Azure AD). 1. Ensure that your company's users are in Azure Active Directory (Azure AD).
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory). Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
1. We suggest that users who need similar licenses are added to the same group. 1. We suggest that users who need similar licenses are added to the same group.
1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) 1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal) 1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
1. Ensure that your companys users (or group of users) are assigned the necessary licenses. 1. Ensure that your company's users (or group of users) are assigned the necessary licenses.
Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups). Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups).
1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options) 1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options)
These steps ensure that your companys users (or a group of users) can add devices. These steps ensure that your company's users (or a group of users) can add devices.
1. **Option 1:** Give all users permission to join devices to Azure AD. 1. **Option 1:** Give all users permission to join devices to Azure AD.
**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** > **Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
**Set Users may join devices to Azure AD to *All*** **Set Users may join devices to Azure AD to *All***
@ -163,7 +163,7 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
1. Check your app settings 1. Check your app settings
1. Log into your Microsoft Store Business account 1. Log into your Microsoft Store Business account
1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”** 1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select "Everyone" or "Specific Groups"**
>[!NOTE] >[!NOTE]
>If you don't see the app you want, you will have to "get" the app by searching the store for your app. **Click the "Search" bar in the upper right-hand corner > type in the name of the app > click on the app > select "Get"**. >If you don't see the app you want, you will have to "get" the app by searching the store for your app. **Click the "Search" bar in the upper right-hand corner > type in the name of the app > click on the app > select "Get"**.
1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again. 1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
@ -171,11 +171,11 @@ Directions for upgrading to the commercial suite can be found [here](https://doc
1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile) 1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
> [!NOTE] > [!NOTE]
> You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps. > You can configure different users to have different Kiosk Mode experiences by using "Azure AD" as the "User logon type". However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png) ![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png)
For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
## Certificates and Authentication ## Certificates and Authentication

549
devices/hololens/hololens-kiosk.md
View File

@ -1,5 +1,5 @@
--- ---
title: Set up HoloLens as a kiosk for specific applications title: Set up HoloLens as a kiosk
description: Use a kiosk configuration to lock down the apps on HoloLens. description: Use a kiosk configuration to lock down the apps on HoloLens.
ms.prod: hololens ms.prod: hololens
ms.sitesec: library ms.sitesec: library
@ -7,8 +7,9 @@ author: dansimp
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 11/13/2018 ms.date: 04/27/2020
ms.custom: ms.custom:
- CI 115262
- CI 111456 - CI 111456
- CSSTroubleshooting - CSSTroubleshooting
ms.reviewer: ms.reviewer:
@ -18,71 +19,347 @@ appliesto:
- HoloLens 2 - HoloLens 2
--- ---
# Set up HoloLens as a kiosk for specific applications # Set up HoloLens as a kiosk
In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional) You can configure a HoloLens device to function as a fixed-purpose device, also called a *kiosk*, by configuring the device to run in kiosk mode. Kiosk mode limits the applications (or users) that are available on the device. Kiosk mode is a convenient feature that you can use to dedicate a HoloLens device to business apps, or to use the HoloLens device in an app demo.
When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don't need to access. This article provides information about aspects of kiosk configuration that are specific to HoloLens devices. For general information about the different types of Windows-based kiosks and how to configure them, see [Configure kiosks and digital signs on Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-methods).
Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the [start gestures](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) (including [Bloom](https://docs.microsoft.com/hololens/hololens1-basic-usage) on HoloLens (1st Gen)) and Cortana are disabled, and placed apps aren't shown in the user's surroundings. > [!IMPORTANT]
> Kiosk mode determines which apps are available when a user signs in to the device. However, kiosk mode is not a security method. It does not stop an "allowed" app from opening another app that is not allowed. In order to block apps or processes from opening, use [Windows Defender Application Control (WDAC) CSP](https://docs.microsoft.com/windows/client-management/mdm/applicationcontrol-csp) to create appropriate policies.
The following table lists the device capabilities in the different kiosk modes. You can use kiosk mode in either a single-app or a multi-app configuration, and you can use one of three processes to set up and deploy the kiosk configuration.
Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast > [!IMPORTANT]
--- | --- | --- | --- | --- > Deleting the multi-app configuration removes the user lockdown profiles that the assigned access feature created. However, it does not revert all the policy changes. To revert these policies, you have to reset the device to the factory settings.
Single-app kiosk | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png)
Multi-app kiosk | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) with **Home** and **Volume** (default)<br><br>Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.<br><br>Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app is enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app and device picker app are enabled in the kiosk configuration.
> [!NOTE] ## Plan the kiosk deployment
> Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`.
The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. ### Kiosk mode requirements
> [!WARNING] You can configure any HoloLens 2 device to use kiosk mode.
> The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access.
To configure a HoloLens (1st gen) device to use kiosk mode, you must first make sure that the device runs Windows 10, version 1803, or a later version. If you have used the Windows Device Recovery Tool to recover your HoloLens (1st gen) device to its default build, or if you have installed the most recent updates, your device is ready to configure.
> [!IMPORTANT]
> To help protect devices that run in kiosk mode, consider adding device management policies that turn off features such as USB connectivity. Additionally, check your update ring settings to make sure that automatic updates do not occur during business hours.
### Decide between a single-app kiosk or a multi-app kiosk
A single-app kiosk starts the specified app when the user signs in to the device. The Start menu is disabled, as is Cortana. A HoloLens 2 device does not respond to the [Start](hololens2-basic-usage.md#start-gesture) gesture. A HoloLens (1st gen) device does not respond to the [bloom](hololens1-basic-usage.md) gesture. Because only one app can run, the user cannot place other apps.
A multi-app kiosk displays the Start menu when the user signs in to the device. The kiosk configuration determines which apps are available on the Start menu. You can use a multi-app kiosk to provide an easy-to-understand experience for users by presenting to them only the things that they have to use, and removing the things they don't need to use.
The following table lists the feature capabilities in the different kiosk modes.
| &nbsp; |Start menu |Quick Actions menu |Camera and video |Miracast |Cortana |Built-in voice commands |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|Single-app kiosk |Disabled |Disabled |Disabled |Disabled |Disabled |Enabled<sup>1</sup> |
|Multi-app kiosk |Enabled |Enabled<sup>2</sup> |Available<sup>2</sup> |Available<sup>2</sup> |Available<sup>2, 3</sup> |Enabled<sup>1</sup> |
> <sup>1</sup> Voice commands that relate to disabled features do not function.
> <sup>2</sup> For more information about how to configure these features, see [Select kiosk apps](#plan-kiosk-apps).
> <sup>3</sup> Even if Cortana is disabled, the built-in voice commands are enabled.
The following table lists the user support features of the different kiosk modes.
| &nbsp; |Supported user types | Automatic sign-in | Multiple access levels |
| --- | --- | --- | --- |
|Single-app kiosk |Managed Service Account (MSA) in Azure Active Directory (AAD) or local account |Yes |No |
|Multi-app kiosk |AAD account |No |Yes |
For examples of how to use these capabilities, see the following table.
|Use a single-app kiosk for: |Use a multi-app kiosk for: |
| --- | --- |
|A device that runs only a Dynamics 365 Guide for new employees. |A device that runs both Guides and Remote Assistance for a range of employees. |
|A device that runs only a custom app. |A device that functions as a kiosk for most users (running only a custom app), but functions as a standard device for a specific group of users. |
### Plan kiosk apps
For general information about how to choose kiosk apps, see [Guidelines for choosing an app for assigned access (kiosk mode)](https://docs.microsoft.com/windows/configuration/guidelines-for-assigned-access-app).
If you use the Windows Device Portal to configure a single-app kiosk, you select the app during the setup process.
If you use a Mobile Device Management (MDM) system or a provisioning package to configure kiosk mode, you use the [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to specify applications. The CSP uses [Application User Model IDs (AUMIDs)](https://docs.microsoft.com/windows/configuration/find-the-application-user-model-id-of-an-installed-app) to identify applications. The following table lists the AUMIDs of some in-box applications that you can use in a multi-app kiosk.
> [!CAUTION]
> You cannot select the Shell app as a kiosk app. Addition, we recommend that you do **not** select Microsoft Edge, Microsoft Store, or File Explorer as a kiosk app.
<a id="aumids"></a>
|App Name |AUMID |
| --- | --- |
|3D Viewer |Microsoft.Microsoft3DViewer\_8wekyb3d8bbwe\!Microsoft.Microsoft3DViewer |
|Calendar |microsoft.windowscommunicationsapps\_8wekyb3d8bbwe\!microsoft.windowslive.calendar |
|Camera<sup>1, 2</sup> |HoloCamera\_cw5n1h2txyewy\!HoloCamera |
|Cortana<sup>3</sup> |Microsoft.549981C3F5F10\_8wekyb3d8bbwe\!App |
|Device Picker |HoloDevicesFlow\_cw5n1h2txyewy\!HoloDevicesFlow |
|Dynamics 365 Guides |Microsoft.Dynamics365.Guides\_8wekyb3d8bbwe\!MicrosoftGuides |
|Dynamics 365 Remote Assist |Microsoft.MicrosoftRemoteAssist\_8wekyb3d8bbwe\!Microsoft.RemoteAssist |
|Feedback&nbsp;Hub |Microsoft.WindowsFeedbackHub\_8wekyb3d8bbwe\!App |
|Mail |c5e2524a-ea46-4f67-841f-6a9465d9d515\_cw5n1h2txyewy\!App |
|Miracast<sup>4</sup> |&nbsp; |
|Movies & TV |Microsoft.ZuneVideo\_8wekyb3d8bbwe\!Microsoft.ZuneVideo |
|OneDrive |microsoft.microsoftskydrive\_8wekyb3d8bbwe\!App |
|Photos |Microsoft.Windows.Photos\_8wekyb3d8bbwe\!App |
|Settings |HolographicSystemSettings\_cw5n1h2txyewy\!App |
|Tips |Microsoft.HoloLensTips\_8wekyb3d8bbwe\!HoloLensTips |
> <sup>1</sup> To enable photo or video capture, you have to enable the Camera app as a kiosk app.
> <sup>2</sup> When you enable the Camera app, be aware of the following conditions:
> - The Quick Actions menu includes the Photo and Video buttons.
> - You should also enable an app (such as Photos, Mail, or OneDrive) that can interact with or retrieve pictures.
> >
> Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. > <sup>3</sup> Even if you do not enable Cortana as a kiosk app, built-in voice commands are enabled. However, commands that are related to disabled features have no effect.
> <sup>4</sup> You cannot enable Miracast directly. To enable Miracast as a kiosk app, enable the Camera app and the Device Picker app.
For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk: ### Plan user and device groups
- You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks.
- You can [use a provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks.
- You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device.
For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. In an MDM environment, you use groups to manage device configurations and user access.
## Start layout for HoloLens The kiosk configuration profile includes the **User logon type** setting. **User logon type** identifies the user (or group that contains the users) who can use the app or apps that you add. If a user signs in by using an account that is not included in the configuration profile, that user cannot use apps on the kiosk.
If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout.
> [!NOTE] > [!NOTE]
> Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. > The **User logon type** of a single-app kiosk specifies a single user account. This is the user context under which the kiosk runs. The **User logon type** of a multi-app kiosk can specify one or more user accounts or groups that can use the kiosk.
### Start layout file for MDM (Intune and others) Before you can deploy the kiosk configuration to a device, you have to *assign* the kiosk configuration profile to a group that contains the device or a user who can sign in to the device. This setting produces behavior such as the following.
Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). - If the device is a member of the assigned group, the kiosk configuration deploys to the device the first time that any user signs in on the device.
- If the device is not a member of the assigned group, but a user who is a member of that group signs in, the kiosk configuration deploys to the device at that time.
For a full discussion of the effects of assigning configuration profiles in Intune, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/configuration/device-profile-assign).
> [!NOTE] > [!NOTE]
> If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). > The following examples describe multi-app kiosks. Single-app kiosks behave in a similar manner, but only one user account gets the kiosk experience.
**Example 1**
You use a single group (Group 1) for both devices and users. One device and users A, B, and C are members of this group. You configure the kiosk configuration profile as follows:
- **User logon type**: Group 1
- **Assigned group**: Group 1
Regardless of which user signs on to the device first (and goes through the Out-of-Box Experience, or OOBE), the kiosk configuration deploys to the device. Users A, B, and C can all sign in to the device and get the kiosk experience.
**Example 2**
You contract out devices to two different vendors who need different kiosk experiences. Both vendors have users, and you want all the users to have access to kiosks from both their own vendor and the other vendor. You configure groups as follows:
- Device Group 1:
- Device 1 (Vendor 1)
- Device 2 (Vendor 1)
- Device Group 2:
- Device 3 (Vendor 2)
- Device 4 (Vendor 2)
- User Group:
- User A (Vendor 1)
- User B (Vendor 2)
You create two kiosk configuration profiles that have the following settings:
- Kiosk Profile 1:
- **User logon type**: User Group
- **Assigned group**: Device Group 1
- Kiosk Profile 2:
- **User logon type**: User Group
- **Assigned group**: Device Group 2
These configurations produce the following results:
- When any user signs in to Device 1 or Device 2, Intune deploys Kiosk Profile 1 to that device.
- When any user signs in to Device 3 or Device 4, Intune deploys Kiosk Profile 2 to that device.
- User A and user B can sign in to any of the four devices. If they sign in to Device 1 or Device 2, they see the Vendor 1 kiosk experience. If they sign in to Device 3 or Device 4, they see the Vendor 2 kiosk experience.
#### Profile conflicts
If two or more kiosk configuration profiles target the same device, they conflict. In the case of Intune-managed devices, Intune does not apply any of the conflicting profiles.
Other kinds of profiles and policies, such as device restrictions that are not related to the kiosk configuration profile, do not conflict with the kiosk configuration profile.
### Select a deployment method
You can select one of the following methods to deploy kiosk configurations:
- [Microsoft Intune or other mobile device management (MDM) service](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)
- [Provisioning package](#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)
- [Windows Device Portal](#use-the-windows-device-portal-to-set-up-a-single-app-kiosk)
> [!NOTE]
> Because this method requires that Developer Mode be enabled on the device, we recommend that you use it only for demonstrations.
The following table lists the capabilities and benefits of each of the deployment methods.
| &nbsp; |Deploy by using Windows Device Portal |Deploy by using a provisioning package |Deploy by using MDM |
| --------------------------- | ------------- | -------------------- | ---- |
|Deploy single-app kiosks | Yes | Yes | Yes |
|Deploy multi-app kiosks | No | Yes | Yes |
|Deploy to local devices only | Yes | Yes | No |
|Deploy by using Developer Mode |Required | Not required | Not required |
|Deploy by using Azure Active Directory (AAD) | Not required | Not required | Required |
|Deploy automatically | No | No | Yes |
|Deployment speed | Fastest | Fast | Slow |
|Deploy at scale | Not recommended | Not recommended | Recommended |
## Use Microsoft Intune or other MDM to set up a single-app or multi-app kiosk
To set up kiosk mode by using Microsoft Intune or another MDM system, follow these steps.
1. [Prepare to enroll the devices](#mdmenroll).
1. [Create a kiosk configuration profile](#mdmprofile).
1. Configure the kiosk.
- [Configure the settings for a single-app kiosk](#mdmconfigsingle).
- [Configure the settings for a multi-app kiosk](#mdmconfigmulti).
1. [Assign the kiosk configuration profile to a group](#mdmassign).
1. Deploy the devices.
- [Deploy a single-app kiosk](#mdmsingledeploy).
- [Deploy a multi-app kiosk](#mdmmultideploy).
### <a id="mdmenroll"></a>MDM, step 1 &ndash; Prepare to enroll the devices
You can configure your MDM system to enroll HoloLens devices automatically when the user first signs in, or have users enroll devices manually. The devices also have to be joined to your Azure AD domain, and assigned to the appropriate groups.
For more information about how to enroll the devices, see [Enroll HoloLens in MDM](hololens-enroll-mdm.md) and [Intune enrollment methods for Windows devices](https://docs.microsoft.com/mem/intune/enrollment/windows-enrollment-methods).
### <a id="mdmprofile"></a>MDM, step 2 &ndash; Create a kiosk configuration profile
1. Open the [Azure](https://portal.azure.com/) portal and sign in to your Intune administrator account.
1. Select **Microsoft Intune** > **Device configuration - Profiles** > **Create profile**.
1. Enter a profile name.
1. Select **Platform** > **Windows 10 and later**, and then select **Profile type** >**Device restrictions**.
1. Select **Configure** > **Kiosk**, and then select one of the following:
- To create a single-app kiosk, select **Kiosk Mode** > **Single-app kiosk**.
- To create a multi-app kiosk, select **Kiosk Mode** > **Multi-app kiosk**.
1. To start configuring the kiosk, select **Add**.
Your next steps differ depending on the type of kiosk that you want. For more information, select one of the following options:
- [Single-app kiosk](#mdmconfigsingle)
- [Multi-app kiosk](#mdmconfigmulti)
For more information about how to create a kiosk configuration profile, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/configuration/kiosk-settings).
### <a id="mdmconfigsingle"></a>MDM, step 3 (single-app) &ndash; Configure the settings for a single-app kiosk
This section summarizes the settings that a single-app kiosk requires. For more details, see the following articles:
- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
- For more information about the available settings for single-app kiosks in Intune, see [Single full-screen app kiosks](https://docs.microsoft.com/intune/configuration/kiosk-settings-holographic#single-full-screen-app-kiosks)
- For other MDM services, check your provider's documentation for instructions. If you have to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig).
1. Select **User logon type** > **Local user account**, and then enter the user name of the local (device) account or Microsoft Account (MSA) that can sign in to the kiosk.
> [!NOTE]
> **Autologon** user account types aren't supported on Windows Holographic for Business.
1. Select **Application type** > **Store app**, and then select an app from the list.
Your next step is to [assign](#mdmassign) the profile to a group.
### <a id="mdmconfigmulti"></a>MDM, step 3 (multi-app) &ndash; Configure the settings for a multi-app kiosk
This section summarizes the settings that a multi-app kiosk requires. For more detailed information, see the following articles:
- For information about how to configure a kiosk configuration profile in Intune, see [How to Configure Kiosk Mode Using Microsoft Intune](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
- For more information about the available settings for multi-app kiosks in Intune, see [Multi-app kiosks](https://docs.microsoft.com/mem/intune/configuration/kiosk-settings-holographic#multi-app-kiosks)
- For other MDM services, check your provider's documentation for instructions. If you need to use a custom XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#ppkioskconfig). If you use an XML file, make sure to include the [Start layout](#start-layout-for-hololens).
- You can optionally use a custom Start layout with Intune or other MDM services. For more information, see [Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others).
1. Select **Target Windows 10 in S mode devices** > **No**.
>[!NOTE]
> S mode isn't supported on Windows Holographic for Business.
1. Select **User logon type** > **Azure AD user or group** or **User logon type** > **HoloLens visitor**, and then add one or more user groups or accounts.
Only users who belong to the groups or accounts that you specify in **User logon type** can use the kiosk experience.
1. Select one or more apps by using the following options:
- To add an uploaded line-of-business app, select **Add store app** and then select the app that you want.
- To add an app by specifying its AUMID, select **Add by AUMID** and then enter the AUMID of the app. [See the list of available AUMIDs](#aumids)
Your next step is to [assign](#mdmassign) the profile to a group.
### <a id="mdmassign"></a>MDM, step 4 &ndash; Assign the kiosk configuration profile to a group
Use the **Assignments** page of the kiosk configuration profile to set where you want the kiosk configuration to deploy. In the simplest case, you assign the kiosk configuration profile to a group that will contain the HoloLens device when the device enrolls in MDM.
### <a id="mdmsingledeploy"></a>MDM, step 5 (single-app) &ndash; Deploy a single-app kiosk
When you use an MDM system, you can enroll the device in MDM during OOBE. After OOBE finishes, signing in to the device is easy.
During OOBE, follow these steps:
1. Sign in by using the account that you specified in the kiosk configuration profile.
1. Enroll the device. Make sure that the device is added to the group that the kiosk configuration profile is assigned to.
1. Wait for OOBE to finish, for the store app to download and install, and for policies to be applied. Then restart the device.
The next time you sign in to the device, the kiosk app should automatically start.
If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
### <a id="mdmmultideploy"></a>MDM, step 5 (multi-app) &ndash; Deploy a multi-app kiosk
When you use an MDM system, you can join the device to your Azure AD tenant and enroll the device in MDM during OOBE. If appropriate, provide the enrollment information to the users so that they have it available during the OOBE process.
> [!NOTE]
> If you have assigned the kiosk configuration profile to a group that contains users, make sure that one of those user accounts is the first account to sign in to the device.
During OOBE, follow these steps:
1. Sign in by using the account that belongs to the **User logon type** group.
1. Enroll the device.
1. Wait for any apps that are part of the kiosk configuration profile to download and install. Also, wait for policies to be applied.
1. After OOBE finishes, you can install additional apps from the Microsoft store or by sideloading. [Required apps](https://docs.microsoft.com/mem/intune/apps/apps-deploy#assign-an-app) for the group that the device belongs to install automatically.
1. After the installation finishes, restart the device.
The next time you sign in to the device by using an account that belongs to the **User logon type**, the kiosk app should automatically launch.
If you don't see your kiosk configuration at this point, [check the assignment status](https://docs.microsoft.com/intune/configuration/device-profile-monitor).
## Use a provisioning package to set up a single-app or multi-app kiosk
To set up kiosk mode by using a provisioning package, follow these steps.
1. [Create an XML file that defines the kiosk configuration.](#ppkioskconfig), including a [Start layout](#start-layout-for-hololens).
2. [Add the XML file to a provisioning package.](#ppconfigadd)
3. [Apply the provisioning package to HoloLens.](#ppapply)
### <a id="ppkioskconfig"></a>Provisioning package, step 1 &ndash; Create a kiosk configuration XML file
Follow [the general instructions to create a kiosk configuration XML file for Windows desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#create-xml-file), except for the following:
- Do not include Classic Windows applications (Win32). HoloLens does not support these applications.
- Use the [placeholder Start layout XML](#start-layout-for-hololens) for HoloLens.
- Optional: Add guest access to the kiosk configuration
#### <a id="ppkioskguest"></a>Optional: Add guest access to the kiosk configuration
In the [**Configs** section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured to support the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data that is associated with the account is deleted when the account signs out.
To enable the **Guest** account, add the following snippet to your kiosk configuration XML:
```xml ```xml
<LayoutModificationTemplate <Configs>
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification" <Config>
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" <SpecialGroup Name="Visitor" />
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" <DefaultProfile Id="enter a profile ID"/>
Version="1"> </Config>
<RequiredStartGroupsCollection> </Configs>
<RequiredStartGroups>
<AppendGroup Name="">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="placeholderpackagename_kzf8qxf38zg5c!App" />
</AppendGroup>
</RequiredStartGroups>
</RequiredStartGroupsCollection>
</LayoutModificationTemplate>
``` ```
### Start layout for a provisioning package #### <a id="start-layout-for-hololens"></a>Placeholder Start layout for HoloLens
You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file. If you use a [provisioning package](##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Windows Holographic for Business. Therefore, you'll have to use a placeholder Start layout.
> [!NOTE]
> Because a single-app kiosk starts the kiosk app when a user signs in, it does not use a Start menu and does not have to have a Start layout.
> [!NOTE]
> If you use [MDM](#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk) to set up a multi-app kiosk, you can optionally use a Start layout. For more information, see [Placeholder Start layout file for MDM (Intune and others)](#start-layout-file-for-mdm-intune-and-others).
For the Start layout, add the following **StartLayout** section to the kiosk provisioning XML file:
```xml ```xml
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens --> <!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
@ -104,116 +381,94 @@ You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-wi
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens --> <!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
``` ```
## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) #### <a id="start-layout-file-for-mdm-intune-and-others"></a>Placeholder Start layout file for MDM (Intune and others)
For HoloLens devices that are managed by Microsoft Intune, directions can be found [here](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune). Save the following sample as an XML file. You can use this file when you configure the multi-app kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-a-kiosk-configuration-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file.
## Set up kiosk mode using a provisioning package (Windows 10, version 1803)
Process:
1. [Create an XML file that defines the kiosk configuration.](#create-a-kiosk-configuration-xml-file)
2. [Add the XML file to a provisioning package.](#add-the-kiosk-configuration-xml-file-to-a-provisioning-package)
3. [Apply the provisioning package to HoloLens.](#apply-the-provisioning-package-to-hololens)
### Create a kiosk configuration XML file
Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), with the following exceptions:
- Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens.
- Use the [placeholder Start XML](#start-layout-for-hololens) for HoloLens.
#### Add guest access to the kiosk configuration (optional)
In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out.
Use the following snippet in your kiosk configuration XML to enable the **Guest** account:
```xml
<Configs>
<Config>
<SpecialGroup Name="Visitor" />
<DefaultProfile Id="enter a profile ID"/>
</Config>
</Configs>
```
### Add the kiosk configuration XML file to a provisioning package
1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22).
2. Choose **Advanced provisioning**.
3. Name your project, and click **Next**.
4. Choose **Windows 10 Holographic** and click **Next**.
5. Select **Finish**. The workspace for your package opens.
6. Expand **Runtime settings** &gt; **AssignedAccess** &gt; **MultiAppAssignedAccessSettings**.
7. In the center pane, click **Browse** to locate and select the kiosk configuration XML file that you created.
![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png)
8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**.
10. On the **File** menu, select **Save.**
11. On the **Export** menu, select **Provisioning package**.
12. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
13. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing.
- **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location.
15. Click **Next**.
16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status.
### Apply the provisioning package to HoloLens
1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
3. HoloLens will show up as a device in File Explorer on the PC.
4. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
5. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the **fit** page.
6. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.
## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803)
1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
> [!IMPORTANT]
> When you set up HoloLens to use the Device Portal, you must enable **Developer Mode** on the device. **Developer Mode** on a device that has been upgraded to Windows Holographic for Business enables side-loading of apps, which risks the installation of apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable **Developer Mode** using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). [Learn more about Developer Mode.](https://msdn.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
2. On a PC, connect to the HoloLens using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#connecting_over_usb).
3. [Create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#creating_a_username_and_password) if this is the first time you connect to the Windows Device Portal, or enter the user name and password that you previously set up.
> [!TIP]
> If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate).
4. In the Windows Device Portal, click **Kiosk Mode**.
![Kiosk Mode](images/kiosk.png)
> [!NOTE] > [!NOTE]
> The kiosk mode option will be available if the device is [enrolled in device management](hololens-enroll-mdm.md) and has a [license to upgrade to Windows Holographic for Business](hololens1-upgrade-enterprise.md). > If you have to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-hololens).
5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**. ```xml
<LayoutModificationTemplate
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
Version="1">
<RequiredStartGroupsCollection>
<RequiredStartGroups>
<AppendGroup Name="">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="placeholderpackagename_kzf8qxf38zg5c!App" />
</AppendGroup>
</RequiredStartGroups>
</RequiredStartGroupsCollection>
</LayoutModificationTemplate>
```
## Kiosk app recommendations ### <a id="ppconfigadd"></a>Prov. package, step 2 &ndash; Add the kiosk configuration XML file to a provisioning package
- You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app. 1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22).
- We recommend that you do **not** select the Settings app and the File Explorer app as a kiosk app. 1. Select **Advanced provisioning**, enter a name for your project, and then select **Next**.
- You can select Cortana as a kiosk app. 1. Select **Windows 10 Holographic**, and then select **Next**.
- To enable photo or video capture, the HoloCamera app must be enabled as a kiosk app. 1. Select **Finish**. The workspace for your package opens.
1. Select **Runtime settings** > **AssignedAccess** > **MultiAppAssignedAccessSettings**.
1. In the center pane, select **Browse** to locate and select the kiosk configuration XML file that you created.
![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](./images/multiappassignedaccesssettings.png)
1. **Optional**. (If you want to apply the provisioning package after the initial setup of the device, and there is an admin user already available on the kiosk device, skip this step.) Select **Runtime settings** &gt; **Accounts** &gt; **Users**, and then create a user account. Provide a user name and password, and then select **UserGroup** > **Administrators**.
By using this account, you can view the provisioning status and logs.
1. **Optional**. (If you already have a non-admin account on the kiosk device, skip this step.) Select **Runtime settings** &gt; **Accounts** &gt; **Users**, and then create a local user account. Make sure that the user name is the same as for the account that you specify in the configuration XML. Select **UserGroup** > **Standard Users**.
1. Select **File** > **Save**.
1. Select **Export** > **Provisioning package**, and then select **Owner** > **IT Admin**. This sets the precedence of this provisioning package higher than provisioning packages that are applied to this device from other sources.
1. Select **Next**.
1. On the **Provisioning package security** page, select a security option.
> [!IMPORTANT]
> If you select **Enable package signing**, you also have to select a valid certificate to use for signing the package. To do this, select **Browse** and select the certificate that you want to use to sign the package.
> [!CAUTION]
> Do not select **Enable package encryption**. On HoloLens devices, this setting causes provisioning to fail.
1. Select **Next**.
1. Specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. If you want to change the output location, select **Browse**. When you are finished, select **Next**.
1. Select **Build** to start building the package. The provisioning package doesn't take long to build. The build page displays the project information, and the progress bar indicates the build status.
### <a id="ppapply"></a>Provisioning package, step 3 &ndash; Apply the provisioning package to HoloLens
The "Configure HoloLens by using a provisioning package" article provides detailed instructions to apply the provisioning package under the following circumstances:
- You can initially [apply a provisioning package to HoloLens during setup](hololens-provisioning.md#apply-a-provisioning-package-to-hololens-during-setup).
- You can also [apply a provisioning package to HoloLens after setup](hololens-provisioning.md#4-apply-a-provisioning-package-to-hololens-after-setup).
## Use the Windows Device Portal to set up a single-app kiosk
To set up kiosk mode by using the Windows Device Portal, follow these steps.
> [!IMPORTANT]
> Kiosk mode is available only if the device has [Windows Holographic for Business](hololens1-upgrade-enterprise.md) installed.
1. [Set up the HoloLens device to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC.
> [!CAUTION]
> When you set up HoloLens to use the Device Portal, you have to enable Developer Mode on the device. Developer Mode on a device that has Windows Holographic for Business enables you to side-load apps. However, this setting creates a risk that a user can install apps that have not been certified by the Microsoft Store. Administrators can block the ability to enable Developer Mode by using the **ApplicationManagement/AllowDeveloper Unlock** setting in the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)
1. On a computer, connect to the HoloLens by using [Wi-Fi](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_wi-fi) or [USB](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#connecting_over_usb).
1. Do one of the following:
- If you are connecting to the Windows Device Portal for the first time, [create a user name and password](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#creating_a_username_and_password)
- Enter the user name and password that you previously set up.
> [!TIP]
> If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal#security_certificate).
1. In the Windows Device Portal, select **Kiosk Mode**.
1. Select **Enable Kiosk Mode**, select an app to run when the device starts, and then select **Save**.
![Kiosk Mode](images/kiosk.png)
1. Restart HoloLens. If you still have your Device Portal page open, you can select **Restart** at the top of the page.
## More information ## More information
Watch how to configure a kiosk in a provisioning package. Watch how to configure a kiosk by using a provisioning package.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] > [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]

4
devices/hololens/hololens-provisioning.md
View File

@ -33,7 +33,7 @@ Some of the HoloLens configurations that you can apply in a provisioning package
- Set up a Wi-Fi connection - Set up a Wi-Fi connection
- Apply certificates to the device - Apply certificates to the device
- Enable Developer Mode - Enable Developer Mode
- Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803). - Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk).
## Provisioning package HoloLens wizard ## Provisioning package HoloLens wizard
@ -49,7 +49,7 @@ The HoloLens wizard helps you configure the following settings in a provisioning
- Enroll the device in Azure Active Directory, or create a local account - Enroll the device in Azure Active Directory, or create a local account
- Add certificates - Add certificates
- Enable Developer Mode - Enable Developer Mode
- Configure kiosk mode (for detailed instructions,see [Set up kiosk mode using a provisioning package](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) - Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md##use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk)).
> [!WARNING] > [!WARNING]
> You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. > You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

2
devices/hololens/hololens-requirements.md
View File

@ -66,7 +66,7 @@ There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk m
**How to Configure Kiosk Mode:** **How to Configure Kiosk Mode:**
There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc. There are two main ways ([provisioning packages](hololens-kiosk.md#use-a-provisioning-package-to-set-up-a-single-app-or-multi-app-kiosk) and [MDM](hololens-kiosk.md#use-microsoft-intune-or-other-mdm-to-set-up-a-single-app-or-multi-app-kiosk)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
### Apps and App Specific Scenarios ### Apps and App Specific Scenarios

4
devices/surface/enroll-and-configure-surface-devices-with-semm.md
View File

@ -24,7 +24,7 @@ For a more high-level overview of SEMM, see [Microsoft Surface Enterprise Manage
A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md). A streamlined method of managing firmware from the cloud on Surface Pro 7,Surface Pro X and Surface Laptop 3 is now available via public preview. For more information,refer to [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md).
> [!NOTE] > [!NOTE]
> SEMM is not supported on Surface Pro X. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md). > SEMM is supported on Surface Pro X via the UEFI Manager only. For more information, refer to [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md).
#### Download and install Microsoft Surface UEFI Configurator #### Download and install Microsoft Surface UEFI Configurator
The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center. The tool used to create SEMM packages is Microsoft Surface UEFI Configurator. You can download Microsoft Surface UEFI Configurator from the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page in the Microsoft Download Center.
@ -107,7 +107,7 @@ To enroll a Surface device in SEMM with a Surface UEFI configuration package, fo
3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so. 3. Click **Finish** to complete the Surface UEFI configuration package installation and restart the Surface device when you are prompted to do so.
4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows: 4. Surface UEFI will load the configuration file and determine that SEMM is not enabled on the device. Surface UEFI will then begin the SEMM enrollment process, as follows:
* Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate. * Surface UEFI will verify that the SEMM configuration file contains a SEMM certificate.
* Surface UEFI will prompt you to enter to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8. * Surface UEFI will prompt you to enter the last two characters of the certificate thumbprint to confirm enrollment of the Surface device in SEMM, as shown in Figure 8.
![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint") ![SEMM enrollment requires last two characters of certificate thumbprint](images/surface-semm-enroll-fig8.png "SEMM enrollment requires last two characters of certificate thumbprint")

4
devices/surface/surface-pro-arm-app-management.md
View File

@ -139,10 +139,10 @@ The following tables show the availability of selected key features on Surface P
| Endpoint Configuration Manager | Yes | Yes | | | Endpoint Configuration Manager | Yes | Yes | |
| Power on When AC Restore | Yes | Yes | | | Power on When AC Restore | Yes | Yes | |
| Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | | | Surface Diagnostic Toolkit (SDT) for Business | Yes | Yes | |
| Surface Dock Firmware Update | Yes | Yes | | | Surface Dock Firmware Update | Yes | No | |
| Asset Tag Utility | Yes | Yes | | | Asset Tag Utility | Yes | Yes | |
| Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | | Surface Enterprise management Mode (SEMM) | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |
| Surface UEFI Configurator | Yes | | No option to disable hardware. on Surface Pro X at the firmware level. | | Surface UEFI Configurator | Yes | No | No option to disable hardware. on Surface Pro X at the firmware level. |
| Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. | | Surface UEFI Manager | Yes | Partial | No option to disable hardware on Surface Pro X at the firmware level. |

201
windows/client-management/mdm/bitlocker-csp.md
View File

@ -7,15 +7,12 @@ ms.prod: w10
ms.technology: windows ms.technology: windows
author: lomayor author: lomayor
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/27/2019 ms.date: 04/16/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
# BitLocker CSP # BitLocker CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE] > [!NOTE]
@ -25,7 +22,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
the setting configured by the admin. the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following diagram shows the BitLocker configuration service provider in tree format. The following diagram shows the BitLocker configuration service provider in tree format.
@ -162,7 +159,7 @@ If you want to disable this policy, use the following SyncML:
<!--Policy--> <!--Policy-->
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType** <a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<!--Description--> <!--Description-->
Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;. Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
<table> <table>
@ -215,7 +212,7 @@ EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operat
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
<!--SupportedValues--> <!--SupportedValues-->
The possible values for &#39;xx&#39; are: The possible values for 'xx' are:
- 3 = AES-CBC 128 - 3 = AES-CBC 128
- 4 = AES-CBC 256 - 4 = AES-CBC 256
@ -237,7 +234,7 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -247,7 +244,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy--> <!--Policy-->
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication** <a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<!--Description--> <!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Require additional authentication at startup&quot;. This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup".
<!--/Description--> <!--/Description-->
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
@ -284,12 +281,12 @@ ADMX Info:
> [!TIP] > [!TIP]
> For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker. This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a TPM. This setting is applied when you turn on BitLocker.
> [!NOTE] > [!NOTE]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs. > Only one of the additional authentication options can be required at startup, otherwise an error occurs.
If you want to use BitLocker on a computer without a TPM, set the &quot;ConfigureNonTPMStartupKeyUsage_Name&quot; data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
@ -317,13 +314,13 @@ Data id:
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li> <li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul> </ul>
<!--SupportedValues--> <!--SupportedValues-->
The possible values for &#39;xx&#39; are: The possible values for 'xx' are:
<ul> <ul>
<li>true = Explicitly allow</li> <li>true = Explicitly allow</li>
<li>false = Policy not set</li> <li>false = Policy not set</li>
</ul> </ul>
The possible values for &#39;yy&#39; are: The possible values for 'yy' are:
<ul> <ul>
<li>2 = Optional</li> <li>2 = Optional</li>
<li>1 = Required</li> <li>1 = Required</li>
@ -342,7 +339,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -351,7 +348,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy--> <!--Policy-->
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength** <a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<!--Description--> <!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure minimum PIN length for startup&quot;. This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup".
<!--/Description--> <!--/Description-->
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
@ -417,7 +414,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -427,7 +424,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy--> <!--Policy-->
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage** <a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<!--Description--> <!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot; This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL"
(PrebootRecoveryInfo_Name). (PrebootRecoveryInfo_Name).
<!--/Description--> <!--/Description-->
<!--SupportedSKUs--> <!--SupportedSKUs-->
@ -468,11 +465,11 @@ ADMX Info:
This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
If you set the value to &quot;1&quot; (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value &quot;1&quot; (Use default recovery message and URL).</o> If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
If you set the value to &quot;2&quot; (Use custom recovery message), the message you set in the &quot;RecoveryMessage_Input&quot; data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
If you set the value to &quot;3&quot; (Use custom recovery URL), the URL you type in the &quot;RecoveryUrl_Input&quot; data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. If you set the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Sample value for this node to enable this policy is: Sample value for this node to enable this policy is:
@ -480,7 +477,7 @@ Sample value for this node to enable this policy is:
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/> <enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
``` ```
<!--SupportedValues--> <!--SupportedValues-->
The possible values for &#39;xx&#39; are: The possible values for 'xx' are:
- 0 = Empty - 0 = Empty
- 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input"). - 1 = Use default recovery message and URL (in this case you don't need to specify a value for "RecoveryMessage_Input" or "RecoveryUrl_Input").
@ -504,7 +501,7 @@ Disabling the policy will let the system choose the default behaviors. If you w
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -517,7 +514,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy--> <!--Policy-->
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions** <a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<!--Description--> <!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected operating system drives can be recovered&quot; (OSRecoveryUsage_Name). This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
<!--/Description--> <!--/Description-->
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
@ -556,18 +553,18 @@ ADMX Info:
This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker. This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.
The &quot;OSAllowDRA_Name&quot; (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In &quot;OSRecoveryPasswordUsageDropDown_Name&quot; and &quot;OSRecoveryKeyUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set &quot;OSHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set &quot;OSActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set &quot;2&quot; (Backup recovery password only), only the recovery password is stored in AD DS. Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
Set the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
> [!Note] > [!NOTE]
> If the &quot;OSRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. > If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
@ -579,16 +576,16 @@ Sample value for this node to enable this policy is:
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/> <enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
``` ```
<!--SupportedValues--> <!--SupportedValues-->
The possible values for &#39;xx&#39; are: The possible values for 'xx' are:
- true = Explicitly allow - true = Explicitly allow
- false = Policy not set - false = Policy not set
The possible values for &#39;yy&#39; are: The possible values for 'yy' are:
- 2 = Allowed - 2 = Allowed
- 1 = Required - 1 = Required
- 0 = Disallowed - 0 = Disallowed
The possible values for &#39;zz&#39; are: The possible values for 'zz' are:
- 2 = Store recovery passwords only - 2 = Store recovery passwords only
- 1 = Store recovery passwords and key packages - 1 = Store recovery passwords and key packages
<!--/SupportedValues--> <!--/SupportedValues-->
@ -604,7 +601,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -614,7 +611,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy--> <!--Policy-->
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions** <a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<!--Description--> <!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected fixed drives can be recovered&quot; (). This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
<!--/Description--> <!--/Description-->
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
@ -653,19 +650,20 @@ ADMX Info:
This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.
The &quot;FDVAllowDRA_Name&quot; (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In &quot;FDVRecoveryPasswordUsageDropDown_Name&quot; (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set &quot;FDVHideRecoveryPage_Name&quot; (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set &quot;FDVActiveDirectoryBackup_Name&quot; (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
Set the &quot;FDVRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Set the &quot;FDVActiveDirectoryBackupDropDown_Name&quot; (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select &quot;1&quot; (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select &quot;2&quot; (Backup recovery password only) only the recovery password is stored in AD DS. Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
&gt; [!Note]<br/>&gt; If the &quot;FDVRequireActiveDirectoryBackup_Name&quot; (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. > [!NOTE]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
@ -677,13 +675,13 @@ Sample value for this node to enable this policy is:
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/> <enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
``` ```
<!--SupportedValues--> <!--SupportedValues-->
The possible values for &#39;xx&#39; are: The possible values for 'xx' are:
<ul> <ul>
<li>true = Explicitly allow</li> <li>true = Explicitly allow</li>
<li>false = Policy not set</li> <li>false = Policy not set</li>
</ul> </ul>
The possible values for &#39;yy&#39; are: The possible values for 'yy' are:
<ul> <ul>
<li>2 = Allowed</li> <li>2 = Allowed</li>
<li>1 = Required</li> <li>1 = Required</li>
@ -691,7 +689,7 @@ The possible values for &#39;yy&#39; are:
</ul> </ul>
The possible values for &#39;zz&#39; are: The possible values for 'zz' are:
<ul> <ul>
<li>2 = Store recovery passwords only</li> <li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li> <li>1 = Store recovery passwords and key packages</li>
@ -709,7 +707,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -719,7 +717,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy--> <!--Policy-->
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption** <a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<!--Description--> <!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to fixed drives not protected by BitLocker&quot; (FDVDenyWriteAccess_Name). This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
<!--/Description--> <!--/Description-->
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
@ -778,7 +776,7 @@ If you disable or do not configure this setting, all fixed data drives on the co
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -788,7 +786,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete.
<!--Policy--> <!--Policy-->
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption** <a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<!--Description--> <!--Description-->
This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to removable drives not protected by BitLocker&quot; (RDVDenyWriteAccess_Name). This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
<!--/Description--> <!--/Description-->
<!--SupportedSKUs--> <!--SupportedSKUs-->
<table> <table>
@ -829,11 +827,12 @@ This setting configures whether BitLocker protection is required for a computer
If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the &quot;RDVCrossOrg&quot; (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer&#39;s identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the &quot;Provide the unique identifiers for your organization&quot; group policy setting. If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
&gt; [!Note]<br/>&gt; This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the &quot;Removable Disks: Deny write access&quot; group policy setting is enabled this policy setting will be ignored. > [!NOTE]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
Sample value for this node to enable this policy is: Sample value for this node to enable this policy is:
@ -841,7 +840,7 @@ Sample value for this node to enable this policy is:
<enabled/><data id="RDVCrossOrg" value="xx"/> <enabled/><data id="RDVCrossOrg" value="xx"/>
``` ```
<!--SupportedValues--> <!--SupportedValues-->
The possible values for &#39;xx&#39; are: The possible values for 'xx' are:
<ul> <ul>
<li>true = Explicitly allow</li> <li>true = Explicitly allow</li>
<li>false = Policy not set</li> <li>false = Policy not set</li>
@ -859,7 +858,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data>&lt;disabled/&gt;</Data> <Data><disabled/></Data>
</Item> </Item>
</Replace> </Replace>
``` ```
@ -1084,12 +1083,33 @@ This node reports compliance state of device encryption on the system.
<!--/SupportedSKUs--> <!--/SupportedSKUs-->
<!--SupportedValues--> <!--SupportedValues-->
Value type is int. Supported operation is Get.
Supported values: Supported values:
- 0 - Indicates that the device is compliant. - 0 - Indicates that the device is compliant.
- Any other value represents a non-compliant device. - Any non-zero value - Indicates that the device is not compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
| Bit | Error Code |
|-----|------------|
| 0 |The BitLocker policy requires user consent to launch the BitLocker Drive Encryption Wizard to start encryption of the OS volume but the user didn't consent.|
| 1 |The encryption method of the OS volume doesn't match the BitLocker policy.|
| 2 |The BitLocker policy requires a TPM protector to protect the OS volume, but a TPM isn't used.|
| 3 |The BitLocker policy requires a TPM-only protector for the OS volume, but TPM protection isn't used.|
| 4 |The BitLocker policy requires TPM+PIN protection for the OS volume, but a TPM+PIN protector isn't used.|
| 5 |The BitLocker policy requires TPM+startup key protection for the OS volume, but a TPM+startup key protector isn't used.|
| 6 |The BitLocker policy requires TPM+PIN+startup key protection for the OS volume, but a TPM+PIN+startup key protector isn't used.|
| 7 |The OS volume is unprotected.|
| 8 |Recovery key backup failed.|
| 9 |A fixed drive is unprotected.|
| 10 |The encryption method of the fixed drive doesn't match the BitLocker policy.|
| 11 |To encrypt drives, the BitLocker policy requires either the user to sign in as an Administrator or, if the device is joined to Azure AD, the AllowStandardUserEncryption policy must be set to 1.|
| 12 |Windows Recovery Environment (WinRE) isn't configured.|
| 13 |A TPM isn't available for BitLocker, either because it isn't present, it has been made unavailable in the Registry, or the OS is on a removable drive. |
| 14 |The TPM isn't ready for BitLocker.|
| 15 |The network isn't available, which is required for recovery key backup. |
| 16-31 |For future use.|
<!--/SupportedValues--> <!--/SupportedValues-->
Value type is int. Supported operation is Get.
<!--/Policy--> <!--/Policy-->
@ -1211,10 +1231,10 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt; <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/>
&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;7&quot;/&gt; <data id="EncryptionMethodWithXtsFdvDropDown_Name" value="7"/>
&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;4&quot;/&gt; <data id="EncryptionMethodWithXtsRdvDropDown_Name" value="4"/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1226,12 +1246,12 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;true&quot;/&gt; <data id="ConfigureNonTPMStartupKeyUsage_Name" value="true"/>
&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="2"/>
&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="ConfigurePINUsageDropDown_Name" value="2"/>
&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="ConfigureTPMPINKeyUsageDropDown_Name" value="2"/>
&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="ConfigureTPMUsageDropDown_Name" value="2"/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1243,8 +1263,8 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
&lt;data id=&quot;MinPINLength&quot; value=&quot;6&quot;/&gt; <data id="MinPINLength" value="6"/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1256,10 +1276,10 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;blablablabla&quot;/&gt; <data id="RecoveryMessage_Input" value="blablablabla"/>
&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="PrebootRecoveryInfoDropDown_Name" value="2"/>
&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;blablabla&quot;/&gt; <data id="RecoveryUrl_Input" value="blablabla"/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1271,14 +1291,14 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;true&quot;/&gt; <data id="OSAllowDRA_Name" value="true"/>
&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/>
&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="OSRecoveryKeyUsageDropDown_Name" value="2"/>
&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt; <data id="OSHideRecoveryPage_Name" value="true"/>
&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt; <data id="OSActiveDirectoryBackup_Name" value="true"/>
&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="OSActiveDirectoryBackupDropDown_Name" value="2"/>
&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt; <data id="OSRequireActiveDirectoryBackup_Name" value="true"/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1290,14 +1310,14 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;true&quot;/&gt; <data id="FDVAllowDRA_Name" value="true"/>
&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="FDVRecoveryPasswordUsageDropDown_Name" value="2"/>
&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="FDVRecoveryKeyUsageDropDown_Name" value="2"/>
&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt; <data id="FDVHideRecoveryPage_Name" value="true"/>
&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt; <data id="FDVActiveDirectoryBackup_Name" value="true"/>
&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt; <data id="FDVActiveDirectoryBackupDropDown_Name" value="2"/>
&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt; <data id="FDVRequireActiveDirectoryBackup_Name" value="true"/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1309,7 +1329,7 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1321,8 +1341,8 @@ The following example is provided to show proper format and should not be taken
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI> <LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target> </Target>
<Data> <Data>
&lt;enabled/&gt; <enabled/>
&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;true&quot;/&gt; <data id="RDVCrossOrg" value="true"/>
</Data> </Data>
</Item> </Item>
</Replace> </Replace>
@ -1331,4 +1351,5 @@ The following example is provided to show proper format and should not be taken
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
<!--/Policy--> <!--/Policy-->

4
windows/client-management/mdm/get-offline-license.md
View File

@ -1,6 +1,6 @@
--- ---
title: Get offline license title: Get offline license
description: The Get offline license operation retrieves the offline license information of a product from the Micosoft Store for Business. description: The Get offline license operation retrieves the offline license information of a product from the Microsoft Store for Business.
ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051 ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get offline license # Get offline license
The **Get offline license** operation retrieves the offline license information of a product from the Micosoft Store for Business. The **Get offline license** operation retrieves the offline license information of a product from the Microsoft Store for Business.
## Request ## Request

8
windows/client-management/mdm/remotewipe-csp.md
View File

@ -48,16 +48,16 @@ Supported operation is Exec.
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.
<a href="" id="automaticredeployment"></a>**AutomaticRedeployment** <a href="" id="automaticredeployment"></a>**AutomaticRedeployment**
Added in Windows 10, next major update. Node for the Autopilot Reset operation. Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
<a href="" id="doautomaticredeployment"></a>**AutomaticRedeployment/doAutomaticRedeployment** <a href="" id="doautomaticredeployment"></a>**AutomaticRedeployment/doAutomaticRedeployment**
Added in Windows 10, next major update. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard. Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
<a href="" id="lasterror"></a>**AutomaticRedeployment/LastError** <a href="" id="lasterror"></a>**AutomaticRedeployment/LastError**
Added in Windows 10, next major update. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT). Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT).
<a href="" id="status"></a>**AutomaticRedeployment/Status** <a href="" id="status"></a>**AutomaticRedeployment/Status**
Added in Windows 10, next major update. Status value indicating current state of an Autopilot Reset operation. Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation.
Supported values: Supported values:

3
windows/client-management/troubleshoot-inaccessible-boot-device.md
View File

@ -113,7 +113,7 @@ To verify the BCD entries:
2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. 2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder.
> [!NOTE] > [!NOTE]
>If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension. > If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension.
![bcdedit](images/screenshot1.png) ![bcdedit](images/screenshot1.png)
@ -279,4 +279,3 @@ The reason that these entries may affect us is because there may be an entry in
* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` * `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
![SFC scannow](images/sfc-scannow.png) ![SFC scannow](images/sfc-scannow.png)

1
windows/deployment/update/windows-update-error-reference.md
View File

@ -45,6 +45,7 @@ This section lists the error codes for Microsoft Windows Update.
| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. | | 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. |
| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. | | 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. |
| 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | | 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. |
| 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. |
## Inventory errors ## Inventory errors

18
windows/deployment/update/wufb-compliancedeadlines.md
View File

@ -19,8 +19,7 @@ Deploying feature or quality updates for many organizations is only part of the
The compliance options have changed for devices on Windows 10, version 1709 and above: The compliance options have changed for devices on Windows 10, version 1709 and above:
- [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above) - [For Windows 10, version 1709 and above](#for-windows-10-version-1709-and-above)
- [For prior to Windows 10, version 1709](#prior-to-windows-10-version-1709) - [Prior to Windows 10, version 1709](#prior-to-windows-10-version-1709)
## For Windows 10, version 1709 and above ## For Windows 10, version 1709 and above
@ -37,23 +36,19 @@ The policy also includes a configurable grace period to allow, for example, user
Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours. Further, the policy includes the option to opt out of automatic restarts until the deadline is reached by presenting the "engaged restart experience" until the deadline has actually expired. At this point the device will automatically schedule a restart regardless of active hours.
### Policy setting overview ### Policy setting overview
|Policy|Description | |Policy|Description |
|-|-| |-|-|
| (For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. | | (Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | Similar to the older "Specify deadline before auto-restart for update installation," but starts the deadline countdown from when the update was published. Also introduces a configurable grace period and the option to opt out of automatic restarts until the deadline is reached. |
### Suggested configurations ### Suggested configurations
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-| |-|-|-|-|-|
|(For Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 | |(Windows 10, version 1709 and above) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 7 | 2 |
When **Specify deadlines for automatic updates and restarts** is set (For Windows 10, version 1709 and above): When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and above):
- **While restart is pending, before the deadline occurs:** - **While restart is pending, before the deadline occurs:**
@ -80,7 +75,6 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
## Prior to Windows 10, version 1709 ## Prior to Windows 10, version 1709
Two compliance flows are available: Two compliance flows are available:
- [Deadline only](#deadline-only) - [Deadline only](#deadline-only)
@ -104,9 +98,6 @@ Once the device is in the pending restart state, it will attempt to restart the
|Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending restart state. It specifies a deadline, in days, to enforce compliance (such as imminent installation).| |Specify deadline before auto-restart for update installation|Governs the update experience once the device has entered pending restart state. It specifies a deadline, in days, to enforce compliance (such as imminent installation).|
|Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled installation. The user can dismiss a reminder, but not the warning.| |Configure Auto-restart warning notification schedule for updates|Configures the reminder notification and the warning notification for a scheduled installation. The user can dismiss a reminder, but not the warning.|
#### Suggested configuration #### Suggested configuration
|Policy|Location|3-day compliance|5-day compliance|7-day compliance| |Policy|Location|3-day compliance|5-day compliance|7-day compliance|
@ -174,4 +165,3 @@ Notification users get for a feature update deadline:
![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png) ![The notification users get for an impending feature update deadline](images/wufb-feature-update-deadline-notification.png)

33
windows/deployment/volume-activation/configure-client-computers-vamt.md
View File

@ -4,14 +4,14 @@ description: Configure Client Computers
ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc ms.assetid: a48176c9-b05c-4dd5-a9ef-83073e2370fc
ms.reviewer: ms.reviewer:
manager: laurawi manager: laurawi
author: greg-lindsay
ms.author: greglin ms.author: greglin
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: activation ms.pagetype: activation
audience: itpro audience: itpro
author: greg-lindsay ms.date: 04/30/2020
ms.date: 04/25/2017
ms.topic: article ms.topic: article
--- ---
@ -24,12 +24,13 @@ To enable the Volume Activation Management Tool (VAMT) to function correctly, ce
Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows. Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
**Important**   > [IMPORTANT]  
This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://go.microsoft.com/fwlink/p/?LinkId=182933). > This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
## Configuring the Windows Firewall to allow VAMT access ## Configuring the Windows Firewall to allow VAMT access
Enable the VAMT to access client computers using the **Windows Firewall** Control Panel: Enable the VAMT to access client computers using the **Windows Firewall** Control Panel:
1. Open Control Panel and double-click **System and Security**. 1. Open Control Panel and double-click **System and Security**.
2. Click **Windows Firewall**. 2. Click **Windows Firewall**.
3. Click **Allow a program or feature through Windows Firewall**. 3. Click **Allow a program or feature through Windows Firewall**.
@ -49,6 +50,7 @@ Enable the VAMT to access client computers across multiple subnets using the **W
1. Open the Control Panel and double-click **Administrative Tools**. 1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**. 2. Click **Windows Firewall with Advanced Security**.
3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private): 3. Make your changes for each of the following three WMI items, for the applicable Network Profile (Domain, Public, Private):
- Windows Management Instrumentation (ASync-In) - Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In) - Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In) - Windows Management Instrumentation (WMI-In)
@ -62,34 +64,37 @@ Enable the VAMT to access client computers across multiple subnets using the **W
- On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public). - On the **Advanced** tab, verify selection of all profiles that are applicable to the network (Domain or Private/Public).
In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports. In certain scenarios, only a limited set of TCP/IP ports are allowed through a hardware firewall. Administrators must ensure that WMI (which relies on RPC over TCP/IP) is allowed through these types of firewalls. By default, the WMI port is a dynamically allocated random port above 1024. The following Microsoft knowledge article discusses how administrators can limit the range of dynamically-allocated ports. This is useful if, for example, the hardware firewall only allows traffic in a certain range of ports.
For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://go.microsoft.com/fwlink/p/?LinkId=182911).
For more info, see [How to configure RPC dynamic port allocation to work with firewalls](https://support.microsoft.com/help/929851).
## Create a registry value for the VAMT to access workgroup-joined computer ## Create a registry value for the VAMT to access workgroup-joined computer
**Caution**   > [WARNING]  
This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://go.microsoft.com/fwlink/p/?LinkId=182912). > This section contains information about how to modify the registry. Make sure to back up the registry before you modify it; in addition, ensure that you know how to restore the registry, if a problem occurs. For more information about how to back up, restore, and modify the registry, see [Windows registry information for advanced users](https://support.microsoft.com/help/256986).
On the client computer, create the following registry key using regedit.exe. On the client computer, create the following registry key using regedit.exe.
1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system` 1. Navigate to `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system`
2. Enter the following details: 2. Enter the following details:
**Value Name: LocalAccountTokenFilterPolicy**
**Type: DWORD** - **Value Name: LocalAccountTokenFilterPolicy**
**Value Data: 1** - **Type: DWORD**
**Note**   - **Value Data: 1**
To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
> [NOTE]
> To discover VAMT-manageable Windows computers in workgroups, you must enable network discovery on each client.
## Deployment options ## Deployment options
There are several options for organizations to configure the WMI firewall exception for computers: There are several options for organizations to configure the WMI firewall exception for computers:
- **Image.** Add the configurations to the master Windows image deployed to all clients. - **Image.** Add the configurations to the master Windows image deployed to all clients.
- **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**. - **Group Policy.** If the clients are part of a domain, then all clients can be configured using Group Policy. The Group Policy setting for the WMI firewall exception is found in GPMC.MSC at: **Computer Configuration\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Inbound Rules**.
- **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility. - **Script.** Execute a script using Microsoft Endpoint Configuration Manager or a third-party remote script execution facility.
- **Manual.** Configure the WMI firewall exception individually on each client. - **Manual.** Configure the WMI firewall exception individually on each client.
The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception. The above configurations will open an additional port through the Windows Firewall on target computers and should be performed on computers that are protected by a network firewall. In order to allow VAMT to query the up-to-date licensing status, the WMI exception must be maintained. We recommend administrators consult their network security policies and make clear decisions when creating the WMI exception.
## Related topics ## Related topics
- [Install and Configure VAMT](install-configure-vamt.md) - [Install and Configure VAMT](install-configure-vamt.md)

BIN
windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 21 KiB

After

Width:  |  Height:  |  Size: 33 KiB

13
windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date:
--- ---
# Monitor the use of removable storage devices # Monitor the use of removable storage devices
@ -28,7 +28,10 @@ If you configure this policy setting, an audit event is generated each time a us
Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored. Use the following procedures to monitor the use of removable storage devices and to verify that the devices are being monitored.
>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
> [!NOTE]
> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](https://docs.microsoft.com/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](https://docs.microsoft.com/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](https://docs.microsoft.com/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](https://docs.microsoft.com/previous-versions/ff541299). This may require the device to restart to apply the new security descriptor.
**To configure settings to monitor removable storage devices** **To configure settings to monitor removable storage devices**
@ -46,7 +49,8 @@ After you configure the settings to monitor removable storage devices, use the f
1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window. 1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
>**Note:**  If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**. > [!NOTE]
> If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
2. Type **gpupdate /force**, and press ENTER. 2. Type **gpupdate /force**, and press ENTER.
3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy. 3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
@ -56,7 +60,8 @@ After you configure the settings to monitor removable storage devices, use the f
Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted. Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
>**Note:**  We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event. > [!NOTE]
> We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
### Related resource ### Related resource

8
windows/security/threat-protection/index.md
View File

@ -77,11 +77,11 @@ The attack surface reduction set of capabilities provide the first line of defen
**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br> **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br>
To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats. To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) - [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) - [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) - [Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)
- [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) - [URL Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) - [Automated sandbox service](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
<a name="edr"></a> <a name="edr"></a>

4
windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
View File

@ -71,7 +71,8 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
> [!NOTE] > [!NOTE]
>Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. > - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request. 1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
@ -130,4 +131,3 @@ It is crucial to respond in a timely manner to keep the investigation moving.
## Related topic ## Related topic
- [Microsoft Threat Experts overview](microsoft-threat-experts.md) - [Microsoft Threat Experts overview](microsoft-threat-experts.md)

15
windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
View File

@ -46,15 +46,18 @@ Microsoft does not use your data for advertising.
## Data protection and encryption ## Data protection and encryption
The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure.
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
## Do I have the flexibility to select where to store my data? ## Data storage location
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States, or dedicated Azure Government data centers (soon to be in preview). Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service.
Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States.
Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.
## Is my data isolated from other customer data? ## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
@ -84,12 +87,10 @@ Your data will be kept and will be available to you while the license is under g
## Can Microsoft help us maintain regulatory compliance? ## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP is ISO 27001 certified and has a roadmap for obtaining national, regional and industry-specific certifications. Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications.
Microsoft Defender ATP for Government (soon to be in preview) is currently undergoing audit for achieving FedRAMP High accreditation as well as Provisional Authorization (PA) at Impact Levels 4 and 5.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
For more information on the Microsoft Defender ATP ISO certification reports, see [Microsoft Trust Center](https://www.microsoft.com/trustcenter/compliance/iso-iec-27001). For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)

5
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -231,7 +231,7 @@ unzip WindowsDefenderATPOnboardingPackage.zip
2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have `python` installed on the device: 2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have `python` installed on the device:
```bash ```bash
python WindowsDefenderATPOnboarding.py sudo python WindowsDefenderATPOnboarding.py
``` ```
3. Verify that the machine is now associated with your organization and reports a valid organization identifier: 3. Verify that the machine is now associated with your organization and reports a valid organization identifier:
@ -247,7 +247,8 @@ unzip WindowsDefenderATPOnboardingPackage.zip
``` ```
> [!IMPORTANT] > [!IMPORTANT]
> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`. > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.<br>
> Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine: 5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine:

5
windows/security/threat-protection/microsoft-defender-atp/live-response.md
View File

@ -284,7 +284,10 @@ Each command is tracked with full details such as:
- Large scale command execution is not supported. - Large scale command execution is not supported.
- A user can only initiate one session at a time. - A user can only initiate one session at a time.
- A device can only be in one session at a time. - A device can only be in one session at a time.
- There is a file size limit of 750mb when downloading files from a device. - The following file size limits apply:
- `getfile` limit: 3 GB
- `fileinfo` limit: 10 GB
- `library` limit: 250 MB
## Related article ## Related article
- [Live response command examples](live-response-command-examples.md) - [Live response command examples](live-response-command-examples.md)

2
windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
View File

@ -97,7 +97,7 @@ The package contains the following folders:
|:---|:---------| |:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | |Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attackers persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | |Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewassExecutionLog.txt and pfirewall.log | |Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attackers command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewallExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | | Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | | Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |

2
windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -42,7 +42,7 @@ MpCmdRun.exe -scan -2
| Command | Description | | Command | Description |
|:----|:----| |:----|:----|
| `-?` **or** `-h` | Displays all available options for this tool | | `-?` **or** `-h` | Displays all available options for this tool |
| `-Scan [-ScanType [0\|1\|2\|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. | | `-Scan [-ScanType [0\|1\|2\|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]` | Scans for malicious software. Values for **ScanType** are: **0** Default, according to your configuration, **-1** Quick scan, **-2** Full scan, **-3** File and directory custom scan. CpuThrottling will honor the configured CPU throttling from policy |
| `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing | | `-Trace [-Grouping #] [-Level #]` | Starts diagnostic tracing |
| `-GetFiles` | Collects support information | | `-GetFiles` | Collects support information |
| `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder | | `-GetFilesDiagTrack` | Same as `-GetFiles`, but outputs to temporary DiagTrack folder |

18
windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
View File

@ -47,7 +47,7 @@ To configure the Group Policy settings described in the following table:
Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
---|---|---|--- ---|---|---|---
See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning` Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan` Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning` Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
@ -72,29 +72,19 @@ For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.
## Email scanning limitations ## Email scanning limitations
We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails.
You can also use this Group Policy to enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX - DBX
- MBX - MBX
- MIME - MIME
PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files. This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware. PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
- Email subject - Email subject
- Attachment name - Attachment name
>[!WARNING]
>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
>
> - [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
> - [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
## Related topics ## Related topics
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) - [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)

38
windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
View File

@ -35,9 +35,9 @@ See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protectio
There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details. There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. See [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md) for more details.
> [!NOTE] > [!NOTE]
>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. > In Windows 10, there is no difference between the **Basic** and **Advanced** reporting options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect.
**Use Intune to enable cloud-delivered protection** ## Use Intune to enable cloud-delivered protection
1. Sign in to the [Azure portal](https://portal.azure.com). 1. Sign in to the [Azure portal](https://portal.azure.com).
2. Select **All services > Intune**. 2. Select **All services > Intune**.
@ -51,59 +51,62 @@ There are specific network-connectivity requirements to ensure your endpoints ca
- **Send all samples automatically** - **Send all samples automatically**
>[!NOTE] >[!NOTE]
>**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING] > [!WARNING]
> Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. 8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
**Use Configuration Manager to enable cloud-delivered protection:** ## Use Configuration Manager to enable cloud-delivered protection
See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
**Use Group Policy to enable cloud-delivered protection:** ## Use Group Policy to enable cloud-delivered protection
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**. 2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**. 3. Select **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** 4. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS**
5. Double-click **Join Microsoft MAPS** and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. 5. Double-click **Join Microsoft MAPS**. Ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Select **OK**.
6. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either of the following: 6. Double-click **Send file samples when further analysis is required**. Ensure that the option is set to **Enabled** and that the other options are either of the following:
1. **Send safe samples** (1) 1. **Send safe samples** (1)
2. **Send all samples** (3) 2. **Send all samples** (3)
>[!NOTE] >[!NOTE]
>**Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
> [!WARNING] > [!WARNING]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
7. Click **OK**. 7. Click **OK**.
**Use PowerShell cmdlets to enable cloud-delivered protection:** ## Use PowerShell cmdlets to enable cloud-delivered protection
Use the following cmdlets to enable cloud-delivered protection: Use the following cmdlets to enable cloud-delivered protection:
```PowerShell ```PowerShell
Set-MpPreference -MAPSReporting Advanced Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent AlwaysPrompt Set-MpPreference -SubmitSamplesConsent SendAllSamples
``` ```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. [Policy CSP - Defender](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) also has more information specifically on [-SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent).
>[!NOTE] >[!NOTE]
>You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation.
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. >[!WARNING]
> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature of Microsoft Defender ATP won't work.
**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** ## Use Windows Management Instruction (WMI) to enable cloud-delivered protection
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties:
@ -113,9 +116,10 @@ SubmitSamplesConsent
``` ```
See the following for more information and allowed parameters: See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
**Enable cloud-delivered protection on individual clients with the Windows Security app** ## Enable cloud-delivered protection on individual clients with the Windows Security app
> [!NOTE] > [!NOTE]
> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.

194
windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft author: denisebmsft
ms.author: deniseb ms.author: deniseb
ms.custom: nextgen ms.custom: nextgen
ms.date: 03/04/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -25,48 +24,181 @@ manager: dansimp
There are two types of updates related to keeping Windows Defender Antivirus up to date: There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates - Security intelligence updates
2. Product updates - Product updates
You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection. > [!IMPORTANT]
> Keeping Windows Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
> This also applies to devices where Windows Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility).
## Protection updates ## Security intelligence updates
Windows Defender Antivirus uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as Security intelligence updates. Windows Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the security intelligence updates occur on a scheduled cadence (configurable via policy). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
Engine updates are included with the Security intelligence updates and are released on a monthly cadence. Engine updates are included with the security intelligence updates and are released on a monthly cadence.
## Product updates ## Product updates
Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases. Windows Defender Antivirus requires [monthly updates (KB4052623)](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. You can manage the distribution of updates through [Windows Server Update Service (WSUS)](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
For more information, see [Manage the sources for Windows Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
## Released platform and engine versions > [!NOTE]
> We release these monthly updates in phases. This results in multiple packages showing up in your WSUS server.
Only the main version is listed in the following table as reference information: ## Monthly platform and engine versions
Month | Platform/Client | Engine For information how to update or how to install the platform update, please see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
---|---|---
Apr-2020 | 4.18.2004.x | 1.1.17000.x All our updates contain:
Mar-2020 | 4.18.2003.x | 1.1.16900.x * performance improvements
Feb-2020 | - | 1.1.16800.x * serviceability improvements
Jan-2020 | 4.18.2001.x | 1.1.16700.x * integration improvements (Cloud, MTP)
Dec-2019 | - | - | <br/>
Nov-2019 | 4.18.1911.x | 1.1.16600.x
Oct-2019 | 4.18.1910.x | 1.1.16500.x <details>
Sep-2019 | 4.18.1909.x | 1.1.16400.x <summary> April-2020 (Platform: 4.18.2004.6 | Engine: 1.1.17000.2)</summary>
Aug-2019 | 4.18.1908.x | 1.1.16300.x
Jul-2019 | 4.18.1907.x | 1.1.16200.x &ensp;Security intelligence update version: **TBD**
Jun-2019 | 4.18.1906.x | 1.1.16100.x &ensp;Released: **April 30, 2020**
May-2019 | 4.18.1905.x | 1.1.16000.x &ensp;Platform: **4.18.2004.6**
Apr-2019 | 4.18.1904.x | 1.1.15900.x &ensp;Engine: **1.1.17000.2**
Mar-2019 | 4.18.1903.x | 1.1.15800.x &ensp;Support phase: **Security and Critical Updates**
Feb-2019 | 4.18.1902.x | 1.1.15700.x
Jan-2019 | 4.18.1901.x | 1.1.15600.x ### What's new
Dec-18 | 4.18.1812.X | 1.1.15500.x * WDfilter improvements
* Add more actionable event data to ASR detection events
* Fixed version information in diagnostic data and WMI
* Fixed incorrect platform version in UI after platform update
* Dynamic URL intel for Fileless threat protection
* UEFI scan capability
* Extend logging for updates
### Known Issues
No known issues
<br/>
</details>
<details>
<summary> March-2020 (Platform: 4.18.2003.8 | Engine: 1.1.16900.2)</summary>
&ensp;Security intelligence update version: **1.313.8.0**
&ensp;Released: **March 24, 2020**
&ensp;Platform: **4.18.2003.8**
&ensp;Engine: **1.1.16900.4**
&ensp;Support phase: **Technical upgrade Support (Only)**
### What's new
* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus)
* Improve diagnostic capability
* reduce Security intelligence timeout (5min)
* Extend AMSI engine internal log capability
* Improve notification for process blocking
### Known Issues
[**Fixed**] Windows Defender Antivirus is skipping files when running a scan.
<br/>
</details>
<details>
<summary> February-2020 (Platform: - | Engine: 1.1.16800.2)</summary>
Security intelligence update version: **1.311.4.0**
Released: **February 25, 2020**
Platform/Client: **-**
Engine: **1.1.16800.2**
Support phase: **N/A**
### What's new
### Known Issues
No known issues
<br/>
</details>
<details>
<summary> January-2020 (Platform: 4.18.2001.10 | Engine: 1.1.16700.2)</summary>
Security intelligence update version: **1.309.32.0**
Released: **January 30, 2020**
Platform/Client: **4.18.2001.10**
Engine: **1.1.16700.2**
Support phase: **Technical upgrade Support (Only)**
### What's new
* Fixed BSOD on WS2016 with Exchange
* Support platform updates when TMP is redirected to network path
* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates)
* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
* Fix 4.18.1911.10 hang
### Known Issues
[**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.
<br/>
> [!IMPORTANT]
> This updates is needed by RS1 devices running lower version of the platform to support SHA2. <br/>This update has reboot flag for systems that are experiencing the hang issue.<br/> the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
<br/>
</details>
<details>
<summary> November-2019 (Platform: 4.18.1911.2 | Engine: 1.1.16600.7)</summary>
Security intelligence update version: **1.307.13.0**
Released: **December 7, 2019**
Platform: **4.18.1911.2**
Engine: **1.1.17000.7**
Support phase: **No support**
### What's new
* Fixed MpCmdRun tracing level
* Fixed WDFilter version info
* Improve notifications (PUA)
* add MRT logs to support files
### Known Issues
No known issues
<br/>
</details>
## Windows Defender Antivirus platform support
As stated above, platform and engine updates are provided on a monthly cadence.
Customers must stay current with the latest platform update to be fully supported. Our support structure is now dynamic, evolving into two phases depending on the availability of the latest platform version:
* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
During the technical support (only) phase, commercially reasonable support incidents will be provided through Microsoft Customer Service & Support and Microsofts managed support offerings (such as Premier Support). If a support incident requires escalation to development for further guidance, requires a non-security update, or requires a security update, customers will be asked to upgrade to the latest platform version or an intermediate update (*).
### Platform version included with Windows 10 releases
The below table provides the Windows Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
|Windows 10 release |Platform version |Engine version |Support phase |
|-|-|-|-|
|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |
Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
## In this section ## In this section