From 8acf5994725441506f024dc89773edb32bd39547 Mon Sep 17 00:00:00 2001 From: danhwang1 <40180973+danhwang1@users.noreply.github.com> Date: Mon, 11 Jun 2018 11:45:40 -0700 Subject: [PATCH 01/30] Update supl-ddf-file.md We have recently made a change in our Location Platform pertaining to SUPL to increase the max number of root certificates from 3 to 6 (as mandated). As a result, we will need to update the necessary public documentation here: https://docs.microsoft.com/en-us/windows/client-management/mdm/supl-ddf-file --- .../client-management/mdm/supl-ddf-file.md | 198 +++++++++++++++++- 1 file changed, 197 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index e6ed98d713..4ee4e4ad1d 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -171,7 +171,7 @@ The XML below is the current version for this CSP. - MCCMNPairs + MCCMNCPairs @@ -482,6 +482,201 @@ The XML below is the current version for this CSP. + + RootCertificate4 + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate5 + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate6 + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + V2UPL1 @@ -662,6 +857,7 @@ The XML below is the current version for this CSP. + ```   From 2e791f3bf1304fc2ad71c51c5a9f4b2aa7063454 Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Mon, 11 Jun 2018 21:27:30 +0000 Subject: [PATCH 02/30] Updated inclusive-classroom-it-admin.md --- education/get-started/inclusive-classroom-it-admin.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 16b5c8a0e2..6d3bb808df 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -37,10 +37,10 @@ ms.date: 03/18/2018 | Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | |---|---|---|---|---|---|---|---|---|---| -| Accessibility Checker | | | | | | | | | | -| Accessible Templates | | | | | | | | | | -| Ability to add alt-text for images | | | | | | | | | | -| Ability to add captions to videos | | | | | | | | | | +| Accessibility Checker | | |

X

| | | | | | | +| Accessible Templates | | |

X

| | | | | | | +| Ability to add alt-text for images | | |

X

| | | | | | | +| Ability to add captions to videos | | |

X

| | | | | | | | Export as tagged PDF | | | | | | | | | | | Ability to request accessible content | | | | | | | | | |
@@ -48,6 +48,5 @@ ms.date: 03/18/2018 | Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | |---|---|---|---|---|---|---|---|---|---| -| Translate Language of Document | | | | | | | | | | -| PowerPoint Translator | | | | | | | | | | +| Microsoft Translator | |

X

|

X

|

X

|

X

|

X

| | | |
\ No newline at end of file From 691fcc8adcef630ede24ab5336814e0586e0a4ba Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 12 Jun 2018 10:23:42 -0700 Subject: [PATCH 03/30] first pass fixing links to dead OMS marketing page --- .../update/device-health-get-started.md | 13 ++++++++----- .../update/update-compliance-get-started.md | 8 ++++++-- .../upgrade/upgrade-readiness-get-started.md | 15 +++++++++------ .../upgrade/upgrade-readiness-requirements.md | 14 +++++++------- 4 files changed, 30 insertions(+), 20 deletions(-) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 81a57be6d4..5b3a7b3474 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 03/20/2018 +ms.date: 06/12/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -24,13 +24,16 @@ Steps are provided in sections that follow the recommended setup process: -## Add Device Health to Microsoft Operations Management Suite +## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics -Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. -**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace. + +**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 6cfecd1c73..9887546277 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -23,12 +23,16 @@ Steps are provided in sections that follow the recommended setup process: -## Add Update Compliance to Microsoft Operations Management Suite +## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Device Health solution and add it to your workspace. + + If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index e80d01d273..3ee8a1a528 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/20/2018 +ms.date: 06/12/2018 ms.localizationpriority: high --- @@ -35,7 +35,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. -## Add Upgrade Readiness to Operations Management Suite +## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). @@ -44,11 +44,14 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. -If you are not using OMS: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace. -1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and select **New Customers >** to start the process. -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. +If you are not using OMS or Azure Log Analytics: + +1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. +2. Sign in to Operations Management Suite (OMS or Azure Log Analytics You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. +3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. 4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 21dfb741d1..538d13cb2a 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -5,7 +5,7 @@ keywords: windows analytics, oms, operations management suite, prerequisites, re ms.prod: w10 author: jaimeo ms.author: -ms.date: 03/15/2018 +ms.date: 06/12/2018 ms.localizationpriority: high --- @@ -32,19 +32,19 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1 ### Windows 10 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. -The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. -## Operations Management Suite +## Operations Management Suite or Azure Log Analytics -Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace. +If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. You can also -If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it. +If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. +>[!IMPORTANT] You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work >or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. ## System Center Configuration Manager integration From cdebda815d631819f1d4ac932d5c0c99abd2a3e4 Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Tue, 12 Jun 2018 17:40:24 +0000 Subject: [PATCH 04/30] Updated inclusive-classroom-it-admin.md --- education/get-started/inclusive-classroom-it-admin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 6d3bb808df..bcff2649a4 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -16,7 +16,7 @@ ms.date: 03/18/2018 |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | |---|---|---|---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| |

X

|

X

|

X

| |

X

| | | +| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
Word 2016, Word Online, Word Mac, Word for iOS
Outlook 2016, Outlook Web Access
Office Lens on iOS | |

X

|

X

|

X

| |

X

| | | | Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS
| |

X

|

X

|

X

| |

X

| | | | Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

|

X

|

X

| |

X

| | | | Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| |

X

| | | |

X

| |

X

| From 73311e46a1db5125647ccfac28e05eb1b1b5b579 Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Tue, 12 Jun 2018 17:46:51 +0000 Subject: [PATCH 05/30] Updated inclusive-classroom-it-admin.md, testing headings --- education/get-started/inclusive-classroom-it-admin.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index bcff2649a4..4ce644acdc 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -14,6 +14,9 @@ ms.author: alhughes ms.date: 03/18/2018 --- +# Inclusive Classroom IT Admin Guide + +## Inclusive Classroom features |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | |---|---|---|---|---|---|---|---|---|---| | Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
Word 2016, Word Online, Word Mac, Word for iOS
Outlook 2016, Outlook Web Access
Office Lens on iOS | |

X

|

X

|

X

| |

X

| | | @@ -45,7 +48,6 @@ ms.date: 03/18/2018 | Ability to request accessible content |
  • Outlook Web Access
| | | | | | | | |
- | Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | |---|---|---|---|---|---|---|---|---|---| | Microsoft Translator |
  • Word 2016
  • Excel 2016
  • "Translator for Outlook" Add-in
  • PowerPoint 2016 (and PowerPoint Garage Add-in
|

X

|

X

|

X

|

X

|

X

| | | | From 13238fcf3e90753450b81f1c31ca00d5833af540 Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Tue, 12 Jun 2018 17:54:09 +0000 Subject: [PATCH 06/30] Updated inclusive-classroom-it-admin.md --- .../get-started/inclusive-classroom-it-admin.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 4ce644acdc..1367c70c95 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -17,14 +17,14 @@ ms.date: 03/18/2018 # Inclusive Classroom IT Admin Guide ## Inclusive Classroom features -|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | +|Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
Word 2016, Word Online, Word Mac, Word for iOS
Outlook 2016, Outlook Web Access
Office Lens on iOS | |

X

|

X

|

X

| |

X

| | | -| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS
| |

X

|

X

|

X

| |

X

| | | -| Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

|

X

|

X

| |

X

| | | -| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| |

X

| | | |

X

| |

X

| -| Line focus mode |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| | | | | |

X

| | | -| Picture Dictionary |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| | | | | |

X

| |

X

| +| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
Word 2016, Word Online, Word Mac, Word for iOS
Outlook 2016, Outlook Web Access
Office Lens on iOS | |

X

|

X

|

X

| | +| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS
| |

X

|

X

|

X

| | +| Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

|

X

|

X

| | +| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| |

X

| | | | +| Line focus mode |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| | | | | | +| Picture Dictionary |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| | | | | |
| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | From 3a2606394c93471343771cc38fcc355844beec6a Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Tue, 12 Jun 2018 19:23:14 +0000 Subject: [PATCH 07/30] Updated inclusive-classroom-it-admin.md, fixed up the tables --- .../inclusive-classroom-it-admin.md | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 1367c70c95..0deaac12fc 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -18,37 +18,37 @@ ms.date: 03/18/2018 ## Inclusive Classroom features |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | -|---|---|---|---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting | OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
Word 2016, Word Online, Word Mac, Word for iOS
Outlook 2016, Outlook Web Access
Office Lens on iOS | |

X

|

X

|

X

| | -| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS
| |

X

|

X

|

X

| | -| Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

|

X

|

X

| | -| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| |

X

| | | | -| Line focus mode |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| | | | | | -| Picture Dictionary |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS
| | | | | | +|---|---|---|---|---|---|---| +| Read aloud with simultaneous highlighting |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(Not including Outlook PC)

|

X

(Not including any OneNote apps or Outlook PC)

| +| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(Not including any OneNote apps)

| +| Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

(Not including Word for iOS, Word Online, Outlook Web Access)

|

X

(Not including Word iOS)

|

X

(Not including Word iOS)

|

X

(Not including any OneNote apps or Word iOS)

| +| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word Online, Outlook Web Access)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

| +| Line focus mode |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word Online, Outlook Web Access)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

| +| Picture Dictionary |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word Online, Outlook Web Access)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

|
-| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | -|---|---|---|---|---|---|---|---|---|---| -| Dictation |
  • OneNote 2016, OneNote for Windows 10
  • Word 2016
  • Outlook 2016
  • PowerPoint 2016
| |

X

|

X

| | | | | | -| Spelling suggestions for phonetic misspellings |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

|

X

| | | | | -| Synonyms alongside spelling suggestions that can be read aloud |
  • Word 2016
  • Outlook 2016
| |

X

|

X

|

X

| | | | | -| Grammar checks |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | | | | -| Customizable writing critiques |
  • Word 2016, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | | | | -| Tell me what you want to do |
  • Office 2016
  • Office Online
  • Office on iOS, Android, Windows 10
| |

X

|

X

|

X

| |

X

| | | -| Editor |
  • Word 2016
| |

X

|

X

| | | | | | +| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Dictation |
  • OneNote 2016, OneNote for Windows 10
  • Word 2016
  • Outlook 2016
  • PowerPoint 2016
| |

X

|

X

| | | +| Spelling suggestions for phonetic misspellings |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

|

X

| | +| Synonyms alongside spelling suggestions that can be read aloud |
  • Word 2016
  • Outlook 2016
| |

X

|

X

|

X

| | +| Grammar checks |
  • Word 2016, Word Online, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | +| Customizable writing critiques |
  • Word 2016, Word for Mac
  • Outlook 2016
| |

X

|

X

| | | +| Tell me what you want to do |
  • Office 2016
  • Office Online
  • Office on iOS, Android, Windows 10
| |

X

|

X

|

X

| | +| Editor |
  • Word 2016
| |

X

|

X

| | |
-| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | -|---|---|---|---|---|---|---|---|---|---| -| Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

| | | | | | | -| Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

| | | | | | | -| Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
| |

X

| | | | | | | -| Ability to add captions to videos |
  • PowerPoint for PCs
  • Sway on iOS, Web, Windows 10
| |

X

| | | | | | | -| Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| | | | | | | | | -| Ability to request accessible content |
  • Outlook Web Access
| | | | | | | | | +| Creating accessible content features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

| | | | +| Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

| | | | +| Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
| |

X

| | | | +| Ability to add captions to videos |
  • PowerPoint for PCs
  • Sway on iOS, Web, Windows 10
| |

X

| | | | +| Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| | | | | | +| Ability to request accessible content |
  • Outlook Web Access
| | | | | |
-| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | Office 365 Web | Office Mac | Office iPad | -|---|---|---|---|---|---|---|---|---|---| -| Microsoft Translator |
  • Word 2016
  • Excel 2016
  • "Translator for Outlook" Add-in
  • PowerPoint 2016 (and PowerPoint Garage Add-in
|

X

|

X

|

X

|

X

|

X

| | | | +| Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | +|---|---|---|---|---|---|---| +| Microsoft Translator |
  • Word 2016
  • Excel 2016
  • "Translator for Outlook" Add-in
  • PowerPoint 2016 (and PowerPoint Garage Add-in)
|

X

|

X

|

X

|

X

|

X

|
\ No newline at end of file From 26a9473445983b5435f5f1ff17a105b4f4a6b8da Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 12 Jun 2018 13:03:25 -0700 Subject: [PATCH 08/30] added new topic for isg --- .../TOC.md | 1 + ...control-with-intelligent-security-graph.md | 142 ++++++++++++++++++ 2 files changed, 143 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 4bf7c5ff89..1d9c033045 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -18,6 +18,7 @@ ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) +### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md new file mode 100644 index 0000000000..57f5838a42 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -0,0 +1,142 @@ +--- +title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10) +description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +author: mdsakibMSFT +ms.date: 03/01/2018 +--- + +# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + + +```code + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Enable service enforcement in AppLocker policy + +Since many installation processes rely on services, it is typically necessary to enable tracking of services. +Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. +For example: + +```code + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +### Enable the managed installer option in WDAC policy + +In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy. +This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). +An example of the managed installer option being set in policy is shown below. + +```code + + + + + + + + + + + + + + + + + +``` + +## Security considerations with managed installer + +Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. +It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. + +Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. +If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. +Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. +To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation. + +## Known limitations with managed installer + +- Application execution control based on managed installer does not support applications that self-update. +If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. +Enterprises should deploy and install all application updates using the managed installer. +In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. +Proper review for functionality and security should be performed for the application before using this method. + +- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. +Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. + +- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. + +- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. +In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. +Proper review for functionality and security should be performed for the application before using this method. + +- The managed installer heuristic does not authorize drivers. +The WDAC policy must have rules that allow the necessary drivers to run. + +- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. +Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. +Review for functionality and performance for the related applications using the native images maybe necessary in some cases. From 1b3717b4e850e9916028733b3cf8cd0f2e666b80 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 12 Jun 2018 13:27:24 -0700 Subject: [PATCH 09/30] fixing some typos --- windows/deployment/update/update-compliance-get-started.md | 2 +- windows/deployment/upgrade/upgrade-readiness-get-started.md | 2 +- windows/deployment/upgrade/upgrade-readiness-requirements.md | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 9887546277..9d1b01ce0f 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -30,7 +30,7 @@ Update Compliance is offered as a solution in the Microsoft Operations Managemen If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. >[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Device Health solution and add it to your workspace. +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace. If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 3ee8a1a528..2972c0ff9c 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -50,7 +50,7 @@ If you are already using OMS, you’ll find Upgrade Readiness in the Solutions G If you are not using OMS or Azure Log Analytics: 1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -2. Sign in to Operations Management Suite (OMS or Azure Log Analytics You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. +2. Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. 3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. 4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 538d13cb2a..7695e28a28 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -21,7 +21,7 @@ To perform an in-place upgrade, user computers must be running the latest versio The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. - + If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. @@ -44,7 +44,8 @@ If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Read If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. ->[!IMPORTANT] You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work >or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. +>[!IMPORTANT] +>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. ## System Center Configuration Manager integration From c0fa70b9c025b0cfb0377a9708071550d405376c Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Tue, 12 Jun 2018 21:44:36 +0000 Subject: [PATCH 10/30] Updated inclusive-classroom-it-admin.md, added final 3 sections --- .../inclusive-classroom-it-admin.md | 36 ++++++++++++++++--- 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 0deaac12fc..4daed3a54b 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -1,7 +1,7 @@ --- title: Inclusive Classroom IT Admin Guide description: Learning which Inclusive Classroom features are available in which apps and in which versions of Microsoft Office. -keywords: Test +keywords: Inclusive Classroom, Admin, Administrator, Microsoft Intune, Intune, Ease of Access, Office 365, account ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -11,12 +11,19 @@ ms.pagetype: edu ROBOTS: noindex,nofollow author: alhughes ms.author: alhughes -ms.date: 03/18/2018 +ms.date: 06/12/2018 --- # Inclusive Classroom IT Admin Guide +The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Office. +You will also learn how to deploy apps using Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription. -## Inclusive Classroom features +1. [Inclusive Classroom features](#features) +2. [Deploying apps with Microsoft Intune](#intune) +3. [How to disable the Ease of Accesss settings for text in Windows 10](#ease) +4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account) + +## Inclusive Classroom features |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| | Read aloud with simultaneous highlighting |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(Not including Outlook PC)

|

X

(Not including any OneNote apps or Outlook PC)

| @@ -51,4 +58,25 @@ ms.date: 03/18/2018 | Communication features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| | Microsoft Translator |
  • Word 2016
  • Excel 2016
  • "Translator for Outlook" Add-in
  • PowerPoint 2016 (and PowerPoint Garage Add-in)
|

X

|

X

|

X

|

X

|

X

| -
\ No newline at end of file +
+ +## Deploying apps with Microsoft Intune +Microsoft Intune can be used to deploy apps such as Immersive Reader and Mirosoft Translator to all the computers connected in the same groups. +1. Go to the Intune for Education portal and login with your account. +2. Select the **Apps** page. +3. Find the app your looking for either in the included list or if it's not there you can select **Add app** and download it from the Microsoft Store. +4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to. + +## How to disable the Ease of Accesss settings for text in Windows 10 +The Ease of Access settings in Windows 10 are very useful accessibility tools, but not every one needs them activated for their computer. With the following instructions you can turn off users ability to get to the Ease of access settings. +1. Go to the Intune for Education portal and login with your account. +2. Select the **Groups** page and then select your desired group. +3. Select **Settings** and under the **User access and device settings** section you find the toggle to set Ease of access to **Blocked** or **Not blocked**. +4. Select **Save** after making your selection. + +## How to change your Office 365 account from monthly, semi-annual, or yearly +Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly. +1. Sign in to your services and subscriptions with your Microsoft account. +2. Find the subscription in the list, then select **Change how you pay**. + >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. +3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. \ No newline at end of file From d2bb6ad6664ece3cdacfe3b75056256968e7961c Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Tue, 12 Jun 2018 23:40:56 +0000 Subject: [PATCH 11/30] Updated inclusive-classroom-it-admin.md --- .../get-started/inclusive-classroom-it-admin.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 4daed3a54b..e095d037d3 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -15,8 +15,8 @@ ms.date: 06/12/2018 --- # Inclusive Classroom IT Admin Guide -The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Office. -You will also learn how to deploy apps using Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription. +The following guide will show you what Inclusive Classroom features are available in which apps and which versions of Microsoft Office. +You will also learn how to deploy apps using Microsoft Intune, turn on or off Ease of access settings for users, and change how you pay for your Office 365 subscription. 1. [Inclusive Classroom features](#features) 2. [Deploying apps with Microsoft Intune](#intune) @@ -64,19 +64,19 @@ You will also learn how to deploy apps using Intune, turn on or off Ease of acce Microsoft Intune can be used to deploy apps such as Immersive Reader and Mirosoft Translator to all the computers connected in the same groups. 1. Go to the Intune for Education portal and login with your account. 2. Select the **Apps** page. -3. Find the app your looking for either in the included list or if it's not there you can select **Add app** and download it from the Microsoft Store. +3. Find the app you're looking for either in the included list or, if it's not there, you can select **Add app** and download it from the Microsoft Store. 4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to. -## How to disable the Ease of Accesss settings for text in Windows 10 +## How to disable the Ease of Access settings for text in Windows 10 The Ease of Access settings in Windows 10 are very useful accessibility tools, but not every one needs them activated for their computer. With the following instructions you can turn off users ability to get to the Ease of access settings. 1. Go to the Intune for Education portal and login with your account. 2. Select the **Groups** page and then select your desired group. -3. Select **Settings** and under the **User access and device settings** section you find the toggle to set Ease of access to **Blocked** or **Not blocked**. +3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**. 4. Select **Save** after making your selection. ## How to change your Office 365 account from monthly, semi-annual, or yearly Depending on how you plan to do billing, you can have Office 365 accounts that are set to renew monthly, semi-annually, or yearly. -1. Sign in to your services and subscriptions with your Microsoft account. +1. Sign-in to your services and subscriptions with your Microsoft account. 2. Find the subscription in the list, then select **Change how you pay**. >**Note:** If you don't see **Change how you pay**, it could be because auto-renew is not turned on. You won't be able to change how you pay if auto-renew is off because the subscription has already been paid and will end when its duration expires. 3. Choose a new way to pay from the list or select **Add a new way to pay** and follow the instructions. \ No newline at end of file From 99c0736647e9edddff7cbc6cfaec77009de4bbaa Mon Sep 17 00:00:00 2001 From: Martin Adler <1208749+EagleIJoe@users.noreply.github.com> Date: Wed, 13 Jun 2018 12:51:37 +0200 Subject: [PATCH 12/30] Corrected examples XML syntax Upper case boolean values caused parser error Ending XML closing tag invalidates file --- .../app-v/appv-auto-batch-updating.md | 92 +++++++++---------- 1 file changed, 45 insertions(+), 47 deletions(-) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 1d96b18fb8..ff99b0273a 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -41,29 +41,28 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* **Example:** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - True - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - True - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + true + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + true + true + + ``` 3. Save your completed file under the name **ConfigFile**. @@ -101,29 +100,28 @@ Updating multipe apps at the same time requires that you create a **ConfigFile** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - False - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - False - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + false + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + false + true + + ``` ### Start the App-V Sequencer interface and app installation process @@ -157,4 +155,4 @@ There are three types of log files that occur when you sequence multiple apps at ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). From 18f3d7f9b13a10de950050a888ccd3deb47c0780 Mon Sep 17 00:00:00 2001 From: Christopher McClister Date: Wed, 13 Jun 2018 08:26:54 -0700 Subject: [PATCH 13/30] Added ms.collection meta data to Education hub per Lauren Moynihan --- education/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/education/index.md b/education/index.md index 424b52680d..c78b456b9e 100644 --- a/education/index.md +++ b/education/index.md @@ -6,6 +6,7 @@ description: Learn about product documentation and resources available for schoo author: CelesteDG ms.topic: hub-page ms.author: celested +ms.collection: ITAdminEDU ms.date: 10/30/2017 ---
From 436fe714e3178bc5f9be0c3b65482a4cacdac780 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 13 Jun 2018 09:56:48 -0700 Subject: [PATCH 14/30] added bold to code snippet --- ...control-with-intelligent-security-graph.md | 151 ++++++------------ 1 file changed, 53 insertions(+), 98 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 57f5838a42..c5c738cc8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -15,11 +15,39 @@ ms.date: 03/01/2018 - Windows 10 - Windows Server 2016 +Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. +In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task. -```code +Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. + +## How does the integration between WDAC and the Intelligent Security Graph work? + +The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision. + +After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification. + +The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot. + +>[!NOTE] +>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines. + +Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). + +## Configuring Intelligent Security Graph authorization for Windows Defender Application Control + +Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps: + +- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) +- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) + +### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML + +In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. + +
  
      
-       
+       
      
      
        
@@ -27,12 +55,12 @@ ms.date: 03/01/2018
      
        
      
-     
-       
-     
-     
-       
-     
+     
+       
+     
+     
+       
+     
      
        
      
@@ -40,103 +68,30 @@ ms.date: 03/01/2018
        
      
  
+
+ +### Enable the necessary services to allow WDAC to use the ISG correctly on the client + +In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32. + +``` +appidtel start ``` -## Enable service enforcement in AppLocker policy +For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required. -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. -For example: +## Security considerations with using the Intelligent Security Graph -```code - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` +Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. -### Enable the managed installer option in WDAC policy +Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize. -In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). -An example of the managed installer option being set in policy is shown below. +## Known limitations with using the Intelligent Security Graph -```code - - - - - - - - - - - - - - - - - -``` +Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG. -## Security considerations with managed installer +Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy. -Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. -It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. +The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. -Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. -If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. -Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. -To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation. - -## Known limitations with managed installer - -- Application execution control based on managed installer does not support applications that self-update. -If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. -Enterprises should deploy and install all application updates using the managed installer. -In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. -Proper review for functionality and security should be performed for the application before using this method. - -- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. -Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. - -- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. - -- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. -In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. -Proper review for functionality and security should be performed for the application before using this method. - -- The managed installer heuristic does not authorize drivers. -The WDAC policy must have rules that allow the necessary drivers to run. - -- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. -Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. -Review for functionality and performance for the related applications using the native images maybe necessary in some cases. +In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. \ No newline at end of file From a33af7a063e817c9dd78174e6b196fd2c63e774d Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 13 Jun 2018 13:32:24 -0700 Subject: [PATCH 15/30] Corrected ASR rule functions. --- .../attack-surface-reduction-exploit-guard.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4085972ad5..ef39fda490 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/12/2018 +ms.date: 06/13/2018 --- @@ -174,7 +174,6 @@ This rule attempts to block Office files that contain macro code that is capable This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) -- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) ### Rule: Use advanced protection against ransomware From e7903a90bbcc957f988d2d36f2e6274084f47ae4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 13 Jun 2018 13:52:18 -0700 Subject: [PATCH 16/30] fixed formatting --- ...control-with-intelligent-security-graph.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index c5c738cc8e..f5dfca7d37 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -22,7 +22,7 @@ Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) pro ## How does the integration between WDAC and the Intelligent Security Graph work? -The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision. +The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision. After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification. @@ -42,9 +42,9 @@ Setting up the ISG authorization is easy regardless of what management solution ### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML -In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. +In order to enable trust for executables based on classifications in the ISG, the **Enabled: Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set. -
+```code
  
      
        
@@ -55,12 +55,12 @@ In order to enable trust for executables based on classifications in the ISG, th
      
        
      
-     
-       
-     
-     
-       
-     
+    
+      
+    
+    
+       
+    
      
        
      
@@ -68,7 +68,7 @@ In order to enable trust for executables based on classifications in the ISG, th
        
      
  
-
+``` ### Enable the necessary services to allow WDAC to use the ISG correctly on the client @@ -88,9 +88,9 @@ Users with administrator privileges or malware running as an administrator user ## Known limitations with using the Intelligent Security Graph -Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG. +Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG. -Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy. +Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy. The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. From a84f2885449ccb019c65048e9c19d06cf8b925ca Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 13 Jun 2018 13:56:08 -0700 Subject: [PATCH 17/30] fixed formatting --- ...ndows-defender-application-control-with-managed-installer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index efb071bcb1..badaf77f39 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: mdsakibMSFT -ms.date: 03/01/2018 +ms.date: 06/13/2018 --- # Deploy Managed Installer for Windows Defender Application Control From 1650ac230c4b901630c9680ebb31c309a2e57356 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 13 Jun 2018 14:01:22 -0700 Subject: [PATCH 18/30] Incorp review --- .../attack-surface-reduction-exploit-guard.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4085972ad5..c1ad13b4dd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/12/2018 +ms.date: 06/13/2018 --- @@ -187,6 +187,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). + >[!NOTE] + >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. + ### Rule: Block process creations originating from PSExec and WMI commands This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. From facc92390c2c008d60e772efc1edc7fe874b90ec Mon Sep 17 00:00:00 2001 From: Zane <34351912+zburtondbrs@users.noreply.github.com> Date: Wed, 13 Jun 2018 16:02:17 -0500 Subject: [PATCH 19/30] Update set-the-default-browser-using-group-policy.md The KB does not specify that this is a computer policy. Since there is not an equivalent user policy, I think that this should be explicitly stated. --- .../set-the-default-browser-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 899c3da6e3..900f6cbb17 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration **To set the default browser as Internet Explorer 11** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+1. Open your Group Policy editor and go to the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). ![set default associations group policy setting](images/setdefaultbrowsergp.png) From 3f87dc491dbdba52acb699e5b5c0926809cefd10 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 13 Jun 2018 14:02:51 -0700 Subject: [PATCH 20/30] minor updates --- ...privacy-windows-defender-advanced-threat-protection.md | 6 +++--- ...censing-windows-defender-advanced-threat-protection.md | 2 +- ...rements-windows-defender-advanced-threat-protection.md | 6 +++--- ...ot-siem-windows-defender-advanced-threat-protection.md | 8 ++++---- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 7a7abff824..1f6735881b 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 03/06/2018 +ms.date: 06/13/2018 --- # Windows Defender ATP data storage and privacy @@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Windows Defender ATP collect? -Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes. +Windows Defender ATP will collect and store information from your configured machines in a customer dedicate and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). @@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index e64acc561c..30c94ffd40 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. You will need to set up your preferences for the Windows Defender ATP portal. -3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. > [!WARNING] > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index c4a8127477..bd53b3a21d 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -36,14 +36,14 @@ For more information, see [Windows 10 Enterprise edition](https://www.microsoft. ### Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: -- Windows 10 Enterprise E5 -- Windows 10 Education E5 +- Windows 10 Enterprise E5 +- Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). ### Network and data storage and configuration requirements -When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the United Kingdom, Europe, or United States datacenter. +When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE] > - You cannot change your data storage location after the first-time setup. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index ba867a62e4..eb4b206317 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -63,10 +63,10 @@ If you encounter an error when trying to get a refresh token when using the thre - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` 5. Add the following URL: - - For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. - - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` - - For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` - + - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` + - For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` + - For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. + 6. Click **Save**. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) From 71d2e1e786e30009f3965a6be272a1a3b8300ad6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 13 Jun 2018 14:17:05 -0700 Subject: [PATCH 21/30] typo --- ...orage-privacy-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 1f6735881b..872a54ee9b 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Windows Defender ATP collect? -Windows Defender ATP will collect and store information from your configured machines in a customer dedicate and segregated tenant specific to the service for administration, tracking, and reporting purposes. +Windows Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). From 3d417b579cb5b4eb36bb5138848946614ce23637 Mon Sep 17 00:00:00 2001 From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Wed, 13 Jun 2018 14:24:29 -0700 Subject: [PATCH 22/30] Revert "Update supl-ddf-file.md" --- .../client-management/mdm/supl-ddf-file.md | 198 +----------------- 1 file changed, 1 insertion(+), 197 deletions(-) diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 4ee4e4ad1d..e6ed98d713 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -171,7 +171,7 @@ The XML below is the current version for this CSP. - MCCMNCPairs + MCCMNPairs @@ -482,201 +482,6 @@ The XML below is the current version for this CSP. - - RootCertificate4 - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate5 - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate6 - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - V2UPL1 @@ -857,7 +662,6 @@ The XML below is the current version for this CSP. - ```   From 57d57e319c5160365e228cfcea219843476ecf32 Mon Sep 17 00:00:00 2001 From: Luis Masieri <32968351+lmasieri@users.noreply.github.com> Date: Wed, 13 Jun 2018 14:29:15 -0700 Subject: [PATCH 23/30] Update whats-new-microsoft-store-business-education.md --- .../whats-new-microsoft-store-business-education.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index fc29d300b3..e2988a84c9 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -68,7 +68,7 @@ We’ve been working on bug fixes and performance improvements to provide you a - Bug fixes and performance improvements [October 2017](release-history-microsoft-store-business-education.md#october-2017) -- Bug fixes and permformance improvements +- Bug fixes and performance improvements [September 2017](release-history-microsoft-store-business-education.md#september-2017) - Manage Windows device deployment with Windows Autopilot Deployment From 8d57c7fd279afa47296b097d02db39f7b2052b9d Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Wed, 13 Jun 2018 22:38:16 +0000 Subject: [PATCH 24/30] Updated inclusive-classroom-it-admin.md, final changes before pull request --- .../inclusive-classroom-it-admin.md | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index e095d037d3..63c0d3cb23 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -20,18 +20,18 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea 1. [Inclusive Classroom features](#features) 2. [Deploying apps with Microsoft Intune](#intune) -3. [How to disable the Ease of Accesss settings for text in Windows 10](#ease) +3. [How to show/hide the Ease of Accesss settings for text in Windows 10](#ease) 4. [How to change your Office 365 account from monthly, semi-annual, or yearly](#account) ## Inclusive Classroom features |Reading features|Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | |---|---|---|---|---|---|---| -| Read aloud with simultaneous highlighting |

  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(Not including Outlook PC)

|

X

(Not including any OneNote apps or Outlook PC)

| -| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(Not including any OneNote apps)

| -| Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

(Not including Word for iOS, Word Online, Outlook Web Access)

|

X

(Not including Word iOS)

|

X

(Not including Word iOS)

|

X

(Not including any OneNote apps or Word iOS)

| -| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word Online, Outlook Web Access)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

| -| Line focus mode |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word Online, Outlook Web Access)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

| -| Picture Dictionary |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(Not including Word Online, Outlook Web Access)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

|

X

(Not including any OneNote apps)

| +| Read aloud with simultaneous highlighting |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| +| Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| +| Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access)

|

X

(N/A for Word iOS)

|

X

(N/A for Word iOS)

|

X

(N/A for any OneNote apps or Word iOS)

| +| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(ot includingN any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Line focus mode |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Picture Dictionary |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|
| Writing and proofing features | Available in which apps|Office 2016 MSI|Office 2019| Office 365 ProPlus Monthly (C2R) | Office 365 ProPlus Semi Annual (C2R) | Office 365 ProPlus Annual (C2R) | @@ -50,7 +50,7 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea | Accessibility Checker |
  • All Office 365 authoring applications on PC, Mac, Web
| |

X

| | | | | Accessible Templates |
  • Word for PCs, Mac
  • Excel for PCs, Mac
  • PowerPoint for PCs, Mac
  • Sway on iOS, Web, Windows 10
| |

X

| | | | | Ability to add alt-text for images |
  • Word for PCs (includes automatic suggestions for image descriptions)
  • SharePoint Online (includes automatic suggestions for image descriptions)
  • PowerPoint for PCs (includes automatic suggestions for image descriptions)
  • OneNote (includes automatic extraction of text in images)
  • All Office 365 authoring applications (include ability to add alt-text manually)
| |

X

| | | | -| Ability to add captions to videos |
  • PowerPoint for PCs
  • Sway on iOS, Web, Windows 10
| |

X

| | | | +| Ability to add captions to videos |
  • PowerPoint for PCs
  • Sway on iOS, Web, Windows 10
  • Microsoft Stream (includes ability to have captions auto-generated for videos in English and Spanish)
| |

X

| | | | | Export as tagged PDF |
  • Word for PCs, Mac
  • Sway on iOS, Web, Windows 10
| | | | | | | Ability to request accessible content |
  • Outlook Web Access
| | | | | |
@@ -61,14 +61,14 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea
## Deploying apps with Microsoft Intune -Microsoft Intune can be used to deploy apps such as Immersive Reader and Mirosoft Translator to all the computers connected in the same groups. -1. Go to the Intune for Education portal and login with your account. +Microsoft Intune can be used to deploy apps such as Immersive Reader and Microsoft Translator to all the devices connected in the same groups. +1. Go to the Intune for Education portal and log in with your account. 2. Select the **Apps** page. -3. Find the app you're looking for either in the included list or, if it's not there, you can select **Add app** and download it from the Microsoft Store. +3. Find the app you're looking for in the included list (if it's not there, you can select **Add app** and download it from the Microsoft Store). 4. Selecting your app will show you if it has been deployed to any of the groups that have been set up. From the **Groups** page you can select **Change group assignment** and choose which groups you want to deploy the app(s) to. -## How to disable the Ease of Access settings for text in Windows 10 -The Ease of Access settings in Windows 10 are very useful accessibility tools, but not every one needs them activated for their computer. With the following instructions you can turn off users ability to get to the Ease of access settings. +## How to show/hide the Ease of access settings for text in Windows 10 +The Ease of access settings in Windows 10 are very useful accessibility tools, but having those options could be a bit much for everyone in a group to have in their device. With the following instructions you can chose to hide or show the Ease of access settings on users' devices. 1. Go to the Intune for Education portal and login with your account. 2. Select the **Groups** page and then select your desired group. 3. Select **Settings** and under the **User access and device settings** section you will find the toggle to set **Ease of access** to **Blocked** or **Not blocked**. From aee53922e55ffb6f767a3a81744308ceacfeafe4 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 14 Jun 2018 13:16:03 +0000 Subject: [PATCH 25/30] Merged PR 9058: fixing formatting --- windows/privacy/manage-windows-endpoints.md | 20 +++++++------------- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-endpoints.md index e43a9ddff4..ba3adcb3c4 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-endpoints.md @@ -34,7 +34,7 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -529,8 +529,7 @@ In addition to the endpoints listed for Windows 10 Enterprise, the following end | dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | | fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | | g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. | @@ -552,11 +551,9 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online | pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | | pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. | | purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | -| ris.api.iris.microsoft.com.akadns.net | TLSv1.2/ -HTTPS | Used to retrieve Windows Spotlight metadata. | +| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. | | settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. | -| sls.update.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update. | +| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. | | star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. | | storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | | storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | @@ -578,8 +575,7 @@ HTTPS | Enables connections to Windows Update. | | **Destination** | **Protocol** | **Description** | | --- | --- | --- | | *.*.akamai.net | HTTP | Used to download content. | -| *.*.akamaiedge.net | HTTP/ -TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. | +| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. | | *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. | | *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. | | *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. | @@ -618,8 +614,7 @@ TLSv1.2 | Used to check for updates to maps that have been downloaded for offlin | evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Office 365 portal’s shared infrastructure, including Office Online. | | fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | -| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2/ -HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | @@ -704,8 +699,7 @@ HTTPS | Enables connections to Windows Update, Microsoft Update, and the online | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | | fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. | | fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | -| g.msn.com.nsatc.net | HTTP/ -TLSv1.2 | Used to retrieve Windows Spotlight metadata. | +| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. | | geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | | geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | | go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. | From c7b5756f6843a2fece5d8b4a69c5b33cbe369f75 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 14 Jun 2018 14:42:13 +0000 Subject: [PATCH 26/30] Merged PR 9060: Fixed heading --- devices/hololens/hololens-kiosk.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 0abcc7ac79..745543c41c 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -42,7 +42,8 @@ If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](# >[!NOTE] >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. -### Start layout file for Intune + +### Start layout file for MDM (Intune and others) Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). From 4e484666e0081fa699d83a97ed82149fc7d2bd30 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 14 Jun 2018 20:21:21 +0000 Subject: [PATCH 27/30] Merged PR 9074: update Intune kiosk instructions for HoloLens --- devices/hololens/hololens-kiosk.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 745543c41c..9b54f8a335 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -93,7 +93,7 @@ You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to ## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) -For HoloLens devices that are managed by Microsoft Intune, you [create a device restriction profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk (Preview) settings](https://docs.microsoft.com/intune/device-restrictions-windows-holographic#kiosk-preview). +For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings). For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. @@ -213,8 +213,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ## More information -Watch how to configure a kiosk in Microsoft Intune. ->[!VIDEO https://www.microsoft.com/videoplayer/embed/ce9992ab-9fea-465d-b773-ee960b990c4a?autoplay=false] + Watch how to configure a kiosk in a provisioning package. >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false] \ No newline at end of file From b16e9511dadc13693353b005cc91c44179f0c52d Mon Sep 17 00:00:00 2001 From: Benjamin Howorth Date: Thu, 14 Jun 2018 20:56:50 +0000 Subject: [PATCH 28/30] Updated inclusive-classroom-it-admin.md, fixing text issue --- education/get-started/inclusive-classroom-it-admin.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/get-started/inclusive-classroom-it-admin.md b/education/get-started/inclusive-classroom-it-admin.md index 63c0d3cb23..856e1c3a19 100644 --- a/education/get-started/inclusive-classroom-it-admin.md +++ b/education/get-started/inclusive-classroom-it-admin.md @@ -29,7 +29,7 @@ You will also learn how to deploy apps using Microsoft Intune, turn on or off Ea | Read aloud with simultaneous highlighting |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

(N/A for Outlook PC)

|

X

(N/A for any OneNote apps or Outlook PC)

| | Adjustable text spacing and font size |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iPad
  • Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access, or Office Lens)

|

X

|

X

|

X

(N/A for any OneNote apps)

| | Syllabification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word Online
  • Outlook Web Access
| |

X

(N/A for Word for iOS, Word Online, Outlook Web Access)

|

X

(N/A for Word iOS)

|

X

(N/A for Word iOS)

|

X

(N/A for any OneNote apps or Word iOS)

| -| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(ot includingN any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| +| Parts of speech identification |
  • OneNote 2016 (add-in), OneNote Online, OneNote for Windows 10, OneNote for iPad, OneNote Mac
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Line focus mode |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

| | Picture Dictionary |
  • Word 2016, Word Online, Word Mac, Word for iOS
  • Outlook 2016, Outlook Web Access
  • Office Lens on iOS, Android
| |

X

(N/A for Word Online, Outlook Web Access)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|

X

(N/A for any OneNote apps)

|
From eda252e46e8678735d766bd9d59dff4366b42805 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 14 Jun 2018 14:28:17 -0700 Subject: [PATCH 29/30] added new block list --- .../microsoft-recommended-block-rules.md | 549 +++++++++++++++++- ...control-with-intelligent-security-graph.md | 4 +- 2 files changed, 547 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index ae37d52989..0dbc282f16 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: jsuther1974 -ms.date: 06/08/2018 +ms.date: 06/14/2018 --- # Microsoft recommended block rules @@ -384,7 +384,278 @@ Microsoft recommends that you block the following Microsoft-signed applications - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +