deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into sfb-11375502

Browse Source
This commit is contained in:
Trudy Hakala
2017-03-29 12:45:18 -07:00
parent 0b49514f89 caa6b9289f
commit 0b17c57651
21 changed files with 117 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
devices/surface-hub/change-history-surface-hub.md
View File

@ -14,6 +14,12 @@ localizationpriority: medium
This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
## March 2017
| New or changed topic | Description |
| --- | --- |
| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | Added proxy configuration. |
## February 2017
| New or changed topic | Description |

18
devices/surface-hub/prepare-your-environment-for-surface-hub.md
View File

@ -27,7 +27,9 @@ Review these dependencies to make sure Surface Hub features will work in your IT
| Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.</br></br>If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. |
| Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
| Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
| Network and Internet access | <p>In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.</p><p>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</p>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. |
| Network and Internet access | <p>To function properly, the Surface Hub should have internet access via a wired or wireless network. Overall, a wired connection is preferred.</p><p>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</p>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. See [Proxy configuration](#proxy-configuration) for additional requirements. |
### Port and endpoint requirements
Additionally, note that Surface Hub requires the following open ports:
- HTTPS: 443
@ -41,6 +43,20 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th
- Telemetry client endpoint: `https://vortex.data.microsoft.com/`
- Telemetry settings endpoint: `https://settings.data.microsoft.com/`
### Proxy configuration
If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business either to acquire, install, or update apps will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs:
- login.live.com
- login.windows.net
- account.live.com
- clientconfig.passport.net
- windowsphone.com
- *.wns.windows.com
- *.microsoft.com
- www.msftncsi.com (prior to Windows 10, version 1607)
- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607)
## Work with other admins

2
devices/surface-hub/troubleshoot-surface-hub.md
View File

@ -622,7 +622,9 @@ This section lists status codes, mapping, user messages, and actions an admin ca
 
 
## Related content
- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)
 

2
windows/deploy/provisioning-apply-package.md
View File

@ -64,7 +64,7 @@ Provisioning packages can be applied to a device during the first-run experience
### After setup, from a USB drive, network folder, or SharePoint site
On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
![add a package option](images/package.png)

15
windows/deploy/upgrade-readiness-deployment-script.md
View File

@ -42,9 +42,9 @@ To run the Upgrade Readiness deployment script:
3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
> *logMode = 0 log to console only*
>
>
> *logMode = 1 log to file and console*
>
>
> *logMode = 2 log to file only*
3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
@ -57,7 +57,16 @@ To run the Upgrade Readiness deployment script:
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*
4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.
The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.
This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:
\*vortex\*.data.microsoft.com<BR>
\*settings\*.data.microsoft.com
5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.

2
windows/deploy/upgrade-readiness-get-started.md
View File

@ -79,7 +79,7 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
Note: The compatibility update KB runs under the computers system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
Note: The compatibility update KB runs under the computers system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|

2
windows/deploy/upgrade-readiness-requirements.md
View File

@ -78,8 +78,6 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. Were adding support for additional regions and well update this information when new international regions are supported.

39
windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -22,10 +22,23 @@ localizationpriority: high
- Office 365
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions:
Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles.
## Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read only access
### Before you begin
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles.
@ -36,13 +49,7 @@ They will not be able to change alert states, submit files for deep analysis or
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
Use the following steps to assign security roles:
- Preparations:
- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
@ -53,3 +60,21 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader
```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
## Assign user access using the Azure portal
1. Go to the [Azure portal](https://portal.azure.com).
2. Select **Azure Active Directory**.
3. Select **Manage** > **Users and groups**.
4. Select **Manage** > **All users**.
5. Search or select the user you want to assign the role to.
6. Select **Manage** > **Directory role**.
7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**.
![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png)

7
windows/keep-secure/bitlocker-group-policy-settings.md
View File

@ -32,7 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se
The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
- [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout)
- [Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
- [Allow network unlock at startup](#bkmk-netunlock)
- [Require additional authentication at startup](#bkmk-unlockpol1)
- [Allow enhanced PINs for startup](#bkmk-unlockpol2)
@ -86,7 +86,7 @@ The following policies are used to support customized deployment scenarios in yo
- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4)
- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5)
### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN
### <a href="" id="bkmk-hstioptout"></a>Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN
This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
@ -137,7 +137,8 @@ This setting enables an exception to the PIN-required policy on secure hardware.
### <a href="" id="bkmk-netunlock"></a>Allow network unlock at startup
This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
<table>
<colgroup>

5
windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
View File

@ -117,9 +117,10 @@ Tables 1 and 2 summarize the recommended mitigations for different types of atta
**Table 2.**&nbsp;&nbsp;How to choose the best countermeasures for Windows 10
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA portbased attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of
DMA ports is infrequent in the non-developer space.
The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA portbased attacks, which represent the attack vector of choice, are not possible on InstantGo devices because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is:
**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption**
Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier groups analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)).
Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack.

4
windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
View File

@ -84,7 +84,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
b. Click the **Endpoint offboarding** section.
c. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.

4
windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
View File

@ -108,7 +108,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
b. Click the **Endpoint offboarding** section.
c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.

4
windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
View File

@ -88,7 +88,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
b. Click the **Endpoint offboarding** section.
c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.

4
windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md
View File

@ -78,7 +78,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
b. Click the **Endpoint offboarding** section.
c. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.

4
windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md
View File

@ -144,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
**To enable VBS without UEFI lock (value 0)**
@ -196,7 +196,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**.
> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**

BIN
windows/keep-secure/images/atp-azure-ui-user-access.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 676 KiB

BIN
windows/keep-secure/images/atp-disableantispyware-regkey.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 49 KiB

After

Width:  |  Height:  |  Size: 38 KiB

16
windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
View File

@ -112,7 +112,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
5. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511)
## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
@ -147,6 +147,20 @@ If you want to stop using the services that are provided by the TPM, you can use
- If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
- If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions)
If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password.
1. Open the TPM MMC (tpm.msc).
2. In the **Action** pane, click **Change the Owner Password**
- If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
- If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
This capability was fully removed from TPM.msc in later versions of Windows.
## Use the TPM cmdlets

2
windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -62,7 +62,7 @@ The following tables provide more information about the hardware, firmware, and
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
### Additional security qualificationqs starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|

17
windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -229,22 +229,21 @@ If the verification fails and your environment is using a proxy to connect to th
**Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared:
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
- ```DisableAntiSpyware```
- ```DisableAntiVirus```
- DisableAntiSpyware
- DisableAntiVirus
For example, in Group Policy:
For example, in Group Policy there should be no entries such as the following values:
```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>
```
- ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
- ```<Key Path="SOFTWARE\Policies\Microsoft\Windows Defender"><KeyValue Value="0" ValueKind="DWord" Name="DisableAntiSpyware"/></Key>```
- After clearing the policy, run the onboarding steps again on the endpoint.
- You can also check the following registry key values to verify that the policy is disabled:
1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```.
2. Find the value ```DisableAntiSpyware```.
3. Ensure that the value is set to 0.
1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```.
2. Ensure that the value ```DisableAntiSpyware``` is not present.
![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png)

2
windows/manage/lockdown-xml.md
View File

@ -90,7 +90,7 @@ The following example is a complete lockdown XML file that disables Action Cente
The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running.
You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md)
The following example makes Outlook Calendar available on the device.