mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-23 06:13:41 +00:00
Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb
This commit is contained in:
Jeanie Decker
@ -61,7 +61,7 @@ Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 an
|
||||
| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
|
||||
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
|
||||
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No |
|
||||
| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
|
||||
| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No |
|
||||
| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
|
||||
| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
|
||||
| Microsoft.VP9VideoExtensions | | | | | x | No |
|
||||
@ -181,4 +181,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, a
|
||||
| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
|
||||
| | Microsoft.VCLibs.120.00.Universal | x | | | Yes |
|
||||
| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes |
|
||||
---
|
||||
---
|
||||
|
||||
@ -17,17 +17,20 @@ When you update a computer running Windows 10, version 1703 or 1709, you might s
|
||||
>[!NOTE]
|
||||
>* This issue only occurs after a feature update (from one version to the next), not monthly updates or security-related updates.
|
||||
>* This only applies to first-party apps that shipped with Windows 10. This doesn't apply to third-party apps, Microsoft Store apps, or LOB apps.
|
||||
>* This issue can occur whether you removed the app using `Remove-appxprovisionedpackage` or `Get-AppxPackage -allusers | Remove-AppxPackage -Allusers`.
|
||||
|
||||
To remove a provisioned app, you need to remove the provisioning package. The apps might reappear if you removed the packages in one of the following ways:
|
||||
To remove a provisioned app, you need to remove the provisioning package. The apps might reappear if you [removed the packages](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage) in one of the following ways:
|
||||
|
||||
* If you removed the packages while the wim file was mounted when the device was offline.
|
||||
* If you removed the packages by running a PowerShell cmdlet on the device while Windows was online. Although the apps won't appear for new users, you'll still see the apps for the user account you signed in as.
|
||||
|
||||
When you remove a provisioned app, we create a registry key that tells Windows not to reinstall or update that app the next time Windows is updated. If the computer isn't online when you deprovision the app, then we don't create that registry key. (This behavior is fixed in Windows 10, version 1803. If you're running Windows 10, version 1709, apply the latest security update to fix it.)
|
||||
When you [remove a provisioned app](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage), we create a registry key that tells Windows not to reinstall or update that app the next time Windows is updated. If the computer isn't online when you deprovision the app, then we don't create that registry key. (This behavior is fixed in Windows 10, version 1803. If you're running Windows 10, version 1709, apply the latest security update to fix it.)
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>If you remove a provisioned app while Windows is online, it's only removed for *new users*—the user that you signed in as will still have that provisioned app. That's because the registry key created when you deprovision the app only applies to new users created *after* the key is created. This doesn't happen if you remove the provisioned app while Windows is offline.
|
||||
|
||||
|
||||
To prevent these apps from reappearing at the next update, manually create a registry key for each app, then update the computer.
|
||||
|
||||
## Create registry keys for deprovisioned apps
|
||||
@ -38,7 +41,7 @@ Use the following steps to create a registry key:
|
||||
2. Create a .reg file to generate a registry key for each app. Use [this list of Windows 10, version 1709 registry keys](#registry-keys-for-provisioned-apps) as your starting point.
|
||||
1. Paste the list of registry keys into Notepad (or a text editor).
|
||||
2. Remove the registry keys belonging to the apps you want to keep. For example, if you want to keep the Bing Weather app, delete this registry key:
|
||||
```
|
||||
```yaml
|
||||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\A ppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe]
|
||||
```
|
||||
3. Save the file with a .txt extension, then right-click the file and change the extension to .reg.
|
||||
@ -158,3 +161,9 @@ Windows Registry Editor Version 5.00
|
||||
|
||||
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe]
|
||||
```
|
||||
|
||||
|
||||
|
||||
[Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
|
||||
[Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage)
|
||||
[Remove-AppxPackage](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage)
|
||||
|
||||
@ -666,6 +666,13 @@ The following list shows the supported values:
|
||||
Enabling this policy prevents context menus from being invoked in the Start Menu.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
- 0 (default) – False (Do not disable).
|
||||
- 1 - True (disable).
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--ADMXMapped-->
|
||||
ADMX Info:
|
||||
- GP English name: *Disable context menus in the Start Menu*
|
||||
@ -1091,6 +1098,13 @@ Added in Windows 10, version 1709. Enabling this policy removes the people icon
|
||||
Value type is integer.
|
||||
|
||||
<!--/Description-->
|
||||
<!--SupportedValues-->
|
||||
The following list shows the supported values:
|
||||
|
||||
- 0 (default) – False (do not hide).
|
||||
- 1 - True (hide).
|
||||
|
||||
<!--/SupportedValues-->
|
||||
<!--ADMXMapped-->
|
||||
ADMX Info:
|
||||
- GP English name: *Remove the People Bar from the taskbar*
|
||||
|
||||
@ -288,7 +288,7 @@ When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t bee
|
||||
|
||||
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
|
||||
|
||||
If you enable this policy setting, you must provide the number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it. Supported values are: 0–365.
|
||||
If you enable this policy setting, you must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it. Supported values are: 0–365.
|
||||
|
||||
If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, which never dehydrates cloud-backed content.
|
||||
|
||||
@ -357,7 +357,7 @@ When Storage Sense runs, it can delete files in the user’s Downloads folder if
|
||||
|
||||
If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
|
||||
|
||||
If you enable this policy setting, you must provide the number of days since a file in the Downloads folder has been opened before Storage Sense will delete it. Supported values are: 0–365.
|
||||
If you enable this policy setting, you must provide the minimum number of days a file can remain unopened before Storage Sense deletes it from the Downloads folder. Supported values are: 0-365.
|
||||
|
||||
If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder.
|
||||
|
||||
|
||||
@ -151,7 +151,7 @@ If set to True, this DomainName rule will trigger the VPN
|
||||
|
||||
By default, this value is false.
|
||||
|
||||
Value type is bool. Persistent
|
||||
Value type is bool.
|
||||
|
||||
<a href="" id="vpnv2-profilename-domainnameinformationlist-dnirowid-persistent"></a>**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/Persistent**
|
||||
Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values:
|
||||
@ -624,10 +624,10 @@ Profile example
|
||||
</Authentication>
|
||||
<RoutingPolicyType>SplitTunnel</RoutingPolicyType>
|
||||
</NativeProfile>
|
||||
<DomainNameInformation>
|
||||
<DomainNameInformationList>
|
||||
<DomainName>.contoso.com</DomainName>
|
||||
<DNSServers>10.5.5.5</DNSServers>
|
||||
</DomainNameInformation>
|
||||
</DomainNameInformationList>
|
||||
<TrafficFilter>
|
||||
<App>%ProgramFiles%\Internet Explorer\iexplore.exe</App>
|
||||
</TrafficFilter>
|
||||
|
||||
@ -13,7 +13,7 @@ ms.date: 06/26/2017
|
||||
# WindowsSecurityAuditing CSP
|
||||
|
||||
|
||||
The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511.
|
||||
The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) to see if this CSP and others are supported on your Windows installation.
|
||||
|
||||
The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format.
|
||||
|
||||
|
||||
@ -516,8 +516,6 @@ Provisioning packages can be applied to a device during the first-run experience
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<span id="alternate-methods" />
|
||||
### Use MDM to deploy the multi-app configuration
|
||||
|
||||
|
||||
@ -73,7 +73,6 @@
|
||||
###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
|
||||
##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
|
||||
|
||||
#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
|
||||
|
||||
### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
|
||||
#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
|
||||
@ -211,7 +210,6 @@
|
||||
####### [XML Elements Library](usmt/usmt-xml-elements-library.md)
|
||||
###### [Offline Migration Reference](usmt/offline-migration-reference.md)
|
||||
### [Install fonts in Windows 10](windows-10-missing-fonts.md)
|
||||
### [Change history for deploy Windows 10](change-history-for-deploy-windows-10.md)
|
||||
|
||||
## [Update Windows 10](update/index.md)
|
||||
### [Windows as a service](update/windows-as-a-service.md)
|
||||
@ -250,7 +248,6 @@
|
||||
### [Manage device restarts after updates](update/waas-restart.md)
|
||||
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
|
||||
### [Determine the source of Windows updates](update/windows-update-sources.md)
|
||||
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
|
||||
|
||||
## [Windows Analytics](update/windows-analytics-overview.md)
|
||||
### [Windows Analytics in the Azure Portal](update/windows-analytics-azure-portal.md)
|
||||
|
||||
@ -52,7 +52,7 @@ Examples of these two deployment advisors are shown below.
|
||||
|
||||
|
||||
## Windows Analytics deployment advisor example
|
||||
|
||||
|
||||
|
||||
## M365 Enterprise poster
|
||||
|
||||
|
||||
@ -488,7 +488,7 @@ Like the MDT Build Lab deployment share, the MDT Production deployment share nee
|
||||
|
||||
## <a href="" id="sec08"></a>Step 8: Deploy the Windows 10 client image
|
||||
|
||||
These steps will walk you throug the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process.
|
||||
These steps will walk you through the process of using task sequences to deploy Windows 10 images through a fully automated process. First, you need to add the boot image to Windows Deployment Services (WDS) and then start the deployment. In contrast with deploying images from the MDT Build Lab deployment share, we recommend using the Pre-Installation Execution Environment (PXE) to start the full deployments in the datacenter, even though you technically can use an ISO/CD or USB to start the process.
|
||||
|
||||
### Configure Windows Deployment Services
|
||||
|
||||
|
||||
@ -3,17 +3,13 @@
|
||||
## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
|
||||
## [Windows 10 compatibility](windows-10-compatibility.md)
|
||||
## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
|
||||
## [Windows 10, version 1809 - Features removed or planned for replacement](windows-10-1809-removed-features.md)
|
||||
## [Windows 10, version 1803 - Features removed or planned for replacement](windows-10-1803-removed-features.md)
|
||||
## [Fall Creators update (version 1709) - deprecated features](windows-10-fall-creators-deprecation.md)
|
||||
## [Creators update (version 1703) - deprecated features](windows-10-creators-update-deprecation.md)
|
||||
|
||||
## [Windows To Go: feature overview](windows-to-go-overview.md)
|
||||
### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
|
||||
### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
|
||||
### [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
|
||||
### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
|
||||
### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
|
||||
## Features removed or planned for replacement
|
||||
### [Windows 10, version 1809](windows-10-1809-removed-features.md)
|
||||
### [Windows 10, version 1803](windows-10-1803-removed-features.md)
|
||||
### [Windows 10, version 1709](windows-10-fall-creators-deprecation.md)
|
||||
### [Windows 10, version 1703](windows-10-creators-update-deprecation.md)
|
||||
|
||||
## [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md)
|
||||
### [SUA User's Guide](sua-users-guide.md)
|
||||
#### [Using the SUA Wizard](using-the-sua-wizard.md)
|
||||
@ -39,4 +35,10 @@
|
||||
##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md)
|
||||
#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md)
|
||||
### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
|
||||
## [Change history for Plan for Windows 10 deployment](change-history-for-plan-for-windows-10-deployment.md)
|
||||
|
||||
## [Windows To Go: feature overview](windows-to-go-overview.md)
|
||||
### [Best practice recommendations for Windows To Go](best-practice-recommendations-for-windows-to-go.md)
|
||||
### [Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
|
||||
### [Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
|
||||
### [Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
|
||||
### [Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
|
||||
@ -109,7 +109,7 @@ To find out which version of Windows 10 is right for your organization, you can
|
||||
|
||||
### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
|
||||
|
||||
Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 for Business Onboarding Kit](https://blogs.technet.microsoft.com/windowsitpro/2016/06/28/windows-10-for-business-onboarding-kit/) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
|
||||
Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 Adoption Planning Kit](https://info.microsoft.com/Windows10AdoptionPlanningKit) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
|
||||
|
||||
### How does Windows 10 help people work with applications and data across a variety of devices?
|
||||
|
||||
@ -127,4 +127,4 @@ Use the following resources for additional information about Windows 10.
|
||||
- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
|
||||
- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum/windows_10).
|
||||
- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN.
|
||||
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
|
||||
- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet.
|
||||
|
||||
@ -46,7 +46,7 @@ Device Health is offered as a *solution* which you link to a new or existing [Az
|
||||
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
|
||||
- For the resource group setting select **Create new** and use the same name you chose for your new workspace.
|
||||
- For the location setting, choose the Azure region where you would prefer the data to be stored.
|
||||
- For the pricing tier select **Free**.
|
||||
- For the pricing tier select **per GB**.
|
||||
4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**.
|
||||
|
||||
5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear.
|
||||
|
||||
@ -53,7 +53,7 @@ Update Compliance is offered as a solution which is linked to a new or existing
|
||||
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
|
||||
- For the resource group setting select **Create new** and use the same name you chose for your new workspace.
|
||||
- For the location setting, choose the Azure region where you would prefer the data to be stored.
|
||||
- For the pricing tier select **Free**.
|
||||
- For the pricing tier select **per GB**.
|
||||
|
||||
|
||||
|
||||
|
||||
@ -48,7 +48,7 @@ Quick-reference table:
|
||||
For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
|
||||
|
||||
|
||||
[//]: # is there a topic on GroupIDSrc we can link to?
|
||||
[//]: # (is there a topic on GroupIDSrc we can link to?)
|
||||
|
||||
To do this in Group Policy go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**.
|
||||
|
||||
@ -77,7 +77,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
|
||||
|
||||
Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB.
|
||||
|
||||
[//]: # default of 50 aimed at consumer
|
||||
[//]: # (default of 50 aimed at consumer)
|
||||
|
||||
To do this in Group Policy, go to **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices).
|
||||
|
||||
@ -91,11 +91,11 @@ To do this in Group Policy, go to **Configuration\Policies\Administrative Templa
|
||||
|
||||
To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days).
|
||||
|
||||
[//]: # material about "preferred" devices; remove MinQos/MaxCacheAge; table format?
|
||||
[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?)
|
||||
|
||||
|
||||
## Monitor Delivery Optimization
|
||||
[//]: # How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%
|
||||
[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
|
||||
|
||||
### Windows PowerShell cmdlets for analyzing usage
|
||||
**Starting in Windows 10, version 1703**, you can use two new PowerShell cmdlets to check the performance of Delivery Optimization:
|
||||
|
||||
@ -25,6 +25,7 @@ Everyone wins when transparency is a top priority. We want you to know when upda
|
||||
|
||||
The latest news:
|
||||
<ul compact style="list-style: none">
|
||||
<li><a href="https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency">Improving the Windows 10 update experience with control, quality and transparency</a> - April 4, 2019</li>
|
||||
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540">Windows 10, version 1809 designated for broad deployment</a> - March 28, 2019</li>
|
||||
<li><a href="https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience">Data, insights and listening to improve the customer experience</a> - March 6, 2019</li>
|
||||
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Getting-to-know-the-Windows-update-history-pages/ba-p/355079">Getting to know the Windows update history pages</a> - February 21, 2019</li>
|
||||
|
||||
@ -55,7 +55,7 @@ Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.</td>
|
||||
|
||||
## Log entry structure
|
||||
|
||||
A setupact.log or setuperr.log entry includes the following elements:
|
||||
A setupact.log or setuperr.log entry (files are located at C:\Windows) includes the following elements:
|
||||
|
||||
<ol>
|
||||
<LI><B>The date and time</B> - 2016-09-08 09:20:05.
|
||||
|
||||
@ -59,7 +59,7 @@ Upgrade Readiness is offered as a *solution* which you link to a new or existing
|
||||
- Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*.
|
||||
- For the resource group setting select **Create new** and use the same name you chose for your new workspace.
|
||||
- For the location setting, choose the Azure region where you would prefer the data to be stored.
|
||||
- For the pricing tier select **Free**.
|
||||
- For the pricing tier select **per GB**.
|
||||
4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**.
|
||||
|
||||
5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear.
|
||||
|
||||
@ -20,7 +20,7 @@ ms.topic: article
|
||||
|
||||
Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away.
|
||||
|
||||
This topic describes how to convert Windows 7 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
|
||||
This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
@ -278,7 +278,7 @@ Next, ensure that all content required for the task sequence is deployed to dist
|
||||
|
||||
### Complete the client installation process
|
||||
|
||||
1. Open the Software Center on the target Windows 7 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt:
|
||||
1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt:
|
||||
|
||||
```
|
||||
C:\Windows\CCM\SCClient.exe
|
||||
|
||||
@ -22,16 +22,26 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
|
||||
|
||||
- Windows 10 version 1703 (semi-annual channel) or higher is required.
|
||||
- The following editions are supported:
|
||||
- Pro
|
||||
- Pro Education
|
||||
- Pro for Workstations
|
||||
- Enterprise
|
||||
- Education
|
||||
- Windows 10 Pro
|
||||
- Windows 10 Pro Education
|
||||
- Windows 10 Pro for Workstations
|
||||
- Windows 10 Enterprise
|
||||
- Windows 10 Education
|
||||
- Windows 10 Enterprise 2019 LTSC
|
||||
|
||||
- If you're using Autopilot for Surface devices, note that only the following Surface devices support Autopilot:
|
||||
- Surface Go
|
||||
- Surface Go with LTE Advanced
|
||||
- Surface Pro (5th gen)
|
||||
- Surface Pro with LTE Advanced (5th gen)
|
||||
- Surface Pro 6
|
||||
- Surface Laptop (1st gen)
|
||||
- Surface Laptop 2
|
||||
- Surface Studio (1st gen)
|
||||
- Surface Studio 2
|
||||
- Surface Book 2
|
||||
|
||||
- Windows 10 Enterprise 2019 LTSC is also supported.
|
||||
|
||||
See the following topics for details on licensing, network, and configuration requirements:
|
||||
- [Licensing requirements](windows-autopilot-requirements-licensing.md)
|
||||
See the following topics for details on network and configuration requirements:
|
||||
- [Networking requirements](windows-autopilot-requirements-network.md)
|
||||
- [Configuration requirements](windows-autopilot-requirements-configuration.md)
|
||||
- For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector.
|
||||
|
||||
@ -59,7 +59,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting
|
||||
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
|
||||
|
||||
> [!NOTE]
|
||||
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning.
|
||||
> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. The update needs to be installed on the federation servers.
|
||||
|
||||
After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment.
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 02/26/2019
|
||||
ms.date: 04/05/2019
|
||||
---
|
||||
|
||||
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
|
||||
@ -95,7 +95,7 @@ If you don't know the publisher or product name, you can find them for both desk
|
||||
|
||||
**To find the Publisher and Product Name values for Store apps without installing them**
|
||||
|
||||
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
|
||||
1. Go to the [Microsoft Store for Business](https://businessstore.microsoft.com/store) website, and find your app. For example, Microsoft OneNote.
|
||||
|
||||
>[!NOTE]
|
||||
|
||||
@ -505,16 +505,11 @@ After you've finished configuring your policy, you can review all of your info o
|
||||
After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
|
||||
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
|
||||
|
||||
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
|
||||
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225)
|
||||
|
||||
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
|
||||
- [How to Deploy Configuration Baselines in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708226)
|
||||
|
||||
## Related topics
|
||||
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
|
||||
|
||||
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
|
||||
|
||||
- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
|
||||
|
||||
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
|
||||
|
||||
|
||||
@ -12,7 +12,7 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 03/06/2019
|
||||
ms.date: 04/05/2019
|
||||
ms.localizationpriority: medium
|
||||
---
|
||||
|
||||
@ -124,7 +124,16 @@ This table provides info about the most common problems you might encounter whil
|
||||
<td>If all apps need to be managed, enroll the device for MDM.
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it.
|
||||
</td>
|
||||
<td>Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
|
||||
</td>
|
||||
<td>If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
>[!NOTE]
|
||||
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
|
||||
|
||||
|
||||
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: none
|
||||
author: Mir0sh
|
||||
ms.date: 04/19/2017
|
||||
ms.date: 04/04/2019
|
||||
---
|
||||
|
||||
# 4716(S): Trusted domain information was modified.
|
||||
@ -132,7 +132,7 @@ This event is generated only on domain controllers.
|
||||
| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.<br>Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
|
||||
| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
|
||||
| 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
|
||||
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
|
||||
| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are [more stringently filtered](https://docs.microsoft.com/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.<br>Only evaluated if SID Filtering is used.<br>Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. |
|
||||
| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).<br>Only evaluated on TRUST\_TYPE\_MIT |
|
||||
| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.<br>Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. |
|
||||
| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.<br>Evaluated only on Windows Server 2016<br>Evaluated only if SID Filtering is used.<br>Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.<br>Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. |
|
||||
|
||||
@ -84,6 +84,7 @@ Enterprises should educate and train their employees to be wary of any communica
|
||||
Here are several telltale signs of a phishing scam:
|
||||
|
||||
* The links or URLs provided in emails are **not pointing to the correct location** or are attempting to have you access a third-party site that is not affiliated with the sender of the email. For example, in the image below the URL provided does not match the URL that you will be taken to.
|
||||
|
||||
|
||||
|
||||
* There is a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
|
||||
|
||||
@ -41,7 +41,7 @@ Windows Defender Antivirus is part of the [next generation](https://www.youtub
|
||||
|
||||
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
|
||||
|
||||
- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) <sup>**Latest**</sup>
|
||||
- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) <sup>**Latest**</sup>
|
||||
|
||||
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
|
||||
|
||||
|
||||
@ -44,7 +44,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use
|
||||
|
||||
### Default values
|
||||
|
||||
By default this setting is Administrators on domain controllers and on stand-alone servers.
|
||||
By default, this setting is Administrators and NT SERVICE\WdiServiceHost on domain controllers and on stand-alone servers.
|
||||
|
||||
The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page.
|
||||
|
||||
|
||||
@ -6,7 +6,7 @@ ms.prod: w10
|
||||
ms.mktglfcycl: deploy
|
||||
ms.localizationpriority: medium
|
||||
author: jsuther1974
|
||||
ms.date: 08/31/2018
|
||||
ms.date: 04/09/2019
|
||||
---
|
||||
|
||||
# Microsoft recommended block rules
|
||||
@ -76,7 +76,13 @@ These modules cannot be blocked by name or version, and therefore must be blocke
|
||||
|
||||
For October 2017, we are announcing an update to system.management.automation.dll in which we are revoking older versions by hash values, instead of version rules.
|
||||
|
||||
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
|
||||
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
|
||||
|
||||
- msxml3.dll
|
||||
- msxml6.dll
|
||||
- jscript9.dll
|
||||
|
||||
Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions.
|
||||
|
||||
```xml
|
||||
<?xml version="1.0" encoding="utf-8" ?>
|
||||
@ -137,7 +143,35 @@ Microsoft recommends that you block the following Microsoft-signed applications
|
||||
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535"/>
|
||||
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
|
||||
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
|
||||
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
|
||||
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
|
||||
<! -- msxml3.dll pick correct version based on release you are supporting -->
|
||||
<! -- msxml6.dll pick correct version based on release you are supporting -->
|
||||
<! -- jscript9.dll pick correct version based on release you are supporting -->
|
||||
<! -- RS1 Windows 1607
|
||||
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
|
||||
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>
|
||||
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.14393.2607"/>
|
||||
-->
|
||||
<! -- RS2 Windows 1703
|
||||
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.15063.1386"/>
|
||||
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.15063.1386"/>
|
||||
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.15063.1445"/>
|
||||
-->
|
||||
<! -- RS3 Windows 1709
|
||||
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.16299.725"/>
|
||||
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.16299.725"/>
|
||||
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.16299.785"/>
|
||||
-->
|
||||
<! -- RS4 Windows 1803
|
||||
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17134.344"/>
|
||||
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17134.344"/>
|
||||
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17134.406"/>
|
||||
-->
|
||||
<! -- RS5 Windows 1809
|
||||
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17763.54"/>
|
||||
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17763.54"/>
|
||||
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17763.133"/>
|
||||
-->
|
||||
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6"/>
|
||||
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF"/>
|
||||
<Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40"/>
|
||||
@ -842,8 +876,11 @@ Microsoft recommends that you block the following Microsoft-signed applications
|
||||
<FileRuleRef RuleID="ID_DENY_KILL"/>
|
||||
<FileRuleRef RuleID="ID_DENY_WMIC"/>
|
||||
<FileRuleRef RuleID="ID_DENY_MWFC" />
|
||||
<FileRuleRef RuleID="ID_DENY_WFC" />
|
||||
<FileRuleRef RuleID="ID_DENY_D_1"/>
|
||||
<FileRuleRef RuleID="ID_DENY_WFC" />
|
||||
<FileRuleRef RuleID="ID_DENY_MSXML3" />
|
||||
<FileRuleRef RuleID="ID_DENY_MSXML6" />
|
||||
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
|
||||
<FileRuleRef RuleID="ID_DENY_D_1"/>
|
||||
<FileRuleRef RuleID="ID_DENY_D_2"/>
|
||||
<FileRuleRef RuleID="ID_DENY_D_3"/>
|
||||
<FileRuleRef RuleID="ID_DENY_D_4"/>
|
||||
|
||||
@ -175,7 +175,12 @@ This rule blocks the following file types from launching unless they either meet
|
||||
>[!NOTE]
|
||||
>You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule.
|
||||
|
||||
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria
|
||||
>[!IMPORTANT]
|
||||
>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
|
||||
>
|
||||
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
|
||||
|
||||
Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
|
||||
|
||||
SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
|
||||
|
||||
|
||||
@ -36,8 +36,8 @@ You can exclude files and folders from being evaluated by most attack surface re
|
||||
|
||||
You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
|
||||
|
||||
>[!IMPORTANT] The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25, it's owned by microsoft and is not specified by admins. It uses Microsoft CLoud's Protection to update its trusted list regularly.
|
||||
>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
|
||||
>[!IMPORTANT]
|
||||
>The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
|
||||
|
||||
ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
|
||||
|
||||
@ -179,3 +179,4 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
|
||||
|
||||
- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
|
||||
- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
|
||||
- [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
|
||||
|
||||
Reference in New Issue
Block a user