From a recovery partition
Lets you boot into DaRT without needing a CD, DVD, or UFD that includes instances in which there is no network connectivity.
-Also, can be implemented and managed as part of your standard Windows image process by using automated distribution tools, such as System Center Configuration Manager.
Also, can be implemented and managed as part of your standard Windows image process by using automated distribution tools, such as Microsoft Endpoint Configuration Manager.
When updating DaRT, requires you to update all computers in your enterprise instead of just one partition (on the network) or device (CD, DVD, or UFD).
Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
+Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.
MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 0a9fa5c02f..24d475d6e4 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -31,7 +31,7 @@ For personal devices (BYOD): ### Azure AD Join -Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as System Center Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM. +Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Endpoint Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM. Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 82139a98a6..6ba943ffca 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -31,12 +31,15 @@ The following diagram shows the BitLocker configuration service provider in tree  + **./Device/Vendor/MSFT/BitLocker** Defines the root node for the BitLocker configuration service provider. - + **RequireStorageCardEncryption** + Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU. - + +Home | @@ -57,12 +60,13 @@ Allows the administrator to require storage card encryption on the device. This![]() |
---|
Home | @@ -112,7 +118,7 @@ Allows the administrator to require encryption to be turned on by using BitLocke![]() |
---|
Home | @@ -176,6 +185,8 @@ Allows you to set the default encryption method for each of the different drive![]() |
---|
Home | @@ -254,6 +270,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Require add![]() |
---|
Home | @@ -351,6 +374,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure m![]() |
---|
Home | @@ -420,6 +451,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Configure p![]() |
---|
Home | @@ -501,6 +540,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how![]() |
---|
Home | @@ -591,6 +637,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Choose how![]() |
---|
Home | @@ -689,6 +742,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write![]() |
---|
Home | @@ -751,6 +811,8 @@ This setting is a direct mapping to the Bitlocker Group Policy "Deny write![]() |
---|
Home | @@ -831,12 +895,13 @@ Allows the admin to disable the warning prompt for other disk encryption on the![]() |
---|
Home | @@ -916,15 +991,28 @@ This setting initiates a client-driven recovery password refresh after an OS dri![]() |
---|
Home | @@ -957,14 +1046,21 @@ Each server-side recovery key rotation is represented by a request ID. The serve![]() |
---|
Home | @@ -985,15 +1081,25 @@ This node reports compliance state of device encryption on the system.![]() |
---|
Home | @@ -1021,11 +1128,21 @@ Status code can be one of the following:![]() |
---|
Home | @@ -1046,6 +1163,9 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta![]() |
---|
For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. +**Device or User** +For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path. -**ClientCertificateInstall** -
The root node for the ClientCertificateInstaller configuration service provider. +**ClientCertificateInstall** +The root node for the ClientCertificateInstaller configuration service provider. -**ClientCertificateInstall/PFXCertInstall** -
Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. +**ClientCertificateInstall/PFXCertInstall** +Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. -
Supported operation is Get. +Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/***UniqueID* -
Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +**ClientCertificateInstall/PFXCertInstall/***UniqueID* +Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. -
The data type format is node. +The data type format is node. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -
Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. +Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** -
Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** +Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -
The data type is an integer corresponding to one of the following values: +The data type is an integer corresponding to one of the following values: | Value | Description | |-------|---------------------------------------------------------------------------------------------------------------| @@ -64,225 +64,229 @@ The following image shows the ClientCertificateInstall configuration service pro | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** -
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** +Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. -
Date type is string. +Date type is string. -
Supported operations are Get, Add, Delete, and Replace. +Supported operations are Get, Add, Delete, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** -
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. -
The data type format is binary. +The data type format is binary. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -
If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. +If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. -
If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. +If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. -
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in CRYPT_INTEGER_BLOB. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** -
Password that protects the PFX blob. This is required if the PFX is password protected. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** +Password that protects the PFX blob. This is required if the PFX is password protected. -
Data Type is a string. +Data Type is a string. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** -
Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** +Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server. -
The data type is int. Valid values: +The data type is int. Valid values: - 0 - Password is not encrypted. - 1 - Password is encrypted with the MDM certificate. - 2 - Password is encrypted with custom certificate. -
When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. +When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** -
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** +Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. > **Note** You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. -
The data type bool. +The data type bool. -
Supported operations are Get, Add, and Replace. +Supported operations are Get, Add, and Replace. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** -
Returns the thumbprint of the installed PFX certificate. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** +Returns the thumbprint of the installed PFX certificate. -
The datatype is a string. +The datatype is a string. -
Supported operation is Get. +Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** -
Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** +Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. -
Data type is an integer. +Data type is an integer. -
Supported operation is Get. +Supported operation is Get. -**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** -
Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** +Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, and Replace. +Supported operations are Add, Get, and Replace. -**ClientCertificateInstall/SCEP** -
Node for SCEP. +**ClientCertificateInstall/SCEP** +Node for SCEP. > **Note** An alert is sent after the SCEP certificate is installed. -**ClientCertificateInstall/SCEP/***UniqueID* -
A unique ID to differentiate different certificate installation requests. +**ClientCertificateInstall/SCEP/***UniqueID* +A unique ID to differentiate different certificate installation requests. -**ClientCertificateInstall/SCEP/*UniqueID*/Install** -
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. +**ClientCertificateInstall/SCEP/*UniqueID*/Install** +A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. -
Supported operations are Get, Add, Replace, and Delete. +Supported operations are Get, Add, Replace, and Delete. > **Note** Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** -
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. - -
Data type is string. - -
Supported operations are Get, Add, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** -
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. - -
Data type is string. - -
Supported operations are Add, Get, Delete, and Replace. - -**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** -
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** +Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. Data type is string. -
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail. -
Data type is int. +Supported operations are Get, Add, Delete, and Replace. -
Supported operations are Add, Get, Delete, and Replace. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** -
Required. Specifies the subject name. +Data type is string. -
Data type is string. +Supported operations are Add, Get, Delete, and Replace. -
Supported operations are Add, Get, and Replace. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** +Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** -
Optional. Specifies where to keep the private key. +Data type is string. +Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail. + +Data type is int. + +Supported operations are Add, Get, Delete, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** +Required. Specifies the subject name. + +The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;” ). + +For more details, see [CertNameToStrA function](https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certnametostra#remarks). + +Data type is string. + +Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** +Optional. Specifies where to keep the private key. > **Note** Even if the private key is protected by TPM, it is not protected with a TPM PIN. -
The data type is an integer corresponding to one of the following values: +The data type is an integer corresponding to one of the following values: | Value | Description | |-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 | Private key protected by TPM. | | 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | | 3 | (Default) Private key saved in software KSP. | -| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** -
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** +Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. -
Supported operations are Add, Get, Delete, and Replace. Value type is integer. + Supported operations are Add, Get, Delete, and Replace. Value type is integer. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** -
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** +Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. -
Data type format is an integer. +Data type format is an integer. -
The default value is 5. +The default value is 5. -
The minimum value is 1. +The minimum value is 1. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** -
Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** +Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. -
Data type is integer. +Data type is integer. -
Default value is 3. +Default value is 3. -
Maximum value is 30. If the value is larger than 30, the device will use 30. +Maximum value is 30. If the value is larger than 30, the device will use 30. -
Minimum value is 0, which indicates no retry. +Minimum value is 0, which indicates no retry. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** -
Optional. OID of certificate template name. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** +Optional. OID of certificate template name. > **Note** This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** -
Required for enrollment. Specify private key length (RSA). +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** +Required for enrollment. Specify private key length (RSA). -
Data type is integer. +Data type is integer. -
Valid values are 1024, 2048, and 4096. +Valid values are 1024, 2048, and 4096. -
For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. +For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** -
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** +Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +. -
For Windows Hello for Business, only SHA256 is the supported algorithm. +For Windows Hello for Business, only SHA256 is the supported algorithm. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** -
Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** +Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** +Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. -
Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. +Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2]. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** -
Optional. Specifies the units for the valid certificate period. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** +Optional. Specifies the units for the valid certificate period. -
Data type is string. +Data type is string. -
Valid values are: +Valid values are: - Days (Default) - Months @@ -291,61 +295,61 @@ Data type is string. > **Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** -
Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** +Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. -
Data type is string. +Data type is string. >**Note** The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** -
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** +Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** -
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** +Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** -
Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** +Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. -
The date type format is Null, meaning this node doesn’t contain a value. +The date type format is Null, meaning this node doesn’t contain a value. -
The only supported operation is Execute. +The only supported operation is Execute. -**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** -
Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. +**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** +Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. -
Data type is string. +Data type is string. -
Supported operations are Add, Get, Delete, and Replace. +Supported operations are Add, Get, Delete, and Replace. -**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** -
Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. +**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** +Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. -
If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string. +If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string. -
Data type is string. +Data type is string. -
The only supported operation is Get. +The only supported operation is Get. -**ClientCertificateInstall/SCEP/*UniqueID*/Status** -
Required. Specifies latest status of the certificated during the enrollment request. +**ClientCertificateInstall/SCEP/*UniqueID*/Status** +Required. Specifies latest status of the certificated during the enrollment request. -
Data type is string. Valid values: +Data type is string. Valid values: -
The only supported operation is Get. +The only supported operation is Get. | Value | Description | |-------|---------------------------------------------------------------------------------------------------| @@ -355,17 +359,17 @@ Data type is string. | 32 | Unknown | -**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** -
Optional. An integer value that indicates the HRESULT of the last enrollment error code. +**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** +Optional. An integer value that indicates the HRESULT of the last enrollment error code. -
The only supported operation is Get. +The only supported operation is Get. **ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl** -
Required. Returns the URL of the SCEP server that responded to the enrollment request. +Required. Returns the URL of the SCEP server that responded to the enrollment request. -
Data type is string. +Data type is string. -
The only supported operation is Get.
+The only supported operation is Get.
## Example
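Review bot: In the `Install/Enroll` entry the re-added line still reads "The date type format is Null"; it should say "data type", and since the line is being rewritten anyway the typo can be fixed in the same change. The `Status` entry carries over a similar slip ("latest status of the certificated"). Its "Valid values:" lead-in is also followed by "The only supported operation is Get." rather than by the table it introduces; moving the supported-operation sentence below the table would keep the lead-in attached to the values.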
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index b4183451fc..9469f12408 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,6 +1,6 @@
---
title: DMClient CSP
-description: Understand how the DMClient configuration service provider works. It is used to specify enterprise-specific mobile device management configuration settings.
+description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings.
ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544
ms.reviewer:
manager: dansimp
@@ -15,9 +15,9 @@ ms.date: 11/01/2017
# DMClient CSP
-The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment.
+The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
-The following diagram shows the DMClient configuration service provider in tree format.
+The following diagram shows the DMClient CSP in tree format.

@@ -25,7 +25,7 @@ The following diagram shows the DMClient configuration service provider in tree
Root node for the CSP.
**UpdateManagementServiceAddress**
-For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
@@ -45,16 +45,17 @@ For Intune, use **MS DM Server** for Windows desktop or **SCConfigMgr** for Wind
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDeviceName**
-Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
**Provider/*ProviderID*/EntDMID**
-Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session.
+Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
-> **Note** Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION configuration service provider’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
+> [!NOTE]
+> Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
@@ -62,7 +63,8 @@ This node is required and must be set by the server before the client certificat
**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server.
-> **Note** In some cases for the desktop, this node will return "not found" until the user sets up their email.
+> [!NOTE]
+> In some cases for the desktop, this node will return "not found" until the user sets up their email.
@@ -87,7 +89,7 @@ The following is a Get command example.
Supported operation is Get.
**Provider/*ProviderID*/SignedEntDMID**
-Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the mobile device management server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
+Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
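Review bot: The rewritten `SignedEntDMID` sentence still says "This node and the nodes **CertRenewTimeStamp**", which reads as if more than one other node were meant. Since this paragraph is the description of how the MDM server verifies client identity after certificate renewal, it is worth making exact: "This node and the **CertRenewTimeStamp** node can be used by the MDM server ...".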
@@ -99,11 +101,12 @@ Supported operation is Get.
**Provider/*ProviderID*/ManagementServiceAddress**
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server.
-> **Note** When the ManagementServerAddressList value is set, the device ignores the value in ManagementServiceAddress.
+> [!NOTE]
+> When the **ManagementServerAddressList** value is set, the device ignores the value.
-The DMClient configuration service provider will save the address to the same location as the w7 and DMS configuration service providers to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
+The DMClient CSP will save the address to the same location as the w7 and DMS CSPs to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices.
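Review bot: The converted note under `ManagementServiceAddress` drops the object of the sentence. The old text said the device ignores "the value in ManagementServiceAddress"; the new text says only "the device ignores the value", which can be read as ignoring the **ManagementServerAddressList** value itself. Please restore the node name, for example "the device ignores the value in **ManagementServiceAddress**". In the paragraph below, the link text "[w7 APPLICATION configuration service provider]" is left spelled out while the rest of the sentence was switched to "CSP"; make it consistent one way or the other.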
@@ -143,8 +146,8 @@ Supported operations are Get, Replace, and Delete.
**Provider/*ProviderID*/SyncApplicationVersion**
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0.
-> **Note**
-This node is only supported in Windows 10 and later.
+> [!NOTE]
+> This node is only supported in Windows 10 and later.
Once you set the value to 2.0, it will not go back to 1.0.
@@ -160,9 +163,9 @@ When you query this node, a Windows 10 client will return 2.0 and a Windows 8.
Supported operation is Get.
**Provider/*ProviderID*/AADResourceID**
-Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory enrollments (AAD Join or Add Accounts). The token is audience specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
+Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access.
-For more information about Azure Active Directory enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
@@ -203,7 +206,7 @@ Here is an example of DM message sent by the device when it is in pending state:
```
**Provider/*ProviderID*/AADDeviceID**
-Added in Windows 10, version 1607. Returns the device ID for the Azure Active Directory device registration.
+Added in Windows 10, version 1607. Returns the device ID for the Azure AD device registration.
Supported operation is Get.
@@ -223,9 +226,10 @@ Added in Windows 10, version 1607. Configures the identifier used to uniquely a
Supported operations are Add, Get, Replace, and Delete.
**Provider/*ProviderID*/ManagementServerAddressList**
-Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, etc... If there is only one, the angle brackets (<>) are not required.
+Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there is only one, the angle brackets (<>) are not required.
-> **Note** The < and > should be escaped.
+> [!NOTE]
+> The < and > should be escaped.
@@ -260,6 +264,7 @@ Optional. Number of days after last successful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
**Provider/*ProviderID*/AADSendDeviceToken**
+
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
@@ -377,7 +382,8 @@ If there is no infinite schedule set, then a 24-hour schedule is created and sch
**Invalid poll schedule: disable all poll schedules**
-> **Note** Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
+> [!NOTE]
+> Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero.
@@ -557,7 +563,7 @@ Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions
Supported operations are Add and Delete.
**Provider/*ProviderID*/Push/PFN**
-Required. A string provided by the Windows 10 ecosystem for a Mobile Device Management solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
+Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing.
Supported operations are Add, Get, and Replace.
@@ -665,7 +671,7 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
Supported operations are Add, Delete, Get, and Replace. Value type is string.
**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the amount of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing 4 apps, and ProductID2 containing 2 apps.
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to provision via EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We will not verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
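Review bot: The `ExpectedMSIAppPackages` example still embeds the delimiter as `"\xF000"` with literal quotes and a following space (`.../ProductID1/Status;4"\xF000" ./User/...`), while the sentence before it defines the delimiter as the single character L"\xF000". A reader copying the example would send the quotes and space as data. Since the line is being edited for wording anyway, consider showing the example without the quotes and space, or adding a sentence that the quoted token stands for the one delimiter character.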
@@ -677,7 +683,7 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
-This represents App Package PackageFullName containing 4 apps, and PackageFullName2 containing 2 apps.
+This represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index f687502610..7ccca3fe88 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -1,6 +1,6 @@
---
title: EAP configuration
-description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, plus info about EAP certificate filtering in Windows 10.
+description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10.
ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE
ms.reviewer:
manager: dansimp
@@ -15,46 +15,46 @@ ms.date: 06/26/2017
# EAP configuration
-The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10.
+This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.
-## Create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile
+## Create an EAP configuration XML for a VPN profile
-Here is an easy way to get the EAP configuration from your desktop using the rasphone tool that is shipped in the box.
+To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
1. Run rasphone.exe.

-2. If you don't currently have any VPN connections and you see the following message, click **OK**.
+1. If you don't currently have a VPN connection and you see the following message, select **OK**.

-3. Select **Workplace network** in the wizard.
+1. In the wizard, select **Workplace network**.

-4. Enter any dummy information for the internet address and connection name. These can be fake since it does not impact the authentication parameters.
+1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.

-5. Create a fake VPN connection. In the UI shown below, click **Properties**.
+1. Create a fake VPN connection. In the UI shown here, select **Properties**.

-6. In the **Test Properties** dialog, click the **Security** tab.
+1. In the **Test Properties** dialog, select the **Security** tab.

-7. In the **Security** tab, select **Use Extensible Authentication Protocol (EAP)** radio button.
+1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.

-8. From the drop down menu, select the EAP method that you want to configure. Then click **Properties** to configure as needed.
+1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.

-9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
+1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
```powershell
Get-VpnConnection -Name Test
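Review bot: In the reworded step 4, "Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters." mixes "These" with "it does", and with "any dummy information" removed the first sentence now reads as if a real address were required before the second sentence walks that back. Suggest something like "Enter any Internet address and connection name. These can be placeholder values because they do not affect the authentication parameters."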
@@ -88,7 +88,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
$a.EapConfigXmlStream.InnerXml
```
- Here is an example output
+ Here is an example output.
```xml
**NOTE:** Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
[Advanced hunting](advanced-hunting-overview.md) | Use a powerful query-based threat-hunting tool to proactively find breach activity and create custom detection rules.
[Management and APIs](management-apis.md) | Microsoft Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 480df72feb..ceb8637a40 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -122,5 +122,5 @@ Icon | Description
## Related topics
- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
- [View the Security operations dashboard](security-operations-dashboard.md)
-- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md)
+- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
index 2fc67b8211..d54f893ac4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
@@ -58,7 +58,7 @@ The following is in scope for this project:
capabilities including automatic investigation and remediation
- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
-- Use of System Center Configuration Manager to onboard endpoints into the service.
+- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service.
### Out of scope
diff --git a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
index 2a83d109de..e69a6bc890 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/product-brief.md
@@ -36,33 +36,33 @@ Capability | Description
**Threat and Vulnerability Management** | This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
**Attack Surface Reduction** | The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
**Next Generation Protection** | To further reinforce the security perimeter of the organizations network, Microsoft Defender ATP uses next generation protection designed to catch all types of emerging threats.
-**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
-**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+**Endpoint Detection & Response** | Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
+**Auto Investigation & Remediation** | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
**Microsoft Threat Experts** | Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
-**Secure Score** | Microsoft Defender ATP includes a secure score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization.
+**Configuration Score** | Microsoft Defender ATP includes configuration score to help dynamically assess the security state of the enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of the organization.
**Advance Hunting** | Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in the organization.
**Management and API** | Integrate Microsoft Defender Advanced Threat Protection into existing workflows.
**Microsoft Threat Protection** | Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to the organization. | |
Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
+- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
-
-- **Cloud security analytics**: Leveraging big-data, machine-learning, and
+- **Cloud security analytics**: Leveraging big-data, machine-learning, and
unique Microsoft optics across the Windows ecosystem,
enterprise cloud products (such as Office 365), and online assets, behavioral signals
are translated into insights, detections, and recommended responses
to advanced threats.
-- **Threat intelligence**: Generated by Microsoft hunters, security teams,
+- **Threat intelligence**: Generated by Microsoft hunters, security teams,
and augmented by threat intelligence provided by partners, threat
intelligence enables Microsoft Defender ATP to identify attacker
tools, techniques, and procedures, and generate alerts when these
are observed in collected sensor data.
## Licensing requirements
+
Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
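Review bot: The renamed row reads "**Configuration Score** | Microsoft Defender ATP includes configuration score to help ...", which lost the article the old "includes a secure score" had; use "includes a configuration score" or treat it consistently as a proper name. While this table is being touched, the unchanged rows around it still have "**Advance Hunting**" (elsewhere in this change the feature is "Advanced hunting") and a trailing "| |" on the Microsoft Threat Protection row that adds empty cells to a two-column table.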
@@ -71,4 +71,5 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
- Microsoft 365 A5 (M365 A5)
## Related topic
+
- [Prepare deployment](prepare-deployment.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
index 4e93583820..6bed8fc78a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
@@ -25,13 +25,13 @@ ms.topic: article
Proper planning is the foundation of a successful deployment. In this deployment scenario, you'll be guided through the steps on:
- Tenant configuration
- Network configuration
-- Onboarding using System Center Configuration Manager
+- Onboarding using Microsoft Endpoint Configuration Manager
- Endpoint detection and response
- Next generation protection
- Attack surface reduction
>[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of System Center Configuration Manager. Microsoft Defnder ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
+>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
## Tenant Configuration
@@ -111,7 +111,7 @@ under:
Preview Builds \> Configure Authenticated Proxy usage for the Connected User
Experience and Telemetry Service
- - Set it to **Enabled** and select**Disable Authenticated Proxy usage**
+ - Set it to **Enabled** and select�**Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
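Review bot: The added line "Set it to **Enabled** and select�**Disable Authenticated Proxy usage**" contains a U+FFFD replacement character between "select" and the bold text, so whatever space character was intended has been corrupted by an encoding round trip. Replace it with a plain ASCII space and confirm the file is saved as UTF-8 before merging, otherwise the character will render literally in the published step.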
@@ -205,9 +205,9 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
> [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
-## Onboarding using System Center Configuration Manager
+## Onboarding using Microsoft Endpoint Configuration Manager
### Collection creation
-To onboard Windows 10 devices with System Center Configuration Manager, the
+To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
deployment can target either and existing collection or a new collection can be
created for testing. The onboarding like group policy or manual method does
not install any agent on the system. Within the Configuration Manager console
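Review bot: Renaming the heading to "## Onboarding using Microsoft Endpoint Configuration Manager" changes the anchor generated from it, so any links that point at the old heading's anchor need to be updated in the same change; the visible diff does not show that. The paragraph under the new heading also still says "target either and existing collection", which should be "either an existing collection", and is worth fixing while the first line of that paragraph is being edited.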
@@ -217,55 +217,54 @@ maintain that configuration for as long as the Configuration Manager client
continues to receive this policy from the management point. Follow the steps
below to onboard systems with Configuration Manager.
-1. In System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
- 
+ 
2. Right Click **Device Collection** and select **Create Device Collection**.
- 
+ 
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
- 
+ 
4. Select **Add Rule** and choose **Query Rule**.
- 
+ 
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
- 
+ 
6. Select **Criteria** and then choose the star icon.
- 
+ 
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**.
- 
+ 
8. Select **Next** and **Close**.
- 
+ 
9. Select **Next**.
- 
+ 
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
## Endpoint detection and response
### Windows 10
From within the Microsoft Defender Security Center it is possible to download
-the '.onboarding' policy that can be used to create the policy in System Center Configuration
-Manager and deploy that policy to Windows 10 devices.
+the '.onboarding' policy that can be used to create the policy in Microsoft Endpoint Configuration Manager and deploy that policy to Windows 10 devices.
1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
-2. Under Deployment method select the supported version of **System Center Configuration Manager**.
+2. Under Deployment method select the supported version of **Configuration Manager**.

@@ -274,15 +273,15 @@ Manager and deploy that policy to Windows 10 devices.

4. Save the package to an accessible location.
-5. In System Center Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
+5. In Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
- 
+ 
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
- 
+ 
8. Click **Browse**.
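Review bot: The image references here and in the other hunks of this file change from images/sccm-*.png to images/configmgr-*.png (for example sccm-create-policy.png to configmgr-create-policy.png), but the visible diff only touches the markdown. Confirm that the image files themselves are renamed in the same commit, otherwise every one of these screenshots renders as a broken link.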
@@ -305,7 +304,7 @@ Manager and deploy that policy to Windows 10 devices.
15. Click **Close** when the Wizard completes.
-16. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
+16. In the Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.

@@ -371,14 +370,14 @@ Specifically, for Windows 7 SP1, the following patches must be installed:
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
Do not install both on the same system.
-To deploy the MMA with System Center Configuration Manager, follow the steps
+To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps
below to utilize the provided batch files to onboard the systems. The CMD file
when executed, will require the system to copy files from a network share by the
System, the System will install MMA, Install the DependencyAgent, and configure
MMA for enrollment into the workspace.
-1. In System Center Configuration Manager console, navigate to **Software
+1. In the Configuration Manager console, navigate to **Software
Library**.
2. Expand **Application Management**.
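Review bot: The intro sentence that this hunk edits continues with "The CMD file when executed, will require the system to copy files from a network share by the System, the System will install MMA, Install the DependencyAgent, and configure MMA for enrollment into the workspace", which is hard to parse and repeats "the System" three times. Suggest something like "When executed, the CMD file copies the installers from a network share, installs MMA and the DependencyAgent, and configures MMA for enrollment into the workspace." Because the script pulls installers from a share and runs them on each client, it would also help to state what access the share needs and who may write to it.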
@@ -387,15 +386,15 @@ MMA for enrollment into the workspace.
4. Provide a Name for the package, then click **Next**
- 
+ 
5. Verify **Standard Program** is selected.
- 
+ 
6. Click **Next**.
- 
+ 
7. Enter a program name.
@@ -411,17 +410,17 @@ MMA for enrollment into the workspace.
13. Click **Next**.
- 
+ 
14. Verify the configuration, then click **Next**.
- 
+ 
15. Click **Next**.
16. Click **Close**.
-17. In the System Center Configuration Manager console, right-click the Microsoft Defender ATP
+17. In the Configuration Manager console, right-click the Microsoft Defender ATP
Onboarding Package just created and select **Deploy**.
18. On the right panel select the appropriate collection.
@@ -431,7 +430,7 @@ MMA for enrollment into the workspace.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.

@@ -481,9 +480,9 @@ Protection. All these features provide an audit mode and a block mode. In audit
To set ASR rules in Audit mode:
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- 
+ 
2. Select **Attack Surface Reduction**.
@@ -491,26 +490,26 @@ To set ASR rules in Audit mode:
3. Set rules to **Audit** and click **Next**.
- 
+ 
4. Confirm the new Exploit Guard policy by clicking on **Next**.
- 
+ 
5. Once the policy is created click **Close**.
- 
+ 
6. Right-click on the newly created policy and choose **Deploy**.
- 
+ 
7. Target the policy to the newly created Windows 10 collection and click **OK**.
- 
+ 
After completing this task, you now have successfully configured ASR rules in audit mode.
@@ -541,15 +540,15 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
### To set Network Protection rules in Audit mode:
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- 
+ 
2. Select **Network protection**.
3. Set the setting to **Audit** and click **Next**.
- 
+ 
4. Confirm the new Exploit Guard Policy by clicking **Next**.
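Review bot: Alt text is only updated on the images whose file names change. The unchanged context line under step 2 still reads "![Image of System Center Configuration Manager wizard](images/c039b2e05dba1ade6fb4512456380c9f.png)", while the renamed images in the same hunk now say "Image of Configuration Manager wizard". The same applies to the other hash-named screenshots in this file. Update the alt text on those lines too so the rename is consistent for screen-reader users and for anyone searching the repo for the old product name.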
@@ -561,42 +560,42 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
6. Right-click on the newly created policy and choose **Deploy**.
- 
+ 
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
- 
+ 
After completing this task, you now have successfully configured Network
Protection in audit mode.
### To set Controlled Folder Access rules in Audit mode:
-1. In the System Center Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+1. In the Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
- 
+ 
2. Select **Controlled folder access**.
3. Set the configuration to **Audit** and click **Next**.
- 
+ 
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
- 
+ 
5. Once the policy is created click on **Close**.
- 
+ 
6. Right-click on the newly created policy and choose **Deploy**.
- 
+ 
7. Target the policy to the newly created Windows 10 collection and click **OK**.
- 
+ 
After completing this task, you now have successfully configured Controlled folder access in audit mode.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
index a617060626..9bc6ebcb3f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md
@@ -63,6 +63,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
- Each event hub message in Azure Event Hubs contains list of records.
- Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
## Data types mapping:
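Review bot: The added bullet says "Here every event will be decorated with this column as well" without saying where the value lands. The bullet above it explains that each record has the event name, time, tenant, and the event JSON in "**properties**", so a consumer parsing these records needs to know whether **MachineGroup** appears inside "properties" or as a field on the record itself. Replace "Here" with the concrete location, and use "device" or "machine" consistently with the rest of the page.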
@@ -78,7 +79,7 @@ To get the data types for event properties do the following:
```
-- Here is an example for Machine Info event:
+- Here is an example for Device Info event:

diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
index f0c242ed3a..682cc7e7d9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md
@@ -64,6 +64,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w
- Each blob contains multiple rows.
- Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties".
- For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md).
+- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information.
## Data types mapping:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
index 7155ac0422..54dc6d37fa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Raw Data Streaming API (Preview)
+# Raw Data Streaming API
**Applies to:**
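Review bot: Only the H1 drops "(Preview)". This is the sole hunk for the file and it starts at the end of the front matter, so the `title:` and `description:` metadata above it are untouched. If either still says Preview, or the body still carries a prerelease include or preview wording, remove those in the same change so the page title, metadata, and content agree.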
diff --git a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
deleted file mode 100644
index 1ac2ee7415..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/secure-score-dashboard.md
+++ /dev/null
@@ -1,315 +0,0 @@
----
-title: Configure the security controls in Secure score
-description: Configure the security controls in Secure score
-keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Configure the security controls in Secure score
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
-
-Each security control lists recommendations that you can take to increase the security posture of your organization.
-
-### Endpoint detection and response (EDR) optimization
-
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for your Endpoint detection and response tool.
-
-> [!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1607 or later.
-
-#### Minimum baseline configuration setting for EDR
-
-* Microsoft Defender ATP sensor is on
-* Data collection is working correctly
-* Communication to Microsoft Defender ATP service is not impaired
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Turn on sensor
-* Fix sensor data collection
-* Fix impaired communications
-
-For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-### Windows Defender Antivirus (Windows Defender AV) optimization
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AV.
-
-> [!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1607 or later.
-
-#### Minimum baseline configuration setting for Windows Defender AV:
-A well-configured machine for Windows Defender AV meets the following requirements:
-
-- Windows Defender AV is reporting correctly
-- Windows Defender AV is turned on
-- Security intelligence is up-to-date
-- Real-time protection is on
-- Potentially Unwanted Application (PUA) protection is enabled
-
-You can take the following actions to increase the overall security score of your organization:
-
->[!NOTE]
-> For the Windows Defender Antivirus properties to show, you'll need to ensure that the Windows Defender Antivirus Cloud-based protection is properly configured on the machine.
-
-- Fix antivirus reporting
- - This recommendation is displayed when the Windows Defender Antivirus is not properly configured to report its health state. For more information on fixing the reporting, see [Configure and validate network connections](../windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md).
-- Turn on antivirus
-- Update antivirus Security intelligence
-- Turn on real-time protection
-- Turn on PUA protection
-
-For more information, see [Configure Windows Defender Antivirus](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md).
-
-### OS security updates optimization
-
-This tile shows you the number of machines that require the latest security updates. It also shows machines that are running on the latest Windows Insider preview build and serves as a reminder to ensure that users should run the latest builds.
-
-> [!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1607 or later.
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Install the latest security updates
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter).
-
-### Windows Defender Exploit Guard (Windows Defender EG) optimization
-
-
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on machines to meet the minimum baseline configuration setting for Microsoft Defender EG. When endpoints are configured according to the baseline the Microsoft Defender EG events shows on the Microsoft Defender ATP Machine timeline.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender EG
-
-Machines are considered "well configured" for Microsoft Defender EG if the following requirements are met:
-
-* System level protection settings are configured correctly
-* Attack Surface Reduction rules are configured correctly
-* Controlled Folder Access setting is configured correctly
-
-##### System level protection
-
-The following system level configuration settings must be set to **On or Force On**:
-
-1. Control Flow Guard
-2. Data Execution Prevention (DEP)
-3. Randomize memory allocations (Bottom-up ASLR)
-4. Validate exception chains (SEHOP)
-5. Validate heap integrity
-
-> [!NOTE]
-> The setting **Force randomization for images (Mandatory ASLR)** is currently excluded from the baseline.
-> Consider configuring **Force randomization for images (Mandatory ASLR)** to **On or Force On** for better protection.
-
-##### Attack Surface Reduction (ASR) rules
-
-The following ASR rules must be configured to **Block mode**:
-
-Rule description | GUIDs
--|-
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-
-> [!NOTE]
-> The setting **Block Office applications from injecting into other processes** with GUID 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 is excluded from the baseline.
-> Consider enabling this rule in **Audit** or **Block mode** for better protection.
-
-##### Controlled Folder Access
-
-The Controlled Folder Access setting must be configured to **Audit mode** or **Enabled**.
-
-> [!NOTE]
-> Audit mode, allows you to see audit events in the Microsoft Defender ATP Machine timeline however it does not block suspicious applications.
-> Consider enabling Controlled Folder Access for better protection.
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-- Turn on all system-level Exploit Protection settings
-- Set all ASR rules to enabled or audit mode
-- Turn on Controlled Folder Access
-- Turn on Windows Defender Antivirus on compatible machines
-
-### Windows Defender Application Guard (Windows Defender AG) optimization
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender AG. When endpoints are configured according to the baseline, Windows Defender AG events shows on the Microsoft Defender ATP Machine timeline.
-
-A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender AG. When endpoints are configured according to the baseline, Microsoft Defender AG events shows on the Microsoft Defender ATP Machine timeline.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender AG:
-A well-configured machine for Windows Defender AG meets the following requirements:
-
-- Hardware and software prerequisites are met
-- Windows Defender AG is turned on compatible machines
-- Managed mode is turned on
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Ensure hardware and software prerequisites are met
-
- > [!NOTE]
- > This improvement item does not contribute to the security score in itself because it's not a prerequisite for Microsoft Defender AG. It gives an indication of a potential reason why Microsoft Defender AG is not turned on.
-
-* Turn on Microsoft Defender AG on compatible machines
-* Turn on managed mode
-
-For more information, see [Microsoft Defender Application Guard overview](../windows-defender-application-guard/wd-app-guard-overview.md).
-
-### Windows Defender SmartScreen optimization
-
-A well-configured machine complies to a minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender SmartScreen.
-
-> [!WARNING]
-> Data collected by Microsoft Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Microsoft Defender ATP data.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender SmartScreen:
-
-The following settings must be configured with the following settings:
-
-* Check apps and files: **Warn** or **Block**
-* Microsoft Defender SmartScreen for Microsoft Edge: **Warn** or **Block**
-* Microsoft Defender SmartScreen for Microsoft store apps: **Warn** or **Off**
-
-You can take the following actions to increase the overall security score of your organization:
-
-- Set **Check app and files** to **Warn** or **Block**
-- Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
-- Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
-
-For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
-
-* Set **Check app and files** to **Warn** or **Block**
-* Set **Windows Defender SmartScreen for Microsoft Edge** to **Warn** or **Block**
-* Set **Windows Defender SmartScreen for Microsoft store apps** to **Warn** or **Off**
-
-For more information, see [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md).
-
-### Windows Defender Firewall optimization
-
-A well-configured machine must have Microsoft Defender Firewall turned on and enabled for all profiles so that inbound connections are blocked by default. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Microsoft Defender Firewall.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender Firewall
-
-* Microsoft Defender Firewall is turned on for all network connections
-* Secure domain profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
-* Secure private profile by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
-* Secure public profile is configured by enabling Microsoft Defender Firewall and ensure that Inbound connections are set to Blocked
-
-For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy).
-
-> [!NOTE]
-> If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely.
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Turn on firewall
-* Secure domain profile
-* Secure private profile
-* Secure public profile
-* Verify secure configuration of third-party firewall
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security).
-
-### BitLocker optimization
-
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for BitLocker.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1803 or later.
-
-#### Minimum baseline configuration setting for BitLocker
-
-* Ensure all supported drives are encrypted
-* Ensure that all suspended protection on drives resume protection
-* Ensure that drives are compatible
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Encrypt all supported drives
-* Resume protection on all drives
-* Ensure drive compatibility
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Bitlocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview).
-
-### Windows Defender Credential Guard optimization
-A well-configured machine complies to the minimum baseline configuration setting. This tile shows you a list of actions to apply on endpoints to meet the minimum baseline configuration setting for Windows Defender Credential Guard.
-
-> [!IMPORTANT]
-> This security control is only applicable for machines with Windows 10, version 1709 or later.
-
-#### Minimum baseline configuration setting for Windows Defender Credential Guard:
-Well-configured machines for Windows Defender Credential Guard meets the following requirements:
-
-- Hardware and software prerequisites are met
-- Windows Defender Credential Guard is turned on compatible machines
-
-##### Recommended actions
-
-You can take the following actions to increase the overall security score of your organization:
-
-* Ensure hardware and software prerequisites are met
-* Turn on Credential Guard
-* Fix sensor data collection
- * The Microsoft Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. It's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-For more information, see [Manage Windows Defender Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-sadashboard-belowfoldlink)
-
-## Related topics
-
-* [Overview of Secure score](overview-secure-score.md)
-* [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-* [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-* [Exposure score](tvm-exposure-score.md)
-* [Configuration score](configuration-score.md)
-* [Security recommendations](tvm-security-recommendation.md)
-* [Remediation](tvm-remediation.md)
-* [Software inventory](tvm-software-inventory.md)
-* [Weaknesses](tvm-weaknesses.md)
-* [Scenarios](threat-and-vuln-mgt-scenarios.md)
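Review bot: The whole file is deleted, but the visible diff only repairs one inbound link (in security-operations-dashboard.md). Confirm that a redirect from secure-score-dashboard.md to its replacement is added in this commit and that no other article still links to the old path. The deleted page also held the only concrete baseline in this area that is visible here: the system-level Exploit Protection settings that must be On, and the table of ASR rule GUIDs that must be in Block mode. Check that configuration-score.md or a page it links to carries that detail before it is removed.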
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
index ea54e6d0ea..00820b5fe4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
@@ -121,5 +121,5 @@ Click the user account to see details about the user account. For more informati
## Related topics
- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
- [Portal overview](portal-overview.md)
-- [View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md)
+- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
index 7df11c3d9e..14398b7265 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
@@ -8,8 +8,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -18,15 +18,19 @@ ms.topic: article
---
# Threat & Vulnerability Management scenarios
+
**Applies to:**
+
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
## Before you begin
+
Ensure that your machines:
+
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Run with Windows 10 1709 (Fall Creators Update) or later
@@ -47,15 +51,18 @@ Ensure that your machines:
- Are tagged or marked as co-managed
## Reduce your threat and vulnerability exposure
+
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
+
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device to get breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
+
- 0–29: low exposure score
- 30–69: medium exposure score
- 70–100: high exposure score
@@ -65,15 +72,19 @@ You can remediate the issues based on prioritized security recommendations to re
To lower down your threat and vulnerability exposure:
1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.
-
- >>
- >[!NOTE]
- > There are two types of recommendations:
- > - Security update which refers to recommendations that require a package installation
- > - Configuration change which refers to recommendations that require a registry or GPO modification
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight  icon and possible active alert  icon.
-
+ There are two types of recommendations:
+
+ - *Security update* which refers to recommendations that require a package installation
+ - *Configuration change* which refers to recommendations that require a registry or GPO modification
+
+ Always prioritize recommendations that are associated with ongoing threats:
+
+ -  Threat insight icon
+ -  Active alert icon
+
+ >
+
2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. 
3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. 
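Review bot: In step 1, the rewritten text after "Always prioritize recommendations that are associated with ongoing threats:" lists only "Threat insight icon" and "Active alert icon", so it no longer says that these icons are how such recommendations are marked. The removed note said so explicitly ("These recommendations are marked with the threat insight icon and possible active alert icon"). Suggest keeping that sentence ahead of the icon list so the list reads as a legend rather than as the recommendations themselves.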
@@ -81,12 +92,13 @@ To lower down your threat and vulnerability exposure:
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. 
5. Allow a few hours for the changes to propagate in the system.
-
+
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Improve your security configuration
+
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as [configuration score](configuration-score.md). The secure score page is available for a few weeks. View the [secure score](https://securitycenter.windows.com/securescore) page.
+> Secure score is now part of Threat & Vulnerability Management as [Configuration score](configuration-score.md).
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
@@ -94,14 +106,15 @@ You can improve your security configuration when you remediate issues from the s
>
-2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
+2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
+

3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
- >.
+ >.
- >You will see a confirmation message that the remediation task has been created.
+ You will see a confirmation message that the remediation task has been created.
>
4. Save your CSV file.
@@ -112,6 +125,7 @@ You can improve your security configuration when you remediate issues from the s
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
## Request a remediation
+
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
@@ -133,6 +147,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
## File for exception
+
With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
@@ -141,7 +156,6 @@ Exceptions can be created for both *Security update* and *Configuration change*
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
-
1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
@@ -156,10 +170,10 @@ When an exception is created for a recommendation, the recommendation is no long
5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.

-6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
-
+6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
+
-## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
+## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane.
@@ -168,38 +182,41 @@ When an exception is created for a recommendation, the recommendation is no long
3. Enter the following queries:
```kusto
-// Search for machines with High active alerts or Critical CVE public exploit
-DeviceTvmSoftwareInventoryVulnerabilities
-| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
+// Search for machines with High active alerts or Critical CVE public exploit
+DeviceTvmSoftwareInventoryVulnerabilities
+| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
| where IsExploitAvailable == 1 and CvssScore >= 7
-| summarize NumOfVulnerabilities=dcount(CveId),
-DeviceName=any(DeviceName) by DeviceId
+| summarize NumOfVulnerabilities=dcount(CveId),
+DeviceName=any(DeviceName) by DeviceId
| join kind =inner(DeviceAlertEvents) on DeviceId
-| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
-DeviceName=any(DeviceName) by DeviceId, AlertId
+| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
+DeviceName=any(DeviceName) by DeviceId, AlertId
| project DeviceName, NumOfVulnerabilities, AlertId
-| order by NumOfVulnerabilities desc
+| order by NumOfVulnerabilities desc
```
-## Conduct an inventory of software or software versions which have reached their end-of-life
-End-of-life for software or software versions means that they will no longer be supported nor serviced. When you use software or software versions which have reached their end-of-life, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+## Conduct an inventory of software or software versions which have reached end-of-support (EOS)
-It is crucial for you as Security and IT Administrators to work together and ensure that your organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
+End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
+
+It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
+
+To conduct an inventory of software or software versions which have reached end-of-support:
-To conduct an inventory of software or software versions which have reached their end of life:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
-2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options if you want to see the list of software recommendations associated with software which have reached their end-of-life (tagged as **EOL software**). Select **Software update** from **Remediation Type** options if you want to see the list of software recommendations associated with software and software versions which have reached their end-of-life (tagged as **EOL versions installed**).
-3. Select a software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
-
+2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options to see the list of software recommendations associated with software which have reached end of support (tagged as **EOS software**).
+3. Select **Software update** from **Remediation Type** options to see the list of software recommendations associated with software and software versions which have reached end-of-support (tagged as **EOS versions installed**).
+4. Select software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
+
-4. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-life, and how many vulnerabilities were discovered in it.
-
-
-After you have identified which software and software versions are vulnerable due to its end-of-life status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
+5. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-support, and how many vulnerabilities were discovered in it.
+
+After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
## Related topics
+
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
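Review bot: The query under "Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit" does not do what the heading and its first comment say. Both joins are `kind=inner`, so it returns only machines that have an exploitable CVE with `CvssScore >= 7` and also appear in `DeviceAlertEvents`, not machines with either one, and nothing filters the alerts to high severity. A score of 7 is also the start of the High band in CVSS v3, not Critical. Either reword the heading and comment to match the query, or change the query to match the heading. Separately, in the end-of-support procedure the old step 2 is now split into steps 2 and 3, which makes the two **Remediation Type** filters read as consecutive actions when they are alternatives; one step with two sub-bullets would be clearer.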
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
index ffd3002549..a0465dd642 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
@@ -66,10 +66,10 @@ When you submit a remediation request from Threat & Vulnerability Management, it
It creates a security task which will be tracked in Threat & Vulnerability Management **Remediation** page, and it also creates a remediation ticket in Microsoft Intune.
-The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
+The dashboard will show that status of your top remediation activities. Click any of the entries and it will take you to the **Remediation** page. You can mark the remediation activity as completed after the IT administration team remediates the task.
## When to file for exception instead of remediating issues
-You can file exceptions to exclude certain recommendation from showing up in reports and affecting risk scores or secure scores.
+You can file exceptions to exclude certain recommendation from showing up in reports and affecting your configuration score.
When you select a security recommendation, it opens up a flyout screen with details and options for your next step. You can either **Open software page**, choose from **Remediation options**, go through **Exception options** to file for exceptions, or **Report inaccuracy**.
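Review bot: The new sentence under "When to file for exception instead of remediating issues" says exceptions keep recommendations from "affecting your configuration score" only, but the "Exception impact on scores" section later in this file says an exception can affect both the Exposure Score and the Configuration Score. Suggest naming both scores here so the two sections agree. While these lines are being touched, "show that status" should be "show the status" and "certain recommendation" should be "certain recommendations".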
@@ -113,10 +113,10 @@ Clicking the link opens up to the **Security recommendations** page, where you c
- **In effect** - The exception that you've filed is in progress
### Exception impact on scores
-Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Secure Score (for configurations) of your organization in the following manner:
+Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner:
- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
-- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Secure Score results out of the exception option that you made
+- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
The exception impact shows on both the Security recommendations page column and in the flyout pane.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md
index dbf6830312..1b86e94b66 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/use.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/use.md
@@ -29,7 +29,7 @@ Microsoft Defender Security Center is the portal where you can access Microsoft
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
-Use the **Secure Score** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
+Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
@@ -39,5 +39,5 @@ Topic | Description
:---|:---
[Portal overview](portal-overview.md) | Understand the portal layout and area descriptions.
[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
-[View the Secure Score dashboard and improve your secure score](secure-score-dashboard.md) | The **Secure Score dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
+[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify machines for the presence or absence of mitigations.
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index 14439573d7..e64f5c502c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -73,7 +73,7 @@ Cyren's web content classification technology is integrated by design into Micro
Learn more at https://www.cyren.com/products/url-filtering.
-### Cyren permissions
+### Cyren Permissions
"Sign in and read user profile" allows Cyren to read your tenant info from your Microsoft Defender ATP account, such as your tenant ID, which will be tied to your Cyren license.
@@ -81,7 +81,10 @@ Learn more at https://www.cyren.com/products/url-filtering.
### Signing up for a Cyren License
-Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+Cyren is offering a 60-day free trial for all Microsoft Defender ATP customers. To sign up, please follow the steps below from the portal.
+
+>[!NOTE]
+>Make sure to add the URL you get redirected to by the signup process to the list of approved domains.
>[!NOTE]
>A user with AAD app admin/global admin permissions is required to complete these steps.
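Review bot: The added note "Make sure to add the URL you get redirected to by the signup process to the list of approved domains" does not say which list it means or which domain to expect. Telling admins to approve whatever URL they land on gives them nothing to verify the redirect against. Suggest naming the expected sign-up domain and linking to where the approved list is configured. The two consecutive `[!NOTE]` blocks could also be merged into one.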
@@ -168,4 +171,4 @@ You need to be logged in to an AAD account with either App administrator or Glob
- [Web protection overview](web-protection-overview.md)
- [Web threat protection](web-threat-protection.md)
- [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
\ No newline at end of file
+- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg b/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg
new file mode 100644
index 0000000000..9376fba47e
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/WDAV-WinSvr2019-turnfeatureson.jpg differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png b/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png
index f9ef1da5f7..d9664338fe 100644
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png and b/windows/security/threat-protection/windows-defender-antivirus/images/server-add-gui.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
new file mode 100644
index 0000000000..8201f92e0e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md
@@ -0,0 +1,87 @@
+---
+title: Windows Defender Antivirus together with Office 365 (including OneDrive) - better protection from ransomware and cyberthreats
+description: Office 365, which includes OneDrive, goes together wonderfully with Windows Defender Antivirus. Read this article to learn more.
+keywords: windows defender, antivirus, office 365, onedrive
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.topic: article
+author: denisebmsft
+ms.author: deniseb
+ms.custom: nextgen
+ms.date: 02/26/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Windows Defender Antivirus together with Office 365
+
+**Applies to:**
+
+- Windows Defender Antivirus
+- Office 365
+
+You might already know that:
+
+- **Windows Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Windows Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Windows Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
+
+- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
+
+- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
+
+**But did you know there are good security reasons to use Windows Defender Antivirus together with Office 365**? Here are two:
+
+ 1. [You get ransomware protection and recovery](#ransomware-protection-and-recovery).
+
+ 2. [Integration means better protection](#integration-means-better-protection).
+
+Read the following sections to learn more.
+
+## Ransomware protection and recovery
+
+When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
+
+1. **You are told about the threat**. (If your organization is using Microsoft Defender Advanced Threat Protection, your security operations team is notified, too.)
+
+2. **Windows Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s).
+
+3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
+
+Think of the time and hassle this can save.
+
+## Integration means better protection
+
+Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection. Here's how:
+
+- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents.
+
+ AND
+
+- [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture.
+
+ SO
+
+- Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+
+If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp).
+
+## More good reasons to use OneDrive
+
+Protection from ransomware is one great reason to put your files in OneDrive. And there are several more good reasons, summarized in this video:
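Review bot: The front matter declares `ms.pagetype: security` twice (after `search.product` and again after `ms.sitesec`); drop one so the metadata has no duplicate key. The links to the Windows Defender Antivirus article use absolute docs.microsoft.com URLs although the target path sits in the same folder as this new file, while other files in this change use relative links such as `tvm-remediation.md`. The last section shown ends at "summarized in this video:" with no video link visible in this hunk, so confirm the embed is present.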
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.|
+
### January 2020
|New or updated topic | Description|
|--- | ---|
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 6e8652ff9c..6704ebd00c 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -15,6 +15,8 @@ ms.date: 07/18/2019
# Policy CSP
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@@ -615,6 +617,9 @@ The following diagram shows the Policy configuration service provider in tree fo
@@ -40,6 +41,9 @@ manager: dansimp
+
+
+**Bluetooth/SetMinimumEncryptionKeySize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+
+Pro
+
+7
+
+Business
+
+7
+
+Enterprise
+
+7
+
+Education
+
+7
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Added in the next major release of Windows 10.
+There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
+
+
+
+The following list shows the supported values:
+- 0 (default) - All Bluetooth traffic is allowed.
+- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N.
+
+For more information on allowed key sizes, refer to Bluetooth Core Specification v5.1.
+
+
+
+
+
+
+
+
+
Footnotes:
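Review bot: The description of **Bluetooth/SetMinimumEncryptionKeySize** never says what Windows does when a device negotiates a key smaller than N, and that is the behaviour an admin needs to know before setting the policy. The sentence "This policy helps prevent weaker devices cryptographically being used in high security environments" is also hard to parse; suggest "helps prevent devices with weaker encryption from being used". For value 0, "All Bluetooth traffic is allowed" should say whether that includes unencrypted connections, since the text recommends 1 to always enforce encryption. "Added in the next major release of Windows 10" should be replaced with the version number once it is known.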
@@ -400,6 +470,7 @@ Footnotes:
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.
+- 7 - Added in the next major release of Windows 10.
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index adff5f8a8b..475db540e0 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -127,11 +127,10 @@ Here is an example:
- Microsoft Store for Business4
+Microsoft Store for Business
YES - 1000 at a time max
YES4
4K HH
@@ -153,7 +153,8 @@ A summary of each platform's capabilities is provided below.
>1Microsoft recommended platform to use
>2Intune license required
>3Feature capabilities are limited
->4To be retired
+>4Device profile assignment will be retired from MSfB and Partner Center in the coming months
+
Also see the following topics for more information about device IDs:
- [Device identification](#device-identification)
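Review bot: The new footnote 4 says retirement will happen "in the coming months", which has no date and will read wrong as the page ages; give a date or release if one is known. It also uses "MSfB" where the table row spells out "Microsoft Store for Business". The row change removes the 4 marker from the platform name while "YES4" keeps it, so check that the footnote still attaches to the cell it is meant for.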
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 516142c42a..31298d382d 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -1,6 +1,6 @@
---
title: Demonstrate Autopilot deployment
-ms.reviewer:
+ms.reviewer:
manager: laurawi
description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
@@ -21,20 +21,23 @@ ms.custom: autopilot
**Applies to**
-- Windows 10
+- Windows 10
To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
-In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V.
->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+> [!NOTE]
+> Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
+
+> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
-
+
->For a list of terms used in this guide, see the [Glossary](#glossary) section.
+> For a list of terms used in this guide, see the [Glossary](#glossary) section.
## Prerequisites
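Review bot: The new `> [!NOTE]` block is followed, after a blank added line, by the "Hyper-V and a VM are not required for this lab" paragraph as a plain `>` quote, and the "For a list of terms used in this guide" line is a plain quote as well. These will render as one styled note followed by unstyled blockquotes. Suggest giving them the same `[!NOTE]` marker or folding the Hyper-V paragraph into the note above it.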
@@ -83,9 +86,9 @@ A summary of the sections and procedures in the lab is provided below. Follow ea
## Verify support for Hyper-V
-If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
+If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
+> If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
@@ -103,9 +106,9 @@ This command works on all operating systems that support Hyper-V, but on Windows
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
```
-When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
+When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
+> Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:

@@ -119,25 +122,25 @@ To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://
## Create a demo VM
-Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
-To use Windows Powershell we just need to know two things:
+To use Windows PowerShell, we just need to know two things:
1. The location of the Windows 10 ISO file.
- - In the example, we assume the location is **c:\iso\win10-eval.iso**.
+ - In the example, we assume the location is **c:\iso\win10-eval.iso**.
2. The name of the network interface that connects to the Internet.
- - In the example, we use a Windows PowerShell command to determine this automatically.
+ - In the example, we use a Windows PowerShell command to determine this automatically.
After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
### Set ISO file location
-You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
-- When asked to select a platform, choose **64 bit**.
+You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
+- When asked to select a platform, choose **64 bit**.
-After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
-1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
@@ -149,19 +152,19 @@ The Get-NetAdaper cmdlet is used below to automatically find the network adapter
(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
```
-The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
+The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
-### Use Windows PowerShell to create the demo VM
+### Use Windows PowerShell to create the demo VM
All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
->[!IMPORTANT]
->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
+> [!IMPORTANT]
+> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
```powershell
-New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
+New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
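Review bot: The `New-VMSwitch` line repeats the adapter lookup inline, so the name the reader was just asked to verify is not the value that is passed to `-NetAdapterName`. The filter `$_.Status -eq "Up" -and !$_.Virtual` can match more than one adapter, and the text only covers the case where a single wrong name is displayed. Consider having the reader store the verified name in a variable and pass that variable to `New-VMSwitch`. Separately, the cmdlet name in the sentence quoted in the hunk header is misspelled (`Get-NetAdaper`); worth fixing in the same pass.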
@@ -222,13 +225,13 @@ Ensure the VM booted from the installation ISO, click **Next** then click **Inst


->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
- 
+ 
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
- 
+ 
To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
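Review bot: The line "After the VM restarts, during OOBE..." loses its `>` quote marker here, while every other quoted line in this patch is normalized from `>` to `> `. If the intent is to turn it into body text, that is fine, but it looks accidental next to the other changes; otherwise restore it as `> After the VM restarts...` so it stays set off from the surrounding steps.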
@@ -240,7 +243,8 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> [!NOTE]
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
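Review bot: The converted note says "Device ID" while the section heading is "Capture the hardware ID" and the rest of the note talks about the 4K HH; pick one term so readers do not assume these are different values. Since the line is being rewritten anyway, expand "4K HH" and "PS script" on first use, or link them to the Glossary section the guide already references.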
@@ -292,18 +296,19 @@ Mode LastWriteTime Length Name
PS C:\HWID>
-Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
+Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
-**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+> [!NOTE]
+> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.

-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
->[!NOTE]
->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
+> [!NOTE]
+> When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
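Review bot: "Do not use another text editor to do this." on the Notepad fallback line gives an instruction with no stated reason, and this file is what gets uploaded to register the device. State what goes wrong with other editors so readers can tell whether their copy is still valid, or point them back at the "about 8 KB" size check above as a way to confirm the file survived the transfer.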
@@ -326,7 +331,7 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a

-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
@@ -336,8 +341,8 @@ To convert your Intune trial account to a free Premium trial account, navigate t
If you already have company branding configured in Azure Active Directory, you can skip this step.
->[!IMPORTANT]
->Make sure to sign-in with a Global Administrator account.
+> [!IMPORTANT]
+> Make sure to sign-in with a Global Administrator account.
Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
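Review bot: In the touched IMPORTANT line, "sign-in" is used as a verb; it should read "Make sure to sign in with a Global Administrator account." The hyphenated form is the noun.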
@@ -345,8 +350,8 @@ Navigate to [Company branding in Azure Active Directory](https://portal.azure.co
When you are finished, click **Save**.
->[!NOTE]
->Changes to company branding can take up to 30 minutes to apply.
+> [!NOTE]
+> Changes to company branding can take up to 30 minutes to apply.
## Configure Microsoft Intune auto-enrollment
@@ -368,8 +373,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B

- >[!NOTE]
- >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
+ > [!NOTE]
+ > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
@@ -377,7 +382,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
-3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
+3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
@@ -385,8 +390,8 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
### Autopilot registration using MSfB
->[!IMPORTANT]
->If you've already registered your VM (or device) using Intune, then skip this step.
+> [!IMPORTANT]
+> If you've already registered your VM (or device) using Intune, then skip this step.
Optional: see the following video for an overview of the process.
@@ -408,8 +413,8 @@ Click the **Add devices** link to upload your CSV file. A message will appear in
## Create and assign a Windows Autopilot deployment profile
->[!IMPORTANT]
->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
+> [!IMPORTANT]
+> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
Pick one:
- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
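Review bot: The IMPORTANT alert ends with a colon ("only pick one for purposes of this lab:") and is immediately followed by the body line "Pick one:", so the instruction is stated twice and the alert reads as if it introduces a list it does not contain. End the alert with a period and keep "Pick one:" as the list lead-in, or drop "Pick one:".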
@@ -417,12 +422,12 @@ Pick one:
### Create a Windows Autopilot deployment profile using Intune
->[!NOTE]
->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
+> [!NOTE]
+> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:

->The example above lists both a physical device and a VM. Your list should only include only one of these.
+> The example above lists both a physical device and a VM. Your list should only include only one of these.
To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
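Review bot: The re-quoted line still reads "Your list should only include only one of these." with "only" duplicated. Since this line is being changed anyway, fix it to "Your list should include only one of these."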
@@ -458,7 +463,7 @@ See the following example:
Click on **OK** and then click on **Create**.
->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
+> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
#### Assign the profile
@@ -534,8 +539,8 @@ Confirm the profile was successfully assigned to the intended device by checking

->[!IMPORTANT]
->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
+> [!IMPORTANT]
+> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
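Review bot: In the IMPORTANT alert, "if the device has not been started, and gone through OOBE" is ambiguous because of the comma: it can be read as requiring that the device has gone through OOBE. Reword to something like "only if the device has not already been started and taken through OOBE", which matches the following sentences about reinstalling Windows before a second profile can be applied.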
@@ -545,14 +550,14 @@ If you shut down your VM after the last reset, it’s time to start it back up a
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
->[!TIP]
->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+> [!TIP]
+> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
+
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
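Review bot: The TIP packs a full reset procedure into one parenthesis and leaves the UI labels (Settings > Update & Security > Recovery, Get started, Reset this PC, Remove everything, Just remove my files, Reset) unformatted, while the rest of the guide bolds UI labels such as **Sync** and **Refresh**. Bold the labels here too, and if the "Reset the VM back to Out-Of-Box-Experience (OOBE)" section already covers these steps, link to it instead of repeating them.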
@@ -570,35 +575,38 @@ To use the device (or VM) for other purposes after completion of this lab, you w
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
-
+
Click **X** when challenged to complete the operation:
-
+
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
+
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
+
+> [!NOTE]
+> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
To remove the device from the Autopilot program, select the device and click Delete.
-
+
A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
+
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
-
+
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
-
+
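Review bot: Splitting the "All Devices" paragraph at "Note:" moves the sentence beginning "The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered..." into the NOTE alert, so "The former" is now in the body and "The latter" is inside the note. Only "A device will only appear in the All devices list once it has booted." is the aside. Keep the "latter" sentence in the body paragraph next to "The former", and place the NOTE after both.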
## Appendix A: Verify support for Hyper-V
@@ -618,9 +626,9 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
In this example, the computer supports SLAT and Hyper-V.
->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+> If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
-You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
+You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [Coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
C:>coreinfo -v
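Review bot: This line is touched only to capitalize "Coreinfo", but its three links still point at blogs.msdn.microsoft.com and technet.microsoft.com while other links in this guide use docs.microsoft.com. Check that these targets still resolve and update them in the same change.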
@@ -637,7 +645,8 @@ VMX * Supports Intel hardware-assisted virtualization
EPT * Supports Intel extended page tables (SLAT)
-Note: A 64-bit operating system is required to run Hyper-V.
+> [!NOTE]
+> A 64-bit operating system is required to run Hyper-V.
## Appendix B: Adding apps to your profile
@@ -645,10 +654,10 @@ Note: A 64-bit operating system is required to run Hyper-V.
#### Prepare the app for Intune
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
-2. The name of the setup executable file
+2. The name of the setup executable file
3. The output folder for the new file
For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
@@ -657,7 +666,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
+
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -667,50 +676,51 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Windows app (Win32)**:
-
+
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
+
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
+
On the **Program Configuration** blade, supply the install and uninstall commands:
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
-NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+> [!NOTE]
+> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
+
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
+
Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
+
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
+
-Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
-
+
Click **OK** to exit.
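Review bot: The paragraph after the Program Configuration step says the Notepad++ .msi comes from a third party provider rather than from the Notepad++ project, and the lab goes on to assign it as a required app, but nothing in these steps has the reader check the package before running it through IntuneWinAppUtil. Add a sentence telling readers to verify the installer (publisher signature or a published hash, whichever the provider offers) before packaging it, and to use an installer from a source they trust if they adapt this procedure outside the lab.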
@@ -720,31 +730,32 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
-
+
You will be able to find your app in your app list:
-
+
#### Assign the app to your Intune profile
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
+> [!NOTE]
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select **Required** from the **Assignment type** dropdown menu:
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
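Review bot: "Once the indicator message says the addition has completed." near the top of this hunk is a sentence fragment; join it to the line that follows the screenshot, for example "Once the indicator message says the addition has completed, you will be able to find your app in your app list:", and keep the images after it. In the converted NOTE, "GROUP" in capitals can also go to lower case now that the alert itself provides the emphasis.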
@@ -754,7 +765,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add a Win32 app to Intune.
@@ -768,51 +779,52 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Office 365 Suite > Windows 10**:
-
+
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
+
Click **OK**.
-In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
+In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
+
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
+
Click **OK** and then click **Add**.
#### Assign the app to your Intune profile
-**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
-
+> [!NOTE]
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select **Required** from the **Assignment type** dropdown menu:
->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
+> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
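Review bot: Two wording problems sit in unchanged lines of this hunk and could be fixed in the same pass: "For the purposes of this labe we have only selected Excel" should read "this lab", and the navigation path is written "Intune > Clients apps > Apps" at the top of the hunk but "Intune > Client Apps > Apps" in the assignment step. The removed and added "In the **App Suite Information** pane" lines also look identical here, so that change appears to be whitespace only; confirm it is intended.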
@@ -822,7 +834,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add Office to Intune.
@@ -830,7 +842,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
+
## Glossary
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md
index 81cc5bf9a7..8a7020e6c9 100644
--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@@ -204,8 +204,11 @@ See the following examples.
- Enable the account and specify the local administrator password: Optional.
- Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**.
+ > [!IMPORTANT]
+ > The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which uses the System Preparation Tool (sysprep). This action will fail if the target machine is joined to a domain.
+
>[!IMPORTANT]
- >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain.
+ > The System Preparation Tool (sysprep) will run with the /Generalize parameter which, on Windows 10 versions 1903 and 1909, will delete the Autopilot profile file and the machine will boot into OOBE phase instead of Autopilot phase. To fix this issue, please see [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues).
5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page.
6. On the State Migration page, enter the following details:
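Review bot: The two alerts in this step now use different marker styles: the added block opens with "> [!IMPORTANT]" while the retained one keeps ">[!IMPORTANT]" and is followed by a line that starts "> The System Preparation Tool". Use the spaced form for both so the pair renders consistently. The new /Generalize caveat links to the known-issues article through an absolute docs.microsoft.com URL even though that article lives in the same windows-autopilot folder as this file; a relative link would survive a site move, and naming the workaround in one clause would let the reader act on the step without leaving the page.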
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 786649ef6a..e4464fdddc 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -161,7 +161,6 @@ The following methodology was used to derive these network endpoints:
|||HTTPS|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||HTTPS|*.prod.do.dsp.mp.microsoft.com|
-|||HTTP|cs9.wac.phicdn.net|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
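Review bot: The "cs9.wac.phicdn.net" row is dropped from the Windows Update group with no accompanying text, and administrators build firewall and proxy allowlists from this table. Please record in the change description whether version 1903 devices no longer contact that host or whether it was listed in error, so readers who already allow it know whether the rule can be removed.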
diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml
index 1edda2c7ba..7df978985d 100644
--- a/windows/release-information/resolved-issues-windows-10-1507.yml
+++ b/windows/release-information/resolved-issues-windows-10-1507.yml
@@ -33,7 +33,6 @@ sections:
text: "
"
@@ -52,12 +51,3 @@ sections:
Summary Originating update Status Date resolved
- Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >OS Build 10240.18334
September 23, 2019
KB4522009Resolved
KB4520011October 08, 2019
10:00 AM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >OS Build 10240.18305
August 13, 2019
KB4512497Resolved
KB4517276August 17, 2019
02:00 PM PT
"
-
-- title: August 2019
-- items:
- - type: markdown
- text: "
- Intermittent issues when printing
Back to topOS Build 10240.18334
September 23, 2019
KB4522009Resolved
KB4520011Resolved:
October 08, 2019
10:00 AM PT
Opened:
September 30, 2019
06:26 PM PT
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml
index cabf372d2e..5585df19da 100644
--- a/windows/release-information/resolved-issues-windows-10-1607.yml
+++ b/windows/release-information/resolved-issues-windows-10-1607.yml
@@ -36,8 +36,6 @@ sections:
- Details Originating update Status History
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 10240.18305
August 13, 2019
KB4512497Resolved
KB4517276Resolved:
August 17, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PTIntermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >OS Build 14393.3206
September 23, 2019
KB4522010Resolved
KB4519998October 08, 2019
10:00 AM PTIME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 14393.3204
September 10, 2019
KB4516044Resolved September 17, 2019
04:47 PM PT
- Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.
See details >OS Build 14393.3053
June 18, 2019
KB4503294Resolved
KB4516044September 10, 2019
10:00 AM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 14393.3025
June 11, 2019
KB4503267Resolved
KB4512495August 17, 2019
02:00 PM PT
"
@@ -64,16 +62,6 @@ sections:
text: "
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >OS Build 14393.3144
August 13, 2019
KB4512517Resolved
KB4512495August 17, 2019
02:00 PM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History
- Apps and scripts using the NetQueryDisplayInformation API may fail with error
Back to topOS Build 14393.3053
June 18, 2019
KB4503294Resolved
KB4516044Resolved:
September 10, 2019
10:00 AM PT
Opened:
August 01, 2019
05:00 PM PT
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 14393.3144
August 13, 2019
KB4512517Resolved
KB4512495Resolved:
August 17, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
"
diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml
index 669db319e1..c85bdd82e9 100644
--- a/windows/release-information/resolved-issues-windows-10-1709.yml
+++ b/windows/release-information/resolved-issues-windows-10-1709.yml
@@ -35,8 +35,6 @@ sections:
- Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 14393.3025
June 11, 2019
KB4503267Resolved
KB4512495Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PTUnable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
See details >OS Build 16299.1387
September 10, 2019
KB4516066Resolved
KB4534318January 23, 2020
02:00 PM PTIntermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >OS Build 16299.1392
September 23, 2019
KB4522012Resolved
KB4520004October 08, 2019
10:00 AM PT
- IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 16299.1387
September 10, 2019
KB4516066Resolved September 19, 2019
04:08 PM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 16299.1217
June 11, 2019
KB4503284Resolved
KB4512494August 16, 2019
02:00 PM PT
"
@@ -65,21 +63,3 @@ sections:
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >OS Build 16299.1331
August 13, 2019
KB4512516Resolved
KB4512494August 16, 2019
02:00 PM PT
"
-
-- title: August 2019
-- items:
- - type: markdown
- text: "
- IME may become unresponsive or have High CPU usage
Back to topOS Build 16299.1387
September 10, 2019
KB4516066Resolved Resolved:
September 19, 2019
04:08 PM PT
Opened:
September 13, 2019
05:25 PM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 16299.1331
August 13, 2019
KB4512516Resolved
KB4512494Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
- "
diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml
index c5f045f610..63b5bd826c 100644
--- a/windows/release-information/resolved-issues-windows-10-1803.yml
+++ b/windows/release-information/resolved-issues-windows-10-1803.yml
@@ -38,8 +38,6 @@ sections:
- Details Originating update Status History
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 16299.1217
June 11, 2019
KB4503284Resolved
KB4512494Resolved:
August 16, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PTIntermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >OS Build 17134.1009
September 23, 2019
KB4522014Resolved
KB4520008October 08, 2019
10:00 AM PTIME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 17134.1006
September 10, 2019
KB4516058Resolved September 19, 2019
04:08 PM PT
- Notification issue: \"Your device is missing important security and quality fixes.\"
Some users may have incorrectly received the notification \"Your device is missing important security and quality fixes.\"
See details >N/A Resolved September 03, 2019
12:32 PM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17134.829
June 11, 2019
KB4503286Resolved
KB4512509August 19, 2019
02:00 PM PT
"
@@ -71,24 +69,6 @@ sections:
"
-- title: August 2019
-- items:
- - type: markdown
- text: "
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >OS Build 17134.950
August 13, 2019
KB4512501Resolved
KB4512509August 19, 2019
02:00 PM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 17134.950
August 13, 2019
KB4512501Resolved
KB4512509Resolved:
August 19, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
- "
-
- title: June 2019
- items:
- type: markdown
diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
index 727b436221..2eb42f02b4 100644
--- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml
@@ -39,8 +39,6 @@ sections:
- Details Originating update Status History
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17134.829
June 11, 2019
KB4503286Resolved
KB4512509Resolved:
August 19, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PTIntermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >OS Build 17763.740
September 23, 2019
KB4522015Resolved
KB4519338October 08, 2019
10:00 AM PTApps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call NetQueryDisplayInformation may fail to return results after the first page of data.
See details >OS Build 17763.55
October 09, 2018
KB4464330Resolved
KB4516077September 24, 2019
10:00 AM PT
- IME may become unresponsive or have High CPU usage
Some Input Method Editor (IME) including ChsIME.EXE and ChtIME.EXE, may become unresponsive or may have high CPU usage.
See details >OS Build 17763.737
September 10, 2019
KB4512578Resolved September 19, 2019
04:08 PM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >OS Build 17763.557
June 11, 2019
KB4503327Resolved
KB4512534August 17, 2019
02:00 PM PT
"
@@ -78,16 +76,6 @@ sections:
text: "
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >OS Build 17763.678
August 13, 2019
KB4511553Resolved
KB4512534August 17, 2019
02:00 PM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
- Details Originating update Status History
- Apps and scripts using the NetQueryDisplayInformation API may fail with error
Back to topOS Build 17763.55
October 09, 2018
KB4464330Resolved
KB4516077Resolved:
September 24, 2019
10:00 AM PT
Opened:
August 01, 2019
05:00 PM PT
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topOS Build 17763.678
August 13, 2019
KB4511553Resolved
KB4512534Resolved:
August 17, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
"
diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
index 8ae49f0e18..7a74412dba 100644
--- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -37,10 +37,6 @@ sections:
- Details Originating update Status History Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topOS Build 17763.557
June 11, 2019
KB4503327Resolved
KB4512534Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PTMSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
See details >Resolved January 23, 2020
02:08 PM PTIntermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >September 24, 2019
KB4516048Resolved
KB4519976October 08, 2019
10:00 AM PT
- You may receive an error when opening or using the Toshiba Qosmio AV Center
Toshiba Qosmio AV Center may error when opening and you may also receive an error in Event Log related to cryptnet.dll.
See details >August 13, 2019
KB4512506Resolved
KB4516048September 24, 2019
10:00 AM PT
- Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Windows updates that are SHA-2 signed are not available with Symantec or Norton antivirus program installed
See details >August 13, 2019
KB4512506Resolved External August 27, 2019
02:29 PM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503292Resolved
KB4512514August 17, 2019
02:00 PM PT
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512506Resolved
KB4517297August 16, 2019
02:00 PM PT
"
@@ -87,31 +83,3 @@ sections:
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493472Resolved External August 13, 2019
06:59 PM PT
"
-
-- title: August 2019
-- items:
- - type: markdown
- text: "
- You may receive an error when opening or using the Toshiba Qosmio AV Center
Back to topAugust 13, 2019
KB4512506Resolved
KB4516048Resolved:
September 24, 2019
10:00 AM PT
Opened:
September 10, 2019
09:48 AM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Windows updates that are SHA-2 signed may not be offered for Symantec and Norton AV
Back to topAugust 13, 2019
KB4512506Resolved External Last updated:
August 27, 2019
02:29 PM PT
Opened:
August 13, 2019
10:05 AM PT
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512506Resolved
KB4517297Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503292Resolved
KB4512514Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
- "
diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
index 3ad99d98ca..bcebc8ddb6 100644
--- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml
@@ -35,9 +35,6 @@ sections:
- Details Originating update Status History
- System may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493472Resolved External Last updated:
August 13, 2019
06:59 PM PT
Opened:
April 09, 2019
10:00 AM PTPrinting from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.
See details >August 13, 2019
KB4512489Resolved
KB4525250November 12, 2019
10:00 AM PTIntermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >September 24, 2019
KB4516041Resolved
KB4520005October 08, 2019
10:00 AM PT
- Windows RT 8.1 devices may have issues opening Internet Explorer 11
On Windows RT 8.1 devices, Internet Explorer 11 may not open and you may receive an error.
See details >September 10, 2019
KB4516067Resolved
KB4516041September 24, 2019
10:00 AM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503276Resolved
KB4512478August 17, 2019
02:00 PM PT
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512488Resolved
KB4517298August 16, 2019
02:00 PM PT
"
@@ -66,30 +63,3 @@ sections:
System may be unresponsive after restart with certain McAfee antivirus products
Devices running certain McAfee Endpoint security applications may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493446Resolved External August 13, 2019
06:59 PM PT
"
-
-- title: August 2019
-- items:
- - type: markdown
- text: "
- Windows RT 8.1 devices may have issues opening Internet Explorer 11
Back to topSeptember 10, 2019
KB4516067Resolved
KB4516041Resolved:
September 24, 2019
10:00 AM PT
Opened:
September 13, 2019
05:25 PM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512488Resolved
KB4517298Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
- "
-
-- title: April 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503276Resolved
KB4512478Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
- "
diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
index a86f0270a1..8c0739bd8e 100644
--- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
+++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml
@@ -36,8 +36,6 @@ sections:
- Details Originating update Status History
- System may be unresponsive after restart with certain McAfee antivirus products
Back to topApril 09, 2019
KB4493446Resolved External Last updated:
August 13, 2019
06:59 PM PT
Opened:
April 09, 2019
10:00 AM PTMSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
See details >Resolved January 23, 2020
02:08 PM PTIssues manually installing updates by double-clicking the .msu file
You may encounter issues manually installing updates by double-clicking the .msu file and may receive an error.
See details >September 10, 2019
KB4474419Resolved
KB4474419September 23, 2019
10:00 AM PT
- Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >September 24, 2019
KB4516030Resolved
KB4520002October 08, 2019
10:00 AM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503273Resolved
KB4512499August 17, 2019
02:00 PM PT
"
@@ -75,21 +73,3 @@ sections:
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512476Resolved
KB4517301August 16, 2019
02:00 PM PT
"
-
-- title: August 2019
-- items:
- - type: markdown
- text: "
- Intermittent issues when printing
Back to topSeptember 24, 2019
KB4516030Resolved
KB4520002Resolved:
October 08, 2019
10:00 AM PT
Opened:
September 30, 2019
06:26 PM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512476Resolved
KB4517301Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
- "
diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml
index a3edb4121f..87c57cef75 100644
--- a/windows/release-information/resolved-issues-windows-server-2012.yml
+++ b/windows/release-information/resolved-issues-windows-server-2012.yml
@@ -34,8 +34,6 @@ sections:
- Details Originating update Status History
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503273Resolved
KB4512499Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
"
@@ -63,21 +61,3 @@ sections:
Summary Originating update Status Date resolved Printing from 32-bit apps might fail on a 64-bit OS
When attempting to print, you may receive an error or the application may stop responding or close.
See details >August 13, 2019
KB4512482Resolved
KB4525253November 12, 2019
10:00 AM PT
- Intermittent issues when printing
The print spooler service may intermittently have issues completing a print job and results print job failure.
See details >September 24, 2019
KB4516069Resolved
KB4520007October 08, 2019
10:00 AM PT
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using PXE images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"
See details >June 11, 2019
KB4503285Resolved
KB4512512August 17, 2019
02:00 PM PTApps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications made using VB6, macros using VBA, and VBScript may stop responding and you may receive an error.
See details >August 13, 2019
KB4512518Resolved
KB4517302August 16, 2019
02:00 PM PT
"
-
-- title: August 2019
-- items:
- - type: markdown
- text: "
- Intermittent issues when printing
Back to topSeptember 24, 2019
KB4516069Resolved
KB4520007Resolved:
October 08, 2019
10:00 AM PT
Opened:
September 30, 2019
06:26 PM PT
- "
-
-- title: July 2019
-- items:
- - type: markdown
- text: "
-
- Details Originating update Status History
- Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Back to topAugust 13, 2019
KB4512518Resolved
KB4517302Resolved:
August 16, 2019
02:00 PM PT
Opened:
August 14, 2019
03:34 PM PT
- "
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index df76e08bd1..9c9ab15b4e 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
- Details Originating update Status History
- Devices starting using PXE from a WDS or SCCM servers may fail to start
Back to topJune 11, 2019
KB4503285Resolved
KB4512512Resolved:
August 17, 2019
02:00 PM PT
Opened:
July 10, 2019
02:51 PM PT
@@ -72,6 +73,15 @@ sections:
+ Summary Originating update Status Last updated You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496
See details >N/A
February 11, 2020
KB4502496Mitigated February 15, 2020
01:22 AM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >OS Build 10240.18368
October 08, 2019
KB4520011Mitigated External November 05, 2019
03:36 PM PTCertain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details >OS Build 10240.18094
January 08, 2019
KB4480962Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
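Review bot: The added summary row for KB4502496 describes the issue only as "You might encounter issues trying to install or after installing KB4502496", which restates the title without naming a symptom. Since the row is marked "Mitigated", add a clause saying what the user sees or what the mitigation is, so the table is useful without opening the details entry.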
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 349276ccd7..7aa6de52e5 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -60,7 +60,8 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History
+ You might encounter issues with KB4502496
Back to topN/A
February 11, 2020
KB4502496Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
"
-- title: October 2019
-- items:
- - type: markdown
- text: "
-
- Summary Originating update Status Last updated
+ Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.
See details >OS Build 14393.2608
November 13, 2018
KB4467691Resolved External January 23, 2020
02:08 PM PT
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTYou might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >OS Build 14393.3274
October 08, 2019
KB4519998Mitigated External November 05, 2019
03:36 PM PTCertain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details >OS Build 14393.2724
January 08, 2019
KB4480961Mitigated April 25, 2019
02:00 PM PT
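Review bot: The summary text added for "“Reset this PC” feature might fail" only says that the feature "is also called “Push Button Reset” or PBR" and never states the symptom, so a reader scanning the summary table cannot tell what fails or when. Put the observable failure in the summary and move the alias into the details entry. In the same table, "TLS connections might fail or timeout" should use the verb form "time out".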
@@ -74,6 +75,16 @@ sections:
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start if “Minimum Password Length” is configured with greater than 14 characters.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
@@ -97,7 +108,6 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History
+ “Reset this PC” feature might fail
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
+ You might encounter issues with KB4524244
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
"
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index 68f5967f84..8938c52372 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -60,7 +60,8 @@ sections:
- type: markdown
text: "
- Details Originating update Status History Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
Back to topOS Build 14393.2608
November 13, 2018
KB4467691Resolved External Last updated:
January 23, 2020
02:08 PM PT
Opened:
November 13, 2018
10:00 AM PTCluster service may fail if the minimum password length is set to greater than 14
Back to topOS Build 14393.2639
November 27, 2018
KB4467684Mitigated Last updated:
April 25, 2019
02:00 PM PT
Opened:
November 27, 2018
10:00 AM PT
@@ -73,6 +74,16 @@ sections:
- Summary Originating update Status Last updated
+ Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
See details >OS Build 16299.1387
September 10, 2019
KB4516066Resolved
KB4534318January 23, 2020
02:00 PM PT
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTYou might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >OS Build 16299.1451
October 08, 2019
KB4520004Mitigated External November 05, 2019
03:36 PM PTCertain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details >OS Build 16299.904
January 08, 2019
KB4480978Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
@@ -82,15 +93,6 @@ sections:
+ Details Originating update Status History
+ “Reset this PC” feature might fail
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
+ You might encounter issues with KB4524244
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index d5408f495b..1baf22a6b0 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -64,7 +64,8 @@ sections:
- type: markdown
text: "
- Details Originating update Status History
- Unable to create local users in Chinese, Japanese and Korean during device setup
Back to topOS Build 16299.1387
September 10, 2019
KB4516066Resolved
KB4534318Resolved:
January 23, 2020
02:00 PM PT
Opened:
October 29, 2019
05:15 PM PT
@@ -77,6 +78,16 @@ sections:
- Summary Originating update Status Last updated
+ Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
See details >OS Build 17134.1006
September 10, 2019
KB4516058Resolved
KB4534308January 23, 2020
02:00 PM PT
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTYou might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >OS Build 17134.1069
October 08, 2019
KB4520008Mitigated External November 05, 2019
03:36 PM PTCertain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details >OS Build 17134.523
January 08, 2019
KB4480966Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
@@ -86,15 +97,6 @@ sections:
"
-- title: October 2019
-- items:
- - type: markdown
- text: "
-
+ Details Originating update Status History
+ “Reset this PC” feature might fail
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
+ You might encounter issues with KB4524244
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
- "
-
- title: January 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index 7beb2e9c30..a684f5350f 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -64,7 +64,8 @@ sections:
- type: markdown
text: "
- Details Originating update Status History
- Unable to create local users in Chinese, Japanese and Korean during device setup
Back to topOS Build 17134.1006
September 10, 2019
KB4516058Resolved
KB4534308Resolved:
January 23, 2020
02:00 PM PT
Opened:
October 29, 2019
05:15 PM PT
"
-- title: October 2019
-- items:
- - type: markdown
- text: "
-
- Summary Originating update Status Last updated
+ Unable to create local users in Chinese, Japanese and Korean during device setup
You might be unable to create users in Chinese, Japanese and Korean using Input Method Editor (IME) during OOBE.
See details >OS Build 17763.737
September 10, 2019
KB4512578Resolved
KB4534321January 23, 2020
02:00 PM PT
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTYou might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >OS Build 17763.805
October 08, 2019
KB4519338Mitigated External November 05, 2019
03:36 PM PTDevices with some Asian language packs installed may receive an error
Devices with Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND.\"
See details >OS Build 17763.437
April 09, 2019
KB4493509Mitigated May 03, 2019
10:59 AM PT
@@ -78,6 +79,16 @@ sections:
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details >OS Build 17763.253
January 08, 2019
KB4480116Mitigated April 09, 2019
10:00 AM PT
+ "
+
- title: November 2019
- items:
- type: markdown
@@ -87,15 +98,6 @@ sections:
+ Details Originating update Status History
+ “Reset this PC” feature might fail
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
+ You might encounter issues with KB4524244
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
- "
-
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index c37a9ca547..4fe4e28478 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -64,6 +64,8 @@ sections:
- type: markdown
text: "
- Details Originating update Status History
- Unable to create local users in Chinese, Japanese and Korean during device setup
Back to topOS Build 17763.737
September 10, 2019
KB4512578Resolved
KB4534321Resolved:
January 23, 2020
02:00 PM PT
Opened:
October 29, 2019
05:15 PM PT
@@ -76,6 +78,16 @@ sections:
+ Summary Originating update Status Last updated
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTYou might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTIssues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
See details >N/A Mitigated External November 25, 2019
05:25 PM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >OS Build 18362.418
October 08, 2019
KB4517389Mitigated External November 05, 2019
03:36 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
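Review bot: In the added summary row for the Avast and AVG issue, "Microsoft and Avast has identified compatibility issues" has a subject-verb mismatch and should read "have identified". The same row spells the product category two ways ("anti-virus" in the title, "Antivirus" in the description). Pick one spelling and use it in both places.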
diff --git a/windows/release-information/status-windows-10-1909.yml b/windows/release-information/status-windows-10-1909.yml
index 5d5aa24d52..6029fe13f7 100644
--- a/windows/release-information/status-windows-10-1909.yml
+++ b/windows/release-information/status-windows-10-1909.yml
@@ -64,6 +64,8 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History
+ “Reset this PC” feature might fail
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
+ You might encounter issues with KB4524244
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
"
@@ -75,6 +77,16 @@ sections:
+ Summary Originating update Status Last updated
+ “Reset this PC” feature might fail
“Reset this PC” feature is also called “Push Button Reset” or PBR.
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTYou might encounter issues with KB4524244
You might encounter issues trying to install or after installing KB4524244
See details >N/A
February 11, 2020
KB4524244Mitigated February 15, 2020
01:22 AM PTIssues with some older versions of Avast and AVG anti-virus products
Microsoft and Avast has identified compatibility issues with some versions of Avast and AVG Antivirus.
See details >N/A Mitigated External November 25, 2019
05:25 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index d47c63c516..d7e5928590 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -62,7 +62,6 @@ sections:
+ Details Originating update Status History
+ “Reset this PC” feature might fail
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
+ You might encounter issues with KB4524244
Back to topN/A
February 11, 2020
KB4524244Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
@@ -98,7 +97,6 @@ sections:
- type: markdown
text: "
Summary Originating update Status Last updated After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.
See details >February 11, 2020
KB4537820Resolved February 12, 2020
05:37 PM PT
- Custom wallpaper displays as black
Using a custom image set to \"Stretch\" might not display as expected.
See details >January 14, 2020
KB4534310Resolved
KB4539601February 07, 2020
10:00 AM PTMSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
See details >Resolved January 23, 2020
02:08 PM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >October 08, 2019
KB4519976Mitigated External November 05, 2019
03:36 PM PTIA64 and x64 devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64 and x64 devices using EFI Boot may fail to start.
See details >August 13, 2019
KB4512506Mitigated August 17, 2019
12:59 PM PT
"
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index 596f76e9d2..1d522d681a 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
- Details Originating update Status History MSRT might fail to install and be re-offered from Windows Update or WSUS
Back to topResolved Resolved:
January 23, 2020
02:08 PM PT
Opened:
November 15, 2019
05:59 PM PTTLS connections might fail or timeout
Back to topOctober 08, 2019
KB4519976Mitigated External Last updated:
November 05, 2019
03:36 PM PT
Opened:
November 05, 2019
03:36 PM PT
+ Summary Originating update Status Last updated You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496
See details >February 11, 2020
KB4502496Mitigated February 15, 2020
01:22 AM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >October 08, 2019
KB4520005Mitigated External November 05, 2019
03:36 PM PTJapanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
See details >April 25, 2019
KB4493443Mitigated May 15, 2019
05:53 PM PT
@@ -73,6 +74,15 @@ sections:
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details >January 08, 2019
KB4480963Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index 44b16a1a5e..cf035b38eb 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -61,7 +61,6 @@ sections:
text: "
+ Details Originating update Status History
+ You might encounter issues with KB4502496
Back to topFebruary 11, 2020
KB4502496Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
"
@@ -87,7 +86,6 @@ sections:
- type: markdown
text: "
Summary Originating update Status Last updated
- After installing an update and restarting, you might receive an error
You might receive the error, “Failure to configure Windows updates. Reverting Changes.” or \"Failed\" in Update History.
See details >February 11, 2020
KB4537810Resolved February 12, 2020
05:37 PM PTMSRT might fail to install and be re-offered from Windows Update or WSUS
The November 2019 update for Windows Malicious Software Removal Tool (MSRT) might fail to install from WU/WSUS.
See details >Resolved January 23, 2020
02:08 PM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >October 08, 2019
KB4520002Mitigated External November 05, 2019
03:36 PM PT
"
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index c83ea0923f..cba7737955 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
- Details Originating update Status History MSRT might fail to install and be re-offered from Windows Update or WSUS
Back to topResolved Resolved:
January 23, 2020
02:08 PM PT
Opened:
November 15, 2019
05:59 PM PTTLS connections might fail or timeout
Back to topOctober 08, 2019
KB4520002Mitigated External Last updated:
November 05, 2019
03:36 PM PT
Opened:
November 05, 2019
03:36 PM PT
+ Summary Originating update Status Last updated You might encounter issues with KB4502496
You might encounter issues trying to install or after installing KB4502496
See details >February 11, 2020
KB4502496Mitigated February 15, 2020
01:22 AM PTTLS connections might fail or timeout
Transport Layer Security (TLS) connections might fail or timeout when connecting or attempting a resumption.
See details >October 08, 2019
KB4520007Mitigated External November 05, 2019
03:36 PM PTJapanese IME doesn't show the new Japanese Era name as a text input option
With previous dictionary updates installed, the Japanese IME doesn't show the new Japanese Era name as an input option.
See details >April 25, 2019
KB4493462Mitigated May 15, 2019
05:53 PM PT
@@ -73,6 +74,15 @@ sections:
Certain operations performed on a Cluster Shared Volume may fail
Operations performed on files or folders on a CSV may fail with the error: STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).
See details >January 08, 2019
KB4480975Mitigated April 25, 2019
02:00 PM PT
+ "
+
- title: November 2019
- items:
- type: markdown
diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml
index 2bc18cf098..28f4b85576 100644
--- a/windows/release-information/windows-message-center.yml
+++ b/windows/release-information/windows-message-center.yml
@@ -50,10 +50,13 @@ sections:
text: "
+ Details Originating update Status History
+ You might encounter issues with KB4502496
Back to topFebruary 11, 2020
KB4502496Mitigated Last updated:
February 15, 2020
01:22 AM PT
Opened:
February 15, 2020
12:02 AM PT
"
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 228b863e82..3d77adab6e 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -3375,7 +3375,7 @@ This security group has not changed since Windows Server 2008.
### Server Operators
-Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Memebers of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
+Members in the Server Operators group can administer domain servers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved.
By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups, Administrators and Domain Admins, in the domain, and the Enterprise Admins group. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table.
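Review bot: The corrected paragraph still says "By default, the group has no members", and the next paragraph opens with "By default, this built-in group has no members", so the same fact is stated twice within a few lines. Since the line is being edited for the "Memebers" typo, drop one of the two statements. Also settle on either "Members in" or "Members of", since the paragraph uses both.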
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 69155363d3..a7532b9ecf 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -141,7 +141,7 @@ You can also check that Windows Defender Credential Guard is running by using th
DG_Readiness_Tool_v3.6.ps1 -Ready
```
> [!IMPORTANT]
-> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
+> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work.
> This is a known issue.
> [!NOTE]
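Review bot: The added line fixes `$OSAch` in the replacement text, but the original snippet in the same sentence still begins with what looks like a stray asterisk: `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture`. A reader who searches the script for that exact string will not find it. Remove the `*` so both snippets can be copied as written.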
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index a40f945ba3..0b01799ab2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -35,7 +35,7 @@ ms.reviewer:
The Microsoft PIN reset services enables you to help users recover who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment.
>[!IMPORTANT]
-> The Microsoft PIN Reset service only works with Windows 10, version 1709 to 1809 with **Enterprise Edition**. The feature works with **Pro** edition with Windows 10, version 1903 and newer.
+> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer.
### Onboarding the Microsoft PIN reset service to your Intune tenant
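Review bot: The added note opens with "only works with **Enterprise Edition**" and then lists Pro in the next sentence, so the word "only" reads as a contradiction until the version ranges are parsed. Stating the rule per version would be clearer, for example "Windows 10, version 1709 to 1809: Enterprise edition only. Windows 10, version 1903 and newer: Enterprise and Pro editions." The casing is also inconsistent ("**Enterprise Edition**" against "**Pro** edition").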
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index c3e7e88640..fee621245c 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -33,12 +33,14 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc
|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
+ Message Date
+ February 2020 Windows 10, version 1909 and Windows 10, version 1903 \"D\" optional release is available February 27, 2020
01:30 PM PT
+ February 2020 Windows \"C\" optional release is available. February 25, 2020
08:00 AM PTStatus of February 2020 “C” release February 21, 2020
12:00 PM PTCompatibility issue with some Windows Server container images February 13, 2020
03:21 PM PTTake action: February 2020 security update available for all supported versions of Windows February 11, 2020
08:00 AM PT
- Take action: ESU security updates available for Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 February 11, 2020
08:00 AM PT
+ Resolved: Windows Search shows blank box February 05, 2020
12:00 PM PTResolved: Windows Search shows blank box February 05, 2020
12:00 PM PTJanuary 2020 Windows 10, version 1909 \"D\" optional release is available. January 28, 2020
08:00 AM PTJanuary 2020 Windows \"C\" optional release is available. January 23, 2020
12:00 PM PT
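Review bot: The message table now lists "Resolved: Windows Search shows blank box" twice in a row, both dated February 05, 2020, 12:00 PM PT. If the second row is not meant to carry different content, drop one of them so the message center does not show the same announcement twice.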
@@ -81,10 +84,6 @@ sections:
Windows 7 has reached end of support January 15, 2020
10:00 AM PTStatus update: Windows 10, version 1903 \"D\" optional release available August 30th August 30, 2019
08:00 AM PTFeature update install notification on Windows 10, version 1809 (the October 2018 Update) August 29, 2019
04:39 PM PT
- Take Action: Internet Explorer 11 now available on Windows Update/WSUS for Windows Server 2012 and Windows Embedded 8 Standard August 29, 2019
08:00 AM PT
- Take action: SHA-2 code signing support guidance for Windows 7 SP1 and Windows Server 2008 RS2 SP1 August 23, 2019
03:35 PM PT
- Take action: Windows 10, version 1703 (the Windows 10 Creators Update) reaches end of life on October 9, 2019 August 23, 2019
02:17 PM PT
- Resolved: Delays starting Internet Explorer 11 August 16, 2019
04:00 PM PTAdvisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162) August 13, 2019
10:00 AM PTWindows 10, version 1903 rollout begins
The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.May 21, 2019
10:00 AM PT
(Replace "contoso" with your domain name(s)|
|-----------------------------|---------------------------------------------------------------------|
-|Office 365 for Business |
|
+|Sharepoint Online |
|
|Yammer |
|
|Outlook Web Access (OWA) |
|
|Microsoft Dynamics |contoso.crm.dynamics.com |
|Visual Studio Online |contoso.visualstudio.com |
|Power BI |contoso.powerbi.com |
+|Microsoft Teams |teams.microsoft.com |
+|Other Office 365 services |
|
You can add other work-only apps to the Cloud Resource list, or you can create a packaged app rule for the .exe file to protect every file the app creates or modifies. Depending on how the app is accessed, you might want to add both.
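Review bot: The added row "|Sharepoint Online |" uses the wrong product casing. It should be "SharePoint Online", matching how the other product names in the table are written. Since this change touches the table anyway, also close the parenthesis in the header cell "(Replace "contoso" with your domain name(s)", which is currently left open.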
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index c969d4994f..55521c5955 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -46,6 +46,7 @@
### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
+#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
@@ -103,12 +104,11 @@
###### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
-### [Automated investigation and remediation]()
-#### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md)
-#### [Use the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md)
-#### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md)
+### [Automated investigation and remediation (AIR)]()
+#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
+#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
+#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
-### [Secure score](microsoft-defender-atp/overview-secure-score.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
### [Advanced hunting]()
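Review bot: The retitled AIR entries swap which file backs which topic. "View and approve remediation actions" now points to manage-auto-investigation.md, while auto-investigation-action-center.md sits behind "View details and results of automated investigations", the reverse of what the file names suggest and of the previous pairing ("Manage actions ..." used auto-investigation-action-center.md). Please confirm the targets are intended and not transposed. The same hunk also removes the "Secure score" overview entry, which leaves the remaining Secure score links in the TOC without a parent topic.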
@@ -342,8 +342,18 @@
#### [Privacy](microsoft-defender-atp/mac-privacy.md)
#### [Resources](microsoft-defender-atp/mac-resources.md)
+### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
+#### [Deploy]()
+##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
+##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
+##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
+#### [Update](microsoft-defender-atp/linux-updates.md)
+#### [Configure]()
+##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
+##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
+#### [Resources](microsoft-defender-atp/linux-resources.md)
-### [Configure Secure score dashboard security controls](microsoft-defender-atp/secure-score-dashboard.md)
+### [Configure Secure score dashboard security controls](microsoft-defender-atp/configuration-score.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
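Review bot: The entry "Configure Secure score dashboard security controls" keeps its old title but now links to microsoft-defender-atp/configuration-score.md, so the link text and the target no longer describe the same thing. Rename the entry to match the new page. In the new Linux block, "Puppet based deployment" and "Ansible based deployment" should be hyphenated ("Puppet-based", "Ansible-based").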
@@ -500,7 +510,7 @@
#### [Pull detections to your SIEM tools]()
#### [Raw data streaming API]()
-##### [Raw data streaming (preview)](microsoft-defender-atp/raw-data-export.md)
+##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
@@ -561,7 +571,6 @@
#### [Update data retention settings](microsoft-defender-atp/data-retention-settings.md)
#### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
#### [Enable and create Power BI reports using Windows Defender Security center data](microsoft-defender-atp/powerbi-reports.md)
-#### [Enable Secure score security controls](microsoft-defender-atp/enable-secure-score.md)
#### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
### [Permissions]()
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index 4103970aa4..204a9b6320 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -32,14 +32,6 @@ Audit Filtering Platform Policy Change allows you to audit events generated by c
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
-This subcategory is outside the scope of this document.
-
-| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
-|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
-| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. |
-| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
-| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
-
- 4709(S): IPsec Services was started.
- 4710(S): IPsec Services was disabled.
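Review bot: With the recommendations table and the "outside the scope of this document" sentence removed, the page goes straight from the WFP description to the event list and no longer says whether Success or Failure auditing is recommended for domain controllers, member servers or workstations. If the subcategory is still out of scope, keep one sentence saying so; if it is now in scope, put the actual recommendation where the table was.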
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index 16ddcac988..c4257e755a 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,7 +1,7 @@
---
title: Threat Protection (Windows 10)
description: Learn how Microsoft Defender ATP helps protect against threats.
-keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, secure score, advanced hunting, cyber threat hunting, web threat protection
+keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, configuration score, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -100,20 +100,17 @@ Endpoint detection and response capabilities are put in place to detect, investi
In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
-- [Threat remediation](microsoft-defender-atp/automated-investigations.md#how-threats-are-remediated)
-- [Manage automated investigation](microsoft-defender-atp/manage-auto-investigation.md)
-- [Analyze automated investigation](microsoft-defender-atp/manage-auto-investigation.md#analyze-automated-investigations)
+- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
+- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
-**[Secure score](microsoft-defender-atp/overview-secure-score.md)**
+**[Configuration Score](microsoft-defender-atp/configuration-score.md)**
>[!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md).
-Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
-- [Asset inventory](microsoft-defender-atp/secure-score-dashboard.md)
-- [Recommended improvement actions](microsoft-defender-atp/secure-score-dashboard.md)
-- [Secure score](microsoft-defender-atp/overview-secure-score.md)
+Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
+- [Configuration score](microsoft-defender-atp/configuration-score.md)
- [Threat analytics](microsoft-defender-atp/threat-analytics.md)
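Review bot: The new bold link is written "Configuration Score", while the note directly below it and the added list item both use "Configuration score", which is also the target page's title. Use one casing. The first list item now repeats the bold heading link to the same configuration-score.md page, so it can be dropped.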
@@ -147,4 +144,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf
**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
\ No newline at end of file
+ With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
index bf486af90d..2326198e30 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@@ -108,6 +108,10 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
+## Microsoft Secure Score
+
+Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning this feature on gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
+
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
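Review bot: The new "## Microsoft Secure Score" section is inserted between the Azure ATP licensing note and the "### Enable the Microsoft Defender ATP integration from the Azure ATP portal" heading, so that H3 now nests under Microsoft Secure Score instead of the Azure ATP integration section it belongs to. Move the new section below the Azure ATP portal steps. The added paragraph also needs a copy edit: "the devices security posture" should be "the device's security posture", and "the same location as the your Microsoft Secure Score data" has a stray "the". Because enabling the feature forwards endpoint signals to another service, a sentence naming which signals are forwarded would help administrators decide whether to turn it on.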
@@ -185,4 +189,3 @@ You'll have access to upcoming features which you can provide feedback on to hel
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications](configure-email-notifications.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Enable Secure Score security controls](enable-secure-score.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
index 0da23ce0b5..49e8e3074a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
@@ -134,15 +134,15 @@ GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
### Block Office applications from creating executable content
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating executable content.
+This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
-This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk.
+ Malware that abuse Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
-This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, Configuration Manager CB 1710
+This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710
Intune name: Office apps/macros creating executable content
-Configuration Manager name: Block Office applications from creating executable content
+SCCM name: Block Office applications from creating executable content
GUID: 3B576869-A4EC-4529-8536-B80A7769E899
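Review bot: The lines changed to "SCCM CB 1710" and "SCCM name:" run against the rest of this patch, which moves the docs to the "Microsoft Endpoint Configuration Manager" name (for example, the supported tools list in configure-server-endpoints.md); keep "Configuration Manager" here. In the rewritten description, "Malware that abuse Office" should be "Malware that abuses Office", and that added line starts with a stray space. The first sentence now says the rule blocks "potentially malicious executable content" by "blocking malicious code", which is circular; say once what is blocked.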
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index 67192e12e8..fdb2c392fa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -1,14 +1,14 @@
---
-title: Manage actions related to automated investigation and remediation
-description: Use the action center to manage actions related to automated investigation and response
+title: View details and results of automated investigations
+description: Use the action center to view details and results following an automated investigation
keywords: action, center, autoir, automated, investigation, response, remediation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
+ms.author: deniseb
+author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -16,36 +16,142 @@ ms.collection: M365-security-compliance
ms.topic: article
---
-# Manage actions related to automated investigation and remediation
+# View details and results of automated investigations
-The Action center aggregates all investigations that require an action for an investigation to proceed or be completed.
+Pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) are listed in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)).
-
+>[!NOTE]
+>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
-The action center consists of two main tabs:
-- Pending actions - Displays a list of ongoing investigations that require attention. A recommended action is presented to the analyst, which they can approve or reject.
-- History - Acts as an audit log for:
- - All actions taken by AutoIR or approved by an analyst with ability to undo actions that support this capability (for example, quarantine file).
- - All commands ran and remediation actions applied in Live Response with ability to undo actions that support this capability.
- - Remediation actions applied by Windows Defender AV with ability to undo actions that support this capability.
+## The Action center
-Use the Customize columns drop-down menu to select columns that you'd like to show or hide.
+
+
+The action center consists of two main tabs, as described in the following table.
+
+|Tab |Description |
+|---------|---------|
+|Pending actions |Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject.
**NOTE**: The Pending tab appears only if there are pending actions to be approved (or rejected). |
+|History |Acts as an audit log for all of the following:
- All actions taken by automated investigation and remediation in Microsoft Defender ATP
Actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- All commands ran and remediation actions that were applied in Live Response sessions (some actions can be undone)
- Remediation actions that were applied by Windows Defender Antivirus (some actions can be undone) |
+
+Use the **Customize columns** menu to select columns that you'd like to show or hide.
+
+You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
+
+## The Investigations page
+
+
+
+On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation.
+
+By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
+
+Use the **Customize columns** menu to select columns that you'd like to show or hide.
From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
+### Filters for the list of investigations
->[!NOTE]
->The tab will only appear if there are pending actions for that category.
+On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters:
-### Approve or reject an action
-You'll need to manually approve or reject pending actions on each of these categories for the automated actions to proceed.
+|Filter |Description |
+|---------|---------|
+|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
+|**Triggering alert** | The alert that initiated the automated investigation |
+|**Detection source** |The source of the alert that initiated the automated investigation. |
+|**Entities** | These can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that you might have created. |
+|**Threat** |The category of threat detected during the automated investigation. |
+|**Tags** |Filter using manually added tags that capture the context of an automated investigation.|
+|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't.|
-Selecting an investigation from any of the categories opens a panel where you can approve or reject the remediation. Other details such as file or service details, investigation details, and alert details are displayed.
+## Automated investigation status
-From the panel, you can click on the Open investigation page link to see the investigation details.
+An automated investigation can be have one of the following status values:
-You also have the option of selecting multiple investigations to approve or reject actions on multiple investigations.
+|Status |Description |
+|---------|---------|
+| No threats found | No malicious entities found during the investigation. |
+| Failed | A problem has interrupted the investigation, preventing it from completing. |
+| Partially remediated | A problem prevented the remediation of some malicious entities. |
+| Pending action | Remediation actions require review and approval. |
+| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
+| Queued | Investigation has been queued and will resume as soon as other remediation activities are completed. |
+| Running | Investigation ongoing. Malicious entities found will be remediated. |
+| Remediated | Malicious entities found were successfully remediated. |
+| Terminated by system | Investigation was stopped by the system. |
+| Terminated by user | A user stopped the investigation before it could complete. |
+| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. |
-## Related topics
-- [Automated investigation and investigation](automated-investigations.md)
-- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+## View details about an automated investigation
+
+
+
+You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
+
+In this view, you'll see the name of the investigation, when it started and ended.
+
+### Investigation graph
+
+The investigation graph provides a graphical representation of an automated investigation. All investigation related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
+
+A progress ring shows two status indicators:
+- Orange ring - shows the pending portion of the investigation
+- Green ring - shows the running time portion of the investigation
+
+
+
+In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
+
+The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
+
+From this view, you can also view and add comments and tags about the investigation.
+
+### Alerts
+
+The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and who the investigation is assigned to.
+
+Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
+
+Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
+
+Clicking on an alert title brings you the alert page.
+
+### Machines
+
+The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
+
+Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
+
+Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
+
+Clicking on an machine name brings you the machine page.
+
+### Evidence
+
+The **Evidence** tab shows details related to threats associated with this investigation.
+
+### Entities
+
+The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean.
+
+### Log
+
+The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
+
+As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
+
+Available filters include action type, action, status, machine name, and description.
+
+You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
+
+### Pending actions
+
+If there are pending actions on an automated investigation, you'll see a pop up similar to the following image.
+
+
+
+When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**.
+
+## Next steps
+
+[View and approve remediation actions](manage-auto-investigation.md)
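Review bot: Several added sentences in this hunk need a copy edit before merge: "An automated investigation can be have one of the following status values", "The **Machines** tab Shows details the machine name", "Clicking on an machine name brings you the machine page", "brings you the relevant section", "The table details such as the number of entities that were analyzed", and "started on 10:26:59 AM and ended on 10:56:26 AM" (use "at"). In the filters table, "zone in a specific machine" should be "zone in on", and the **Status** row gives only a cross-reference where every other row gives a description. The opening paragraph links to manage-auto-investigation.md#remediation-actions; confirm that anchor exists in the retitled page. The removed text stated that pending actions must be manually approved or rejected for automated actions to proceed; make sure that requirement is still stated on the page this one now hands off to.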
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 346bd331f0..17a56b7252 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -85,3 +85,9 @@ When a pending action is approved, the entity is then remediated and this new st
## Next step
- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
+
+## Related articles
+
+- [Automated investigation and response in Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
+
+- [Automated investigation and response in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
\ No newline at end of file
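Review bot: The "Next step" link kept as context above the new section still reads "Learn about the automated investigations dashboard", but this patch lists manage-auto-investigation.md as "View and approve remediation actions" in the TOC and in index.md; update the link text to match. The new "Related articles" list also leaves the file without a trailing newline, the same condition the index.md hunk in this patch corrects.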
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
index a040722887..5b876f90b8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
@@ -1,6 +1,6 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
-description: Expand your visibility into the overall security configuration posture of your organization
+description: Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -8,45 +8,50 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
+ms.author: ellevin
+author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/11/2019
---
# Configuration score
+
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>[!NOTE]
-> Secure score is now part of Threat & Vulnerability Management as Configuration score. The secure score page will be available for a few weeks.
+> Secure score is now part of Threat & Vulnerability Management as Configuration score.
-The Microsoft Defender Advanced Threat Protection Configuration score gives you visibility and control over the security posture of your organization based on security best practices. High configuration score means your endpoints are more resilient from cybersecurity threat attacks.
+Your Configuration score is visible in the Threat & Vulnerability Management dashboard of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
-Your configuration score widget shows the collective security configuration state of your machines across the following categories:
- Application
- Operating system
- Network
- Accounts
- Security controls
-## How it works
->[!NOTE]
-> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
+A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks.
+
+## How it works
+
+>[!NOTE]
+> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
+
+The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
-The data in the configuration score widget is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
- Collect and monitor changes of security control configuration state from all assets
-From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
+From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
## Improve your configuration score
+
The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
+
- **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type** — **Configuration change** or **Software update**
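Review bot: The terminology is only half migrated in "How it works": the lead-in now says "configuration score card", but the paragraph after the bullet list still begins "From the widget". Use one term throughout. In the added sentence, "more resilient from cybersecurity threat attacks" would read better as "more resilient against cybersecurity threats". The Intune note is re-added unchanged; since it tells readers that Intune-set configurations may show up as misconfigured, it is worth confirming it is still accurate while the page is being rewritten.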
@@ -64,6 +69,7 @@ See how you can [improve your security configuration](https://docs.microsoft.com
>2. Key-in the security update KB number that you need to download, then click **Search**.
## Related topics
+
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
@@ -78,4 +84,3 @@ See how you can [improve your security configuration](https://docs.microsoft.com
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
-
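Review bot: Not introduced by this hunk, but visible in its context lines: "Recommendation APIs" links to the same .../microsoft-defender-atp/vulnerability URL as "Vulnerability APIs" on the line above it. That looks like a copy-paste error; confirm the intended target and fix it while the file is being touched.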
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
index 8fafbb0b85..96650774c3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
@@ -100,5 +100,4 @@ This section lists various issues that you may encounter when using email notifi
## Related topics
- [Update data retention settings](data-retention-settings.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Enable Secure Score security controls](enable-secure-score.md)
- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
index f6e320c931..75e7f8f006 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
@@ -129,11 +129,12 @@ Once completed, you should see onboarded servers in the portal within an hour.
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
> [!NOTE]
-> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Microsoft Endpoint Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
+> The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
Supported tools include:
- Local script
- Group Policy
+- Microsoft Endpoint Configuration Manager
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
- VDI onboarding scripts for non-persistent machines
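Review bot: The new "Microsoft Endpoint Configuration Manager" list item sits directly above "System Center Configuration Manager 2012 / 2012 R2 1511 / 1602" with no version qualifier. State which versions the new entry covers so the two items are not read as overlapping.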
diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
index 703b8a3412..d2df7a0c6e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md
@@ -44,5 +44,4 @@ During the onboarding process, a wizard takes you through the general settings o
- [Update data retention settings](data-retention-settings.md)
- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-- [Enable Secure Score security controls](enable-secure-score.md)
- [Configure advanced features](advanced-features.md)
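Review bot: Removing the enable-secure-score.md entry from this Related topics list is inconsistent with the rest of the patch, which still edits enable-secure-score.md instead of deleting it. If the Secure Score controls article is being retired, remove or redirect it in this change; if it stays, keep the link so the setting remains discoverable from the data retention page.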
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
index 8829cf492a..76c04110e7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-secure-score.md
@@ -38,7 +38,7 @@ Set the baselines for calculating the score of security controls on the Secure S
3. Click **Save preferences**.
## Related topics
-- [View the Secure Score dashboard](secure-score-dashboard.md)
+- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Update data retention settings for Microsoft Defender ATP](data-retention-settings.md)
- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md)
- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
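Review bot: The first Related topics entry now points to tvm-dashboard-insights.md, but the hunk header context shows the article body still talks about setting baselines for "the Secure S" (truncated) dashboard, so the body and the related link name different dashboards. Update the body wording in the same change, or keep the old link until the body is revised.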
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
index f69367a074..ef03093507 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md
@@ -1,5 +1,5 @@
---
-title: Create an Application to access Microsoft Defender ATP without a user
+title: Create an app to access Microsoft Defender ATP without a user
ms.reviewer:
description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
@@ -23,104 +23,88 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user.
-
-If you need programmatic access Microsoft Defender ATP on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md)
-
-If you are not sure which access you need, see [Get started](apis-intro.md).
+This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user. If you need programmatic access to Microsoft Defender ATP on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md).
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
In general, you’ll need to take the following steps to use the APIs:
-- Create an AAD application
-- Get an access token using this application
-- Use the token to access Microsoft Defender ATP API
+- Create an Azure Active Directory (Azure AD) application.
+- Get an access token using this application.
+- Use the token to access Microsoft Defender ATP API.
-This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
+This article explains how to create an Azure AD application, get an access token to Microsoft Defender ATP, and validate the token.
## Create an app
-1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role.
+1. Log on to [Azure](https://portal.azure.com) with a user that has the **Global Administrator** role.
2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.

-3. In the registration form, choose a name for your application and then click **Register**.
+3. In the registration form, choose a name for your application, and then select **Register**.
-4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission:
+4. To enable your app to access Microsoft Defender ATP and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**.
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
-
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
+ > [!NOTE]
+ > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.

- - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
+ - Select **Application permissions** > **Alert.Read.All**, and then select **Add permissions**.

- **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
+ Note that you need to select the relevant permissions. 'Read All Alerts' is only an example. For instance:
- For instance,
-
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
+ - To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission.
+ - To [isolate a machine](isolate-machine.md), select the 'Isolate machine' permission.
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
-5. Click **Grant consent**
+5. Select **Grant consent**.
- - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+ > [!NOTE]
+ > Every time you add a permission, you must select **Grant consent** for the new permission to take effect.
- 
+ 
-6. Add a secret to the application.
+6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**.
- - Click **Certificates & secrets**, add description to the secret and click **Add**.
-
- **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
+ > [!NOTE]
+ > After you select **Add**, select **copy the generated secret value**. You won't be able to retrieve this value after you leave.

-7. Write down your application ID and your tenant ID:
-
- - On your application page, go to **Overview** and copy the following:
+7. Write down your application ID and your tenant ID. On your application page, go to **Overview** and copy the following.

-8. **For Microsoft Defender ATP Partners only** - Set your application to be multi-tenanted (available in all tenants after consent)
+8. **For Microsoft Defender ATP Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted:
- This is **required** for 3rd party applications (for example, if you create an application that is intended to run in multiple customers tenant).
+ - Go to **Authentication**, and add https://portal.azure.com as the **Redirect URI**.
- This is **not required** if you create a service that you want to run in your tenant only (i.e. if you create an application for your own usage that will only interact with your own data)
+ - On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app.
- - Go to **Authentication** > Add https://portal.azure.com as **Redirect URI**.
+ You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Microsoft Defender ATP on behalf of your customer.
- - On the bottom of the page, under **Supported account types**, mark **Accounts in any organizational directory**
+ You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory.
- - Application consent for your multi-tenant Application:
-
- You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer.
-
- You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
-
- Consent link is of the form:
+ The consent link is formed as follows:
```
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```
- where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID
+ Where 00000000-0000-0000-0000-000000000000 is replaced with your application ID.
-- **Done!** You have successfully registered an application!
-- See examples below for token acquisition and validation.
+**Done!** You have successfully registered an application! See examples below for token acquisition and validation.
-## Get an access token examples:
+## Get an access token
-For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+For more details on Azure AD tokens, see the [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds).
-### Using PowerShell
+### Use PowerShell
```
# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
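Review bot: In step 8, the rewritten second bullet fuses the old sub-heading "Application consent for your multi-tenant Application:" into the option name, producing "select the **Accounts in any organizational directory** application consent for your multi-tenant app", which is not a control on the page; keep "select **Accounts in any organizational directory**" as the bullet and introduce the consent paragraphs on their own line. The next paragraph also lost a word: "your application interacts Microsoft Defender ATP" should read "interacts with". In step 6, "select **copy the generated secret value**" turns an instruction into a button name, and the warning went from **Important** to [!NOTE]; because the secret is a credential that cannot be retrieved later, an [!IMPORTANT] callout reading "copy the generated secret value" fits better. Step 4 has a stray ">," after **APIs my organization uses**, and the "'Read All Alerts' is only an example" caveat was reduced from an important note to running text even though it is what tells readers to pick only the permission they need.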
@@ -144,19 +128,19 @@ Out-File -FilePath "./Latest-token.txt" -InputObject $token
return $token
```
-### Using C#:
+### Use C#:
->The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8
+The following code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8.
-- Create a new Console Application
-- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
-- Add the below using
+1. Create a new console application.
+1. Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/).
+1. Add the following:
```
using Microsoft.IdentityModel.Clients.ActiveDirectory;
```
-- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
+1. Copy and paste the following code in your app (don't forget to update the three variables: ```tenantId, appId, appSecret```):
```
string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
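Review bot: The heading "### Use C#:" keeps its trailing colon while the sibling headings changed in this patch ("### Use PowerShell", "### Use Python", "### Use Curl") have none; drop it for consistency. In the numbered list, "Add the following:" lost the word "using", so the step no longer says what is being added; "Add the following using statement:" is clearer.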
@@ -173,26 +157,25 @@ return $token
```
-### Using Python
+### Use Python
-Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
+See [Get token using Python](run-advanced-query-sample-python.md#get-token).
-### Using Curl
+### Use Curl
> [!NOTE]
-> The below procedure supposed Curl for Windows is already installed on your computer
+> The following procedure assumes that Curl for Windows is already installed on your computer.
-- Open a command window
-- Set CLIENT_ID to your Azure application ID
-- Set CLIENT_SECRET to your Azure application secret
-- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application
-- Run the below command:
+1. Open a command prompt, and set CLIENT_ID to your Azure application ID.
+1. Set CLIENT_SECRET to your Azure application secret.
+1. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Microsoft Defender ATP.
+1. Run the following command:
```
curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
```
-You will get an answer of the form:
+You will get an answer in the following form:
```
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn
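Review bot: The curl command kept as context in this hunk ends with -k, which turns off TLS certificate verification on the very request that posts client_secret to login.microsoftonline.com; since the surrounding steps are being rewritten anyway, drop the flag from the sample. The new step 1 also merges two actions ("Open a command prompt, and set CLIENT_ID to your Azure application ID.") while CLIENT_SECRET and TENANT_ID each keep their own step; keep one action per step.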
false |
+
+#### Enable / disable passive mode
+
+Detemines whether the antivirus engine runs in passive mode or not. In passive mode:
+- Real-time protection is turned off.
+- On-demand scanning is turned on.
+- Automatic threat remediation is turned off.
+- Security intelligence updates are turned on.
+- Status menu icon is hidden.
+
+|||
+|:---|:---|
+| **Key** | passiveMode |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
+
+#### Exclusion merge policy
+
+Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
+
+|||
+|:---|:---|
+| **Key** | exclusionsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default)
admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+#### Scan exclusions
+
+Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
+
+|||
+|:---|:---|
+| **Key** | exclusions |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Type of exclusion**
+
+Specifies the type of content excluded from the scan.
+
+|||
+|:---|:---|
+| **Key** | $type |
+| **Data type** | String |
+| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
+
+**Path to excluded content**
+
+Used to exclude content from the scan by full file path.
+
+|||
+|:---|:---|
+| **Key** | path |
+| **Data type** | String |
+| **Possible values** | valid paths |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**Path type (file / directory)**
+
+Indicates if the *path* property refers to a file or directory.
+
+|||
+|:---|:---|
+| **Key** | isDirectory |
+| **Data type** | Boolean |
+| **Possible values** | false (default)
true |
+| **Comments** | Applicable only if *$type* is *excludedPath* |
+
+**File extension excluded from the scan**
+
+Used to exclude content from the scan by file extension.
+
+|||
+|:---|:---|
+| **Key** | extension |
+| **Data type** | String |
+| **Possible values** | valid file extensions |
+| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
+
+**Process excluded from the scan**
+
+Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
+
+|||
+|:---|:---|
+| **Key** | name |
+| **Data type** | String |
+| **Possible values** | any string |
+| **Comments** | Applicable only if *$type* is *excludedFileName* |
+
+#### Allowed threats
+
+List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
+
+|||
+|:---|:---|
+| **Key** | allowedThreats |
+| **Data type** | Array of strings |
+
+#### Disallowed threat actions
+
+Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
+
+|||
+|:---|:---|
+| **Key** | disallowedThreatActions |
+| **Data type** | Array of strings |
+| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+#### Threat type settings
+
+The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
+
+|||
+|:---|:---|
+| **Key** | threatTypeSettings |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+**Threat type**
+
+Type of threat for which the behavior is configured.
+
+|||
+|:---|:---|
+| **Key** | key |
+| **Data type** | String |
+| **Possible values** | potentially_unwanted_application
archive_bomb |
+
+**Action to take**
+
+Action to take when coming across a threat of the type specified in the preceding section. Can be:
+
+- **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged.
+- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console.
+- **Off**: The device is not protected against this type of threat and nothing is logged.
+
+|||
+|:---|:---|
+| **Key** | value |
+| **Data type** | String |
+| **Possible values** | audit (default)
block
off |
+
+#### Threat type settings merge policy
+
+Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
+
+|||
+|:---|:---|
+| **Key** | threatTypeSettingsMergePolicy |
+| **Data type** | String |
+| **Possible values** | merge (default)
admin_only |
+| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
+
+### Cloud-delivered protection preferences
+
+The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
+
+|||
+|:---|:---|
+| **Key** | cloudService |
+| **Data type** | Dictionary (nested preference) |
+| **Comments** | See the following sections for a description of the dictionary contents. |
+
+#### Enable / disable cloud delivered protection
+
+Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
+
+|||
+|:---|:---|
+| **Key** | enabled |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+#### Diagnostic collection level
+
+Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
+
+|||
+|:---|:---|
+| **Key** | diagnosticLevel |
+| **Data type** | String |
+| **Possible values** | optional (default)
required |
+
+#### Enable / disable automatic sample submissions
+
+Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
+
+|||
+|:---|:---|
+| **Key** | automaticSampleSubmission |
+| **Data type** | Boolean |
+| **Possible values** | true (default)
false |
+
+## Recommended configuration profile
+
+To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
+
+The following configuration profile will:
+
+- Enable real-time protection (RTP).
+- Specify how the following threat types are handled:
+ - **Potentially unwanted applications (PUA)** are blocked.
+ - **Archive bombs** (file with a high compression rate) are audited to the product logs.
+- Enable cloud-delivered protection.
+- Enable automatic sample submission.
+
+### Sample profile
+
+```JSON
+{
+ "antivirusEngine":{
+ "enableRealTimeProtection":true,
+ "threatTypeSettings":[
+ {
+ "key":"potentially_unwanted_application",
+ "value":"block"
+ },
+ {
+ "key":"archive_bomb",
+ "value":"audit"
+ }
+ ]
+ },
+ "cloudService":{
+ "automaticSampleSubmission":true,
+ "enabled":true
+ }
+}
+```
+
+## Full configuration profile example
+
+The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
+
+### Full profile
+
+```JSON
+{
+ "antivirusEngine":{
+ "enableRealTimeProtection":true,
+ "passiveMode":false,
+ "exclusionsMergePolicy":"merge",
+ "exclusions":[
+ {
+ "$type":"excludedPath",
+ "isDirectory":false,
+ "path":"/var/log/system.log"
+ },
+ {
+ "$type":"excludedPath",
+ "isDirectory":true,
+ "path":"/home"
+ },
+ {
+ "$type":"excludedFileExtension",
+ "extension":"pdf"
+ },
+ {
+ "$type":"excludedFileName",
+ "name":"cat"
+ }
+ ],
+ "allowedThreats":[
+ "EICAR-Test-File (not a virus)"
+ ],
+ "disallowedThreatActions":[
+ "allow",
+ "restore"
+ ],
+ "threatTypeSettingsMergePolicy":"merge",
+ "threatTypeSettings":[
+ {
+ "key":"potentially_unwanted_application",
+ "value":"block"
+ },
+ {
+ "key":"archive_bomb",
+ "value":"audit"
+ }
+ ]
+ },
+ "cloudService":{
+ "enabled":true,
+ "diagnosticLevel":"optional",
+ "automaticSampleSubmission":true
+ }
+}
+```
+
+## Configuration profile deployment
+
+Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
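Review bot: The section headed "Process excluded from the scan" documents the key name and says it applies only when $type is excludedFileName, so the heading and description (a process whose file activity is excluded) do not match the exclusion type in the table or the "excludedFileName" entry in the full profile; make the heading and text describe a file name exclusion, or document a separate process exclusion type. The tables give "Dictionary (nested preference)" as the data type for exclusions and threatTypeSettings, but both JSON profiles show them as arrays of objects. The full profile excludes the whole /home directory and every pdf file and lists an allowed threat; label those values as placeholders so the profile is not deployed as is. "Detemines" under passive mode is a typo, and "cloud-driven protection" should match the "cloud-delivered protection" used in the heading.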
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
new file mode 100644
index 0000000000..388b235ac3
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
@@ -0,0 +1,116 @@
+---
+title: Microsoft Defender ATP for Linux resources
+ms.reviewer:
+description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Resources
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+## Collect diagnostic information
+
+If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+
+1. Increase logging level:
+
+ ```bash
+ $ mdatp --log-level verbose
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+ ```
+
+2. Reproduce the problem.
+
+3. Run `sudo mdatp --diagnostic --create` to backup Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. This command will also print out the file path to the backup after the operation succeeds:
+
+ ```bash
+ $ sudo mdatp --diagnostic --create
+ Creating connection to daemon
+ Connection established
+ ```
+
+4. Restore logging level:
+
+ ```bash
+ $ mdatp --log-level info
+ Creating connection to daemon
+ Connection established
+ Operation succeeded
+ ```
+
+## Log installation issues
+
+If an error occurs during installation, the installer will only report a general failure.
+
+The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
+
+## Uninstall
+
+There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, please follow the package uninstallation instructions for the configuration tool.
+
+### Manual uninstallation
+
+- ```sudo yum remove mdatp``` for RHEL and variants(CentOS and Oracle EL).
+- ```sudo zypper remove mdatp``` for SLES and variants.
+- ```sudo apt-get purge mdatp``` for Ubuntu and Debian systems.
+
+## Configure from the command line
+
+Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
+
+|Group |Scenario |Command |
+|-------------|-------------------------------------------|-----------------------------------------------------------------------|
+|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
+|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
+|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
+|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
+|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
+|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
+|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
+|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
+|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
+|Health |Check the product's health |`mdatp --health` |
+|Protection |Scan a path |`mdatp --scan --path [path]` |
+|Protection |Do a quick scan |`mdatp --scan --quick` |
+|Protection |Do a full scan |`mdatp --scan --full` |
+|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
+|Protection |Request a security intelligence update |`mdatp --definition-update` |
+
+## Microsoft Defender ATP portal information
+
+In the Microsoft Defender ATP portal, you'll see two categories of information:
+
+- Antivirus alerts, including:
+ - Severity
+ - Scan type
+ - Device information (hostname, machine identifier, tenant identifier, app version, and OS type)
+ - File information (name, path, size, and hash)
+ - Threat information (name, type, and state)
+- Device information, including:
+ - Machine identifier
+ - Tenant identifier
+ - App version
+ - Hostname
+ - OS type
+ - OS version
+ - Computer model
+ - Processor architecture
+ - Whether the device is a virtual machine
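Review bot: Step 3 says the command "will also print out the file path to the backup after the operation succeeds", but the sample output stops at "Connection established" and shows no path; add the remaining output lines with a placeholder path. The same command appears with sudo in step 3 and without it in the command table ("mdatp --diagnostic --create"), so state whether root is required. "to backup" should be "to back up", and "linux" is listed twice in keywords.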
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
new file mode 100644
index 0000000000..43330660a0
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
@@ -0,0 +1,77 @@
+---
+title: Microsoft Defender ATP for Linux static proxy discovery
+ms.reviewer:
+description: Describes how to configure Microsoft Defender ATP for static proxy discovery.
+keywords: microsoft, defender, atp, linux, installation, proxy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Configuring Microsoft Defender ATP for static proxy discovery
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
+
+## Installation time configuration
+
+During installation, the ```HTTPS_PROXY``` environment variable must be passed to the package manager. The package manager can read this variable in any of the following ways:
+
+- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
+
+ ```bash
+ HTTPS_PROXY=”http://proxy.server:port/”
+ ```
+
+- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
+
+ ```bash
+ Acquire::https::Proxy "http://proxy.server:port/";
+ ```
+
+ > [!CAUTION]
+ > Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
+
+- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
+
+ ```bash
+ $ HTTPS_PROXY=”http://proxy.server:port/" apt install mdatp
+ ```
+
+ > [!NOTE]
+ > Do not add sudo between the environment variable definition and apt, otherwise the variable will not be propagated.
+
+The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
+
+Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take significantly longer due to network timeouts.
+
+## Post installation configuration
+
+After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
+
+- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port”` and specify your static proxy address.
+
+- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
+
+ ```bash
+ HTTPS_PROXY=”http://proxy.server:port/”
+ ```
+
+After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
+
+```bash
+$ systemctl daemon-reload; systemctl restart mdatp
+```
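Review bot: The HTTPS_PROXY samples use typographic quotes (”), and the apt example mixes an opening ” with a closing ", so copying them into /etc/environment, a shell, or the Environment= line in mdatp.service either puts the quote characters into the value or leaves the string unterminated; replace them with straight double quotes throughout. The apt example warns against putting sudo between the variable and apt but never shows how the command gets root, so show the intended invocation. The post-installation section edits /lib/systemd/system/mdatp.service in place; a package update can replace that file, so mention a systemd drop-in override as the durable option. In the caution, "above two methods ... Use this method with caution" should say "these methods".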
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
new file mode 100644
index 0000000000..74979b6c15
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md
@@ -0,0 +1,47 @@
+---
+title: Deploy updates for Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to deploy updates for Microsoft Defender ATP for Linux in enterprise environments.
+keywords: microsoft, defender, atp, linux, updates, deploy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Deploy updates for Microsoft Defender ATP for Linux
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features.
+
+To update Microsoft Defender ATP for Linux manually, execute one of the following commands:
+
+## RHEL and variants (CentOS and Oracle EL)
+
+```bash
+sudo yum update mdatp
+```
+
+## SLES and variants
+
+```bash
+sudo zypper update mdatp
+```
+
+## Ubuntu and Debian systems
+
+```bash
+sudo apt-get install --only-upgrade mdatp
+```
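
Review bot: The Ubuntu and Debian command at the end of this new file, `sudo apt-get install --only-upgrade mdatp`, upgrades only to the newest version in the local package index, so on a host with a stale index it can leave an outdated agent in place; add `sudo apt-get update` before it, or state that the index must be refreshed first. The sentence "execute one of the following commands:" also runs straight into three H2 headings; naming the distribution families in that sentence, or demoting the headings, would read better.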
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
index 04f3d87059..94bb66756c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
@@ -45,7 +45,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
3. Set the deployment method to **Mobile Device Management / Microsoft Intune**.
>[!NOTE]
- >JamF falls under **Mobile Device Management**.
+ >Jamf falls under **Mobile Device Management**.
4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
index 315ec0f230..84b0a77870 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
@@ -24,7 +24,7 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
->This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations. To configure Microsoft Defender ATP for Mac using the command-line interface, see the [Resources](mac-resources.md#configuring-from-the-command-line) page.
+>This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations. To configure Microsoft Defender ATP for Mac using the command-line interface, see [Resources](mac-resources.md#configuring-from-the-command-line).
## Summary
@@ -325,6 +325,8 @@ Specify whether to enable EDR early preview features.
Specify a tag name and its value.
+- The GROUP tag, tags the machine with the specified value. The tag is reflected in the portal under the machine page and can be used for filtering and grouping machines.
+
|||
|:---|:---|
| **Domain** | `com.microsoft.wdav` |
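
Review bot: The added bullet "The GROUP tag, tags the machine with the specified value" has a stray comma between subject and verb, and a one-item bullet list under "Specify a tag name and its value." reads oddly. Suggest a plain sentence instead: "The GROUP tag tags the machine with the specified value."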
@@ -569,6 +571,18 @@ The following configuration profile contains entries for all settings described
> NOTE:
>- IP is supported for all three protocols
->- Encrypted URLs can only be blocked on first party browsers
+>- Encrypted URLs (full path) can only be blocked on first party browsers
+>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers
>- Full URL path blocks can be applied on the domain level and all unencrypted URLs
>[!NOTE]
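
Review bot: The second added line spells "Encrypted URLS" while the line above it and the rest of the note use "URLs"; change it to "Encrypted URLs (FQDN only)". Since these two lines now define what can and cannot be blocked for encrypted traffic, it would also help to end each with a period and hyphenate "first-party" consistently.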
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
index b08c20b0a4..9c596b4ec9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
@@ -98,11 +98,11 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
-**[Secure score](overview-secure-score.md)**
+**[Configuration score](configuration-score.md)**
> [!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page.
+> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md).
-Microsoft Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
+Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
new file mode 100644
index 0000000000..b3b7205da8
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -0,0 +1,131 @@
+---
+title: Microsoft Defender ATP for Linux
+ms.reviewer:
+description: Describes how to install and use Microsoft Defender ATP for Linux.
+keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: dansimp
+author: dansimp
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: conceptual
+---
+
+# Microsoft Defender ATP for Linux
+
+This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux.
+
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4q3yP]
+
+
+
+> [!CAUTION]
+> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
+
+
+
+
+
+## How to install Microsoft Defender ATP for Linux
+
+### Prerequisites
+
+- Access to the Microsoft Defender Security Center portal
+- Beginner-level experience in Linux and BASH scripting
+- Administrative privileges on the device (in case of manual deployment)
+
+### Known issues
+
+- Logged on users do not appear in the ATP portal.
+- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
+
+ ```bash
+ $ sudo SUSEConnect --status-text
+ ```
+
+### Installation instructions
+
+There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.
+
+In general you need to take the following steps:
+
+- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal.
+- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
+ - The command-line tool:
+ - [Manual deployment](linux-install-manually.md)
+ - Third-party management tools:
+ - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
+ - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
+
+### System requirements
+
+- Supported Linux server distributions and versions:
+
+ - Red Hat Enterprise Linux 7 or higher
+ - CentOS 7 or higher
+ - Ubuntu 16.04 LTS or higher LTS
+ - Debian 9 or higher
+ - SUSE Linux Enterprise Server 12 or higher
+ - Oracle Enterprise Linux 7
+
+- Minimum kernel version 2.6.38
+- The `fanotify` kernel option must be enabled
+- Disk space: 650 MB
+
+After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+
+### Network connections
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
+
+| Service location | DNS record |
+| ---------------------------------------- | ----------------------- |
+| Common URLs for all locations | x.cp.wd.microsoft.com
cdn.x.cp.wd.microsoft.com
eu-cdn.x.cp.wd.microsoft.com
wu-cdn.x.cp.wd.microsoft.com
*.blob.core.windows.net
officecdn-microsoft-com.akamaized.net
crl.microsoft.com
events.data.microsoft.com |
+| European Union | europe.x.cp.wd.microsoft.com
eu-v20.events.data.microsoft.com |
+| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com
uk-v20.events.data.microsoft.com |
+| United States | unitedstates.x.cp.wd.microsoft.com
us-v20.events.data.microsoft.com |
+
+Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
+- Transparent proxy
+- Manual static proxy configuration
+
+If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
+
+## Validating cloud connectivity
+
+To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
+
+If you prefer the command line, you can also check the connection by running the following command in Terminal:
+
+```bash
+$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
+```
+
+The output from this command should be similar to the following:
+
+> `OK https://x.cp.wd.microsoft.com/api/report`
+> `OK https://cdn.x.cp.wd.microsoft.com/ping`
+
+Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
+```bash
+$ mdatp --connectivity-test
+```
+
+## How to update Microsoft Defender ATP for Linux
+
+Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md).
+
+## How to configure Microsoft Defender ATP for Linux
+
+Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
+
+## Resources
+
+- For more information about logging, uninstalling, or other topics, see the [Resources](linux-resources.md) page.
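
Review bot: In the Network connections table, the common-URL row asks for an allow rule to `*.blob.core.windows.net`, which matches every Azure Blob storage account rather than only the ones the product uses. If the specific hosts cannot be listed, say so in the text so that firewall owners know the wildcard is intentional and can scope or monitor it. Two smaller points: "make sure that anonymous traffic is permitted in the previously listed URLs" should read "to the previously listed URLs", and the `mdatp --connectivity-test` fence needs a blank line before it like the other code blocks in this file.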
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
index a28cd30703..ff425c7895 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
@@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft Threat Experts is a managed detection and response (MDR) service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
+Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
index a65e4c2dbb..51d5efdc49 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
+++ b/windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
@@ -95,9 +95,6 @@
#### [Manage actions related to automated investigation and remediation](auto-investigation-action-center.md)
-### [Secure score](overview-secure-score.md)
-
-
### [Threat analytics](threat-analytics.md)
@@ -298,8 +295,6 @@
##### [Use the mpcmdrun.exe command line tool to manage next generation protection](../windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
-### [Configure Secure score dashboard security controls](secure-score-dashboard.md)
-
### [Configure and manage Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
@@ -481,7 +476,6 @@
##### [Update data retention settings](data-retention-settings.md)
##### [Configure alert notifications](configure-email-notifications.md)
##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports.md)
-##### [Enable Secure score security controls](enable-secure-score.md)
##### [Configure advanced features](advanced-features.md)
#### [Permissions]()
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
index 0d041b05e3..c304bcfd54 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
@@ -31,7 +31,6 @@ Topic | Description
:---|:---
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
-[Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization.
[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
deleted file mode 100644
index f08e397a67..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Overview of Secure score in Microsoft Defender Security Center
-description: Expand your visibility into the overall security posture of your organization
-keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Overview of Secure score in Microsoft Defender Security Center
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->[!NOTE]
-> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks.
-
-The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines.
-
->[!IMPORTANT]
-> This feature is available for machines on Windows 10, version 1703 or later.
-
-
-The **Secure score dashboard** displays a snapshot of:
-- Microsoft secure score
-- Secure score over time
-- Top recommendations
-- Improvement opportunities
-
-
-
-
-## Microsoft secure score
-The Microsoft secure score tile is reflective of the sum of all the security controls that are configured according to the recommended Windows baseline and Office 365 controls. It allows you to drill down into each portal for further analysis. You can also improve this score by taking the steps in configuring each of the security controls in the optimal settings.
-
-
-
-Each Microsoft security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported Microsoft security controls (security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
-
-The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
-
-In the example image, the total points for the security controls and Office 365 add up to 602 points.
-
-You can set the baselines for calculating the security control scores on the Secure score dashboard through the **Settings**. For more information, see [Enable Secure score security controls](enable-secure-score.md).
-
-## Secure score over time
-You can track the progression of your organizational security posture over time using this tile. It displays the overall score in a historical trend line enabling you to see how taking the recommended actions increase your overall security posture.
-
-
-
-You can mouse over specific date points to see the total score for that security control is on a specific date.
-
-
-## Top recommendations
-Reflects specific actions you can take to significantly increase the security stance of your organization and how many points will be added to the secure score if you take the recommended action.
-
-
-
-## Improvement opportunities
-Improve your score by taking the recommended improvement actions listed on this tile. The goal is to reduce the gap between the perfect score and the current score for each control.
-
-Clicking on the affected machines link at the top of the table takes you to the Machines list. The list is filtered to reflect the list of machines where improvements can be made.
-
-
-
-
-
-
-Within the tile, you can click on each control to see the recommended optimizations.
-
-Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
-
-## Related topic
-- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
-- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Configuration score](configuration-score.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [Threat analytics](threat-analytics.md)
-
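
Review bot: This removes overview-secure-score.md outright, although the page's own note said it "will be available for a few weeks" and the note removed from microsoft-defender-advanced-threat-protection.md linked to its published URL. No redirect is visible in this part of the patch; confirm that a redirection to configuration-score.md is included so existing links do not break.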
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview.md b/windows/security/threat-protection/microsoft-defender-atp/overview.md
index 0e926f6f8d..8600ed540e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/overview.md
@@ -38,7 +38,7 @@ Topic | Description
[Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Microsoft Defender ATP so you can protect desktops, portable computers, and servers.
[Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Microsoft Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
[Automated investigation and remediation](automated-investigations.md) | In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-[Secure score](overview-secure-score.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place.
+[Configuration score](configuration-score.md) | Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls.
[Microsoft Threat Experts](microsoft-threat-experts.md) | Managed cybersecurity threat hunting service. Learn how you can get expert-driven insights and data through targeted attack notification and access to experts on demand.
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/70b4d256-46fb-481f-ad9b-921ef5fd7bed]
+
+## Want to learn more?
+
+[OneDrive](https://docs.microsoft.com/onedrive)
+
+[Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
+
+[Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/)
+
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index 3dd89a2653..52966241d0 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -87,9 +87,9 @@ If you are part of your organization's security team, and your subscription incl
You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
-1. Make sure your organization meets all of the following requirements:
+1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
- - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
+ - Your organization must have [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (this is included in [Microsoft 365 E5](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview)).
- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
index 80c59d0658..76de6faff6 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 02/24/2020
ms.reviewer:
manager: dansimp
---
@@ -23,36 +23,36 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx).
+You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
-For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) topic.
+For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) topic.
-PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
+PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367).
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Windows Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
-Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
+Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
-PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
-
+PowerShell is typically installed under the folder `%SystemRoot%\system32\WindowsPowerShell`.
## Use Windows Defender Antivirus PowerShell cmdlets
-1. Click **Start**, type **powershell**, and press **Enter**.
-2. Click **Windows PowerShell** to open the interface.
-3. Enter the command and parameters.
+1. In the Windows search bar, type **powershell**.
+2. Select **Windows PowerShell** from the results to open the interface.
+3. Enter the PowerShell command and any parameters.
> [!NOTE]
-> You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+> You may need to open PowerShell in administrator mode. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
To open online help for any of the cmdlets type the following:
```PowerShell
Get-Help
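
Review bot: Step 1 now starts from the Windows search bar, but the reworded note below the steps still says "Right-click the item in the Start menu"; align the note with the new steps so the reader knows which item to right-click for administrator mode. The link text "PowerShell hub on MSDN" also now points at docs.microsoft.com, so the text should drop "MSDN".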
- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
+|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
- **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
To ensure that protection from malware is maintained, we recommend that you enable the following services:
-- Windows Error Reporting service
+- Windows Error Reporting service
-- Windows Update service
+- Windows Update service
-The following table lists the services for Windows Defender and the dependent services.
+The following table lists the services for Windows Defender Antivirus and the dependent services.
|Service Name|File Location|Description|
|--------|---------|--------|
-|Windows Defender Service (Windefend)|C:\Program Files\Windows Defender\MsMpEng.exe|This is the main Windows Defender Antivirus service that needs to be running at all times.|
-|Windows Error Reporting Service (Wersvc)|C:\WINDOWS\System32\svchost.exe -k WerSvcGroup|This service sends error reports back to Microsoft.|
-|Windows Defender Firewall (MpsSvc)|C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork|We recommend leaving the Windows Defender Firewall service enabled.|
-|Windows Update (Wuauserv)|C:\WINDOWS\system32\svchost.exe -k netsvcs|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
+|Windows Defender Service (WinDefend)|`C:\Program Files\Windows Defender\MsMpEng.exe`|This is the main Windows Defender Antivirus service that needs to be running at all times.|
+|Windows Error Reporting Service (Wersvc)|`C:\WINDOWS\System32\svchost.exe -k WerSvcGroup`|This service sends error reports back to Microsoft.|
+|Windows Defender Firewall (MpsSvc)|`C:\WINDOWS\system32\svchost.exe -k LocalServiceNoNetwork`|We recommend leaving the Windows Defender Firewall service enabled.|
+|Windows Update (Wuauserv)|`C:\WINDOWS\system32\svchost.exe -k netsvcs`|Windows Update is needed to get Security intelligence updates and antimalware engine updates|
-## Submit Samples
+## Submit samples
-Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence.
+Sample submission allows Microsoft to collect samples of potentially malicious software. To help provide continued and up-to-date protection, Microsoft researchers use these samples to analyze suspicious activities and produce updated antimalware Security intelligence. We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
+
+### Submit a file
+
+1. Review the [submission guide](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+
+2. Visit the [sample submission portal](https://www.microsoft.com/wdsi/filesubmission), and submit your file.
-We collect program executable files, such as .exe files and .dll files. We do not collect files that contain personal data, like Microsoft Word documents and PDF files.
### Enable automatic sample submission
To enable automatic sample submission, start a Windows PowerShell console as an administrator, and set the **SubmitSamplesConsent** value data according to one of the following settings:
-- **0** Always prompt. The Windows Defender service prompts you to confirm submission of all required files. This is the default setting for Windows Defender, but is not recommended for Windows Server 2016 installations without a GUI.
-
-- **1** Send safe samples automatically. The Windows Defender service sends all files marked as "safe" and prompts for the remainder of the files.
-
-- **2** Never send. The Windows Defender service does not prompt and does not send any files.
-
-- **3** Send all samples automatically. The Windows Defender service sends all files without a prompt for confirmation.
+|Setting |Description |
+|---------|---------|
+|**0** Always prompt |The Windows Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Windows Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
+|**1** Send safe samples automatically |The Windows Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
+|**2** Never send |The Windows Defender Antivirus service does not prompt and does not send any files. |
+|**3** Send all samples automatically |The Windows Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
-To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender AV on Server 2016.
+To help ensure security and performance, certain exclusions are automatically added based on the roles and features you install when using Windows Defender Antivirus on Windows Server 2016 or 2019.
+
+See [Configure exclusions in Windows Defender Antivirus on Windows Server](configure-server-exclusions-windows-defender-antivirus.md).
+
+## Need to uninstall Windows Defender Antivirus?
+
+If you are using a third-party antivirus solution and you're running into issues with that solution and Windows Defender Antivirus, you can consider uninstalling Windows Defender Antivirus. Before you do that, review the following resources:
+
+- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
+
+- See [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Windows Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
+
+If you determine you do want to uninstall Windows Defender Antivirus, follow the steps in the following sections.
+
+### Uninstall Windows Defender Antivirus using the Remove Roles and Features wizard
+
+1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
+
+2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option.
+
+ If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
+
+ Windows Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
+
+### Uninstall Windows Defender Antivirus using PowerShell
+
+>[!NOTE]
+>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
+
+The following PowerShell cmdlet will also uninstall Windows Defender AV on Windows Server 2016 or 2019:
+
+```PowerShell
+Uninstall-WindowsFeature -Name Windows-Defender
+```
+
+### Turn off the GUI using PowerShell
+
+To turn off the Windows Defender Antivirus GUI, use the following PowerShell cmdlet:
+
+```PowerShell
+Uninstall-WindowsFeature -Name Windows-Defender-GUI
+```
-See the [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) topic for more information.
## Related topics
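Review bot: the added note under "Uninstall Windows Defender Antivirus using PowerShell" says the Windows Security app can't be uninstalled and that "these instructions" disable the interface, but the command directly below it is `Uninstall-WindowsFeature -Name Windows-Defender`; the interface-only command, `Uninstall-WindowsFeature -Name Windows-Defender-GUI`, sits in the next section. Move the note under "Turn off the GUI using PowerShell" or reword it to name that section. Two added lines also still say "Windows Defender AV" ("Windows Defender AV will still run normally without the user interface" and "will also uninstall Windows Defender AV") while the rest of this change standardizes on "Windows Defender Antivirus", and the retained tip "Right-click the item in the Start menu" no longer matches the new step 1, which starts from the Windows search bar.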
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 6fc44116aa..d25131d06d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -43,8 +43,8 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
- All clients are running Windows 10 version 1903 or above;
- All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
-> [!NOTE]
-> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM)
+ > [!NOTE]
+ > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager (SCCM).
- Some, but not all, apps are deployed using MEMCM;
- Most users are local administrators on their devices;
@@ -117,7 +117,7 @@ Alice follows these steps to complete this task:
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
- Merge-CIPolicy -OutputFilePath = $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
7. If appropriate, add additional signer or file rules to further customize the policy for your organization.
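Review bot: the path rules in the context lines above the corrected `Merge-CIPolicy` call write the macros as `%windir%` and `%OSDrive%`, while select-types-of-rules-to-create.md in this same change lists the supported macros as `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`. Use one casing in both articles, or state whether casing matters, so readers copying the sample don't have to guess. The step also passes `$LamnaPolicy` as both `-PolicyPaths` and `-OutputFilePath`, so the policy file is rewritten in place; a sentence saying so would help anyone who wants to keep the pre-merge copy.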
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 1accae5758..484dd83dc0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -219,7 +219,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
## Deploy catalog files with Microsoft Endpoint Configuration Manager
-As an alternative to Group Policy, you can use Microsoft Endpoint Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Microsoft Endpoint Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
+As an alternative to Group Policy, you can use Configuration Manager to deploy catalog files to the managed computers in your environment. This approach can simplify the deployment and management of multiple catalog files as well as provide reporting around which catalog each client or collection has deployed. In addition to the deployment of these files, Configuration Manager can also be used to inventory the currently deployed catalog files for reporting and compliance purposes. Complete the following steps to create a new deployment package for catalog files:
>[!NOTE]
>The following example uses a network share named \\\\Shares\\CatalogShare as a source for the catalog files. If you have collection specific catalog files, or prefer to deploy them individually, use whichever folder structure works best for your organization.
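Review bot: the context note right after the reworded paragraph still writes the share as \\\\Shares\\CatalogShare using backslash escapes; other files in this change move paths into code formatting (for example `C:\Windows\schemas\CodeIntegrity\ExamplePolicies`), so format it as `\\Shares\CatalogShare` here too. On the rename itself, the body now says "Configuration Manager" while the section heading keeps "Microsoft Endpoint Configuration Manager"; confirm the short form after first mention is the intended style, since the other articles touched by this change use the full name in body text.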
@@ -294,7 +294,7 @@ Before you begin testing the deployed catalog file, make sure that the catalog s
## Inventory catalog files with Microsoft Endpoint Configuration Manager
-When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Microsoft Endpoint Configuration Manager, you can inventory them with the software inventory feature of Microsoft Endpoint Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
+When catalog files have been deployed to the computers within your environment, whether by using Group Policy or Configuration Manager, you can inventory them with the software inventory feature of Configuration Manager. The following process walks you through the enablement of software inventory to discover catalog files on your managed systems through the creation and deployment of a new client settings policy.
>[!NOTE]
>A standard naming convention for your catalog files will significantly simplify the catalog file software inventory process. In this example, *-Contoso* has been added to all catalog file names.
@@ -332,7 +332,7 @@ When catalog files have been deployed to the computers within your environment,
9. Now that you have created the client settings policy, right-click the new policy, click **Deploy**, and then choose the collection on which you would like to inventory the catalog files.
-At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Microsoft Endpoint Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
+At the time of the next software inventory cycle, when the targeted clients receive the new client settings policy, you will be able to view the inventoried files in the built-in Configuration Manager reports or Resource Explorer. To view the inventoried files on a client within Resource Explorer, complete the following steps:
1. Open the Configuration Manager console, and select the Assets and Compliance workspace.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 67a0e29bf9..97443ac815 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 04/20/2018
+ms.date: 02/24/2020
---
# Understand WDAC policy rules and file rules
@@ -28,7 +28,7 @@ Windows Defender Application Control (WDAC) provides control over a computer run
## Windows Defender Application Control policy rules
-To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
+To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
@@ -120,9 +120,9 @@ There is a defined list of SIDs which WDAC recognizes as admins. If a filepath a
WDAC's list of well-known admin SIDs are:
S-1-3-0; S-1-5-18; S-1-5-19; S-1-5-20; S-1-5-32-544; S-1-5-32-549; S-1-5-32-550; S-1-5-32-551; S-1-5-32-577; S-1-5-32-559; S-1-5-32-568; S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394; S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523.
-When generating filepath rules using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), a unique, fully-qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards and include them in your [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) scan using the -Rules switch.
+When generating filepath rules using [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), a unique, fully-qualified path rule is generated for every file discovered in the scanned path(s). To create rules that instead allow all files under a specified folder path, use [New-CIPolicyRule](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule) to define rules containing wildcards using the [-FilePathRules](https://docs.microsoft.com/powershell/module/configci/new-cipolicyrule#parameters) switch.
-Wildcards can be used at the beginning or end of a path rule: only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. C:\\* would include C:\foo\\* ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. \*\bar.exe would allow C:\bar.exe and C:\foo\bar.exe). Wildcards in the middle of a path are not supported (ex. C:\\*\foo.exe). Without a wildcard, the rule will allow only a specific file (ex. C:\foo\bar.exe).
Supported macros: %WINDIR%, %SYSTEM32%, %OSDRIVE%.
+Wildcards can be used at the beginning or end of a path rule; only one wildcard is allowed per path rule. Wildcards placed at the end of a path authorize all files in that path and its subdirectories recursively (ex. `C:\\*` would include `C:\foo\\*` ). Wildcards placed at the beginning of a path will allow the exact specified filename under any path (ex. `*\bar.exe` would allow `C:\bar.exe` and `C:\foo\bar.exe`). Wildcards in the middle of a path are not supported (ex. `C:\\*\foo.exe`). Without a wildcard, the rule will allow only a specific file (ex. `C:\foo\bar.exe`).
The use of macros is also supported and useful in scenarios where the system drive is different from the `C:\` drive. Supported macros: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
> [!NOTE]
> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
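Review bot: the new sentence points to a `-FilePathRules` switch on New-CIPolicyRule, but the sample in create-wdac-policy-for-lightly-managed-devices.md in this same change calls `New-CIPolicyRule -FilePathRule "%windir%\*"` (singular); make the link text match the parameter name used there. The rewrite also drops the instruction to pass the resulting rules to New-CIPolicy with `-Rules`, so the paragraph no longer says how the wildcard rules get into a policy. In the wildcard paragraph, the examples were moved into backticks but kept their Markdown escapes (`C:\\*`, `C:\foo\\*`, `C:\\*\foo.exe`), which will render with a doubled backslash; inside code spans they should be `C:\*`, `C:\foo\*` and `C:\*\foo.exe`.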
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index d516a6f73a..e34ac21abb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -14,7 +14,6 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 06/14/2018
---
# Authorize reputable apps with the Intelligent Security Graph (ISG)
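Review bot: `ms.date` is deleted from the front matter here, whereas select-types-of-rules-to-create.md in this same change updates it to 02/24/2020; if the removal is not deliberate, set the date rather than dropping the field.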
@@ -24,34 +23,33 @@ ms.date: 06/14/2018
- Windows 10
- Windows Server 2016 and above
-Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system.
-In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
+Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task.
-Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software.
+Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as the Microsoft Intelligent Security Graph authorization, that allows IT administrators to automatically authorize applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The the Microsoft Intelligent Security Graph option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](https://docs.microsoft.com/graph/overview-major-services).
## How does the integration between WDAC and the Intelligent Security Graph work?
-The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.
+The the Microsoft Intelligent Security Graph relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the the Microsoft Intelligent Security Graph authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision.
After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification.
The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot.
>[!NOTE]
->Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Intune can be used to create and push a WDAC policy to your client machines.
+>Admins should make sure there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Intune can be used to create and push a WDAC policy to your client machines.
-Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy).
+Other examples of WDAC policies are available in `C:\Windows\schemas\CodeIntegrity\ExamplePolicies` and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy).
## Configuring Intelligent Security Graph authorization for Windows Defender Application Control
-Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps:
+Setting up the Microsoft Intelligent Security Graph authorization is easy regardless of what management solution you use. Configuring the Microsoft Intelligent Security Graph option involves these basic steps:
-- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
-- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
+- [Ensure that the Microsoft Intelligent Security Graph option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
+- [Enable the necessary services to allow WDAC to use the Microsoft Intelligent Security Graph correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML
-In order to enable trust for executables based on classifications in the ISG, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set.
+In order to enable trust for executables based on classifications in the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached Intelligent Security Graph results on reboot to force rechecking of applications against the Microsoft Intelligent Security Graph. Caution is advised if devices will regularly transition to and from environments that may not be able to access the Microsoft Intelligent Security Graph. The following example shows both options being set.
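Review bot: the ISG rename left a doubled article in three added sentences: "The the Microsoft Intelligent Security Graph option helps", "The the Microsoft Intelligent Security Graph relies on" and "with the the Microsoft Intelligent Security Graph authorization option specified". Drop the extra "the". The two rewritten link labels still point at the old anchors, and `#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client` only resolves if that heading keeps "ISG" in its title, so check that the heading was not renamed along with the body text. The added text also alternates between "Microsoft Intelligent Security Graph" and "Intelligent Security Graph" within a single sentence ("cached Intelligent Security Graph results ... against the Microsoft Intelligent Security Graph"); pick one form after first mention.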
```code