diff --git a/devices/hololens/holographic-store-apps.md b/devices/hololens/holographic-store-apps.md
index 085f14c50e..f993afcb7f 100644
--- a/devices/hololens/holographic-store-apps.md
+++ b/devices/hololens/holographic-store-apps.md
@@ -33,12 +33,18 @@ Open the Microsoft Store from the **Start** menu. Then browse for apps and games
## Install apps
-To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
+To download apps, you'll need to be signed in with a Microsoft account. Some apps are free and can be downloaded right away. Apps that require a purchase require you to be signed in to the Store with your Microsoft account and have a valid payment method.
+> [!NOTE]
+> The account you use on Microsoft Store does not have to be the same as the account you are signed in with. If you are using a Work or School account on your HoloLens then you'll need to sign in with your personal account in the Store App to make a purchase.
-1. To open the [**Start** menu](holographic-home.md), perform a [bloom](hololens1-basic-usage.md) gesture or tap your wrist.
-2. Select the Store app and then tap to place this tile into your world.
-3. Once the Store app opens, use the search bar to look for any desired application.
-4. Select **Get** or **Install** on the application's page (a purchase may be required).
+To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
+
+1. To open the [**Start** menu](holographic-home.md), perform a [Start gesture](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) or [bloom](hololens1-basic-usage.md) gesture on HoloLens 1.
+1. Select the Store app. Once the Store app opens:
+ 1. Use the search bar to look for any desired applications.
+ 1. Select essential apps or apps made specifically for HoloLens from one of the curated categories.
+ 1. On the top right of the Store app, select the **...** button and then select **My Library** to view any previously purchased apps.
+1. Select **Get** or **Install** on the application's page (a purchase may be required).
## Uninstall apps
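Review bot: The new Install apps intro states two different sign-in rules. The first added sentence says downloading needs a Microsoft account, while the NOTE says a device signed in with a Work or School account needs a personal account in the Store app "to make a purchase". Say explicitly whether free apps can be downloaded on a Work or School device without a personal Store sign-in, and reword "Apps that require a purchase require you to be signed in" to drop the doubled "require". In step 1, the Start gesture link is an absolute docs.microsoft.com URL while the neighboring links are relative .md paths, and only the bloom gesture is labeled with a device generation; "Start gesture on HoloLens 2 or bloom gesture on HoloLens 1" would make the pairing clear.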
@@ -46,7 +52,7 @@ There are two ways to uninstall applications. You can uninstall applications th
### Uninstall from the Start menu
-On the **Start** menu or in the **All apps** list, gaze at the app. Tap and hold until the menu appears, then select **Uninstall**.
+On the **Start** menu or in the **All apps** list, browse to the app. Air tap and hold until the menu appears, then select **Uninstall**.
### Uninstall from the Microsoft Store
diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md
index 7926dab884..62ec90d0f2 100644
--- a/devices/hololens/hololens-connect-devices.md
+++ b/devices/hololens/hololens-connect-devices.md
@@ -63,6 +63,9 @@ HoloLens 2 supports the following classes of USB-C devices:
- Wired keyboard
- Combination PD hubs (USB A plus PD charging)
+> [!NOTE]
+> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with the 20H1 OS. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported
+
## Connect to Miracast
To use Miracast, follow these steps:
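Review bot: The added NOTE calls the release "the 20H1 OS", but the release notes changed in this same patch call it "Windows Holographic, version 2004"; use one name so admins can match the tethering support to a build. The last sentence is missing its period, and the comma in "driver, and/or application installed" splits the condition. "ethernet adaptors" should also follow the "USB Ethernet" capitalization used in the release notes table. Since that table advertises "support for 5G/LTE dongles", it would help to state here which devices qualify (those that present themselves as an Ethernet adapter) before naming the unsupported case.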
diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md
index e82148dd22..5bc9b7a304 100644
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@@ -63,80 +63,9 @@ You are welcome and encouraged to try developing your applications using Insider
## Windows Insider Release Notes
-HoloLens 2 Windows Insider builds are full of new features and improvements. Sign up for Windows Insider Fast or Slow flights to test them out!
-Here's a quick summary of what's new:
+As of our [Windows Holographic May 2020 Update](hololens-release-notes.md) release all of our release preview feautres are now generally avalible! Make sure to [update your HoloLens](hololens-update-hololens.md) to get all the latest features.
-- Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices
-- Seamlessly apply a provisioning package from a USB drive to your HoloLens
-- Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
-- Use Windows Autopilot to set up and pre-configure new devices, quickly getting them ready for productive use. To participate in the program you'll need to meet a few requirements. While the program is in preview mode you'll need to be using Microsoft Intune. You'll need to use a tenant that is flighted for HoloLens. Lastly you'll need to have installed an insider preview buildon your HoloLens 2. To praticipate in the preview of this new program send a note to hlappreview@microsoft.com to join the preview.
-- Dark Mode - HoloLens customers can now choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time.
-- Support for additional system voice commands
-- An updated Cortana app with a focus on productivity
-- Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
-- Performance and stability improvements across the product
-- More information in settings on HoloLens about the policy pushed to the device
-
-Once you've had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
-
-### FIDO 2 support
-Many of you share a HoloLens with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords. FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password.
-
-Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
-
-### Provisioning package updates
-Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel.
-
-1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
-1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
-1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
-1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
-
-### System voice commands
-You can now access these commands with your voice:
-- "Restart device"
-- "Shutdown device"
-- "Brightness up"
-- "Brightness down"
-- "Volume up"
-- "Volume down"
-- "What is my IP address?"
-- "Take a picture"
-- "Take a video" / "Stop recording"
-
-If you're running your system with a different language, please try the appropriate commands in that language.
-
-### Cortana updates
-The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
-
-There's currently an issue we're investigating that requires you to launch the app once after booting the device in order to use the "Hey Cortana" keyword activation, and if you updated from a 18362 build, you may see an app tile for the previous version of the Cortana app in Start that no longer works.
-
-### Dark mode
-Many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to **Settings > System > Colors to find "Choose your default app mode."**
-Here are some of the in-box apps that support Dark mode!
-- Settings
-- Microsoft Store
-- Mail
-- Calendar
-- File Explorer
-- Feedback Hub
-- OneDrive
-- Photos
-- 3D Viewer
-- Movies & TV
-
-### Windows Autopilot for HoloLens 2
-
-This Autopilot program supports Autopilot self-deploying mode to provision HoloLens 2 devices as shared devices under your tenant. Self-deploying mode leverages the device's preinstalled OEM image and drivers during the provisioning process. A user can provision the device without putting the device on and going through the Out-of-the-box Experience (OOBE).
-
-When a user starts the Autopilot self-deploying process, the process completes the following steps:
-1. Join the device to Azure Active Directory (Azure AD).
-2. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
-3. Download the device-targeted policies, certificates, and networking profiles.
-4. Provision the device.
-5. Present the sign-in screen to the user.
-
-For full information about Autopilot, see [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md).
+We'll be updating this page again with new features again as we release them to Windows Insider builds.
### FFU download and flash directions
To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
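Review bot: The replacement paragraph under Windows Insider Release Notes has two typos, "feautres" and "avalible", and needs a comma after "release" in "[Windows Holographic May 2020 Update] release all of our". The closing added line repeats a word: "updating this page again with new features again". Suggested wording for that line: "We'll update this page with new features as we release them to Windows Insider builds."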
diff --git a/devices/hololens/hololens-release-notes.md b/devices/hololens/hololens-release-notes.md
index b289b56df1..f9a6957518 100644
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@@ -1,5 +1,5 @@
---
-title: HoloLens release notes
+title: HoloLens 2 release notes
description: Learn about updates in each new HoloLens release.
author: scooley
ms.author: scooley
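Review bot: The title now says HoloLens 2, but the description line directly below it is unchanged and still reads "Learn about updates in each new HoloLens release." Since this patch also drops HoloLens 1 from appliesto and creates hololens1-release-notes.md, update the description to name HoloLens 2 so the two pages are distinguishable in search results and link previews.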
@@ -8,25 +8,165 @@ ms.prod: hololens
ms.sitesec: library
ms.topic: article
ms.localizationpriority: medium
-ms.date: 12/02/2019
+ms.date: 05/12/2020
ms.custom:
- CI 111456
- CSSTroubleshooting
audience: ITPro
appliesto:
-- HoloLens 1
- HoloLens 2
---
-# HoloLens release notes
+# HoloLens 2 release notes
-## HoloLens 2
+## Windows Holographic, version 2004
+Build - 19041.1103
+
+| Feature | Description |
+|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
+| Windows Autopilot | Pre-configure and seamlessly set up new devices for production, with Windows AutoPilot |
+| FIDO 2 support | Support for FIDO2 Security Keys to enable fast and secure authentication for shared devices |
+| Improved provisioning | Seamlessly apply a provisioning package from a USB drive to your HoloLens |
+| Application install status | Check install status for apps have been pushed to HoloLens 2 via MDM, in the Settings app |
+| Configuration Service Providers (CSPs) | Added new Configuration Service Providers (CSPs) enhancing admin control capabilities. |
+| USB 5G/LTE support | Expanded USB Ethernet capability enables support for 5G/LTE dongles |
+| Dark App Mode | Dark App Mode for apps that support both dark and light modes, improving the viewing experience |
+| Voice Commands | Support for additional system voice commands to control HoloLens, hands-free |
+| Hand Tracking improvements | Hand Tracking improvements make buttons and 2D slate interactions more accurate |
+| Quality improvements and fixes | Various system performance and reliability improvements across the platform |
> [!Note]
> HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
-### April Update - build 18362.1059
+### Support for Windows Autopilot
+
+Windows Autopilot for HoloLens 2 lets the device sales channel pre-enroll HoloLens into your Intune tenant. When devices arrive, they’re ready to self-deploy as shared devices under your tenant. To take advantage of self-deployment, devices will need to connect to a network during the first screen in setup using either a USB-C to ethernet dongle or USB-C to LTE dongle.
+
+When a user starts the Autopilot self-deploying process, the process completes the following steps:
+
+1. Join the device to Azure Active Directory (Azure AD).
+1. Use Azure AD to enroll the device in Microsoft Intune (or another MDM service).
+1. Download the device-targeted policies, certificates, and networking profiles.
+1. Provision the device.
+1. Present the sign-in screen to the user.
+
+Learn more from the [Windows Autopilot for HoloLens 2 evaluation guide](https://docs.microsoft.com/hololens/hololens2-autopilot).
+
+**Contact your Account Manager to join the AutoPilot preview now. Autopilot-ready devices will begin shipping soon.**
+
+### FIDO2 Security Key support
+
+Many of you share a HoloLens device with lots of people in a work or school environment. Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long usernames and passwords.
+
+FIDO lets anyone in your organization (AAD tenant) seamlessly sign into HoloLens without entering a username or password.
+
+FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. Fast Identity Online (FIDO) is an open standard for passwordless authentication. FIDO allows users and organizations to leverage the standard to sign-in to their resources without a username or password using an external security key or a platform key built into a device.
+
+Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
+
+### Improved MDM enrollment via provisioning package
+
+Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience. Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel. In addition, provisioning packages support a new field to enroll in device management so there is no manual set up post-provisioning.
+
+1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.
+1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
+1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
+1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
+
+### Line of Business application install status
+
+MDM app deployment and management for Line of Business (LOB) apps is critical for our customers. Admins and users need to be able to view app install status, for auditing and diagnosis purposes. In this release we are adding more details in **Settings > Accounts > Access work or school > Click on your account > Info.**
+
+### Additional CSPs and Policies
+
+A [configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference?redirectedfrom=MSDN) is an interface to read, set, modify, or delete configuration settings on a device. In this release, we are adding support for more policies, increasing the control administrators have over deployed HoloLens devices. For the list of CSPs supported by HoloLens, visit this [link](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp). New in this release:
+
+**Policy CSP**
+
+The Policy configuration service provider enables the enterprise to configure policies on Windows devices. In this release, we are adding new policies for HoloLens, listed below. You can learn more about supported policies [here](https://docs.microsoft.com/windows/client-management/mdm/policies-supported-by-hololens2).
+
+- LetAppsAccessCamera_ForceAllowTheseApps
+- LetAppsAccessCamera_ForceDenyTheseApps
+- LetAppsAccessCamera_UserInControlOfTheseApps
+- LetAppsAccessGazeInput
+- LetAppsAccessGazeInput_ForceAllowTheseApps
+- LetAppsAccessGazeInput_ForceDenyTheseApps
+- LetAppsAccessGazeInput_UserInControlOfTheseApps
+- LetAppsAccessMicrophone_ForceAllowTheseApps
+- LetAppsAccessMicrophone_ForceDenyTheseApps
+- LetAppsAccessMicrophone_UserInControlOfTheseApps
+- AllowWiFi
+
+**NetworkQoSPolicy CSP**
+The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. You can learn more about this policy [here](https://docs.microsoft.com/windows/client-management/mdm/networkqospolicy-csp).
+
+### Expanded USB Ethernet support for 5G/LTE tethered devices
+
+Support has been added to enable certain mobile broadband devices, such as 5G/LTE phones and WiFi hotpots when tethered to the HoloLens 2 via USB. These devices will be displayed in network settings as another ethernet connection. Mobile broadband devices that require an external driver are not supported. This enables high bandwidth connections in scenarios where WiFi is not available, and WiFi tethering isn’t performant enough. You can learn more about supported USB devices [here](https://docs.microsoft.com/hololens/hololens-connect-devices).
+
+### Hand Tracking Improvements
+
+Hand tracking has received several improvements in this release.
+
+- **Pointing pose stability:** The system will now resist bending the index finger when it becomes occluded by the palm. This improves accuracy when pushing buttons, typing, scrolling content, and more!
+- **Reduced accidental AirTaps:** We’ve improved detection of the AirTap gesture. Now there are fewer accidental activations in several common cases, such as dropping your hands to your side.
+- **User switch reliability:** The system is now faster and more reliable at updating the hand size when sharing a device back and forth.
+- **Reduced hand stealing:** We’ve improved handling of cases where there are more than 2 hands in view of the sensors. If multiple people are working close together, there is now a much lower chance that the tracked hand will jump from the user to the hand of someone else in the scene.
+- **System reliability:** Fixed an issue that would cause hand tracking to stop working for a period if the device is under high load.
+
+### Dark mode
+
+Many Windows apps now support both dark and light modes, and HoloLens 2 customers can choose the default mode for apps that support both. Once updated, the default app mode will be "dark," but can be changed easily. Navigate to Settings > System > Colors to find "Choose your default app mode." Here are some of the in-box apps that support Dark mode:
+
+- Settings
+- Microsoft Store
+- Mail
+- Calendar
+- File Explorer
+- Feedback Hub
+- OneDrive
+- Photos
+- 3D Viewer
+- Movies & TV
+
+
+
+### System voice commands
+
+You can now quickly access and use commands with your voice while using any app on the device. If you're running your system with a different language, please try the appropriate commands in that language. For more details on the commands and how to use them, see our documentation [here](https://docs.microsoft.com/hololens/hololens-cortana).
+
+### Cortana updates
+
+The updated app integrates with Microsoft 365, currently in English (United States) only, to help you get more done across your devices. On HoloLens 2, Cortana will no longer support certain device-specific commands like adjusting the volume or restarting the device, which are now supported with the new system voice commands mentioned above. Learn more about the new Cortana app and its direction on our blog [here](https://blogs.windows.com/windowsexperience/2020/02/28/cortana-in-the-upcoming-windows-10-release-focused-on-your-productivity-with-enhanced-security-and-privacy/).
+
+> [!NOTE]
+> There's currently an issue we're investigating that requires you to launch the app after booting the device in order to use the "Hey Cortana" keyword activation, and if you updated from a 18362 build, you may see an app tile for the previous version of the Cortana app in Start that no longer works.
+
+### Quality improvements and fixes
+
+Improvements and Fixes also in the update:
+- The update introduces an active display calibration system. This improves the stability and alignment of holograms, which helps them stay in place when moving your head side-to-side.
+- Fixed a bug where Wi-Fi streaming to HoloLens gets disrupted periodically. If an application indicates that it needs low latency streaming this fix is can be accomplished by calling [this function](https://docs.microsoft.com/windows/win32/api/socketapi/nf-socketapi-setsocketmediastreamingmode).
+- Fixed an issue where the device could hang during streaming in research mode.
+- Fixed bug where in some cases the right user would not be displayed on sign-in screen when resuming session.
+- Fixed an issue where users could not export MDM logs through settings.
+- Fixed an issue where the accuracy of eye tracking immediately following out-of-box-setup could be lower than specification.
+- Fixed an issue where eye tracking subsystem would fail to initialize and/or perform calibration under certain conditions.
+- Fixed an issue where eye calibration would be prompted for an already calibrated user.
+- Fixed an issue where a driver would crash during eye calibration.
+- Fixed an issue where repeated power button presses can cause a 60 second system time-out and shell crash.
+- Improved stability for depth buffers.
+- Added ‘Share’ button in Feedback Hub so users can more easily share feedback.
+- Fixed a bug where RoboRaid did not install correctly.
+
+## Windows Holographic, version 1903 - May 2020 Update
+- Build 18362.1061
+
+This monthly quality update does not contain any changes of note because the team has been focused on providing you with the highest quality Feature Update now available in the Windows Holographic, version 2004 May Update detailed above. Please take this opportunity to move to the latest feature update to get a ton of exciting new changes.
+
+## Windows Holographic, version 1903 - April 2020 Update
+- Build 18362.1059
**Dark mode for supported apps**
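Review bot: In "Additional CSPs and Policies", the sentence "For the list of CSPs supported by HoloLens, visit this [link]" points to the networkqospolicy-csp page, the same URL used a few lines later for the NetworkQoSPolicy CSP itself, so the link does not lead to a list; point it at the page that actually lists supported CSPs. In the FIDO2 section, "unphishable" is an absolute claim; "phishing-resistant" is the more defensible wording, and the definition of FIDO should come before the sentence that first relies on it. Smaller fixes in the added lines: "for apps have been pushed" (missing "that"), "WiFi hotpots", "this fix is can be accomplished", mixed "AutoPilot"/"Autopilot", and "Build - 19041.1103" versus the "- Build 18362.1061" form used for the other releases.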
@@ -51,100 +191,50 @@ Here are some of the in-box apps that support dark mode:
- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod DepthReprojection algorithm is used.
- Fixed WinRT IStreamSocketListener API Class Not Registered error on 32-bit ARM app.
-### March Update - build 18362.1056
+## Windows Holographic, version 1903 - March 2020 Update
+- Build 18362.1056
+
+Improvements and fixes in the update:
- Improve hologram stability in mixed reality capture when the HolographicDepthReprojectionMethod AutoPlanar algorithm is used.
- Ensures the coordinate system attached to a depth MF sample is consistent with public documentation.
- Developers productivity improvement by enabling customers to paste large amount of text through device portal.
-### February Update - build 18362.1053
+## Windows Holographic, version 1903 - February 2020 Update
+- Build 18362.1053
+
+Improvements and fixes in the update:
- Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled.
- Fixed a random HUP crash cased by hand tracking, in which user will notice an UI freeze then back to shell after several seconds.
- We made an improvement in hand tracking so that while poking using index finger, the upper part of that finger will be less likely to curl unexpectedly.
- Improved reliability of head tracking, spatial mapping, and other runtimes.
-### January Update - build 18362.1043
+## Windows Holographic, version 1903 - January 2020 Update
+- Build 18362.1043
+
+Improvement in the update:
- Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
-### December Update - build 18362.1042
+## Windows Holographic, version 1903 - December 2019 Update
+- Build 18362.1042
+
+Improvements and fixes in the update:
- Introduces LSR (Last Stage Reproduction) fixes. Improves visual rendering of holograms to appear more stable and crisp by more accurately accounting for their depth. This will be more noticeable if apps do not set the depth of holograms correctly, after this update.
- Fixes stability of exclusive apps and navigation between exclusive apps.
- Resolves an issue where Mixed Reality Capture couldn't record video after device is left in standby state for multiple days.
- Improves hologram stability.
-### November Update - build 18362.1039
+## Windows Holographic, version 1903 - November 2019 Update
+- Build 18362.1039
+
+Improvements and fixes in the update:
- Fixes for **"Select"** voice commands during initial set-up for en-CA and en-AU.
- Improvements in visual quality of objects placed far away in latest Unity and MRTK versions.
- Fixes addressing issues with holographic applications being stuck in a paused state on launch until the pins panel is brought up and dismissed again.
- OpenXR runtime conformance fixes and improvements for HoloLens 2 and the emulator.
-## HoloLens (1st gen)
-### Windows 10 Holographic, version 1809
-
-> **Applies to:** Hololens (1st gen)
-
-| Feature | Details |
-|---|---|
-| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
 |
-| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
-| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
-| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
-| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
-| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
-| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
-| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
-| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
-
-#### For international customers
-
-| Feature | Details |
-| --- | --- |
-| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
-| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
-
-#### For administrators
-
-| Feature | Details |
-|---|----|
-| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
-| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
-| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
-| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
-| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
-
-### Windows 10, version 1803 for Microsoft HoloLens
-
-> **Applies to:** Hololens (1st gen)
-
-Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
-
-- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
-
-- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
-- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
-
- 
-
-- When you create a local account in a provisioning package, the password no longer expires every 42 days.
-
-- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
-
-- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
-
-- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
-
-- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
-
-- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
-
-- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
-
-- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
-
-- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
diff --git a/devices/hololens/hololens1-release-notes.md b/devices/hololens/hololens1-release-notes.md
new file mode 100644
index 0000000000..4002d4b7ea
--- /dev/null
+++ b/devices/hololens/hololens1-release-notes.md
@@ -0,0 +1,84 @@
+---
+title: HoloLens 1st (Gen) release notes
+description: Learn about updates in each new HoloLens release.
+author: evmill
+ms.author: v-evmill
+manager: yannisle
+ms.prod: hololens
+ms.sitesec: library
+ms.topic: article
+ms.localizationpriority: medium
+ms.date: 05/12/2020
+ms.custom:
+- CI 111456
+- CSSTroubleshooting
+audience: ITPro
+appliesto:
+- HoloLens 1
+
+---
+
+# HoloLens 1st (Gen) release notes
+
+### Windows 10 Holographic, version 1809
+
+> **Applies to:** Hololens (1st gen)
+
+| Feature | Details |
+|---|---|
+| **Quick actions menu** | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app.
See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.
|
+| **Stop video capture from the Start or quick actions menu** | If you start video capture from the Start menu or quick actions menu, you'll be able to stop recording from the same place. (Don't forget, you can always do this with voice commands too.) |
+| **Project to a Miracast-enabled device** | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. |
+| **New notifications** | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you're in an immersive experience, use the bloom gesture). |
+| **HoloLens overlays**
(file picker, keyboard, dialogs, etc.) | You'll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. |
+| **Visual feedback overlay UI for volume change** | When you use the volume up/down buttons on your HoloLens you'll see a visual display of the volume level. |
+| **New UI for device boot** | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it's between the "Hello" message and the Windows boot logo. |
+| **Nearby sharing** | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. |
+| **Share from Microsoft Edge** | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. |
+
+#### For international customers
+
+| Feature | Details |
+| --- | --- |
+| Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.
[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md) |
+| Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. |
+
+#### For administrators
+
+| Feature | Details |
+|---|----|
+| [Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. |
+| Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. |
+| PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**. |
+| Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in. |
+| Read device hardware info through MDM so devices can be tracked by serial number | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+| Set HoloLens device name through MDM (rename) | IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. |
+
+### Windows 10, version 1803 for Microsoft HoloLens
+
+> **Applies to:** Hololens (1st gen)
+
+Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
+
+- Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
+
+- You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
+- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
+
+- When you create a local account in a provisioning package, the password no longer expires every 42 days.
+
+- You can [configure HoloLens as a single-app or multi-app kiosk](hololens-kiosk.md). Multi-app kiosk mode lets you set up a HoloLens to only run the apps that you specify, and prevents users from making changes.
+
+- Media Transfer Protocol (MTP) is enabled so that you can connect the HoloLens device to a PC by USB and transfer files between HoloLens and the PC. You can also use the File Explorer app to move and delete files from within HoloLens.
+
+- Previously, after you signed in to the device with an Azure Active Directory (Azure AD) account, you then had to **Add work access** in **Settings** to get access to corporate resources. Now, you sign in with an Azure AD account and enrollment happens automatically.
+
+- Before you sign in, you can choose the network icon below the password field to choose a different Wi-Fi network to connect to. You can also connect to a guest network, such as at a hotel, conference center, or business.
+
+- You can now easily [share HoloLens with multiple people](hololens-multiple-users.md) using Azure AD accounts.
+
+- When setup or sign-in fails, choose the new **Collect info** option to get diagnostic logs for troubleshooting.
+
+- Individual users can sync their corporate email without enrolling their device in mobile device management (MDM). You can use the device with a Microsoft Account, download and install the Mail app, and add an email account directly.
+
+- You can check the MDM sync status for a device in **Settings** > **Accounts** > **Access Work or School** > **Info**. In the **Device sync status** section, you can start a sync, see areas managed by MDM, and create and export an advanced diagnostics report.
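Review bot: Heading levels in this new file skip a level: the `# HoloLens 1st (Gen) release notes` title is followed directly by `### Windows 10 Holographic, version 1809`, with `####` subsections beneath it. Promote the two version headings to `##` and the "For international customers" and "For administrators" headings to `###`. The product name is also written several ways in this one file: `1st (Gen)` in the front-matter title and the H1, `Hololens (1st gen)` with a lowercase "l" in both **Applies to** lines, and `HoloLens 1` under `appliesto`; settle on one form. Two items here are security-relevant for an IT admin: the table row saying users "can choose to bypass any PIN/Smartcard options" during web sign-in, and the 1803 bullet saying a provisioned local account's password "no longer expires every 42 days". Each would benefit from a link to the controlling policy documentation, if the docs set has one.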
diff --git a/devices/hololens/images/hololens-darkmode-tiled-picture.jpg b/devices/hololens/images/hololens-darkmode-tiled-picture.jpg
new file mode 100644
index 0000000000..bfa3ee78af
Binary files /dev/null and b/devices/hololens/images/hololens-darkmode-tiled-picture.jpg differ
diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index 819ef39b6a..f83cacb0c1 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -96,7 +96,7 @@ The following list shows all the available devices you can manage in SEMM:
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. |
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. |
-| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. |
+| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the Boot page is displayed. |
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. |
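Review bot: The `Enable Battery limit` context row at the top of this hunk still ends "Battery limit is enabled" with no closing period and has no cell padding (`|Enable Battery limit|`), unlike every other row shown; normalize it in the same change. The corrected `Boot` default itself now follows the same pattern as the `Security`, `Devices` and `DateTime` rows.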
diff --git a/mdop/appv-v5/deploying-the-app-v-51-server.md b/mdop/appv-v5/deploying-the-app-v-51-server.md
index 10380a684e..ddfa7f25d1 100644
--- a/mdop/appv-v5/deploying-the-app-v-51-server.md
+++ b/mdop/appv-v5/deploying-the-app-v-51-server.md
@@ -13,37 +13,27 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# Deploying the App-V 5.1 Server
-
You can install the Microsoft Application Virtualization (App-V) 5.1 server features by using different deployment configurations, which described in this topic. Before you install the server features, review the server section of [App-V 5.1 Security Considerations](app-v-51-security-considerations.md).
For information about deploying the App-V Server, see [About App-V 5.1](about-app-v-51.md#bkmk-migrate-to-51).
-**Important**
-Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.
-
-
+> [!IMPORTANT]
+> Before you install and configure the App-V 5.1 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to access the specified ports. The installer does not modify firewall settings.
## App-V 5.1 Server overview
-
The App-V 5.1 Server is made up of five components. Each component serves a different purpose within the App-V 5.1 environment. Each of the five components is briefly described here:
-- Management Server – provides overall management functionality for the App-V 5.1 infrastructure.
-
-- Management Database – facilitates database predeployments for App-V 5.1 management.
-
-- Publishing Server – provides hosting and streaming functionality for virtual applications.
-
-- Reporting Server – provides App-V 5.1 reporting services.
-
-- Reporting Database – facilitates database predeployments for App-V 5.1 reporting.
+- Management Server – provides overall management functionality for the App-V 5.1 infrastructure.
+- Management Database – facilitates database predeployments for App-V 5.1 management.
+- Publishing Server – provides hosting and streaming functionality for virtual applications.
+- Reporting Server – provides App-V 5.1 reporting services.
+- Reporting Database – facilitates database predeployments for App-V 5.1 reporting.
## App-V 5.1 stand-alone deployment
-
The App-V 5.1 standalone deployment provides a good topology for a small deployment or a test environment. When you use this type of implementation, all server components are deployed to a single computer. The services and associated databases will compete for the resources on the computer that runs the App-V 5.1 components. Therefore, you should not use this topology for larger deployments.
[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
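Review bot: The intro sentence kept as context above the new `> [!IMPORTANT]` block still reads "different deployment configurations, which described in this topic"; since this pass cleans up the section, change it to "which are described in this topic". In the same hunk the heading says "stand-alone deployment" while the paragraph under it says "standalone deployment"; use one spelling.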
@@ -52,7 +42,6 @@ The App-V 5.1 standalone deployment provides a good topology for a small deploym
## App-V 5.1 Server distributed deployment
-
The distributed deployment topology can support a large App-V 5.1 client base and it allows you to more easily manage and scale your environment. When you use this type of deployment, the App-V 5.1 Server components are deployed across multiple computers, based on the structure and requirements of the organization.
[How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services](how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md)
@@ -67,19 +56,15 @@ The distributed deployment topology can support a large App-V 5.1 client base an
## Using an Enterprise Software Distribution (ESD) solution and App-V 5.1
-
You can also deploy the App-V 5.1 clients and packages by using an ESD without having to deploy App-V 5.1. The full capabilities for integration will vary depending on the ESD that you use.
-**Note**
-The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.
-
-
+> [!NOTE]
+> The App-V 5.1 reporting server and reporting database can still be deployed alongside the ESD to collect the reporting data from the App-V 5.1 clients. However, the other three server components should not be deployed, because they will conflict with the ESD functionality.
[Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)](deploying-app-v-51-packages-by-using-electronic-software-distribution--esd-.md)
## App-V 5.1 Server logs
-
You can use App-V 5.1 server log information to help troubleshoot the server installation and operational events while using App-V 5.1. The server-related log information can be reviewed with the **Event Viewer**. The following line displays the specific path for Server-related events:
**Event Viewer \\ Applications and Services Logs \\ Microsoft \\ App V**
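Review bot: The section heading in this hunk expands ESD as "Enterprise Software Distribution", but the link text a few lines below, after the new `> [!NOTE]` block, reads "Deploying App-V 5.1 Packages by Using Electronic Software Distribution (ESD)". Use the same expansion in both places so readers do not take these for two different products.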
@@ -92,14 +77,11 @@ In App-V 5.0 SP3, some logs were consolidated and moved. See [About App-V 5.0 SP
## App-V 5.1 reporting
-
App-V 5.1 reporting allows App-V 5.1 clients to collect data and then send it back to be stored in a central repository. You can use this information to get a better view of the virtual application usage within your organization. The following list displays some of the types of information the App-V 5.1 client collects:
-- Information about the computer that runs the App-V 5.1 client.
-
-- Information about virtualized packages on a specific computer that runs the App-V 5.1 client.
-
-- Information about package open and shutdown for a specific user.
+- Information about the computer that runs the App-V 5.1 client.
+- Information about virtualized packages on a specific computer that runs the App-V 5.1 client.
+- Information about package open and shutdown for a specific user.
The reporting information will be maintained until it is successfully sent to the reporting server database. After the data is in the database, you can use Microsoft SQL Server Reporting Services to generate any necessary reports.
@@ -111,19 +93,4 @@ Use the following link for more information [About App-V 5.1 Reporting](about-ap
## Other resources for the App-V server
-
[Deploying App-V 5.1](deploying-app-v-51.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
index c8faae6bae..521bf090aa 100644
--- a/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
+++ b/mdop/appv-v5/how-to-deploy-the-app-v-databases-by-using-sql-scripts51.md
@@ -13,75 +13,42 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Deploy the App-V Databases by Using SQL Scripts
-
Use the following instructions to use SQL scripts, rather than the Windows Installer, to:
-- Install the App-V 5.1 databases
+- Install the App-V 5.1 databases
+- Upgrade the App-V databases to a later version
-- Upgrade the App-V databases to a later version
+> [!NOTE]
+> If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
-**Note**
-If you have already deployed the App-V 5.0 SP3 database, the SQL scripts are not required to upgrade to App-V 5.1.
+## How to install the App-V databases by using SQL scripts
+1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
+1. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
+1. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
+ Example: appv\_server\_setup.exe /layout c:\\<_temporary location path_>
-**How to install the App-V databases by using SQL scripts**
+1. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
-1. Before you install the database scripts, review and keep a copy of the App-V license terms. By running the database scripts, you are agreeing to the license terms. If you do not accept them, you should not use this software.
+ | Database | Location of Readme.txt file to use |
+ |--|--|
+ | Management database | ManagementDatabase subfolder |
+ | Reporting database | ReportingDatabase subfolder |
-2. Copy the **appv\_server\_setup.exe** from the App-V release media to a temporary location.
+> [!CAUTION]
+> The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
-3. From a command prompt, run **appv\_server\_setup.exe** and specify a temporary location for extracting the database scripts.
-
- Example: appv\_server\_setup.exe /layout c:\\<temporary location path>
-
-4. Browse to the temporary location that you created, open the extracted **DatabaseScripts** folder, and review the appropriate Readme.txt file for instructions:
-
-
-
-
-
-
-
-
-
-
-
- Management database |
- ManagementDatabase subfolder |
-
-
- Reporting database |
- ReportingDatabase subfolder |
-
-
-
-
-
-
-~~~
-**Caution**
-The readme.txt file in the ManagementDatabase subfolder is out of date. The information in the updated readme files below is the most current and should supersede the readme information provided in the **DatabaseScripts** folders.
-
-
-
-**Important**
-The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
+> [!IMPORTANT]
+> The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3.
The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). **Step 1** is not required for versions of App-V later than App-V 5.0 SP3.
-~~~
+## Updated management database README file content
-
-**Updated management database README file content**
-
-``` syntax
+```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
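Review bot: The sentence "The Permissions.sql script should be updated according to **Step 2** in KB article 3031340" is left as a plain context paragraph after the new `> [!IMPORTANT]` block, whereas before this change it sat inside the same `~~~` region as the Caution and Important text. If it belongs to the Important callout, prefix it with `> ` so the guidance on database permissions stays attached to the InsertVersionInfo.sql note rather than reading as detached body text. Separately, the `> [!CAUTION]` and `> [!IMPORTANT]` lines are added at column 0 right after the indented table of step 4; if they are meant to belong to that step, indent them to the list level.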
@@ -107,7 +74,7 @@ Steps to install "AppVManagement" schema in SQL SERVER.
2. Ensure the target SQL Server instance and SQL Server Agent service are running.
- 3. If you are not running the scripts directly on the server, ensure the
+ 3. If you are not running the scripts directly on the server, ensure the
necessary SQL Server client software is installed and available from
the specified location. Specifically, the "osql" command must
## be supported for these scripts to run.
@@ -120,7 +87,7 @@ Steps to install "AppVManagement" schema in SQL SERVER.
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
- DATABASE - ensure name is satisfactory - default is "AppVManagement".
+ DATABASE - ensure name is satisfactory - default is "AppVManagement".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings
@@ -130,23 +97,23 @@ Steps to install "AppVManagement" schema in SQL SERVER.
## INSTALLATION:
- 1. Run the database.sql against the "master" database. Your user
+ 1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
- 2. Run the following scripts against the "AppVManagement" database using the
+ 2. Run the following scripts against the "AppVManagement" database using the
same account as above in order.
CreateTables.sql
CreateStoredProcs.sql
UpdateTables.sql
-## Permissions.sql
+## Permissions.sql
```
-**Updated reporting database README file content**
+## Updated reporting database README file content
-``` syntax
+```plaintext
******************************************************************
Before you install and use the Application Virtualization Database Scripts you must:
1.Review the Microsoft Application Virtualization Server 5.0 license terms.
@@ -188,7 +155,7 @@ Steps to install "AppVReporting" schema in SQL SERVER.
defaults are likely sufficient, it is suggested that the following
settings be reviewed:
- DATABASE - ensure name is satisfactory - default is "AppVReporting".
+ DATABASE - ensure name is satisfactory - default is "AppVReporting".
2. Review the Permissions.sql file and provide all the necessary account information
for setting up read and write access on the database. Note: Default settings
@@ -203,13 +170,13 @@ Steps to install "AppVReporting" schema in SQL SERVER.
## INSTALLATION:
- 1. Run the database.sql against the "master" database. Your user
+ 1. Run the database.sql against the "master" database. Your user
credential must have the ability to create databases.
This script will create the database.
2. If upgrading the database, run UpgradeDatabase.sql This will upgrade database schema.
- 2. Run the following scripts against the "AppVReporting" database using the
+ 2. Run the following scripts against the "AppVReporting" database using the
same account as above in order.
CreateTables.sql
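Review bot: The INSTALLATION steps of the reporting README contain two consecutive steps numbered "2.": the context line "2. If upgrading the database, run UpgradeDatabase.sql This will upgrade database schema." and the line touched here, "2. Run the following scripts against the "AppVReporting" database". Since that line is being edited anyway, renumber it to 3 and add the missing period after "UpgradeDatabase.sql", so the order of the upgrade script and the table scripts is unambiguous.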
@@ -222,20 +189,10 @@ Steps to install "AppVReporting" schema in SQL SERVER.
```
-**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying the App-V 5.1 Server](deploying-the-app-v-51-server.md)
[How to Deploy the App-V 5.1 Server](how-to-deploy-the-app-v-51-server.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
index ed4ef04eb0..152d31ca72 100644
--- a/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
+++ b/mdop/appv-v5/how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md
@@ -13,19 +13,17 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell
-
Use the following PowerShell procedure to convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs) both in the standard format and in the hexadecimal format used by Microsoft SQL Server when running SQL scripts.
Before attempting this procedure, you should read and understand the information and examples displayed in the following list:
-- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names.
+- **.INPUTS** – The account or accounts used to convert to SID format. This can be a single account name or an array of account names.
-- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats.
+- **.OUTPUTS** - A list of account names with the corresponding SID in standard and hexadecimal formats.
-- **Examples** -
+- **Examples** -
**.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**.
@@ -33,13 +31,10 @@ Before attempting this procedure, you should read and understand the information
**.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
- \#>
-
-**To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)**
+## To convert any number of Active Directory Domain Services (AD DS) user or machine accounts into formatted Security Identifiers (SIDs)
1. Copy the following script into a text editor and save it as a PowerShell script file, for example **ConvertToSIDs.ps1**.
-
-2. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
+1. To open a PowerShell console click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**.
```powershell
<#
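Review bot: Step 1 in this hunk tells the reader to save the script as **ConvertToSIDs.ps1**, but the example in the context line above it invokes `.\\ConvertToSID.ps1` without the "s", as do the other examples in this file; use one file name throughout. The powershell code fence also still opens after step 2 (opening a PowerShell console) rather than after the step 1 sentence "Copy the following script"; moving the fence under step 1, indented to the list level, would keep the script with the step that refers to it.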
@@ -61,7 +56,7 @@ Before attempting this procedure, you should read and understand the information
function ConvertSIDToHexFormat
{
- param(\[System.Security.Principal.SecurityIdentifier\]$sidToConvert)
+ param([System.Security.Principal.SecurityIdentifier]$sidToConvert)
$sb = New-Object System.Text.StringBuilder
[int] $binLength = $sidToConvert.BinaryLength
@@ -79,7 +74,7 @@ Before attempting this procedure, you should read and understand the information
[string]::Format("{0}====== Description ======{0}{0}" +
" Converts any number of user or machine account names to string and hexadecimal SIDs.{0}" +
- " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" +
+ " Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.ps1 DOMAIN\Account1 DOMAIN\Account2 ...'){0}" +
" The output is written to the console in the format 'Account name SID as string SID as hexadecimal'{0}" +
" And can be written out to a file using standard PowerShell redirection{0}" +
" Please specify user accounts in the format 'DOMAIN\username'{0}" +
@@ -131,17 +126,21 @@ Before attempting this procedure, you should read and understand the information
Write-Output $SIDs
}
}
-3. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
+ ```
+
+1. Run the script you saved in step one of this procedure passing the accounts to convert as arguments.
For example,
- **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List” or “$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
+ **.\\ConvertToSID.ps1 DOMAIN\\user\_account1 DOMAIN\\machine\_account1$ DOMAIN\\user\_account2 | Format-List**
+
+ or
+
+ **$accountsArray = @("DOMAIN\\user\_account1", "DOMAIN\\machine\_account1$", "DOMAIN\_user\_account2")**
+ **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200**
- **.\\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\\SIDs.txt -Width 200”**
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Administering App-V 5.1 by Using PowerShell](administering-app-v-51-by-using-powershell.md)
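Review bot: The second example added in this hunk pipes to `Write-Output -FilePath .\\SIDs.txt -Width 200`, but `Write-Output` has no `-FilePath` or `-Width` parameter; those belong to `Out-File`, so the command fails as written and should read `Out-File -FilePath .\\SIDs.txt -Width 200`. The same command appears in the Examples list near the top of the file. In the added `$accountsArray` line, the third element is `"DOMAIN\_user\_account2"`, with an underscore where the other two entries have the domain backslash; it should be `"DOMAIN\\user\_account2"`. Both errors were carried over from the removed lines, so this rewrite is the place to fix them.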
diff --git a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
index 77c7a3fd6a..ebe96992d3 100644
--- a/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
+++ b/mdop/appv-v5/how-to-install-the-management-and-reporting-databases-on-separate-computers-from-the-management-and-reporting-services51.md
@@ -13,114 +13,74 @@ ms.prod: w10
ms.date: 06/16/2016
---
-
# How to Install the Management and Reporting Databases on Separate Computers from the Management and Reporting Services
-
Use the following procedure to install the database server and management server on different computers. The computer you plan to install the database server on must be running a supported version of Microsoft SQL or the installation will fail.
-**Note**
-After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
+> [!NOTE]
+> After you complete the deployment, the **Microsoft SQL Server name**, **instance name** and **database name** will be required by the administrator installing the service to be able to connect to these databases.
+## To install the management database and the management server on separate computers
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
+1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
+1. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
+1. On the **Installation Location** page, accept the default location and click **Next**.
+1. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
-**To install the management database and the management server on separate computers**
-
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
-
-2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
-
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
-
-4. On the **Feature Selection** page, select the components you want to install by selecting the **Management Server Database** checkbox and click **Next**.
-
-5. On the **Installation Location** page, accept the default location and click **Next**.
-
-6. On the initial **Create New Management Server Database page**, accept the default selections if appropriate, and click **Next**.
-
- If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
-
+ If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.\
If you are using a custom database name, then select **Custom configuration** and type the database name.
-7. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
+1. On the next **Create New Management Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
- **Note**
- If you plan to deploy the management server on the same computer you must select **Use this local computer**.
+ > [!NOTE]
+ > If you plan to deploy the management server on the same computer you must select **Use this local computer**.
+1. Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
+1. To start the installation, click **Install**.
+## To install the reporting database and the reporting server on separate computers
-~~~
-Specify the user name for the management server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
-~~~
-
-8. To start the installation, click **Install**.
-
-**To install the reporting database and the reporting server on separate computers**
-
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
-
-2. On the **Getting Started** page, review and accept the license terms, and click **Next**.
-
-3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don’t want to use Microsoft Update**. Click **Next**.
-
-4. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
-
-5. On the **Installation Location** page, accept the default location and click **Next**.
-
-6. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on. To start the App-V 5.1 server installation right-click and run **appv\_server\_setup.exe** as an administrator. Click **Install**.
+1. On the **Getting Started** page, review and accept the license terms, and click **Next**.
+1. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft updates, select **Use Microsoft Update when I check for updates (recommended).** To disable Microsoft updates, select **I don't want to use Microsoft Update**. Click **Next**.
+1. On the **Feature Selection** page, select the components you want to install by selecting the **Reporting Server Database** checkbox and click **Next**.
+1. On the **Installation Location** page, accept the default location and click **Next**.
+1. On the initial **Create New Reporting Server Database** page, accept the default selections if appropriate, and click **Next**.
If you are using a custom SQL Server instance, then select **Use a custom instance** and type the name of the instance.
-
If you are using a custom database name, then select **Custom configuration** and type the database name.
-7. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
+1. On the next **Create New Reporting Server Database** page, select **Use a remote computer**, and type the remote machine account using the following format: **Domain\\MachineAccount**.
- **Note**
- If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
+ > [!NOTE]
+ > If you plan to deploy the reporting server on the same computer you must select **Use this local computer**.
+1. Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
+1. To start the installation, click **Install**.
+## To install the management and reporting databases using App-V 5.1 database scripts
-~~~
-Specify the user name for the reporting server **Install Administrator** using the following format: **Domain\\AdministratorLoginName**. Click **Next**.
-~~~
+1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
+1. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
-8. To start the installation, click **Install**.
+ **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR="InstallationExtractionLocation"**.
-**To install the management and reporting databases using App-V 5.1 database scripts**
+1. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
-1. Copy the App-V 5.1 server installation files to the computer on which you want to install it on.
+ - The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.
+ - The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
-2. To extract the App-V 5.1 database scripts, open a command prompt and specify the location where the installation files are saved and run the following command:
+1. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
- **appv\_server\_setup.exe** **/LAYOUT** **/LAYOUTDIR=”InstallationExtractionLocation”**.
+ > [!NOTE]
+ > For more information about modifying the required SIDs contained in the scripts, see [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
-3. After the extraction has been completed, to access the App-V 5.1 database scripts and instructions readme file:
+1. Run the scripts on the computer running Microsoft SQL Server.
- - The App-V 5.1 Management Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Management Database**.
-
- - The App-V 5.1 Reporting Database scripts and instructions readme are located in the following folder: **InstallationExtractionLocation** \\ **Database Scripts** \\ **Reporting Database**.
-
-4. For each database, copy the scripts to a share and modify them following the instructions in the readme file.
-
- **Note**
- For more information about modifying the required SIDs contained in the scripts see, [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using PowerShell](how-to-install-the-app-v-databases-and-convert-the-associated-security-identifiers--by-using-powershell51.md).
-
-
-
-5. Run the scripts on the computer running Microsoft SQL Server.
-
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+**Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
## Related topics
-
[Deploying App-V 5.1](deploying-app-v-51.md)
-
-
-
-
-
-
-
-
-
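Review bot: The two "If you are using a custom ..." sentences under step 6 are handled differently in the two procedures. In the management procedure the first sentence gains a trailing `\` to force a line break, while in the reporting procedure the blank line between the two sentences is removed with no break added, so they will run together into a single paragraph. Use one approach for both procedures and confirm that the trailing backslash renders as a break in the docs build. While these lines are being touched, "the computer on which you want to install it on" in step 1 still carries a duplicated "on", and the bold span `**Create New Management Server Database page**` includes the word "page", unlike its reporting counterpart.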
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index df7f76ca07..9eb57e8521 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -1,6 +1,6 @@
---
title: Evaluating App-V (Windows 10)
-description: Evaluating App-V for Windows 10
+description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index 3b54154537..e03e524b5a 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -1,6 +1,6 @@
---
title: Maintaining App-V (Windows 10)
-description: Maintaining App-V
+description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure.
author: lomayor
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 1100a66787..4245e9fb23 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -1,6 +1,6 @@
---
title: Per-user services in Windows 10 and Windows Server
-description: Learn about per-user services introduced in Windows 10.
+description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md
index e866b0d7c4..58f94bd27e 100644
--- a/windows/client-management/data-collection-for-802-authentication.md
+++ b/windows/client-management/data-collection-for-802-authentication.md
@@ -2,7 +2,7 @@
title: Data collection for troubleshooting 802.1X authentication
ms.reviewer:
manager: dansimp
-description: Data needed for reviewing 802.1X Authentication issues
+description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues.
keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data
ms.prod: w10
ms.mktglfcycl:
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 9d7b5546ff..35227e3c16 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -15,23 +15,18 @@ ms.topic: article
# Create mandatory user profiles
-
**Applies to**
-- Windows 10
+- Windows 10
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
+Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
-A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
-
-Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
-
-When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
+When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
-
-
## Profile extension for each Windows version
The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
@@ -45,121 +40,112 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 |
-For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
+For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).
-## How to create a mandatory user profile
+## Mandatory user profile
First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory.
-**To create a default user profile**
+### How to create a default user profile
1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
> [!NOTE]
> Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
-2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
+1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
- >[!NOTE]
- >Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
+ > [!NOTE]
+ > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
-3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
+1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10).
+ > [!NOTE]
+ > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
- >[!NOTE]
- >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
+1. At a command prompt, type the following command and press **ENTER**.
-3. At a command prompt, type the following command and press **ENTER**.
+ ```dos
+ sysprep /oobe /reboot /generalize /unattend:unattend.xml
+ ```
- `sysprep /oobe /reboot /generalize /unattend:unattend.xml`
-
- (Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
+ (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.)
> [!TIP]
- > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following:
- >
+ > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
+ >
> 
- >
- > Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
+ >
+ > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
-4. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
+1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges.
-5. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
+1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section.
-6. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
+1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.

-7. In **Copy To**, under **Permitted to use**, click **Change**.
+1. In **Copy To**, under **Permitted to use**, click **Change**.

-8. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
+1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
-9. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607.
+1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
+ - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
-10. Click **OK** to copy the default user profile.
+1. Click **OK** to copy the default user profile.
+### How to make the user profile mandatory
-**To make the user profile mandatory**
+1. In File Explorer, open the folder where you stored the copy of the profile.
+ > [!NOTE]
+ > If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
-3. In File Explorer, open the folder where you stored the copy of the profile.
+1. Rename `Ntuser.dat` to `Ntuser.man`.
- >[!NOTE]
- >If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes.
-
-4. Rename `Ntuser.dat` to `Ntuser.man`.
-
-## How to apply a mandatory user profile to users
+## Apply a mandatory user profile to users
In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
-**To apply a mandatory user profile to users**
+### How to apply a mandatory user profile to users
1. Open **Active Directory Users and Computers** (dsa.msc).
-2. Navigate to the user account that you will assign the mandatory profile to.
+1. Navigate to the user account that you will assign the mandatory profile to.
-3. Right-click the user name and open **Properties**.
+1. Right-click the user name and open **Properties**.
-4. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\profile.v6, you would enter \\\\*server*\profile.
+1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
-5. Click **OK**.
+1. Click **OK**.
It may take some time for this change to replicate to all domain controllers.
-
-
## Apply policies to improve sign-in time
When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
-
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- |
| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
-> [!Note]
+> [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition.
-
-
-
-
## Related topics
- [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies)
- [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps)
- [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight)
- [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm)
-
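Review bot: Renaming `## How to create a mandatory user profile` to `## Mandatory user profile` and `## How to apply a mandatory user profile to users` to `## Apply a mandatory user profile to users` changes the heading anchors generated for this page, so inbound links that target the old fragments will stop resolving. Check other articles for links to those fragments before merging, or keep the original H2 text. The new `### How to apply a mandatory user profile to users` also nearly repeats the H2 directly above it; a shorter H3 would avoid two almost identical headings. The apostrophe in "signed-on user’s profile folder" in the CopyProfile step is still a curly quote, while the same patch straightens the quotes around ".v6".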
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 567dfd207e..02f2910d16 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,6 +1,6 @@
---
title: CM\_CellularEntries CSP
-description: CM\_CellularEntries CSP
+description: Configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index 99150bef80..f7544b10a4 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,6 +1,6 @@
---
title: EnterpriseModernAppManagement XSD
-description: Here is the XSD for the application parameters.
+description: Use the EnterpriseModernAppManagement XSD for set application parameters.
ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57
ms.reviewer:
manager: dansimp
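Review bot: The new description has a grammar error, "for set application parameters". Suggest "Use the EnterpriseModernAppManagement XSD to set application parameters."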
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index 9072c3eb82..045b8152d9 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -1,6 +1,6 @@
---
title: NodeCache CSP
-description: NodeCache CSP
+description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache.
ms.assetid: b4dd2b0d-79ef-42ac-ab5b-ee07b3097876
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index e3914d786d..8d4f260502 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -1,6 +1,6 @@
---
title: Personalization CSP
-description: Personalization CSP
+description: Use the Personalization CSP to lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package.
ms.author: dansimp
ms.topic: article
ms.prod: w10
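Review bot: In the new description, "to lock screen and desktop background images" parses as the verb "lock", which is not what the CSP does according to the rest of the sentence. Suggest "Use the Personalization CSP to set the lock screen and desktop background images, prevent users from changing the image, and use the settings in a provisioning package."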
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index 2492302fed..eef4903c8c 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -1,6 +1,6 @@
---
title: Personalization DDF file
-description: Personalization DDF file
+description: Learn how to set the OMA DM device description framework (DDF) for the **Personalization** configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
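Review bot: The new description carries Markdown emphasis (`**Personalization**`) inside the YAML front matter, where it will be emitted as literal asterisks in the page metadata. Drop the asterisks and write the CSP name as plain text.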
diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md
index 7c7efc8c73..c5b211a563 100644
--- a/windows/client-management/mdm/policy-csp-appruntime.md
+++ b/windows/client-management/mdm/policy-csp-appruntime.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - AppRuntime
-description: Policy CSP - AppRuntime
+description: Control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in.Policy CSP - AppRuntime.
ms.author: dansimp
ms.topic: article
ms.prod: w10
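Review bot: The new description ends with "sign in.Policy CSP - AppRuntime.", so the old placeholder text was appended to the new sentence with no space after the period. Remove the trailing "Policy CSP - AppRuntime." so the description ends at "require an account to sign in."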
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 07a7f51c0f..d7f56e3f4c 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - BITS
-description: Policy CSP - BITS
+description: Use StartTime, EndTime and Transfer rate together to define the BITS bandwidth-throttling schedule and transfer rate.
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 64a83cf92a..d3fa4df77e 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Browser
-description: Policy CSP - Browser
+description: Learn how to set the Policy CSP - Browser settings for Microsoft Edge, version 45 and earlier.
ms.topic: article
ms.prod: w10
ms.technology: windows
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 9263511ddf..1e8a860af4 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -111,6 +111,9 @@ manager: dansimp
LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
+
+ LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
+
LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
@@ -2385,6 +2388,74 @@ GP Info:
+
+**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
+
+
+
+
+ Windows Edition |
+ Supported? |
+
+
+ Home |
+  |
+
+
+ Pro |
+ 4 |
+
+
+ Business |
+ 4 |
+
+
+ Enterprise |
+ 4 |
+
+
+ Education |
+ 4 |
+
+
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Network security: Minimum session security for NTLM SSP based (including secure RPC) clients.
+
+This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are:
+
+- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated.
+- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated.
+
+Default:
+
+Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements.
+
+Windows 7 and Windows Server 2008 R2: Require 128-bit encryption.
+
+
+
+GP Info:
+- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
+- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
+
+
+
+
+
+
**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
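Review bot: The added description names two options (Require NTLMv2 session security, Require 128-bit encryption) but never says which value an MDM payload sets to select either of them, so the policy cannot be configured from this text alone; add the data type and supported values before "GP Info". The "Default" paragraphs also stop at Windows 7 and Windows Server 2008 R2, while the edition table above covers Pro, Business, Enterprise and Education, so state the default that applies to those editions as well.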
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index aefb521407..b96fcd749d 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -1,6 +1,6 @@
---
title: Policy CSP - Messaging
-description: Policy CSP - Messaging
+description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging.
ms.author: dansimp
ms.topic: article
ms.prod: w10
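Review bot: In the new description, "Enable, and disable, text message back up and restore" has stray commas and uses the verb form "back up" where the noun is meant. Suggest "Enable or disable text message backup and restore, as well as Messaging Everywhere, by using the Policy CSP for messaging."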
diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md
index 3ea4ca8ee0..57368cb103 100644
--- a/windows/client-management/mdm/remotelock-csp.md
+++ b/windows/client-management/mdm/remotelock-csp.md
@@ -1,6 +1,6 @@
---
title: RemoteLock CSP
-description: RemoteLock CSP
+description: Learn how RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b
ms.reviewer:
manager: dansimp
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 7831cfbce6..28421dc466 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -1,6 +1,6 @@
---
title: WindowsDefenderApplicationGuard CSP
-description: WindowsDefenderApplicationGuard CSP
+description: Configure the settings in Windows Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP).
ms.author: dansimp
ms.topic: article
ms.prod: w10
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index c9d6d3b2c0..f09e5ee991 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -1,6 +1,6 @@
---
title: Assigned Access configuration kiosk XML reference (Windows 10)
-description: XML and XSD for kiosk device configuration.
+description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
ms.reviewer:
manager: dansimp
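Review bot: The new description says "the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration", which repeats "kiosk" and "configuration" and inverts the relationship (the XML and XSD describe the configuration, not the other way round). Suggest "Learn about the XML and XSD used for assigned access (kiosk) device configuration in Windows 10."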
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index bead7186c8..d726744568 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -1,6 +1,6 @@
---
title: Upgrade to UE-V for Windows 10
-description: Explains how to upgrade to the latest version of UE-V.
+description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
@@ -30,7 +30,8 @@ If you’re already using UE-V 2.x and you’re planning to upgrade user devices
5. Install the UE-V template generator if you want to synchronize application settings for custom applications.
-> **Important** You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607..
+> [!IMPORTANT]
+> You can upgrade your existing UE-V installation to Windows 10, version 1607 from UE-V versions 2.1 or 2.0 only. If you are using a previous version of UE-V, you’ll need to upgrade from that version to UE-V 2.x before you upgrade to Windows 10, version 1607.
## Upgrade user devices to Windows 10, version 1607
@@ -38,7 +39,7 @@ Performing an in-place upgrade on user devices automatically installs the UE-V s
## Verify that UE-V settings were migrated correctly
-After upgrading a user device to Windows 10, version 1607, it’s important to verify that UE-V settings and template registrations were migrated correctly during the upgrade. You can verify UE-V settings using Windows Powershell or the device’s registry.
+After upgrading a user device to Windows 10, version 1607, it’s important to verify that UE-V settings and template registrations were migrated correctly during the upgrade. You can verify UE-V settings using Windows PowerShell or the device’s registry.
**To verify UE-V settings using Windows PowerShell**
@@ -48,7 +49,8 @@ After upgrading a user device to Windows 10, version 1607, it’s important to v
3. Type **Get-UEVTemplate** and press ENTER to check that your templates are still registered.
- > **Note** You’ll need to register the NotePad template again after you upgrade the device to Windows 10.
+ > [!NOTE]
+ > You’ll need to register the NotePad template again after you upgrade the device to Windows 10.
**To verify UE-V settings using the device’s registry**
@@ -68,7 +70,8 @@ The UE-V service is the client-side component that captures user-personalized ap
With Windows 10, version 1607 and later, the UE-V service replaces the UE-V Agent and no longer requires a separate download and installation. Enable the service on user devices to start using UE-V. You can enable the service with the Group Policy editor or with Windows PowerShell.
-> **Important** The UE-V Agent used in prior releases of UE-V is replaced with the UE service. The UE-V service included with Windows 10, version 1607 and later releases, does not include the agent user interface and is configurable through cmdlets or registry settings only.
+> [!IMPORTANT]
+> The UE-V Agent used in prior releases of UE-V is replaced with the UE service. The UE-V service included with Windows 10, version 1607 and later releases, does not include the agent user interface and is configurable through cmdlets or registry settings only.
**To enable the UE-V service with Group Policy**
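Review bot: The rewritten note still says the UE-V Agent "is replaced with the UE service"; since this line is being touched anyway, correct it to "UE-V service" so it matches the next sentence and the surrounding paragraph.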
diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
index a2663f503d..0a5cc1a242 100644
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
+++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md
@@ -1,6 +1,6 @@
---
title: Working with Custom UE-V Templates and the UE-V Template Generator
-description: Working with Custom UE-V Templates and the UE-V Template Generator
+description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator.
author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
@@ -98,9 +98,8 @@ Use the UE-V template generator to edit settings location templates. When the re
1. Create a local copy of the settings location template .xml file. UE-V settings location templates are .xml files that identify the locations where application store settings values.
- >**Note**
- A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template.
-
+ > [!NOTE]
+ > A settings location template is unique because of the template **ID**. If you copy the template and rename the .xml file, template registration fails because UE-V reads the template **ID** tag in the .xml file to determine the name, not the file name of the .xml file. UE-V also reads the **Version** number to know if anything has changed. If the version number is higher, UE-V updates the template.
2. Open the settings location template file with an XML editor.
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index c981469bef..8af36e4df1 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -42,7 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https

-The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
+The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 3d77adab6e..2c3214bc3c 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -1345,7 +1345,7 @@ This security group has not changed since Windows Server 2008.
Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.
-However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
+However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
For information, see [DNS Record Ownership and the DnsUpdateProxy Group](https://technet.microsoft.com/library/dd334715.aspx).
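Review bot: The sentence "This group exists only if the DNS server role is or was once installed on a domain controller in the domain." is appended to the paragraph about the dedicated DHCP credential account, where "This group" has no nearby antecedent. Move it to the end of the first paragraph, which introduces the DnsUpdateProxy group, or name the group explicitly.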
@@ -1365,7 +1365,7 @@ This security group has not changed since Windows Server 2008.
Well-Known SID/RID |
-S-1-5-21-<domain>-1103 |
+S-1-5-21-<domain>-<variable RID> |
Type |
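Review bot: The value changes from a fixed RID (1103) to "<variable RID>", but the row label is still "Well-Known SID/RID", which now contradicts the value. Add a short note that the RID is assigned when the group is created, so administrators and audit scripts should resolve the group by name rather than by a hard-coded RID; the same applies to the DnsAdmins row changed from 1102 later in this file.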
@@ -1406,7 +1406,7 @@ This security group has not changed since Windows Server 2008.
### DnsAdmins
-Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
+Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx).
@@ -1426,7 +1426,7 @@ This security group has not changed since Windows Server 2008.
Well-Known SID/RID |
-S-1-5-21-<domain>-1102 |
+S-1-5-21-<domain>-<variable RID> |
Type |
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 2c744d7f98..7e7c2236cd 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -1,6 +1,6 @@
---
title: Local Accounts (Windows 10)
-description: Local Accounts
+description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 3ae86eaffe..c0f08da439 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -36,10 +36,11 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
+5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details.
- 
+ 
-5. Close the Group Policy Management Console.
+6. Close the Group Policy Management Console.
To enforce processing of the group policy, you can run ```gpupdate /force```.
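Review bot: The new step 5 lists three choices (Not Configured, Enabled, Disabled) without saying which one to pick or what each does, whereas step 4 tells the reader exactly which option to click and why. State the recommended value or the effect of each choice, and replace the link text "this article" with a descriptive title for the Secure Launch topic.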
@@ -234,5 +235,3 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
-
-
diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png
new file mode 100644
index 0000000000..ead9410405
Binary files /dev/null and b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
index 4cbec54f34..e91ce1f65c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -63,11 +63,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
-| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
+| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in.|
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP.
|D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. Azure DRS uses the attribute information to create a device object in Azure Active Directory.|
-|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
+|E | The Automatic Device Join task triggers with each user sign-in or every hour, and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
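Review bot: In phase A, the added note ("the Automatic Device Join tasks is triggered on domain join as well as retried every hour") follows a sentence that still says the user sign-in triggers the task, so the row now reads as a statement plus its own correction, and "tasks is" is a grammar error. Fold it into one sentence, for example "The Automatic Device Join task is triggered by user sign-in and by domain join, and is retried every hour." The same wording is added to phase A of the second table and needs the same fix.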
@@ -78,7 +78,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
-| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
+| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in. |
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 4a5e2492fe..ce973a2827 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -33,6 +33,7 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
- Certificate Revocation List (CRL) Distribution Point (CDP)
- 2016 Domain Controllers
- Domain Controller certificate
+- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
### Azure Active Directory Connect synchronization
Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 9c4dba47c8..3cb290695f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Key Trust New Installation
-description: Learn how to perform a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
+description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations.
keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 97c87a6d14..20e50b5d3a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -66,7 +66,7 @@ Key trust deployments do not need client issued certificates for on-premises aut
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
-* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
+* The certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
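Review bot: Dropping "Optionally," from the Subject bullet while keeping "should" leaves the requirement level unclear, because the other bullets in this list use "must" for mandatory items and "Optionally, ... should" for optional ones. If the distinguished name in the Subject is now required, change "should contain" to "must contain"; if it is still optional, keep "Optionally,".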
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index bbe8176263..87b70bbd2c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -80,8 +80,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
->[!NOTE]
->The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail.
+> [!NOTE]
+> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
### Publish Certificate Templates to a Certificate Authority
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index a4029266dd..4e95da0531 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -143,13 +143,14 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C

3. Under **Use the following restricted mode**:
- - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
+ - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
- > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
+ > [!NOTE]
+ > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
+ - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic.
- - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
+ - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic.
4. Click **OK**.
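Review bot: In the first bullet under step 3, the new label **Restrict Credential Delegation** no longer conveys that Remote Credential Guard is preferred with Restricted Admin as the fallback; only the sentence after it explains that. Please confirm that all three option labels match the strings in the policy editor exactly, since choosing the wrong mode changes how credentials are handled. The last bullet pair (**Require Restricted Admin**) shows no visible text change, so if it is whitespace only, say so in the commit message. Also check that the new `> [!NOTE]` block is indented to the level of the bullet it follows so it renders inside the list.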
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index b6fab222d1..92c4d2b8c5 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -1,6 +1,6 @@
---
title: VPN connection types (Windows 10)
-description: tbd
+description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index 66699d9e0b..d067b5a21d 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -239,12 +239,12 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
# Extract the Profile XML from the ps1 file #
- $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*'
+ $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*'
# Create xml format variable to compare with the optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
- [xml]$VPNprofilexml=""+$xmlbody+""
+ [xml]$VPNprofilexml=""+$xmlbody+""
# Loop through each address found in VPNPROFILE XML section #
foreach ($Route in $VPNprofilexml.VPNProfile.Route)
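Review bot: On the `[xml]$VPNprofilexml=...` line, the cast runs on whatever `-replace $regex, '$1'` returns, and `-replace` returns its input unchanged when the pattern does not match, so a file without the expected profile section is handed to the XML parser whole. Test the match first (for example with `-match`) and stop with a clear message when it fails. As rendered here the removed and added `$regex` lines read the same, so state in the commit message what actually changed.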
@@ -349,7 +349,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
# Extract the Profile XML from the XML file #
- $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*'
+ $regex = '(?sm).*^*.\r?\n(.*?)\r?\n.*'
# Create xml format variable to compare with optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
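Review bot: The `$regex` assignment in this `.xml` branch is the same literal as the one in the `.ps1` branch, so the two copies have to be kept in sync by hand. Define the pattern once before both `if` blocks and reuse it.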
@@ -367,7 +367,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
# In VPN list only #
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
- [array]$Inpfile = get-content $VPNprofilefile
+ [System.Collections.ArrayList]$Inpfile = get-content $VPNprofilefile
if ($In_Opt_Only.Count -gt 0 )
{
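Review bot: On the `[System.Collections.ArrayList]$Inpfile = get-content $VPNprofilefile` line, `Get-Content` returns a single string rather than a collection when the file has only one line, so wrap the call as `@(Get-Content $VPNprofilefile)` before the cast. A short comment saying that the type change exists to support the later `$Inpfile.Insert(...)` call would help future readers.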
@@ -377,10 +377,10 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
{
# Add the missing IP address(es) #
$IPInfo=$NewIP.Split("/")
- $inspoint = $Inpfile[0].IndexOf(""+""+$IPInfo[0].Trim()+""+""+$IPInfo[1].Trim()+""+"true"+""
+ $routes += "`n"+"`t"+$IPInfo[0].Trim()+"`n"+"`t"+$IPInfo[1].Trim()+"`n"+"`ttrue`n"+"`n"
}
- $Inpfile = $Inpfile[0].Insert($inspoint,$routes)
+ $inspoint = $Inpfile.IndexOf("")
+ $Inpfile.Insert($inspoint,$routes)
# Update filename and write new XML file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"
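Review bot: `$inspoint = $Inpfile.IndexOf(...)` is used without a check. `ArrayList.IndexOf` compares whole elements, so it returns -1 unless one line of the file equals the search string exactly (indentation included), and `$Inpfile.Insert($inspoint,$routes)` then throws. Guard with `if ($inspoint -lt 0)` and report the problem before inserting. `$routes +=` also appends on every loop iteration, so make sure `$routes` is reset to an empty string before the loop; that initialization is not visible in this hunk.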
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index c1d44d55e0..4a9b1e8b3a 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -1,6 +1,6 @@
---
title: 1102(S) The audit log was cleared. (Windows 10)
-description: Describes security event 1102(S) The audit log was cleared.
+description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
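Review bot: The new `description` reads awkwardly: "Windows Security audit log" needs an article, and the trailing sentence "This is for event 1102(S)." adds nothing the title does not already say. Suggest "Event 1102(S) is generated every time the Windows Security audit log is cleared, which you shouldn't normally see."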
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index 5854f68b90..fbcbb7dad9 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -1,6 +1,6 @@
---
title: 1104(S) The security log is now full. (Windows 10)
-description: Describes security event 1104(S) The security log is now full.
+description: This event generates every time Windows security log becomes full and the event log retention method is set to "Do not overwrite events."
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index cd3b89cac3..e00e49b666 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -1,6 +1,6 @@
---
title: 1105(S) Event log automatic backup. (Windows 10)
-description: Describes security event 1105(S) Event log automatic backup.
+description: This event generates every time Windows security log becomes full and new event log file was created.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
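Review bot: The new `description` mixes tenses and drops articles ("becomes full and new event log file was created"). Suggest "This event generates every time the Windows security log becomes full and a new event log file is created."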
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index dc96de376a..771169d40b 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -1,6 +1,6 @@
---
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
-description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions
+description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
keywords: MBSA, security, removal
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index bfafa218ea..6546ddbb9b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -1,6 +1,6 @@
---
title: Get alert related domains information
-description: Retrieves all domains related to a specific alert.
+description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related domain
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index be84e2c9ca..b9deda47b1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -1,6 +1,6 @@
---
title: Get alert related machine information
-description: Retrieves all machines related to a specific alert.
+description: Retrieve all machines related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index 59e1357d2e..b5b51cf3d7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -1,6 +1,6 @@
---
title: Get machine log on users API
-description: Retrieves a collection of logged on users.
+description: Retrieve a collection of logged on users on a specific machine using Microsoft Defender ATP APIs.
keywords: apis, graph api, supported apis, get, machine, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
index 4b1576ec23..bcfd6506d9 100644
Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
index fdd4146f99..930d43341f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
@@ -1,6 +1,6 @@
---
title: machineAction resource type
-description: Retrieves top recent machineActions.
+description: Quickly respond to detected attacks by isolating machines or collecting an investigation package.
keywords: apis, supported apis, get, machineaction, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
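Review bot: The new `description` talks about response actions (isolating machines, collecting an investigation package) while the `title` says this page documents the machineAction resource type. Name the resource in the description so that search results match what the page contains.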
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
index b84dce1ebe..0a57598987 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
@@ -83,7 +83,7 @@ If you experience any installation failures, refer to [Troubleshooting installat
- SUSE Linux Enterprise Server 12 or higher
- Oracle Linux 7.2 or higher
-- Minimum kernel version 2.6.38
+- Minimum kernel version 3.10.0-327
- The `fanotify` kernel option must be enabled
> [!CAUTION]
> Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
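Review bot: "Minimum kernel version 3.10.0-327" includes a distribution build suffix (`-327`), not just an upstream kernel version, yet the list above it covers SUSE Linux Enterprise Server and Oracle Linux, whose kernel packages number their builds differently. State the upstream minimum or say which distribution the suffix refers to, so readers on the other listed distributions can compare it against `uname -r`.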
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
index 8e4d732734..8342b664ed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
@@ -1,6 +1,6 @@
---
title: Indicator resource type
-description: Indicator entity description.
+description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, supported apis, get, TiIndicator, Indicator, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index af838d196f..d74cf4da9a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -22,7 +22,7 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
+Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
@@ -117,14 +117,28 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
-### Confirm block at first sight is enabled with the Windows Security app
+### Confirm block at first sight is enabled with Registry editor
-You can confirm that block at first sight is enabled in your Windows security settings.
+1. Start Registry Editor.
-Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
+2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that
+
+ 1. **SpynetReporting** key is set to **1**
+
+ 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
+
+3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that
+
+ 1. **DisableIOAVProtection** key is set to **0**
+
+ 2. **DisableRealtimeMonitoring** key is set to **0**
### Confirm Block at First Sight is enabled on individual clients
+You can confirm that block at first sight is enabled on individual clients using Windows security settings.
+
+Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
+
1. Open the Windows Security app.
2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
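Review bot: In the new Registry Editor steps, **SpynetReporting**, **SubmitSamplesConsent**, **DisableIOAVProtection** and **DisableRealtimeMonitoring** are registry values, not keys, and both paths sit under `Software\Policies`, yet the steps do not say how to read a value that is missing. Add a sentence covering that case. Also make the heading ("Registry editor") match the capitalization used in step 1 ("Registry Editor").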
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 97a45e8794..78f6412fd9 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -284,8 +284,6 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
- %windir%\Ntds\Ntds*.pat
-- %windir%\Ntds\EDB*.log
-
- %windir%\Ntds\TEMP.edb
#### The NTDS working folder
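Review bot: The reason for dropping `%windir%\Ntds\EDB*.log` is not stated, and the hunk header places this list in the section on transaction log files, which is where an `EDB*.log` pattern would belong. If the entry duplicated one elsewhere in the topic, say so in the commit message; otherwise readers who build their exclusions from this list lose the entry silently.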
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
index 75d23d70dd..77eca7df65 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
@@ -1,6 +1,6 @@
---
title: Windows Defender Antivirus in the Windows Security app
-description: Windows Defender AV is now included in the Windows Security app.
+description: With Windows Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
index 354ed24f32..d1211abf11 100644
--- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
+++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
@@ -1,6 +1,6 @@
---
title: Create an Outbound Program or Service Rule (Windows 10)
-description: Create an Outbound Program or Service Rule
+description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules.
ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 15c54f8ada..e7201d21c3 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -74,8 +74,8 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ
- \* indicates any local address. If present, this must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255.
- A valid IPv6 address.
-- An IPv4 address range in the format of "start address - end address" with no spaces included.
-- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address.
+- An IPv4 address range in the format of "start address-end address" with no spaces included.
+- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address.
[Learn more](https://aka.ms/intunefirewalllocaladdressrule)
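Review bot: On the IPv6 range bullet, "Default is Any address." still trails the bullet text, while the remote-address list in the next hunk carries the same sentence on its own line after the list. Move it to its own line here too so it reads as the default for the whole setting rather than for IPv6 ranges only.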
@@ -93,8 +93,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru
- LocalSubnet indicates any local address on the local subnet.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
-- An IPv4 address range in the format of "start address - end address" with no spaces included.
-- An IPv6 address range in the format of "start address - end address" with no spaces included.
+- An IPv4 address range in the format of "start address-end address" with no spaces included.
+- An IPv6 address range in the format of "start address-end address" with no spaces included.
Default is Any address.
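Review bot: The unchanged subnet bullet just above the edited lines still reads "If neither a subnet mask not a network prefix is specified". Since this list is being touched, change "not" to "nor" to match the wording in the local-address list.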