diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 63876623e8..e6f31774fd 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6503,7 +6503,7 @@ { "source_path": "store-for-business/app-inventory-management-windows-store-for-business.md", "redirect_url": "/microsoft-store/app-inventory-management-microsoft-store-for-business", -"redirect_document_id": true +"redirect_document_id": false }, { "source_path": "windows/manage/application-development-for-windows-as-a-service.md", diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 5d0635344e..d50c95d74f 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md 
@@ -10,15 +10,25 @@ ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Manage updates to HoloLens](hololens-updates.md) ## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md) +## [Use the HoloLens Clicker](hololens-clicker.md) +## [Restart, reset, or recover the HoloLens](hololens-restart-recover.md) +## [Restart or recover the HoloLens clicker](hololens-clicker-restart-recover.md) # Application Management ## [Install apps on HoloLens](hololens-install-apps.md) ## [Share HoloLens with multiple people](hololens-multiple-users.md) +## [Cortana on HoloLens](hololens-cortana.md) +## [Get apps for HoloLens](hololens-get-apps.md) +## [Use apps on HoloLens](hololens-use-apps.md) +## [Use HoloLens offline](hololens-offline.md) +## [Spaces on HoloLens](hololens-spaces-on-hololens.md) # User/Access Management ## [Set up single application access](hololens-kiosk.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) ## [How HoloLens stores data for spaces](hololens-spaces.md) +## [Find and save files](hololens-find-and-save-files.md) # [Insider preview for Microsoft HoloLens](hololens-insider.md) -# [Change history for Microsoft HoloLens documentation](change-history-hololens.md) \ No newline at end of file +# [Change history for Microsoft HoloLens documentation](change-history-hololens.md) + diff --git a/devices/hololens/hololens-clicker-restart-recover.md b/devices/hololens/hololens-clicker-restart-recover.md new file mode 100644 index 0000000000..81c7ffc704 --- /dev/null +++ b/devices/hololens/hololens-clicker-restart-recover.md 
@@ -0,0 +1,47 @@ +--- +title: Restart or recover the HoloLens clicker +description: Things to try if the HoloLens clicker is unresponsive or isn’t working well. +ms.assetid: 13406eca-e2c6-4cfc-8ace-426ff8f837f4 +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Restart or recover the HoloLens clicker + +Here are some things to try if the HoloLens clicker is unresponsive or isn’t working well. + +## Restart the clicker + +Use the tip of a pen to press and hold the [pairing button](https://support.microsoft.com/en-us/help/12646). + +![Hold the pairing button](images/recover-clicker-1.png) + +At the same time, click and hold the clicker for 15 seconds. If the clicker was already paired with your HoloLens, it will stay paired after it restarts. + +![Hold the clicker](images/recover-clicker-2.png) + +If the clicker won't turn on or restart, try charging it using the HoloLens charger. If the battery is very low, it might take a few minutes for the white indicator light to turn on. + +## Re-pair the clicker + +Go to Settings > Devices and select the clicker. Select Remove, wait a few seconds, then pair the clicker again. + +## Recover the clicker + +If restarting and re-pairing the clicker don’t fix the problem, the Windows Device Recovery Tool can help you recover it. The recovery process may take some time, and the latest version of the clicker software will be installed. To use the tool, you’ll need a computer running Windows 10 or later with at least 4 GB of free storage space. + +To recover the clicker: + +1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer. +1. Connect the clicker to your computer using the Micro USB cable that came with your HoloLens. +1. 
Run the Windows Device Recovery Tool and follow the instructions. + +If the clicker isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-clicker.md b/devices/hololens/hololens-clicker.md new file mode 100644 index 0000000000..8ec7e8077b --- /dev/null +++ b/devices/hololens/hololens-clicker.md 
@@ -0,0 +1,65 @@ +--- +title: Use the HoloLens Clicker +description: +ms.assetid: 7d4a30fd-cf1d-4c9a-8eb1-1968ccecbe59 +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Use the HoloLens Clicker + +The clicker was designed specifically for HoloLens and gives you another way to interact with holograms. It comes with HoloLens, in a separate box. Use it in place of hand gestures to select, scroll, move, and resize. + +![The HoloLens Clicker](images/use-hololens-clicker-1.png) + +## Hold the clicker + +To put on the clicker, slide the loop over your ring or middle finger with the Micro USB port toward your wrist. Rest your thumb in the indentation. + +![How to hold the Clicker](images/use-hololens-clicker-2.png) + +## Clicker gestures + +Clicker gestures are small wrist rotations, not the larger movements used for HoloLens hand gestures. And HoloLens will recognize your gestures and clicks even if the clicker is outside the [gesture frame](https://support.microsoft.com/help/12644), so you can hold the clicker in the position that's most comfortable for you​. + +- **Select**. To select a hologram, button, or other element, gaze at it, then click. + +- **Click and hold**. Click and hold your thumb down on the button to do some of the same things you would with tap and hold, like move or resize a hologram. + +- **Scroll**. On the app bar, select **Scroll Tool**. Click and hold, then rotate the clicker up, down, left, or right. To scroll faster, move your hand farther from the center of the scroll tool. + +- **Zoom**. On the app bar, select **Zoom Tool**. Click and hold, then rotate the clicker up to zoom in, or down to zoom out. + +>[!TIP] +>In Microsoft Edge, gaze at a page and double-click to zoom in or out. 
+ +## Pair and charge the clicker + +To pair the clicker with your HoloLens, see [Pair Bluetooth devices](https://support.microsoft.com/help/12636). + +When the clicker battery is low, the battery indicator will blink amber. Plug the Micro USB cable into a USB power supply to charge the device. + +## Indicator lights + +Here's what the lights on the clicker mean. + +- **Blinking white**. The clicker is in pairing mode. + +- **Fast-blinking white**. Pairing was successful. + +- **Solid white**. The clicker is charging. + +- **Blinking amber**. The battery is low. + +- **Solid amber**. The clicker ran into an error and you'll need to restart it. While pressing the pairing button, click and hold for 15 seconds. + +>[!NOTE] +>If the clicker doesn't respond or won't start, see [Restart or recover the HoloLens clicker](https://support.microsoft.com/help/15555/hololens-restart-or-recover-the-hololens-clicker). diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md new file mode 100644 index 0000000000..8c74b3b97e --- /dev/null +++ b/devices/hololens/hololens-cortana.md 
@@ -0,0 +1,50 @@ +--- +title: Cortana on HoloLens +description: Cortana can help you do all kinds of things on your HoloLens +ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Cortana on HoloLens + +Cortana can help you do all kinds of things on your HoloLens, from searching the web to shutting down your device. To get her attention, select Cortana on Start or say "Hey Cortana" anytime. + +![Hey Cortana!](images/cortana-on-hololens.png) + +## What do I say to Cortana + +Here are some things you can try saying (remember to say "Hey Cortana" first): + +- What can I say? +- Increase the volume. +- Decrease the brightness. +- Shut down. +- Restart. +- Go to sleep. +- Mute. +- Launch . +- Move here (gaze at the spot you want the app to move to). +- Go to Start. +- Take a picture. +- Start recording. (Starts recording a video.) +- Stop recording. (Stops recording a video.) +- Call . (Requires Skype.) +- What time is it? +- Show me the latest NBA scores. +- How much battery do I have left? +- Tell me a joke. + +>[!NOTE] +>- Some Cortana features you're used to from Windows on your PC or phone (for example, reminders and notifications) aren't supported in Microsoft HoloLens Development Edition. Cortana on HoloLens is English only, and the Cortana experience may vary among regions. +>- Cortana is on the first time you use HoloLens. You can turn her off in Cortana's settings. In the All apps list, select Cortana > Settings. Then turn off Cortana can give you suggestions, ideas, reminders, alerts, and more. +>- If Cortana isn't responding to "Hey Cortana," go to Cortana's settings and check to make sure she's on. 
+>- If you turn Cortana off, "Hey Cortana" voice commands won't be available, but you'll still be able to use other commands (like "Select" and "Place"). diff --git a/devices/hololens/hololens-find-and-save-files.md b/devices/hololens/hololens-find-and-save-files.md new file mode 100644 index 0000000000..ba459eff13 --- /dev/null +++ b/devices/hololens/hololens-find-and-save-files.md 
@@ -0,0 +1,44 @@ +--- +title: Find and save files on HoloLens +description: Use File Explorer on HoloLens to view and manage files on your device +ms.assetid: 77d2e357-f65f-43c8-b62f-6cd9bf37070a +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Find and save files on HoloLens + +Files you create on HoloLens, including Office documents, photos, and videos, are saved to your HoloLens. To view and manage them, you can use the File Explorer app on HoloLens or File Explorer on your PC. To sync photos and other files to the cloud, use the OneDrive app on HoloLens. + +## View files on HoloLens + +Use File Explorer on HoloLens to view and manage files on your device, including 3D objects, documents, and pictures. Go to Start > All apps > File Explorer on HoloLens to get started. + +>[!TIP] +>If there are no files listed in File Explorer, select **This Device** in the top left pane. + +## View HoloLens files on your PC + +To see your HoloLens files in File Explorer on your PC: + +1. Sign in to HoloLens, then plug it into the PC using the USB cable that came with the HoloLens. + +1. Select **Open Device to view files with File Explorer**, or open File Explorer on the PC and navigate to the device. + +>[!TIP] +>To see info about your HoloLens, right-click the device name in File Explorer on your PC, then select **Properties**. + +## Sync to the cloud + +To sync photos and other files from your HoloLens to the cloud, install and set up OneDrive on HoloLens. To get OneDrive, search for it in the Microsoft Store on your HoloLens. + +>[!TIP] +>HoloLens doesn't back up app files and data, so it's a good idea to save your important stuff to OneDrive. That way, if you reset your device or uninstall an app, your info will be backed up. 
diff --git a/devices/hololens/hololens-get-apps.md b/devices/hololens/hololens-get-apps.md new file mode 100644 index 0000000000..cd14341075 --- /dev/null +++ b/devices/hololens/hololens-get-apps.md 
@@ -0,0 +1,37 @@ +--- +title: Get apps for HoloLens +description: The Microsoft Store is your source for apps and games that work with HoloLens. +ms.assetid: cbe9aa3a-884f-4a92-bf54-8d4917bc3435 +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Get apps for HoloLens + +The Microsoft Store is your source for apps and games that work with HoloLens. When you go to the Store on your HoloLens, any apps you see there will run on it. + +Apps on HoloLens use either 2D view or holographic view. Apps with 2D view look like windows and can be positioned all around you. Apps that use holographic view surround you and become the only app you see. + +## Get apps + +Open the Microsoft Store from the Start menu. Then browse for apps and games (or use your voice to search​), select the microphone on the HoloLens keyboard, and start talking. + +To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](http://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**. + +## Find your apps + +Once you've installed an app, you'll find it in the All apps list​ (Start > All apps ). Keep apps handy by [pinning them to Start](https://support.microsoft.com/help/12638). + +App updates are automatic, and they're free. + +>[!NOTE] +>- To purchase apps in the Store, the billing address for your payment method must match the country or region your HoloLens is set to. +>- Some apps may not be available in all countries and regions. diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 01dcda9e51..b648efe898 100644 --- a/devices/hololens/hololens-kiosk.md 
+++ b/devices/hololens/hololens-kiosk.md @@ -16,7 +16,7 @@ manager: dansimp -In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#guest) +In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional) When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
@@ -40,21 +40,19 @@ The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft >Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk: -- You can use [Microsoft Intune or other mobile device management (MDM) service](#intune-kiosk) to configure single-app and multi-app kiosks. -- You can [use a provisioning package](#ppkg-kiosk) to configure single-app and multi-app kiosks. -- You can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device. +- You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks. +- You can [use a provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks. +- You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device. -For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. +For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. 
- -## Start layout for HoloLens +## Start layout for HoloLens -If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](#ppkg-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. +If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. >[!NOTE] >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. - ### Start layout file for MDM (Intune and others) Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). @@ -80,7 +78,7 @@ Save the following sample as an XML file. You will select this file when you con ### Start layout for a provisioning package -You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file. +You will [create an XML file](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file. ```xml 
@@ -100,34 +98,28 @@ You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to ]]> -``` +``` - ## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings). -For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. +For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-a-kiosk-configuration-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. - - - ## Setup kiosk mode using a provisioning package (Windows 10, version 1803) Process: -1. [Create an XML file that defines the kiosk configuration.](#create-xml-file) -2. [Add the XML file to a provisioning package.](#add-xml) -3. [Apply the provisioning package to HoloLens.](#apply-ppkg) +1. [Create an XML file that defines the kiosk configuration.](#create-a-kiosk-configuration-xml-file) +2. [Add the XML file to a provisioning package.](#add-the-kiosk-configuration-xml-file-to-a-provisioning-package) +3. 
[Apply the provisioning package to HoloLens.](#apply-the-provisioning-package-to-hololens) - ### Create a kiosk configuration XML file Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), with the following exceptions: - Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens. -- Use the [placeholder Start XML](#start-kiosk) for HoloLens. +- Use the [placeholder Start XML](#start-layout-for-hololens) for HoloLens. - #### Add guest access to the kiosk configuration (optional) In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out. @@ -143,8 +135,6 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ``` - - ### Add the kiosk configuration XML file to a provisioning package 1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22). @@ -174,8 +164,6 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* 16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - ### Apply the provisioning package to HoloLens 1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). 
@@ -191,7 +179,6 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE. - ## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803) 1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. diff --git a/devices/hololens/hololens-offline.md b/devices/hololens/hololens-offline.md new file mode 100644 index 0000000000..49190e6907 --- /dev/null +++ b/devices/hololens/hololens-offline.md @@ -0,0 +1,23 @@ +--- +title: Use HoloLens offline +description: To set up HoloLens, you'll need to connect to a Wi-Fi network +ms.assetid: b86f603c-d25f-409b-b055-4bbc6edcd301 +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Use HoloLens offline + +To set up HoloLens, you'll need to connect to a Wi-Fi network—the setup tutorial will show you how. + +## HoloLens limitations + +After your HoloLens is set up, you can use it without a Wi-Fi connection, but apps that use Internet connections may have limited capabilities when you use HoloLens offline. diff --git a/devices/hololens/hololens-restart-recover.md b/devices/hololens/hololens-restart-recover.md new file mode 100644 index 0000000000..9bf0cddb37 --- /dev/null +++ b/devices/hololens/hololens-restart-recover.md 
@@ -0,0 +1,55 @@ +--- +title: Restart, reset, or recover HoloLens +description: Restart, reset, or recover HoloLens +ms.assetid: 9a546416-1648-403c-9e0c-742171b8812e +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Restart, reset, or recover HoloLens + +Here are some things to try if your HoloLens is unresponsive, isn’t running well, or is experiencing software or update problems. + +## Restart your HoloLens + +If your HoloLens isn’t running well or is unresponsive, try the following things. + +First, try restarting the device: say, "Hey Cortana, restart the device." + +If you’re still having problems, press the power button for 4 seconds, until all of the battery indicators fade out. Wait 1 minute, then press the power button again to turn on the device. + +If neither of those things works, force restart the device. Hold down the power button for 10 seconds. Release it and wait 30 seconds, then press the power button again to turn on the device. + +## Reset or recover your HoloLens + +If restarting your HoloLens doesn’t help, another option is to reset it. If resetting it doesn’t fix the problem, the Windows Device Recovery Tool can help you recover your device. + +>[!IMPORTANT] +>Resetting or recovering your HoloLens will erase all of your personal data, including apps, games, photos, and settings. You won’t be able to restore a backup once the reset is complete. + +## Reset + +Resetting your HoloLens keeps the version of the Windows Holographic software that’s installed on it and returns everything else to factory settings. + +To reset your HoloLens, go to **Settings** > **Update** > **Reset** and select **Reset device**. The battery will need to have at least a 40 percent charge remaining to reset. 
+ +## Recover using the Windows Device Recovery Tool + +Before you use this tool, determine if restarting or resetting your HoloLens fixes the problem. The recovery process may take some time, and the latest version of the Windows Holographic software approved for your HoloLens will be installed. + +To use the tool, you’ll need a computer running Windows 10 or later, with at least 4 GB of free storage space. Please note that you can’t run this tool on a virtual machine. +To recover your HoloLens + +1. Download and install the [Windows Device Recovery Tool](https://dev.azure.com/ContentIdea/ContentIdea/_queries/query/8a004dbe-73f8-4a32-94bc-368fc2f2a895/) on your computer. +1. Connect the clicker to your computer using the Micro USB cable that came with your HoloLens. +1. Run the Windows Device Recovery Tool and follow the instructions. + +If the clicker isn’t automatically detected, select **My device was not detected** and follow the instructions to put your device into recovery mode. diff --git a/devices/hololens/hololens-spaces-on-hololens.md b/devices/hololens/hololens-spaces-on-hololens.md new file mode 100644 index 0000000000..5c04bb7c3e --- /dev/null +++ b/devices/hololens/hololens-spaces-on-hololens.md 
@@ -0,0 +1,40 @@ +--- +title: Spaces on HoloLens +description: HoloLens blends holograms with your world +ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Spaces on HoloLens + +HoloLens blends holograms with your world, mapping your surroundings to remember where you place your apps and content. + +>[!NOTE] +>For your HoloLens to work properly, HoloLens Wi-Fi needs to be turned on, though it doesn't have to be connected to a network. + +## Tips for setting up your space + +HoloLens works best in certain kinds of environments. Choose a room with adequate light and plenty of space. Avoid dark spaces and rooms with a lot of dark, shiny, or translucent surfaces (for instance, mirrors or gauzy curtains). + +>[!NOTE] +>HoloLens is optimized for indoor use. Use it in a safe place with no tripping hazards. [More on safety](https://support.microsoft.com/help/4023454/safety-information). + +## Mapping your space + +When HoloLens starts mapping your surroundings, you'll see a mesh graphic spreading over the space. + +To help HoloLens learn a space, walk around the space and gaze around you. Air tap in a space to light up the mesh and see what's been mapped. + +If your space changes significantly—for example, if a piece of furniture is moved—you might need to walk around the space and gaze around you so HoloLens can relearn it. + +>[!NOTE] +>If HoloLens is having trouble mapping your space or you're have difficulty placing holograms, see [HoloLens and holograms: FAQ](https://support.microsoft.com/help/13456/hololens-and-holograms-faq). diff --git a/devices/hololens/hololens-use-apps.md b/devices/hololens/hololens-use-apps.md new file mode 100644 index 0000000000..e3d0aba0a9 --- /dev/null +++ b/devices/hololens/hololens-use-apps.md 
@@ -0,0 +1,40 @@ +--- +title: Use apps on HoloLens +description: Apps on HoloLens use either 2D view or holographic view. +ms.assetid: 6bd124c4-731c-4bcc-86c7-23f9b67ff616 +ms.reviewer: jarrettrenshaw +ms.date: 07/01/2019 +manager: v-miegge +keywords: hololens +ms.prod: hololens +ms.sitesec: library +author: v-miegge +ms.author: v-miegge +ms.topic: article +ms.localizationpriority: medium +--- + +# Use apps on HoloLens + +Apps on HoloLens use either 2D view or holographic view. Apps with 2D view look like windows, and apps with holographic view surround you and become the only app you see. + +## Open apps + +You'll find your apps either pinned to Start or in the All apps list. To get to the All apps list, use the bloom gesture to go to Start, then select **All apps**. + +On Start or in the All apps list, select an app. It will open in a good position for viewing. + +>[!NOTE] +>- Up to three 2D app windows can be active at a time. You can open more, but only three will remain active. +>- Each open app can have one active window at a time, except Microsoft Edge, which can have up to three. +>- If you're having problems with apps, make sure there's enough light in your space, and walk around so HoloLens has a current scan. If you keep having trouble, see [HoloLens and holograms: FAQ](https://support.microsoft.com/help/13456/hololens-and-holograms-faq) for more info. + +## Move, resize, and rotate apps + +After opening an app, you can [change its position and size](https://support.microsoft.com/help/12634). + +## Close apps + +To close an app that uses 2D view, gaze at it, then select **Close**. + +To close an app that uses holographic view, use the bloom gesture to leave holographic view, then select **Close**. diff --git a/devices/hololens/images/cortana-on-hololens.png b/devices/hololens/images/cortana-on-hololens.png new file mode 100644 index 0000000000..6205d3d2fd Binary files /dev/null and b/devices/hololens/images/cortana-on-hololens.png differ 
diff --git a/devices/hololens/images/recover-clicker-1.png b/devices/hololens/images/recover-clicker-1.png new file mode 100644 index 0000000000..ad54e6ee09 Binary files /dev/null and b/devices/hololens/images/recover-clicker-1.png differ diff --git a/devices/hololens/images/recover-clicker-2.png b/devices/hololens/images/recover-clicker-2.png new file mode 100644 index 0000000000..d7a9d6fd0d Binary files /dev/null and b/devices/hololens/images/recover-clicker-2.png differ diff --git a/devices/hololens/images/use-hololens-clicker-1.png b/devices/hololens/images/use-hololens-clicker-1.png new file mode 100644 index 0000000000..ad54e6ee09 Binary files /dev/null and b/devices/hololens/images/use-hololens-clicker-1.png differ diff --git a/devices/hololens/images/use-hololens-clicker-2.png b/devices/hololens/images/use-hololens-clicker-2.png new file mode 100644 index 0000000000..d7a9d6fd0d Binary files /dev/null and b/devices/hololens/images/use-hololens-clicker-2.png differ diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index b11da0acf8..c27420b606 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -6,6 +6,7 @@ ### [What's new in Surface Hub 2S for IT admins](surface-hub-2s-whats-new.md) ### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) ### [Operating system essentials (Surface Hub) ](differences-between-surface-hub-and-windows-10-enterprise.md) +### [Adjust Surface Hub 2S brightness, volume, and input](surface-hub-2s-onscreen-display.md) ## Plan ### [Surface Hub 2S Site Readiness Guide](surface-hub-2s-site-readiness-guide.md) 
@@ -20,7 +21,8 @@ ### [Configure Easy Authentication for Surface Hub 2S](surface-hub-2s-phone-authenticate.md) ## Deploy -### [First run setup for Surface Hub 2S](surface-hub-2s-setup.md) +### [Surface Hub 2S adoption toolkit](surface-hub-2s-adoption-kit.md) +### [First time setup for Surface Hub 2S](surface-hub-2s-setup.md) ### [Surface Hub 2S deployment checklist](surface-hub-2s-deploy-checklist.md) ### [Create Surface Hub 2S device account](surface-hub-2s-account.md) ### [Create provisioning packages for Surface Hub 2S](surface-hub-2s-deploy.md) diff --git a/devices/surface-hub/downloads/Guide-Surface Hub 2S-Office365.pptx b/devices/surface-hub/downloads/Guide-Surface Hub 2S-Office365.pptx new file mode 100644 index 0000000000..4fa5e3abd9 Binary files /dev/null and b/devices/surface-hub/downloads/Guide-Surface Hub 2S-Office365.pptx differ diff --git a/devices/surface-hub/downloads/Guide-SurfaceHub 2S-Navigation.pptx b/devices/surface-hub/downloads/Guide-SurfaceHub 2S-Navigation.pptx new file mode 100644 index 0000000000..b06a6e8b44 Binary files /dev/null and b/devices/surface-hub/downloads/Guide-SurfaceHub 2S-Navigation.pptx differ diff --git a/devices/surface-hub/downloads/Guide-SurfaceHub2S-Teams.pptx b/devices/surface-hub/downloads/Guide-SurfaceHub2S-Teams.pptx new file mode 100644 index 0000000000..210102de52 Binary files /dev/null and b/devices/surface-hub/downloads/Guide-SurfaceHub2S-Teams.pptx differ diff --git a/devices/surface-hub/downloads/Guide-SurfaceHub2S-Whiteboard.pptx b/devices/surface-hub/downloads/Guide-SurfaceHub2S-Whiteboard.pptx new file mode 100644 index 0000000000..6d39d374a7 Binary files /dev/null and b/devices/surface-hub/downloads/Guide-SurfaceHub2S-Whiteboard.pptx differ 
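Review bot: the four .pptx files added under devices/surface-hub/downloads/ follow three different naming patterns, two of them containing spaces: `Guide-Surface Hub 2S-Office365.pptx`, `Guide-SurfaceHub 2S-Navigation.pptx`, and the space-free `Guide-SurfaceHub2S-Teams.pptx` and `Guide-SurfaceHub2S-Whiteboard.pptx`. Spaces in a path have to be percent-encoded in every Markdown link that points at the file and are easy to get wrong. Rename the first two to the space-free form before anything links to them.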
diff --git a/devices/surface-hub/downloads/Outline-SurfaceHub2S-EndUser.pdf b/devices/surface-hub/downloads/Outline-SurfaceHub2S-EndUser.pdf new file mode 100644 index 0000000000..6c5b52d377 Binary files /dev/null and b/devices/surface-hub/downloads/Outline-SurfaceHub2S-EndUser.pdf differ diff --git a/devices/surface-hub/downloads/Outline-SurfaceHub2S-HelpDesk.pdf b/devices/surface-hub/downloads/Outline-SurfaceHub2S-HelpDesk.pdf new file mode 100644 index 0000000000..ae296c8c08 Binary files /dev/null and b/devices/surface-hub/downloads/Outline-SurfaceHub2S-HelpDesk.pdf differ diff --git a/devices/surface-hub/downloads/Outline-SurfaceHub2S-PowerUser.pdf b/devices/surface-hub/downloads/Outline-SurfaceHub2S-PowerUser.pdf new file mode 100644 index 0000000000..9f64a7c4f2 Binary files /dev/null and b/devices/surface-hub/downloads/Outline-SurfaceHub2S-PowerUser.pdf differ diff --git a/devices/surface-hub/downloads/QRCConnectYourPC.pdf b/devices/surface-hub/downloads/QRCConnectYourPC.pdf new file mode 100644 index 0000000000..fbdb9d9164 Binary files /dev/null and b/devices/surface-hub/downloads/QRCConnectYourPC.pdf differ diff --git a/devices/surface-hub/downloads/QRCJoinTeamsMeeting.pdf b/devices/surface-hub/downloads/QRCJoinTeamsMeeting.pdf new file mode 100644 index 0000000000..62b86d2a00 Binary files /dev/null and b/devices/surface-hub/downloads/QRCJoinTeamsMeeting.pdf differ diff --git a/devices/surface-hub/downloads/QRCManageTeamsMeeting.pdf b/devices/surface-hub/downloads/QRCManageTeamsMeeting.pdf new file mode 100644 index 0000000000..a6af26dcf9 Binary files /dev/null and b/devices/surface-hub/downloads/QRCManageTeamsMeeting.pdf differ diff --git a/devices/surface-hub/downloads/QRCNavigationBasics.pdf b/devices/surface-hub/downloads/QRCNavigationBasics.pdf new file mode 100644 index 0000000000..6d8eb75ad5 Binary files /dev/null and b/devices/surface-hub/downloads/QRCNavigationBasics.pdf differ 
diff --git a/devices/surface-hub/downloads/QRCScheduleTeamsMeeting.pdf b/devices/surface-hub/downloads/QRCScheduleTeamsMeeting.pdf new file mode 100644 index 0000000000..a33cf1b1e1 Binary files /dev/null and b/devices/surface-hub/downloads/QRCScheduleTeamsMeeting.pdf differ diff --git a/devices/surface-hub/downloads/QRCShareSendFile.pdf b/devices/surface-hub/downloads/QRCShareSendFile.pdf new file mode 100644 index 0000000000..56d5c9f8c2 Binary files /dev/null and b/devices/surface-hub/downloads/QRCShareSendFile.pdf differ diff --git a/devices/surface-hub/downloads/QRCSignInToViewMeetingsFiles.pdf b/devices/surface-hub/downloads/QRCSignInToViewMeetingsFiles.pdf new file mode 100644 index 0000000000..61caa64f94 Binary files /dev/null and b/devices/surface-hub/downloads/QRCSignInToViewMeetingsFiles.pdf differ diff --git a/devices/surface-hub/downloads/QRCStartNewTeamsMeeting.pdf b/devices/surface-hub/downloads/QRCStartNewTeamsMeeting.pdf new file mode 100644 index 0000000000..d7a7c89268 Binary files /dev/null and b/devices/surface-hub/downloads/QRCStartNewTeamsMeeting.pdf differ diff --git a/devices/surface-hub/downloads/QRCWhiteboardAdvanced.pdf b/devices/surface-hub/downloads/QRCWhiteboardAdvanced.pdf new file mode 100644 index 0000000000..aed2f55671 Binary files /dev/null and b/devices/surface-hub/downloads/QRCWhiteboardAdvanced.pdf differ diff --git a/devices/surface-hub/downloads/QRCWhiteboardTools.pdf b/devices/surface-hub/downloads/QRCWhiteboardTools.pdf new file mode 100644 index 0000000000..c6dfcc3523 Binary files /dev/null and b/devices/surface-hub/downloads/QRCWhiteboardTools.pdf differ diff --git a/devices/surface-hub/downloads/SurfaceHubAdoptionToolKit.pdf b/devices/surface-hub/downloads/SurfaceHubAdoptionToolKit.pdf new file mode 100644 index 0000000000..79675aaaaa Binary files /dev/null and b/devices/surface-hub/downloads/SurfaceHubAdoptionToolKit.pdf differ 
diff --git a/devices/surface-hub/downloads/Training Guide-SurfaceHub2S-HelpDesk.pdf b/devices/surface-hub/downloads/Training Guide-SurfaceHub2S-HelpDesk.pdf new file mode 100644 index 0000000000..9e3ac0aa01 Binary files /dev/null and b/devices/surface-hub/downloads/Training Guide-SurfaceHub2S-HelpDesk.pdf differ diff --git a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf new file mode 100644 index 0000000000..b8b6d804a9 Binary files /dev/null and b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-EndUser.pdf differ diff --git a/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf new file mode 100644 index 0000000000..a40bdf33d6 Binary files /dev/null and b/devices/surface-hub/downloads/TrainingGuide-SurfaceHub2S-PowerUser.pdf differ diff --git a/devices/surface-hub/images/sh2-onscreen-display.png b/devices/surface-hub/images/sh2-onscreen-display.png new file mode 100644 index 0000000000..4605f50734 Binary files /dev/null and b/devices/surface-hub/images/sh2-onscreen-display.png differ diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md index 4d09394933..810691dfe8 100644 --- a/devices/surface-hub/local-management-surface-hub-settings.md +++ b/devices/surface-hub/local-management-surface-hub-settings.md @@ -7,7 +7,7 @@ ms.sitesec: library author: dansimp ms.author: dansimp ms.topic: article -ms.date: 06/20/2019 +ms.date: 07/08/2019 ms.reviewer: manager: dansimp ms.localizationpriority: medium 
@@ -29,7 +29,6 @@ Surface Hubs have many settings that are common to other Windows devices, but al | Change admin account password | Surface Hub > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. | | Device Management | Surface Hub > Device management | Manage policies and business applications using mobile device management (MDM). | | Provisioning packages | Surface Hub > Device management | Set or change provisioning packages installed on the Surface Hub. | -| Configure Operations Management Suite (OMS) | Surface Hub > Device management | Set up monitoring for your Surface Hub using OMS. | | Open the Microsoft Store app | Surface Hub > Apps & features | The Microsoft Store app is only available to admins through the Settings app. | | Skype for Business domain name | Surface Hub > Calling & Audio | Configure a domain name for your Skype for Business server. | | Default Speaker volume | Surface Hub > Calling & Audio | Configure the default speaker volume for the Surface Hub when it starts a session. | diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md index aeff0b3763..acd4207515 100644 --- a/devices/surface-hub/save-bitlocker-key-surface-hub.md +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md @@ -10,7 +10,7 @@ ms.sitesec: library author: levinec ms.author: ellevin ms.topic: article -ms.date: 06/20/2019 +ms.date: 07/08/2019 ms.localizationpriority: medium --- 
@@ -27,7 +27,7 @@ There are several ways to manage your BitLocker key on the Surface Hub. 2. If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device. -3. If you’re using an admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive. +3. If you’re using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive. ## Related topics diff --git a/devices/surface-hub/surface-hub-2s-adoption-kit.md b/devices/surface-hub/surface-hub-2s-adoption-kit.md new file mode 100644 index 0000000000..86b18eea48 --- /dev/null +++ b/devices/surface-hub/surface-hub-2s-adoption-kit.md 
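Review bot: step 3 of save-bitlocker-key-surface-hub.md ends at "The key will be saved to a text file on the USB drive" and gives no guidance on handling that file. At that point the recovery key sits in a plain text file on removable media, so the step should add a sentence telling the admin to move the key into the organization's protected key storage and to secure or wipe the USB drive afterwards.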
@@ -0,0 +1,41 @@ +--- +title: "Surface Hub 2S adoption toolkit" +description: "Microsoft has developed downloadable materials that you can make available for your users to aid in adoption of Surface Hub 2S." +keywords: separate values with commas +ms.prod: surface-hub +ms.sitesec: library +author: robmazz +ms.author: robmazz +audience: Admin +ms.topic: article +ms.date: 07/08/2019 +ms.localizationpriority: Normal +--- + + # Surface Hub 2S adoption toolkit +Microsoft has developed downloadable materials that you can make available for your users to aid in adoption of Surface Hub 2S. + +## Training guides +- Surface Hub adoption toolkit +- Training guide – end user +- Training guide – power user +- Training guide – help desk +- Training guide – Microsoft Teams desktop + +## End user guides +- Guide to Navigation on Surface Hub our +- Guide to Office 365 on Surface Hub +- Guide to Microsoft Whiteboard on Surface Hub +- Guide to Microsoft Teams on Surface Hub + +## Quick reference cards +- Connect your PC +- Join a Teams Meeting +- Manage a Teams meeting +- Navigation basics +- Schedule a Teams meeting +- Start a new Teams meeting +- Share or send a file +- Sign in to view meetings and files +- Whiteboard advanced +- Whiteboard tools diff --git a/devices/surface-hub/surface-hub-2s-onscreen-display.md b/devices/surface-hub/surface-hub-2s-onscreen-display.md new file mode 100644 index 0000000000..3ce023df33 --- /dev/null +++ b/devices/surface-hub/surface-hub-2s-onscreen-display.md 
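Review bot: the front matter of surface-hub-2s-adoption-kit.md still carries the template placeholder `keywords: separate values with commas`; replace it with real keywords or remove the field. In the body, "Guide to Navigation on Surface Hub our" has a stray trailing word, and none of the items under "Training guides", "End user guides" or "Quick reference cards" is a link even though the description calls them downloadable materials, so the page as written gives readers nothing to download. Link each item to its file under downloads/.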
@@ -0,0 +1,37 @@ +--- +title: "Adjust Surface Hub 2S brightness, volume, and input" +description: "Learn how to use the onscreen display to adjust brightness and other settings in Surface Hub 2S." +keywords: separate values with commas +ms.prod: surface-hub +ms.sitesec: library +author: robmazz +ms.author: robmazz +audience: Admin +ms.topic: article +ms.date: 07/09/2019 +ms.localizationpriority: Normal +--- +# Adjust Surface Hub 2S brightness, volume, and input +Surface Hub 2S provides an on-screen display for volume, brightness, and input control. The Source button functions as a toggle key to switch between the volume, brightness, and input control menus. + +**To show the on-screen display:** + +- Press and hold the **Source** button for 4 seconds. + + ![Surface Hub 2S on-screen display](images/sh2-onscreen-display.png)
+ + When the on-screen display is visible, use one or more buttons to reach desired settings. + +**To adjust volume:** + +- Use the **Volume up/down** button to increase or decrease volume. + +**To adjust brightness:** + +1. Press the **Source** button again to switch to the brightness menu. +2. Use the **Volume up/down** button to increase or decrease brightness. + +**To adjust input:** + +1. Press the **Source** button twice to switch to the Source menu. +2. Use the **Volume up/down** button to switch between PC, HDMI, and USB-C inputs. diff --git a/devices/surface-hub/surface-hub-2s-pack-components.md b/devices/surface-hub/surface-hub-2s-pack-components.md index b052993bf1..3f5365d0fe 100644 --- a/devices/surface-hub/surface-hub-2s-pack-components.md +++ b/devices/surface-hub/surface-hub-2s-pack-components.md @@ -19,15 +19,9 @@ If you replace your Surface Hub 2S, one of its components, or a related accessor >[!IMPORTANT] >When packing your device for shipment, make sure that you use the packaging in which your replacement device arrived. -This article contains the following procedures: +## How to pack your Surface Hub 2S 50” -- [How to pack your Surface Hub 2S 55”](#how-to-pack-your-surface-hub-2s-55) -- [How to replace and pack your Surface Hub 2S Compute Cartridge](#how-to-replace-and-pack-your-surface-hub-2s-compute-cartridge) -- [How to replace your Surface Hub 2S Camera](#how-to-replace-your-surface-hub-2s-camera) - -## How to pack your Surface Hub 2S 55” - -Use the following steps to pack your Surface Hub 2S 55" for shipment. +Use the following steps to pack your Surface Hub 2S 50" for shipment. ![The Surface Hub unit and mobile stand.](images/surface-hub-2s-repack-1.png) diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md index 6e9b7a9df3..610cdcc697 100644 --- a/devices/surface-hub/surface-hub-2s-setup.md +++ b/devices/surface-hub/surface-hub-2s-setup.md 
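Review bot: in surface-hub-2s-pack-components.md, renaming the heading to "How to pack your Surface Hub 2S 50”" changes its generated anchor, so any inbound link to `#how-to-pack-your-surface-hub-2s-55` (the target the removed list used) stops resolving. The heading also uses a curly ” while the sentence below it uses a straight " for the same measurement; pick one. If the removed "This article contains the following procedures" list was the only in-page navigation to the Compute Cartridge and Camera sections, keep it with the first entry updated instead of deleting it.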
@@ -8,6 +8,7 @@ author: robmazz ms.author: robmazz audience: Admin ms.topic: article +ms.date: 07/03/2019 ms.localizationpriority: Normal --- diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 6cdd5c13fd..15a51ed349 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -30,7 +30,7 @@ ### [Surface System SKU reference](surface-system-sku-reference.md) ## Manage -### [Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) +### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) ### [Battery Limit setting](battery-limit.md) ### [Surface Brightness Control](microsoft-surface-brightness-control.md) ### [Surface Asset Tag](assettag.md) @@ -48,7 +48,8 @@ ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) ## Support -### [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) +### [Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md) +### [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) ### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) ### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) ### [Surface Data Eraser](microsoft-surface-data-eraser.md) diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 312c8a39b2..14eea5c91d 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md 
@@ -15,19 +15,27 @@ ms.topic: article This topic lists new and updated topics in the Surface documentation library. +## July 2019 + +| **New or changed topic** | **Description** | +| ------------------------ | --------------- | +| [Deploy Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | Renamed to reflect focus on deployment guidance for IT professionals. Covers minor changes in Version 2.41.139.0. | + + + ## June 2019 -New or changed topic | Description ---- | --- +| **New or changed topic** | **Description** | +| ------------------------ | --------------- | +|[Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md) | New introductory page for the Surface Diagnostic Toolkit for Business. | +| [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) |Updated with summary of recommendations for managing power settings and optimizing battery life. | -[Fix common Surface problems using the Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-for-business-intro.md) | New ## March 2019 -New or changed topic | Description ---- | --- - -[Surface System SKU reference](surface-system-sku-reference.md) | New +| **New or changed topic** | **Description** | +| ------------------------ | --------------- | +| [Surface System SKU reference](surface-system-sku-reference.md) | New | ## February 2019 diff --git a/devices/surface/images/Surface-Devices-400x140.svg b/devices/surface/images/Surface-Devices-400x140.svg index 9121e93531..4414de0f16 100644 --- a/devices/surface/images/Surface-Devices-400x140.svg +++ b/devices/surface/images/Surface-Devices-400x140.svg @@ -1 +1,25 @@ -Surface-Devices-400x140 \ No newline at end of file + + + + +Surface-Devices-400x140 + + + + + + + + + + + 
diff --git a/devices/surface/images/Surface-Hub-400x140.svg b/devices/surface/images/Surface-Hub-400x140.svg index 473fba1604..f5a5c12a56 100644 --- a/devices/surface/images/Surface-Hub-400x140.svg +++ b/devices/surface/images/Surface-Hub-400x140.svg @@ -1,59 +1,51 @@ - - - - - - win_it-pro-6 - - - - - - - - - - - - - - - DevicesLaptopTablet-blue - - - - - - - - - - - - - - - +win_it-pro-6 + + + + + + + + + + + + + DevicesLaptopTablet-blue + + + + + + + + + + + + + + diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md index 71461687d7..8b78717d6c 100644 --- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -33,7 +33,7 @@ To run SDT for Business, download the components listed in the following table. Mode | Primary scenarios | Download | Learn more --- | --- | --- | --- Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.
Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:
Microsoft Surface Diagnostic Toolkit for Business Installer
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) -Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:
`-DataCollector` collects all log files
`-bpa` runs health diagnostics using Best Practice Analyzer.
`-windowsupdate` checks Windows update for missing firmware or driver updates.
`-warranty` checks warranty information.

| SDT console app:
Microsoft Surface Diagnostics App Console
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md) +Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:
`-DataCollector` collects all log files
`-bpa` runs health diagnostics using Best Practice Analyzer.
`-windowsupdate` checks Windows Update for missing firmware or driver updates.
`-warranty` checks warranty information.

| SDT console app:
Microsoft Surface Diagnostics App Console
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md) ## Supported devices 
@@ -123,21 +123,22 @@ Creating a custom package allows you to target the tool to specific known issues *Figure 3. Create custom package* -### Language and telemetry page +### Language and telemetry settings - -When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline. + When creating a package, you can select language settings or opt out of sending telemetry information to Microsoft. By default, SDT sends telemetry to Microsoft that is used to improve the application in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). If you wish to decline, clear the check box when creating a custom package, as shown below. Or clear the **Send telemetry to Microsoft** check box on the **Install Options** page during SDT Setup. >[!NOTE] ->This setting is limited to only sharing data generated while running packages. +>This setting does not affect the minimal telemetry automatically stored on Microsoft servers when running tests and repairs that require an Internet connection, such as Windows Update and Software repair, or providing feedback using the Smile or Frown buttons in the app toolbar. + ![Select language and telemetry settings](images/sdt-4.png) *Figure 4. Select language and telemetry settings* + ### Windows Update page -Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate. +Select the option appropriate for your organization. 
Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows Update packages or WSUS, enter the path as appropriate. ![Select Windows Update option](images/sdt-5.png) @@ -170,8 +171,8 @@ You can select to run a wide range of logs across applications, drivers, hardwar *Release date: June 24, 2019*
This version of Surface Diagnostic Toolkit for Business adds support for the following: - Driver version information included in logs and report. -- Ability to provide feedback about the app
-Please note that even though you turn off telemtry, windows update and feedback still connect to the internet. +- Ability to provide feedback about the app.
+ ### Version 2.36.139.0 *Release date: April 26, 2019*
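Review bot: with the "Please note that even though you turn off telemtry..." line deleted, the Version 2.41.139.0 entry no longer tells readers that Windows Update and feedback still connect to the internet when telemetry is off. The replacement NOTE under "Language and telemetry settings" covers the behavior but describes it only as "minimal telemetry automatically stored on Microsoft servers", without saying what that data is. Admins deciding whether to allow SDT on restricted networks need that detail: list what is sent or link to where it is documented, and keep a one-line pointer to the NOTE in the 2.41.139.0 entry.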
@@ -180,11 +181,3 @@ This version of Surface Diagnostic Toolkit for Business adds support for the fol - Accessibility improvements. - Surface brightness control settings included in logs. - External monitor compatibility support link in report generator. - - - - - - - - diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 26bac290b4..83613f4a36 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -28,7 +28,7 @@ Before you run the diagnostic tool, make sure you have the latest Windows update **To run the Surface Diagnostic Toolkit for Business:** -1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/checkmysurface). +1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B). 2. Select Run and follow the on-screen instructions. The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. For more detailed information on Surface Diagnostic Toolkit for Business, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). diff --git a/education/index.md b/education/index.md index b1cce0eedf..6c696d9f4b 100644 --- a/education/index.md +++ b/education/index.md @@ -55,8 +55,8 @@ ms.prod: w10
-

Deployment Overview

-

Learn how to deploy our suite of education offerings. Set up a cloud infrastructure for your school, acquire apps, and configure and manage Windows 10 devices.

+

Deployment Guidance

+

Dive right into the step-by-step process for the easiest deployment path to M365 EDU. We walk you through setting up cloud infrastructure, configuring and managing devices, and migrating on-premise servers for Sharepoint and Exchange to the cloud.

@@ -76,7 +76,7 @@ ms.prod: w10
-

1. Cloud deployment

+

1. M365 EDU deployment

Get started by creating your Office 365 tenant, setting up a cloud infrastructure for your school, and creating, managing, and syncing user accounts.

@@ -104,7 +104,7 @@ ms.prod: w10
  • - +
    @@ -114,8 +114,8 @@ ms.prod: w10
    -

    3. Tools for Teachers

    -

    The latest classroom resources at teachers’ fingertips when you deploy Learning Tools, OneNote Class Notebooks, Teams, and more.

    +

    3. Post Deployment Next Steps

    +

    Migrate to Sharepoint Server Hybrid or Sharepoint Online, and Exchange Server Hybrid or Exchange Online. Configure settings in your Admin portals.

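Review bot: the added card text in education/index.md spells the product "Sharepoint" ("Migrate to Sharepoint Server Hybrid or Sharepoint Online"); the product name is SharePoint. The same spelling, along with "on-premise" where "on-premises" is meant, appears in the added "Deployment Guidance" card earlier in this file. The card titles are also capitalized inconsistently: "1. M365 EDU deployment" is sentence case while "3. Post Deployment Next Steps" is title case.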
    diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md index 8b83ac6fad..63e4f12d3c 100644 --- a/mdop/appv-v5/app-v-51-supported-configurations.md +++ b/mdop/appv-v5/app-v-51-supported-configurations.md @@ -118,11 +118,21 @@ The following table lists the SQL Server versions that are supported for the App -

    Microsoft SQL Server 2014

    +

    Microsoft SQL Server 2017

    32-bit or 64-bit

    +

    Microsoft SQL Server 2016

    +

    SP2

    +

    32-bit or 64-bit

    + + +

    Microsoft SQL Server 2014

    +

    SP2

    +

    32-bit or 64-bit

    + +

    Microsoft SQL Server 2012

    SP2

    32-bit or 64-bit

    @@ -262,11 +272,21 @@ The following table lists the SQL Server versions that are supported for the App -

    Microsoft SQL Server 2014

    +

    Microsoft SQL Server 2017

    32-bit or 64-bit

    +

    Microsoft SQL Server 2016

    +

    SP2

    +

    32-bit or 64-bit

    + + +

    Microsoft SQL Server 2014

    +

    SP2

    +

    32-bit or 64-bit

    + +

    Microsoft SQL Server 2012

    SP2

    32-bit or 64-bit

    diff --git a/mdop/mbam-v25/about-mbam-25.md b/mdop/mbam-v25/about-mbam-25.md index e379ef1ec5..7afb0c3d9f 100644 --- a/mdop/mbam-v25/about-mbam-25.md +++ b/mdop/mbam-v25/about-mbam-25.md @@ -358,7 +358,7 @@ MBAM is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part o For more information and late-breaking news that is not included in this documentation, see [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md). ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Send your feedback [here](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). ## Related topics diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 5c0ec34d50..56d7147923 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -22,10 +22,8 @@ ms.topic: article [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/) was introduced in Windows 10, version 1709 (also known as the Fall Creators Update), as a [Windows 10 Feature on Demand (FOD)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). Features on Demand are Windows feature packages that can be added at any time. When a Windows 10 PC needs a new feature, it can request the feature package from Windows Update. -Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). +Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable-windows-mixed-reality-in-wsus). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block-the-mixed-reality-portal). - - ## Enable Windows Mixed Reality in WSUS 1. [Check your version of Windows 10.](https://support.microsoft.com/help/13443/windows-which-operating-system) @@ -52,8 +50,6 @@ Organizations that use Windows Server Update Services (WSUS) must take action to IT admins can also create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) to allow access to the Windows Mixed Reality FOD. - - ## Block the Mixed Reality Portal You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 4ec8751db6..2777f01ddd 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md 
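Review bot: any inbound link that still targets `#enable` or `#block` on manage-windows-mixed-reality.md stops resolving if the lines removed directly above the two headings (they render empty here) were the explicit anchors for those names. The in-page links are updated to `#enable-windows-mixed-reality-in-wsus` and `#block-the-mixed-reality-portal`, but links from other articles are not covered by this hunk. Search the repo for the old fragments before merging, or keep the explicit anchors alongside the new links.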
@@ -45,28 +45,6 @@ ## [DMProcessConfigXMLFiltered](dmprocessconfigxmlfiltered.md) ## [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) ## [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) -## [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) -### [Design a custom configuration service provider](design-a-custom-windows-csp.md) -### [IConfigServiceProvider2](iconfigserviceprovider2.md) -#### [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md) -#### [IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md) -### [ICSPNode](icspnode.md) -#### [ICSPNode::Add](icspnodeadd.md) -#### [ICSPNode::Clear](icspnodeclear.md) -#### [ICSPNode::Copy](icspnodecopy.md) -#### [ICSPNode::DeleteChild](icspnodedeletechild.md) -#### [ICSPNode::DeleteProperty](icspnodedeleteproperty.md) -#### [ICSPNode::Execute](icspnodeexecute.md) -#### [ICSPNode::GetChildNodeNames](icspnodegetchildnodenames.md) -#### [ICSPNode::GetProperty](icspnodegetproperty.md) -#### [ICSPNode::GetPropertyIdentifiers](icspnodegetpropertyidentifiers.md) -#### [ICSPNode::GetValue](icspnodegetvalue.md) -#### [ICSPNode::Move](icspnodemove.md) -#### [ICSPNode::SetProperty](icspnodesetproperty.md) -#### [ICSPNode::SetValue](icspnodesetvalue.md) -### [ICSPNodeTransactioning](icspnodetransactioning.md) -### [ICSPValidate](icspvalidate.md) -### [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md) ## [Configuration service provider reference](configuration-service-provider-reference.md) ### [AccountManagement CSP](accountmanagement-csp.md) #### [AccountManagement DDF file](accountmanagement-ddf.md) 
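Review bot: removing the 22 custom configuration service provider entries from mdm/TOC.md, together with the file deletion that follows in this diff, leaves every existing link and bookmark to those pages dead unless each deleted file gets a redirect entry; confirm the redirects are part of this change. Also check that no remaining article still links to the removed pages, for example `design-a-custom-windows-csp.md` or `icspnode.md`.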
diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md deleted file mode 100644 index cb8579e827..0000000000 --- a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md +++ /dev/null 
@@ -1,97 +0,0 @@ ---- -title: Create a custom configuration service provider -description: Create a custom configuration service provider -ms.assetid: 0cb37f03-5bf2-4451-8276-23f4a1dee33f -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# Create a custom configuration service provider - -Mobile device OEMs can create custom configuration service providers to manage their devices. A configuration service provider includes an interface for creating, editing, and deleting nodes, and the nodes themselves. Each node contains data for one registry value and can optionally support get, set, and delete operations. - -To design a custom configuration service provider, the OEM must perform the following steps: - -1. Establish node semantics -2. Shape the configuration service provider's subtree -3. Choose a transactioning scheme for each node -4. Determine node operations - -For more information, see [Designing a custom configuration service provider](design-a-custom-windows-csp.md). - -To write a custom configuration service provider, the OEM must implement the following interfaces: - -- [IConfigServiceProvider2](iconfigserviceprovider2.md) (one per configuration service provider) - -- [ICSPNode](icspnode.md) (one per node) - -- [ICSPNodeTransactioning](icspnodetransactioning.md) (optional, for internally transactioned nodes only) - -- [ICSPValidate](icspvalidate.md) (optional, for UI only) - -This code must be compiled into a single .dll file and added to a package by using the instructions found in "Adding content to a package" in [Creating packages](https://msdn.microsoft.com/library/windows/hardware/dn756642). While writing this code, OEMs can store registry settings and files in the following locations. - - ---- - - - - - - - - - - -

    File location

    %DataDrive%\SharedData\OEM\CSP</p>

    Registry location

    $(HKLM.SOFTWARE)\OEM\CSP</p>

    - - -For examples of how to perform common tasks such as adding a node, replacing a node's value, querying a node's value, or enumerating a node's children, see [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md). - -To register the configuration service provider as a COM object, you must add the following registry setting to your package. This step is required. In the following sample, replace *uniqueCSPguid* with a new, unique CLSID generated for this purpose. Replace *dllName* with the name of the .dll file that contains the code for your configuration service provider. - -``` syntax - - - - - -``` - -To register the configuration service provider with ConfigManager2, you must add the following registry setting to your package. This step is required. In the following sample, replace *dllName* with the name of the configuration service provider (the name of the root node). Replace *uniqueCSPguid* with the same *uniqueCSPguid* value as in the preceding example. - -``` syntax - - - - - -``` - -To make the configuration service provider accessible from WAP XML, you must register it with the WAP data processing unit by setting the following registry key in your package. Replace *Name* with the name of the configuration service provider. Leave the GUID value exactly as written here. - -``` syntax - - - - - -``` - - - - - - - - diff --git a/windows/client-management/mdm/design-a-custom-windows-csp.md b/windows/client-management/mdm/design-a-custom-windows-csp.md deleted file mode 100644 index 583e098cdc..0000000000 --- a/windows/client-management/mdm/design-a-custom-windows-csp.md +++ /dev/null 
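Review bot: Deleting `create-a-custom-configuration-service-provider.md` outright (hunk `@@ -1,97 +0,0 @@`) removes the only statement of the three required registration steps (COM object, ConfigManager2, WAP data processing unit) and of the OEM storage locations `%DataDrive%\SharedData\OEM\CSP` and `$(HKLM.SOFTWARE)\OEM\CSP`, with no pointer to what replaces them. If custom configuration service providers are no longer supported, say so in a short notice or change-history entry and add a redirect for this path rather than leaving bookmarked URLs to fail; if they are still supported for OEMs with shipped devices, this landing page should stay or move instead of being deleted.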
@@ -1,169 +0,0 @@ ---- -title: Design a custom configuration service provider -description: Design a custom configuration service provider -MS-HAID: -- 'p\_phDeviceMgmt.designing\_a\_custom\_configuration\_service\_provider' -- 'p\_phDeviceMgmt.design\_a\_custom\_windows\_csp' -ms.assetid: 0fff9516-a71a-4036-a57b-503ef1a81a37 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# Design a custom configuration service provider - -To design a custom configuration service provider, the OEM must perform the following steps: - -1. Establish node semantics -2. Shape the configuration service provider's subtree -3. Choose a transactioning scheme for each node -4. Determine node operations - -For more information about the larger process of writing a new configuration service provider, see [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md). - -## Establish node semantics - -First, determine the nodes you need based on the kind of data to be stored in the registry. - -Nodes can represent anything from abstract concepts or collections (such as email accounts or connection settings) to more concrete objects (such as registry keys and values, directories, and files). - -### Example - -For example, a hypothetical Email configuration service provider might have these nodes: - -- Account: The name of the email account (such as "Hotmail") - -- Username: The user name or email address ("exampleAccount@hotmail.com") - -- Password: The user's password - -- Server: The DNS address of the server ("mail-serv1-example.mail.hotmail.com") - -The `Account`, `Username`, and `Server` nodes would hold text-based information about the email account, the user's email address, and the server address associated with that account. The `Password` node, however, might hold a binary hash of the user's password. 
- -## Shape the configuration service provider's subtree - -After determining what the nodes represent, decide where each node fits in the settings hierarchy. - -The root node of a configuration service provider's subtree must be the name of the configuration service provider. In this example, the root node is `Email`. - -All of the nodes defined in the previous step must reside under the configuration service provider's root node. Leaf nodes should be used to store data, and interior nodes should be used to group the data into logical collections. Node URIs must be unique. In other words, no two nodes can have both the same parent and the same name. - -There are three typical scenarios for grouping and structuring the nodes: - -- If all of the data belongs to the same component and no further categorizing or grouping is required, you can build a flat tree in which all values are stored directly under the root node. For examples of this design, see [DevInfo configuration service provider](devinfo-csp.md), [HotSpot configuration service provider](hotspot-csp.md), and [w4 APPLICATION configuration service provider](w4-application-csp.md). - -- If the configuration service provider's nodes represent a preexisting set of entities whose structure is well-defined (such as directories and files), the configuration service provider's nodes can simply mirror the existing structure. - -- If the data must be grouped by type or component, a more complex structure is required. This is especially true when there can be multiple instances of the dataset on the device, and each set is indexed by an ID, account name, or account type. In this case, you must build a more complex tree structure. For examples, see [ActiveSync configuration service provider](activesync-csp.md), [CertificateStore configuration service provider](certificatestore-csp.md), and [CMPolicy configuration service provider](cmpolicy-csp.md). 
- -### Example - -The following image shows an incorrect way to structure the hypothetical `Email` configuration service provider. The interior `Account` nodes group the account data (server name, user name, and user password). - -![provisioning\-customcsp\-example1](images/provisioning-customcsp-example1.png) - -However, the account nodes in this design are not unique. Even though the nodes are grouped sensibly, the path for each of the leaf nodes is ambiguous. There is no way to disambiguate the two `Username` nodes, for example, or to reliably access the same node by using the same path. This structure will not work. The easiest solution to this problem is usually to replace an interior node (the grouping node) by: - -1. Promoting a child node. - -2. Using the node value as the name of the new interior node. - -The following design conveys the same amount of information as the first design, but all nodes have a unique path, and therefore it will work. - -![provisioning\-customcsp\-example2](images/provisioning-customcsp-example2.png) - -In this case, the `Server` nodes have been promoted up one level to replace the `Account` nodes, and their values are now used as the node names. For example, you could have two different email accounts on the phone, with server names "www.hotmail.com" and "exchange.microsoft.com", each of which stores a user name and a password. - -Note that the process of shaping the configuration service provider’s subtree influences the choice of transactioning schemes for each node. If possible, peer nodes should not have dependencies on each other. Internode dependencies other than parent/child relationships create mandatory groups of settings, which makes configuration service provider development more difficult. 
- -## Choose a transactioning scheme for each node - -For each node, decide whether to use *external transactioning* or *internal transactioning* to manage the transaction phases (rollback persistence, rollback, and commitment) for the node. - -External transactioning is the simplest option because it allows ConfigManager2 to automatically handle the node's transactioning. - -However, you must use internal transactioning for the following types of nodes: - -- A node that supports the **Execute** method. - -- A node that contains sensitive information (such as a password) that must not be saved in plain text in the ConfigManager2 rollback document. - -- A node that has a dependency on another node that is not a parent. For example, if a parent node has two children that are both required, the configuration service provider could use internal transactioning to defer provisioning the account until both values are set. - -You can choose to mix transactioning modes in your configuration service provider, using internal transactioning for some operations but external transactioning for others. For more information about writing an internally transactioned node, see the [ICSPNodeTransactioning](icspnodetransactioning.md) interface. - -## Determine node operations - -The operations available for each node can vary depending on the purpose of the configuration service provider. The configuration service provider will be easier to use if the operations are consistent. For more information about the supported operations, see the [ICSPNode](icspnode.md) interface. - -For externally transactioned nodes, an operation implementation must include the contrary operations shown in the following table to allow rollback of the operation. - -For internally transactioned nodes, the practice of implementing the contrary commands for each command is recommended, but not required. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Node operationContrary node operation

    Add

    Clear and DeleteChild

    Copy

    To copy to a new node: Clear and DeleteChild

    -

    To copy to an existing node: Add and SetValue

    Clear

    To restore the state of the deleted node: SetValue and SetProperty

    DeleteChild

    To restore the old node: Add

    DeleteProperty

    To restore the deleted property: SetProperty

    Execute

    Externally transactioned nodes do not support the Execute command.

    GetValue

    None

    Move

    To restore a source node: Move

    -

    To restore an overwritten target node: Add and SetValue

    SetValue

    To restore the previous value: SetValue

    - - - - - - - - - diff --git a/windows/client-management/mdm/iconfigserviceprovider2.md b/windows/client-management/mdm/iconfigserviceprovider2.md deleted file mode 100644 index c73e0ce0b4..0000000000 --- a/windows/client-management/mdm/iconfigserviceprovider2.md +++ /dev/null @@ -1,57 +0,0 @@ ---- -title: IConfigServiceProvider2 -description: IConfigServiceProvider2 -ms.assetid: 8deec0fb-59a6-4d08-8ddb-6d0d3d868a10 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# IConfigServiceProvider2 - - -OEMs are required to implement this interface once per configuration service provider. ConfigManager2 clients use this interface to instantiate the configuration service provider, to communicate general state information to the configuration service provider, and often to access or create nodes. - -The following table shows the methods defined by this interface that OEMs must implement. - - ---- - - - - - - - - - - - - - - - - -
    MethodDescription

    IConfigServiceProvider2::ConfigManagerNotification

    Enables ConfigManager2 to send notifications to a configuration service provider of events such as when the configuration service provider is loaded or unloaded, when rollbacks are performed, and when actions are called on nodes.

    IConfigServiceProvider2::GetNode

    Returns a node from the configuration service provider based on the path relative to the root node.

    - - - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md deleted file mode 100644 index 67ed91ca36..0000000000 --- a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md +++ /dev/null @@ -1,146 +0,0 @@ ---- -title: IConfigServiceProvider2 ConfigManagerNotification -description: IConfigServiceProvider2 ConfigManagerNotification -ms.assetid: b1f0fe0f-afbe-4b36-a75d-34239a86a75c -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# IConfigServiceProvider2::ConfigManagerNotification - - -This method enables ConfigManager2 to send notifications of events to a configuration service provider, such as when the configuration service provider is loaded or unloaded, when rollbacks are performed, and when actions are called on nodes. - -## Syntax - - -``` syntax -HRESULT ConfigManagerNotification([in] CFGMGR_NOTIFICATION cmnfyState, - [in] LPARAM lpParam); -``` - -## Parameters - - -
    *cmnfyState* -
      -
    • -The following events are supported by all configuration service providers. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      EventDescription

      CFGMGR_NOTIFICATION_LOAD

      First time the configuration service provider is loaded/instantiated.

      CFGMGR_NOTIFICATION_BEGINCOMMANDPROCESSING

      About to run the first command of a transaction.

      CFGMGR_NOTIFICATION_ENDCOMMANDPROCESSING

      Last command of transaction has executed. This event is always raised if BEGINCOMMANDPROCESSING was raised, even if the handling of BEGINCOMMANDPROCESSING failed.

      CFGMGR_NOTIFICATION_BEGINCOMMIT

      About to commit the first command of a transaction.

      CFGMGR_NOTIFICATION_ENDCOMMIT

      Last command of a transaction has been committed. This event is always raised if BEGINCOMMIT was raised, even if the handling of BEGINCOMMIT failed.

      CFGMGR_NOTIFICATION_BEGINROLLBACK

      About to roll back the first command of the transaction.

      CFGMGR_NOTIFICATION_ENDROLLBACK

      Last command of the transaction has been rolled back. This event is always raised if BEGINROLLBACK was raised, even if the handling of BEGINROLLBACK failed.

      CFGMGR_NOTIFICATION_UNLOAD

      The configuration service provider is about to be unloaded/deleted.

      CFGMGR_NOTIFICATION_SETSESSIONOBJ

      Session object is available for use; lpParam can be cast to an IConfigSession2 pointer.

      CFGMGR_NOTIFICATION_BEGINTRANSACTIONING

      Primarily used for compatibility with v1 configuration service providers. Signals the beginning of a transactioning sequence.

      CFGMGR_NOTIFICATION_ENDTRANSACTIONING

      Primarily used for compatibility with v1 configuration service providers. Signals the end of a transactioning sequence.

      -
    • -
    -
    - - -*lpParam* -
      -
    • -Normally NULL, but contains a pointer to an IConfigSession2 instance if cmnfState is CFGMGR_NOTIFICATION_SETSESSIONOBJ. -
    • -
    -
    - -## Return Value - -A value of S\_OK indicates success. - -## Remarks - -ConfigManager2 guarantees that if it raised one of the BEGIN events - -- CFGMGR\_NOTIFICATION\_BEGINCOMMANDPROCESSING -- CFGMGR\_NOTIFICATION\_BEGINCOMMIT -- CFGMGR\_NOTIFICATION\_BEGINROLLBACK - -then the corresponding END event will be raised, even if the handling of the BEGIN notification failed. -For each transaction, the sequence of notifications is: - -1. BEGINCOMMANDPROCESSING - -2. BEGINTRANSACTIONING - -3. ENDTRANSACTIONING - -4. ENDCOMMANDPROCESSING - -5. Either BEGINCOMMIT or BEGINROLLBACK, depending on whether the transaction succeeded or failed. - -6. Either ENDCOMMIT or ENDROLLBACK, depending on whether the transaction succeeded or failed. - -Each configuration service provider will receive the relevant BEGIN/END notifications exactly once per each transaction that ConfigManager2 executes. - -## Requirements - -**Header:** None - - - - - - - - diff --git a/windows/client-management/mdm/iconfigserviceprovider2getnode.md b/windows/client-management/mdm/iconfigserviceprovider2getnode.md deleted file mode 100644 index b1ed4618c7..0000000000 --- a/windows/client-management/mdm/iconfigserviceprovider2getnode.md +++ /dev/null @@ -1,106 +0,0 @@ ---- -title: IConfigServiceProvider2 GetNode -description: IConfigServiceProvider2 GetNode -ms.assetid: 4dc10a59-f6a2-45c0-927c-d594afc9bb91 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# IConfigServiceProvider2::GetNode - - -This method returns a node from the configuration service provider based on the path that was passed in. The returned node is a descendent of the root node. - -## Syntax - - -``` syntax -HRESULT GetNode([in] IConfigManager2URI* pURI, - [out] ICSPNode** ppNode, - [in, out] DWORD* pgrfNodeOptions); -``` - -## Parameters - -*pUri* -
      -
    • -URI of the child node, relative to the root node. For example, to access the "./Vendor/Contoso/SampleCSP/ContainerA/UserName" node, ConfigManager2 calls the configuration service provider's GetNode method and passes in an IConfigManager2URI instance representing the URI “SampleCSP/ContainerA/UserName”. -
    • -
    -
    -ppNode -
      -
    • -If the query is successful, this returns the ICSPNode instance at the pUri location in the configuration service provider's tree. -
    • -
    -
    -pgrfNodeOptions -
      -
    • -Nodes support the following features. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Feature nameBit value (in hex)Notes

      CSPNODE_OPTION_NATIVESECURITY

      0x01

      The native security option signifies that the node handles its own security checking, and that ConfigManager2 does not have to manage security for this node.

      CSPNODE_OPTION_INTERNALTRANSACTION

      0x02

      The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the ICSPNodeTransactioning.

      CSPNODE_OPTION_HANDLEALLPROPERTIES

      0x04

      Unused.

      CSPNODE_OPTION_SECRETDATA

      0x08

      Unused.

      -
    • -
    -
    - -## Return Value - -This method returns an ICSPNode. If the function returns null, call GetLastError to get the error value. - -A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_NODENOTFOUND indicates that the node does not exist. Note that this may be normal, as in the case of optional nodes. - -## Requirements - -**Header:** None - - - - - - - - diff --git a/windows/client-management/mdm/icspnode.md b/windows/client-management/mdm/icspnode.md deleted file mode 100644 index bb66997ee8..0000000000 --- a/windows/client-management/mdm/icspnode.md +++ /dev/null @@ -1,104 +0,0 @@ ---- -title: ICSPNode -description: ICSPNode -ms.assetid: 023466e6-a8ab-48ad-8548-291409686ac2 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode - -This interface does most of the work in a configuration service provider. Each individual node in a configuration service provider tree is represented by a separate implementation of this interface. The actions of a ConfigManager2 client are typically translated into calls to an instance of an ICSPNode. - -These methods must be implemented so that, if they fail, the node's state at the end of the method matches the state before the method was called. - -Some nodes will not be able to perform certain actions, and can return CFGMGR\_E\_COMMANDNOTALLOWED for those methods. For each method that is implemented for externally–transactioned nodes, the contrary method must also be implemented, as defined by "Determine node operations" in [Designing a custom configuration service provider](design-a-custom-windows-csp.md). - -The following table shows the methods defined by this interface that OEMs must implement. - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    MethodDescription

    ICSPNode::Add

    Adds an immediate child to a configuration service provider node and returns a pointer to the new child node.

    ICSPNode::Clear

    Deletes the contents and children of the current configuration service provider node. Called before ICSPNode::DeleteChild.

    ICSPNode::Copy

    Makes a copy of the current node at the specified path within the configuration service provider. If the target node exists, it should be overwritten.

    ICSPNode::DeleteChild

    Deletes the specified child node from the configuration service provider node.

    ICSPNode::DeleteProperty

    Deletes a property from a configuration service provider node.

    ICSPNode::Execute

    Runs a task on an internally-transactioned configuration service provider node by passing in the specified user data and returning a result.

    ICSPNode::GetChildNodeNames

    Returns the list of children for a configuration service provider node.

    ICSPNode::GetProperty

    Returns a property value from a configuration service provider node.

    ICSPNode::GetPropertyIdentifiers

    Returns a list of non-standard properties supported by the node. The returned array must be allocated with CoTaskMemAlloc.

    ICSPNode::GetValue

    Gets the value and data type for the node. Interior (non-leaf) nodes may not have a value.

    ICSPNode::Move

    Moves this node to a new location within the configuration service provider. If the target node already exists, it should be overwritten.

    ICSPNode::SetProperty

    Sets a property value for a configuration service provider node.

    ICSPNode::SetValue

    Sets the value for the configuration service provider node. It is an error to attempt to set the value of an interior node.

    - - - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodeadd.md b/windows/client-management/mdm/icspnodeadd.md deleted file mode 100644 index 81f5b2cce5..0000000000 --- a/windows/client-management/mdm/icspnodeadd.md +++ /dev/null @@ -1,118 +0,0 @@ ---- -title: ICSPNode Add -description: ICSPNode Add -ms.assetid: 5f03d350-c82b-4747-975f-385fd8b5b3a8 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::Add - -This method adds an immediate child node to a configuration service provider node and returns a pointer to the new node. - -## Syntax - -``` syntax -HRESULT Add([in] IConfigManager2URI* pChildName, - [in] CFG_DATATYPE DataType, - [in] VARIANT varValue, - [in, out] ICSPNode** ppNewNode, - [in, out] DWORD* pgrfNodeOptions); -``` - -## Parameters - -*pChildName* -      Name of child node to add. - -*DataType* -      Data type of the child node to add. Supported types include: -- CFG\_DATATYPE\_NODE - -- CFG\_DATATYPE\_NULL - -- CFG\_DATATYPE\_BINARY - -- CFG\_DATATYPE\_INTEGER - -- CFG\_DATATYPE\_STRING - -- CFG\_DATATYPE\_MULTIPLE\_STRING - -*varValue* -      Value of the child node to add. - -*ppNewNode* -      New child node to return. - -*pgrfNodeOptions* -      Features supported on the new child node. - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Feature nameBit value (in hex)Notes

    CSPNODE_OPTION_NATIVESECURITY

    0x01

    The native security option signifies that the node handles its own security checking, and that ConfigManager2 does not have to manage security for this node.

    CSPNODE_OPTION_INTERNALTRANSACTION

    0x02

    The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the ICSPNodeTransactioning.

    CSPNODE_OPTION_HANDLEALLPROPERTIES

    0x04

    Unused.

    CSPNODE_OPTION_SECRETDATA

    0x08

    Unused.

    - - -## Return Value - -This method returns an ICSPNode and the feature options supported on that child node. If the method returns null, call GetLastError to get the error value. - -A value of S\_OK indicates that a node was successfully found. CMN\_E\_ALREADY\_EXISTS indicates that a child node with the same name already exists. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **Add** method. - -## Remarks - -For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Clear](icspnodeclear.md) and [ICSPNode::DeleteChild](icspnodedeletechild.md) must also be implemented or rollback will fail. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodeclear.md b/windows/client-management/mdm/icspnodeclear.md deleted file mode 100644 index 89db169b0f..0000000000 --- a/windows/client-management/mdm/icspnodeclear.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -title: ICSPNode Clear -description: ICSPNode Clear -ms.assetid: b414498b-110a-472d-95c0-2d5b38cd78a6 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - - -# ICSPNode::Clear - -This method deletes the contents and child nodes of the current configuration service provider node. This method is always called on the child node before [ICSPNode::DeleteChild](icspnodedeletechild.md) is called on the parent node. - - -## Syntax - -``` syntax -HRESULT Clear(); -``` - - -## Return Value - -A value of S\_OK indicates that the node was successfully cleared. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **Clear** method. - - -## Remarks - -For externally–transactioned nodes, if this method is implemented, then [ICSPNode::SetValue](icspnodesetvalue.md) and [ICSPNode::SetProperty](icspnodesetproperty.md) must also be implemented or rollback will fail. - -Before calling **Clear** on the target node, ConfigManager2 attempts to gather the current state of the node; the parent node does not have to preserve the state of its child nodes if they are externally-transactioned. - -## Requirements - -**Header:** None - - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - -  - - - - - diff --git a/windows/client-management/mdm/icspnodecopy.md b/windows/client-management/mdm/icspnodecopy.md deleted file mode 100644 index 1771aad0fa..0000000000 --- a/windows/client-management/mdm/icspnodecopy.md +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -title: ICSPNode Copy -description: ICSPNode Copy -ms.assetid: cd5ce0bc-a08b-4f82-802d-c7ff8701b41f -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::Copy - -This method makes a copy of the current node at the specified path within the configuration service provider. If the target node exists, it should be overwritten. - -## Syntax - -``` syntax -HRESULT Copy([in] IConfigManager2URI* puriDestination, - [in, out] ICSPNode** ppNewNode, - [in, out] DWORD* pgrfNodeOptions); -``` - -## Parameters - -*puriDestination* -      Path and name of new node's location, relative to the configuration service provider's root node. - -*ppNewNode* -      New node created by the copy operation. - -*pgrfNodeOptions* -      Features supported on the new node. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Feature nameBit value (in hex)Notes

    CSPNODE_OPTION_NATIVESECURITY

    0x01

    The native security option signifies that the node handles its own security checking, and that ConfigManager2 does not have to manage security for this node.

    CSPNODE_OPTION_INTERNALTRANSACTION

    0x02

    The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the ICSPNodeTransactioning.

    CSPNODE_OPTION_HANDLEALLPROPERTIES

    0x04

    Unused.

    CSPNODE_OPTION_SECRETDATA

    0x08

    Unused.

    - - -## Return Value - -A value of S\_OK indicates that the node was successfully copied to the new location. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **Copy** method. - -## Remarks - -For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Add](icspnodeadd.md), [ICSPNode::SetValue](icspnodesetvalue.md), [ICSPNode::Clear](icspnodeclear.md), and [ICSPNode::DeleteChild](icspnodedeletechild.md) must also be implemented or rollback will fail. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - diff --git a/windows/client-management/mdm/icspnodedeletechild.md b/windows/client-management/mdm/icspnodedeletechild.md deleted file mode 100644 index e08d2b025d..0000000000 --- a/windows/client-management/mdm/icspnodedeletechild.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: ICSPNode DeleteChild -description: ICSPNode DeleteChild -ms.assetid: 8cf3663d-a4cf-4d11-b03a-f1d096ad7f9c -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::DeleteChild - -Deletes the specified child node from the configuration service provider node. [ICSPNode::Clear](icspnodeclear.md) must always be called first on the child node that is to be deleted. - -## Syntax - -``` syntax -HRESULT DeleteChild([in] IConfigManager2URI* puriChildToDelete); -``` - -## Parameters - -*puriChildToDelete* -      The name of the child node to delete. - -## Return Values - -| Return Value | Description | -|------------------------------|--------------------------------------------------| -| CFGMGR\_E\_NODENOTFOUND | The child node does not exist | -| CFGMGR\_E\_COMMANDNOTALLOWED | The child node to be deleted is a read-only node | -| S\_OK | Success. | - -  -A value of S\_OK indicates that a node was successfully deleted. CFGMGR\_E\_NODENOTFOUND indicates that the child node does not exist. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::DeleteChild** method, or that the child node to be deleted is a read-only node. - -## Remarks - -For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Add](icspnodeadd.md) must also be implemented or rollback will fail. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - -  - - - - - - diff --git a/windows/client-management/mdm/icspnodedeleteproperty.md b/windows/client-management/mdm/icspnodedeleteproperty.md deleted file mode 100644 index 6bcd73cc62..0000000000 --- a/windows/client-management/mdm/icspnodedeleteproperty.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: ICSPNode DeleteProperty -description: ICSPNode DeleteProperty -ms.assetid: 7e21851f-d663-4558-b3e8-590d24b4f6c4 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::DeleteProperty - -This method deletes a property from a configuration service provider node. - -## Syntax - -``` syntax -HRESULT DeleteProperty([in] REFGUID guidProperty); -``` - -## Parameters - -*guidProperty* -      The GUID of the property to delete. - -## Return Value - -A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_PROPERTYNOTSUPPORTED indicates that this node does not manage or implement the property itself, but delegates it to ConfigManager2. E\_NOTIMPL indicates this method is not supported by this node. - -## Remarks - -For externally–transactioned nodes, if this method is implemented, then [ICSPNode::SetProperty](icspnodesetproperty.md) must also be implemented or rollback will fail. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - -  - - - - - - diff --git a/windows/client-management/mdm/icspnodeexecute.md b/windows/client-management/mdm/icspnodeexecute.md deleted file mode 100644 index b5008f4972..0000000000 --- a/windows/client-management/mdm/icspnodeexecute.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: ICSPNode Execute -description: ICSPNode Execute -ms.assetid: 5916e7b7-256d-49fd-82b6-db0547a215ec -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::Execute - -This method runs a task on an internally-transactioned configuration service provider node by passing in the specified user data and returning a result. The exact meaning of **Execute** and whether it is even supported depends on the purpose of the node. For example, **Execute** called on a node that represents a file should probably **ShellExecute** the file, whereas calling **Execute** on a registry node generally does not make sense. - -## Syntax - -``` syntax -HRESULT Execute([in] VARIANT varUserData); -``` - -## Parameters - -*varUserData* -    Data to pass into the execution. - -## Return Value - -A value of S\_OK indicates that the operation was performed successfully on the node. E\_NOTIMPL should be returned if this method is not implemented. - -## Remarks - -Externally–transactioned nodes do not support this method. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - -  - - - - diff --git a/windows/client-management/mdm/icspnodegetchildnodenames.md b/windows/client-management/mdm/icspnodegetchildnodenames.md deleted file mode 100644 index 176e294eb1..0000000000 --- a/windows/client-management/mdm/icspnodegetchildnodenames.md +++ /dev/null 
@@ -1,56 +0,0 @@ ---- -title: ICSPNode GetChildNodeNames -description: ICSPNode GetChildNodeNames -ms.assetid: dc057f2b-282b-49ac-91c4-bb83bd3ca4dc -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::GetChildNodeNames - -This method returns the list of child nodes for a configuration service provider node. - -## Syntax - -``` syntax -HRESULT GetChildNodeNames([out] ULONG* pulCount, - [out,size_is(,*pulCount)] BSTR** pbstrNodeNames); -``` - -## Parameters - -*pulCount* -

    The number of child nodes to return.

    - -*pbstrNodeNames* -

    The array of child node names. The returned array must be allocated with CoTaskMemAlloc. Each element of the array must be a valid, non-NULL BSTR, allocated by SysAllocString or SysAllocStringLen. The names returned must not be encoded in any way, including URI-encoding, for canonicalization reasons.

    - -## Return Value - -A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this was called on a leaf node (no children will be returned). - -## Remarks - -For externally–transactioned nodes, no additional methods are required for successful rollback. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodegetproperty.md b/windows/client-management/mdm/icspnodegetproperty.md deleted file mode 100644 index e617650c97..0000000000 --- a/windows/client-management/mdm/icspnodegetproperty.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: ICSPNode GetProperty -description: ICSPNode GetProperty -ms.assetid: a2bdc158-72e0-4cdb-97ce-f5cf1a44b7db -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::GetProperty - -This method returns a property value from a configuration service provider node. - -## Syntax - -``` syntax -HRESULT GetProperty([in] REFGUID guidProperty, - [in,out] VARIANT* pvarValue); -``` - -## Parameters - -*guidProperty* -

    GUID that specifies the property to return.

    - -*pvarValue* -

    Value to return.

    - -## Return Value - -A value of S\_OK indicates that the value was successfully returned. CFGMGR\_E\_COMMANDNOTSUPPORTED indicates that the node does not implement the property itself, but delegates the management of the property to ConfigManager2. - -## Remarks - -Every node must handle the CFGMGR\_PROPERTY\_DATATYPE property. - -For externally–transactioned nodes, no additional methods are required for successful rollback. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md deleted file mode 100644 index 479913e683..0000000000 --- a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md +++ /dev/null @@ -1,55 +0,0 @@ ---- -title: ICSPNode GetPropertyIdentifiers -description: ICSPNode GetPropertyIdentifiers -ms.assetid: 8a052cd3-d74c-40c4-845f-f804b920deb4 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::GetPropertyIdentifiers - -This method returns a list of non-standard properties supported by the node. The returned array must be allocated with `CoTaskMemAlloc`. - -## Syntax - -``` syntax -HRESULT GetPropertyIdentifiers([out] ULONG* pulCount, - [out,size_is(,*pulCount)] GUID** pguidProperties); -``` - -## Parameters - -*pulCount* -

    The number of non-standard properties to return.

    - -*pguidProperties* -

    The array of property GUIDs to return. This array must be allocated with CoTaskMemAlloc.

    - -## Return Value - -A value of S\_OK indicates that the properties were successfully returned. E\_NOTIMPL indicates that this method is not supported by the node. - -## Remarks - -For externally–transactioned nodes, no additional methods are required for successful rollback. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - diff --git a/windows/client-management/mdm/icspnodegetvalue.md b/windows/client-management/mdm/icspnodegetvalue.md deleted file mode 100644 index 0e8d591f35..0000000000 --- a/windows/client-management/mdm/icspnodegetvalue.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: ICSPNode GetValue -description: ICSPNode GetValue -ms.assetid: c684036d-98be-4659-8ce8-f72436a39b90 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::GetValue - -This method gets the value and data type for the node. Interior (non-leaf) nodes may not have a value. - -## Syntax - -``` syntax -HRESULT GetValue([in,out] VARIANT* pvarValue); -``` - -## Parameters - -*pvarValue* -

    Data value to return. A node containing a password value returns 16 asterisks (‘*’) for this method. A leaf node whose value has not been set returns a variant whose type is VT_NULL. -

    - -## Return Value - -A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::GetValue** methods, or that this is an interior node. - -## Remarks - -For externally–transactioned nodes, this node is not required to implement any other methods for a successful rollback. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodemove.md b/windows/client-management/mdm/icspnodemove.md deleted file mode 100644 index 40d917ca2f..0000000000 --- a/windows/client-management/mdm/icspnodemove.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -title: ICSPNode Move -description: ICSPNode Move -ms.assetid: efb359c3-5c86-4975-bf6f-a1c33922442a -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::Move - -This method moves the node to a new location within the configuration service provider. If the target node already exists, it should be overwritten. - -## Syntax - -``` syntax -HRESULT Move([in] IConfigManager2URI* puriDestination); -``` - -## Parameters - -*puriDestination* -

    Path and name of the node's new location, relative to the configuration service provider's root node.

    - -## Return Value - -A value of S\_OK indicates that the node was successfully moved. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::Move** method. - -## Remarks - -For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Add](icspnodeadd.md) and [ICSPNode::SetValue](icspnodesetvalue.md) must also be implemented or rollback will fail. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodesetproperty.md b/windows/client-management/mdm/icspnodesetproperty.md deleted file mode 100644 index 8052bf2d5d..0000000000 --- a/windows/client-management/mdm/icspnodesetproperty.md +++ /dev/null @@ -1,58 +0,0 @@ ---- -title: ICSPNode SetProperty -description: ICSPNode SetProperty -ms.assetid: e235c38f-ea04-4cd8-adec-3c6c0ce7172d -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::SetProperty - -This method sets a property value for a configuration service provider node. - -## Syntax - -``` syntax -HRESULT SetProperty([in] REFGUID guidProperty, - [in] VARIANT varValue); -``` - -## Parameters - -*guidProperty* -

    The GUID of the property.

    - -*varValue* -

    The value to return.

    - -## Return Value - -A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_COMMANDNOTSUPPORTED indicates that this node delegates the management of the property to ConfigManager2. - -## Remarks - -Every node must properly handle the CFGMGR\_PROPERTY\_DATATYPE property. - -For externally–transactioned nodes, no additional methods are required for successful rollback. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodesetvalue.md b/windows/client-management/mdm/icspnodesetvalue.md deleted file mode 100644 index afcbc3b99d..0000000000 --- a/windows/client-management/mdm/icspnodesetvalue.md +++ /dev/null @@ -1,52 +0,0 @@ ---- -title: ICSPNode SetValue -description: ICSPNode SetValue -ms.assetid: b218636d-fe8b-4a0f-b4e8-a621f65619d3 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNode::SetValue - -This method sets the value for the configuration service provider node. It is an error to attempt to set the value of an interior node. - -## Syntax - -``` syntax -HRESULT SetValue([in] VARIANT varValue); -``` - -## Parameters - -*varValue* -

    Value to set. To clear a leaf node’s value, set varValue’s type to VT_NULL.

    - -## Return Value - -A value of S\_OK indicates that the value was set successfully. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::SetValue** method, or that it's an internal node. - -## Remarks - -For externally–transactioned nodes, no additional methods must be implemented to support rollback. - -## Requirements - -**Header:** None - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - - - - - - - - diff --git a/windows/client-management/mdm/icspnodetransactioning.md b/windows/client-management/mdm/icspnodetransactioning.md deleted file mode 100644 index 93b4a35b7b..0000000000 --- a/windows/client-management/mdm/icspnodetransactioning.md +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -title: ICSPNodeTransactioning -description: ICSPNodeTransactioning -ms.assetid: 24dc518a-4a8d-41fe-9bc6-217bbbdf6a3f -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPNodeTransactioning - -This is an optional interface that enables a configuration service provider to define its own transactioning scheme (internal transactioning) for an individual node. Transactioning supports the ability to roll back previous actions on a node. The majority of nodes use external transactioning, which is handled automatically, and do not need to implement this interface. For more information about internal and external transactioning, including how to handle the `RollbackAction` functions, see "Determine node operations" in [Designing a custom configuration service provider](design-a-custom-windows-csp.md). - -``` syntax -interface ICSPNodeTransactioning : IUnknown -{ - HRESULT PersistRollbackAddState([in] IConfigManager2URI* puriChild, - [in] CFG_DATATYPE DataType, - [in] VARIANT varValue, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT PersistRollbackCopyState([in] IConfigManager2URI* puriDestination, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT PersistRollbackDeleteChildState([in] IConfigManager2URI* puriChild, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT PersistRollbackClearState([in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT PersistRollbackExecuteState([in] VARIANT varUserData, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT PersistRollbackMoveState([in] IConfigManager2URI* puriDestination, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT 
PersistRollbackSetValueState([in] VARIANT varValue, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT PersistRollbackSetPropertyState([in] REFGUID guidProperty, - [in] VARIANT varValue, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT PersistRollbackDeletePropertyState([in] REFGUID guidProperty, - [in] ISequentialStream* pRollbackStream, - [in] ISequentialStream* pUninstallStream); - HRESULT RollbackAdd([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackCopy([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackDeleteChild([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackClear([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackExecute([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackMove([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackSetValue([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackSetProperty([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - HRESULT RollbackDeleteProperty([in] ISequentialStream* pUndoStream, - [in] BOOL fRecoveryRollback); - - HRESULT Commit(); -}; -``` - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - -  - - - - - diff --git a/windows/client-management/mdm/icspvalidate.md b/windows/client-management/mdm/icspvalidate.md deleted file mode 100644 index 3d59448e68..0000000000 --- a/windows/client-management/mdm/icspvalidate.md +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -title: ICSPValidate -description: ICSPValidate -ms.assetid: b0993f2d-6269-412f-a329-af25fff34ca2 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# ICSPValidate - -This interface is optional. It is called by ConfigManager2 as it batches commands before transactioning begins. This allows the configuration service provider to validate the node before performing specific actions. It is generally only used for configuration service providers that need to expose UI. - -``` syntax -interface ICSPValidate : IUnknown -{ - HRESULT ValidateAdd([in] IConfigNodeState* pNodeState, - [in] IConfigManager2URI* puriChild, - [in] CFG_DATATYPE DataType, - [in] VARIANT varValue); - HRESULT ValidateCopy([in] IConfigNodeState* pNodeState, - [in] IConfigManager2URI* puriDestination); - HRESULT ValidateDeleteChild([in] IConfigNodeState* pNodeState, - [in] IConfigManager2URI* puriChild); - HRESULT ValidateClear([in] IConfigNodeState* pNodeState); - HRESULT ValidateExecute([in] IConfigNodeState* pNodeState, - [in] VARIANT varUserData); - HRESULT ValidateMove([in] IConfigNodeState* pNodeState, - [in] IConfigManager2URI* puriDestination); - HRESULT ValidateSetValue([in] IConfigNodeState* pNodeState, - [in] VARIANT varValue); - HRESULT ValidateSetProperty([in] IConfigNodeState* pNodeState, - [in] REFGUID guidProperty, - [in] VARIANT varValue); - HRESULT ValidateDeleteProperty([in] IConfigNodeState* pNodeState, - [in] REFGUID guidProperty); -``` - -## Related topics - -[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) - -  - - - - - - diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index f224b4242c..c7dde016cf 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -12,7 +12,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 05/15/2019 +ms.date: 07/01/2019 --- # What's new in mobile device enrollment and management @@ -56,6 +56,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [July 2019](#july-2019) - [June 2019](#june-2019) - [May 2019](#may-2019) - [April 2019](#april-2019) @@ -120,6 +121,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Power/TurnOffHybridSleepPluggedIn
  • Power/UnattendedSleepTimeoutOnBattery
  • Power/UnattendedSleepTimeoutPluggedIn
  • +
  • Privacy/LetAppsActivateWithVoice
  • +
  • Privacy/LetAppsActivateWithVoiceAboveLock
  • Search/AllowFindMyFiles
  • ServiceControlManager/SvchostProcessMitigation
  • System/AllowCommercialDataPipeline
  • @@ -1880,6 +1883,14 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### July 2019 + +|New or updated topic | Description| +|--- | ---| +|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
    LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| +|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
    Create a custom configuration service provider
    Design a custom configuration service provider
    IConfigServiceProvider2
    IConfigServiceProvider2::ConfigManagerNotification
    IConfigServiceProvider2::GetNode
    ICSPNode
    ICSPNode::Add
    ICSPNode::Clear
    ICSPNode::Copy
    ICSPNode::DeleteChild
    ICSPNode::DeleteProperty
    ICSPNode::Execute
    ICSPNode::GetChildNodeNames
    ICSPNode::GetProperty
    ICSPNode::GetPropertyIdentifiers
    ICSPNode::GetValue
    ICSPNode::Move
    ICSPNode::SetProperty
    ICSPNode::SetValue
    ICSPNodeTransactioning
    ICSPValidate
    Samples for writing a custom configuration service provider| + + ### June 2019 |New or updated topic | Description| diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index e024166ef3..ec1c14a6b8 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 05/01/2019 +ms.date: 07/09/2019 --- # Policy CSP @@ -2743,6 +2743,12 @@ The following diagram shows the Policy configuration service provider in tree fo
    Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
    +
    + Privacy/LetAppsActivateWithVoice +
    +
    + Privacy/LetAppsActivateWithVoiceAboveLock +
    Privacy/LetAppsGetDiagnosticInfo
    @@ -5358,6 +5364,8 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](#devicehealthmonitoring-configdevicehealthmonitoringscope) - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination) +- [Privacy/LetAppsActivateWithVoice](#privacy-letappsactivatewithvoice) +- [Privacy/LetAppsActivateWithVoiceAboveLock](#privacy-letappsactivatewithvoiceabovelock) - [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) - [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) @@ -5408,6 +5416,8 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](#devicehealthmonitoring-configdevicehealthmonitoringscope) - [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination) +- [Privacy/LetAppsActivateWithVoice](#privacy-letappsactivatewithvoice) +- [Privacy/LetAppsActivateWithVoiceAboveLock](#privacy-letappsactivatewithvoiceabovelock) - [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) - [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 71ca1629b3..3b5cfe28d0 100644 
--- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -358,6 +358,9 @@ The following list shows the supported values: This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. +> [!Important] +> Pre-configured candidate local accounts are any local accounts (pre-configured or added) in your device. + Value type is integer. Supported values: - 0 - (default) The feature defaults to the existing SKU and device capabilities. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 51c93e97d7..883cf16ab7 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -335,7 +335,7 @@ If this policy is not set or it is deleted, the default local radio name is used -Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. +Added in Windows 10, version 1511. Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. The default value is an empty string. For more information, see [ServicesAllowedList usage guide](#servicesallowedlist-usage-guide) diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 3395ba9cee..c7585eb14e 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md 
@@ -6,17 +6,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 05/01/2019 +ms.date: 07/09/2019 ms.reviewer: manager: dansimp --- # Policy CSP - Privacy -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
    @@ -233,6 +229,12 @@ manager: dansimp
    Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
    +
    + Privacy/LetAppsActivateWithVoice +
    +
    + Privacy/LetAppsActivateWithVoiceAboveLock +
    Privacy/LetAppsGetDiagnosticInfo
    @@ -4088,6 +4090,126 @@ ADMX Info:
    + +**Privacy/LetAppsActivateWithVoice** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    checkmark mark6checkmark mark6check mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Specifies if Windows apps can be activated by voice. + + + +ADMX Info: +- GP English name: *Allow voice activation* +- GP name: *LetAppsActivateWithVoice* +- GP element: *LetAppsActivateWithVoice_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 (default) – User in control. Users can decide if Windows apps can be activated by voice using Settings > Privacy options on the device. +- 1 – Force allow. Windows apps can be activated by voice and users cannot change it. +- 2 - Force deny. Windows apps cannot be activated by voice and users cannot change it. + + + + +
    + + +**Privacy/LetAppsActivateWithVoiceAboveLock** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark6check mark6check mark6check mark6check mark6
    + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Specifies if Windows apps can be activated by voice while the screen is locked. + + + +ADMX Info: +- GP English name: *Allow voice activation above locked screen* +- GP name: *LetAppsActivateWithVoiceAboveLock* +- GP element: *LetAppsActivateWithVoiceAboveLock_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 (default) – User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device. +- 1 – Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it. +- 2 - Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it. + + + + +
    + **Privacy/LetAppsGetDiagnosticInfo** @@ -4868,6 +4990,18 @@ ADMX Info: - [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) + +## Privacy policies supported by Windows 10 IoT Core +- [Privacy/LetAppsActivateWithVoice](#privacy-letappsactivatewithvoice) +- [Privacy/LetAppsActivateWithVoiceAboveLock](#privacy-letappsactivatewithvoiceabovelock) + + + +## Privacy policies supported by Windows 10 IoT Enterprise +- [Privacy/LetAppsActivateWithVoice](#privacy-letappsactivatewithvoice) +- [Privacy/LetAppsActivateWithVoiceAboveLock](#privacy-letappsactivatewithvoiceabovelock) + +
    Footnotes: @@ -4877,4 +5011,4 @@ Footnotes: - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. -- 6 - Added in the next major release of Windows 10. +- 6 - Added in Windows 10, version 1903. diff --git a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md deleted file mode 100644 index 0ee7ef78f1..0000000000 --- a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Samples for writing a custom configuration service provider -description: Samples for writing a custom configuration service provider -ms.assetid: ccda4d62-7ce1-483b-912f-25d50c974270 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: manikadhiman -ms.date: 06/26/2017 ---- - -# Samples for writing a custom configuration service provider - -The following example shows how to retrieve Integrated Circuit Card Identifier (ICCID) and International Mobile Subscriber Identity (IMSI) for a dual SIM phone. - -## Retrieving ICCID and IMSI for a dual SIM phone - -The following sample is used in the [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md) method implementation. It first retrieves the IConfigSession2 object, and then queries the ICCID with the IConfigSession2::GetSessionVariable method. To retrieve the IMSI, replace L”ICCID” with L”IMSI”. - -``` syntax -case CFGMGR_NOTIFICATION_SETSESSIONOBJ: - if (NULL != lpParam) - { - m_pSession = reinterpret_cast(lpParam); -        m_pSession->AddRef(); -    } - -    bstrContext = SysAllocString(L"ICCID"); -    if (NULL == bstrContext) -    { -    hr = E_OUTOFMEMORY; -    goto Error; -    } - -    hr = m_pSession->GetSessionVariable(bstrContext, &varValue); -    if (FAILED(hr)) -    { -     goto Error; -    } -    break; -``` - -  - - - - - diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 53cd1f9039..2fd51caeeb 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md 
@@ -45,10 +45,8 @@ You can deploy the resulting .xml file to devices using one of the following met - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - ## Customize the Start screen on your test computer - To prepare a Start layout for export, you simply customize the Start layout on a test computer. **To prepare a test computer** @@ -57,7 +55,6 @@ To prepare a Start layout for export, you simply customize the Start layout on a 2. Create a new user account that you will use to customize the Start layout. - **To customize Start** 1. Sign in to your test computer with the user account that you created. @@ -81,10 +78,8 @@ To prepare a Start layout for export, you simply customize the Start layout on a > >In earlier versions of Windows 10, no tile would be pinned. - ## Export the Start layout - When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ >[!IMPORTANT] @@ -176,9 +171,9 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed **To configure a partial Start screen layout** -1. [Customize the Start layout](#bmk-customize-start). +1. [Customize the Start layout](#customize-the-start-screen-on-your-test-computer). -2. [Export the Start layout](#bmk-exportstartscreenlayout). +2. [Export the Start layout](#export-the-start-layout). 3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: ``` syntax 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index f01c3b9f44..bda947c233 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -30,7 +30,7 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can us >[!NOTE] >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization). >[!WARNING] >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 89c720dbc9..fec62e33fd 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -31,7 +31,7 @@ A single-app kiosk uses the Assigned Access feature to run a single app above th >[!IMPORTANT] >[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. > ->Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste. You have several options for configuring your single-app kiosk. diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 2c861f7c13..a8d16003c6 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -18,16 +18,13 @@ ms.topic: article # Set up a multi-app kiosk - **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. - -The following table lists changes to multi-app kiosk in recent updates. - +The following table lists changes to multi-app kiosk in recent updates. 
| New features and improvements | In update | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -39,21 +36,21 @@ The following table lists changes to multi-app kiosk in recent updates. You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). - >[!TIP] >Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. -## Configure a kiosk in Microsoft Intune +## Configure a kiosk in Microsoft Intune To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows). - + ## Configure a kiosk using a provisioning package Process: + 1. [Create XML file](#create-xml-file) 2. [Add XML file to provisioning package](#add-xml) 3. [Apply provisioning package to device](#apply-ppkg) 
@@ -70,19 +67,19 @@ If you don't want to use a provisioning package, you can deploy the configuratio - The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later >[!NOTE] ->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. +>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. ### Create XML file -Let's start by looking at the basic structure of the XML file. +Let's start by looking at the basic structure of the XML file. -- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. +- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. -- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. +- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. - Multiple config sections can be associated to the same profile. -- A profile has no effect if it’s not associated to a config section. +- A profile has no effect if it’s not associated to a config section. ![profile = app and config = account](images/profile-config.png) @@ -90,7 +87,7 @@ You can start your file by pasting the following XML (or any other examples in t ```xml - @@ -98,7 +95,7 @@ You can start your file by pasting the following XML (or any other examples in t - + 
@@ -119,11 +116,11 @@ There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. - **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. -A lockdown profile section in the XML has the following entries: +A lockdown profile section in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) -- [**AllowedApps**](#allowedapps) +- [**AllowedApps**](#allowedapps) - [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions) @@ -133,15 +130,13 @@ A lockdown profile section in the XML has the following entries: A kiosk profile in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) - [**KioskModeApp**](#kioskmodeapp) - - ##### Id -The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. +The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. ```xml 
@@ -151,30 +146,28 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - - -- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). +- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). -- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”. +- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”. 
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). -When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: +When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: -1. Default rule is to allow all users to launch the signed package apps. -2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. +1. Default rule is to allow all users to launch the signed package apps. +2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. 
If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. >[!NOTE] >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. > - >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. + >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. Here are the predefined assigned access AppLocker rules for **desktop apps**: -1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. -2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. -3. 
Enterprise-defined allowed desktop apps are added in the AppLocker allow list. +1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. +2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. +3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. 
@@ -220,23 +213,23 @@ The following example shows how to allow user access to the Downloads folder in ... - + ``` ##### StartLayout -After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. +After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). A few things to note here: -- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. -- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. +- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. +- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. 
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). +- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start. @@ -267,14 +260,13 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, ``` >[!NOTE] ->If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. - +>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. ![What the Start screen looks like when the XML sample is applied](images/sample-start.png) ##### Taskbar -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. +Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. The following example exposes the taskbar to the end user: 
@@ -289,9 +281,9 @@ The following example hides the taskbar: ``` >[!NOTE] ->This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. +>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. -##### KioskModeApp +##### KioskModeApp **KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. 
@@ -302,27 +294,25 @@ The following example hides the taskbar: >[!IMPORTANT] >The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information. - #### Configs -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. +Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. 
You can assign: - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) - [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts) -- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only) +- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). >[!NOTE] ->Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. +>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. ##### Config for AutoLogon Account When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. - The following example shows how to specify an account to sign in automatically. ```xml @@ -331,7 +321,7 @@ The following example shows how to specify an account to sign in automatically. - + ``` In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". 
@@ -347,13 +337,12 @@ In Windows 10, version 1809, you can configure the display name that will be sho On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) - >[!IMPORTANT] >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). ##### Config for individual accounts -Individual accounts are specified using ``. +Individual accounts are specified using ``. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. 
@@ -362,58 +351,56 @@ Individual accounts are specified using ``. >[!WARNING] >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. >[!NOTE] >For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. - ```xml MultiAppKioskUser - + ``` - - ##### Config for group accounts -Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. +Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. - Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. ```xml - - - - + + + + ``` + - Domain group: Both security and distribution groups are supported. 
Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. ```xml - - - - + + + + ``` - Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. ```xml - - - - + + + + ``` >[!NOTE] - >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. + >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. + ### Add XML file to provisioning package Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). 
@@ -439,7 +426,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) -8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. +8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. 9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. 
@@ -451,9 +438,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. 14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. 
@@ -469,12 +456,13 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. 18. Copy the provisioning package to the root directory of a USB drive. + ### Apply provisioning package to device Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). 
@@ -504,46 +492,28 @@ Provisioning packages can be applied to a device during the first-run experience ![Do you trust this package?](images/trust-package.png) - - #### After setup, from a USB drive, network folder, or SharePoint site 1. Sign in with an admin account. 2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. >[!NOTE] ->if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. +>if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. ![add a package option](images/package.png) - - - -### Use MDM to deploy the multi-app configuration +### Use MDM to deploy the multi-app configuration +Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. -Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. - -If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. +If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. 
The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. - - - - - - - - - - - ## Considerations for Windows Mixed Reality immersive headsets - -With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps. +With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps. To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps): 
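Review bot: The `>[!NOTE]` line under "After setup, from a USB drive, network folder, or SharePoint site" is rewritten only to strip trailing whitespace and still opens with a lowercase "if"; capitalize it while the line is being touched. The same goes for "a MDM server" in the new MDM paragraph, which should read "an MDM server". Both lines are already in the `+` side of this hunk, so the fix costs nothing extra.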
@@ -561,14 +531,12 @@ After the admin has completed setup, the kiosk account can sign in and repeat th There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. - ## Policies set by multi-app kiosk configuration It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. - ### Group Policy The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. 
@@ -605,11 +573,8 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. - - ### MDM policy - Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). Setting | Value | System-wide 
@@ -633,13 +598,14 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No [WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes + ## Provision .lnk files using Windows Configuration Designer First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk` -Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. +Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. -``` +```PowerShell msiexec /I ".msi" /qn /norestart copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\.lnk" ``` diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 5c93aacf5e..fd49af9302 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -64,7 +64,7 @@ In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutE ## Export Start layout and assets -1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#bkmkcustomizestartscreen) to customize the Start screen on your test computer. +1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#customize-the-start-screen-on-your-test-computer) to customize the Start screen on your test computer. 2. Open Windows PowerShell as an administrator and enter the following command: ``` 
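Review bot: In the hunk under "## Provision .lnk files using Windows Configuration Designer", the fence is retagged as `PowerShell`, but the paragraph above it calls this a batch file and the second command depends on `%AllUsersProfile%`, which cmd.exe expands and PowerShell does not. Use a batch or console tag (or leave the fence untagged) so readers do not paste the commands into a PowerShell session, where the copy would target a literal `%AllUsersProfile%` path. The extra blank line added before the heading has no visible purpose and can be dropped.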
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index b3903e691b..e8bd2af8db 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -75,6 +75,12 @@ To enable data sharing, configure your proxy server to whitelist the following e > [!IMPORTANT] > For privacy and data integrity, Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. SSL interception and inspection aren't possible. To use Desktop Analytics, exclude these endpoints from SSL inspection. +>[!NOTE] +>Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland): +>- Windows diagnostic data from Windows 8.1 devices +>- App usage data for Windows 7 devices + + ### Configuring endpoint access with SSL inspection To ensure privacy and data integrity Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. Accordingly SSL interception and inspection is not possible. To use Windows Analytics services you should exclude the above endpoints from SSL inspection. @@ -205,3 +211,4 @@ Note that it is possible to intiate a full inventory scan on a device by calling - CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun ent For details on how to run these and how to check results, see the deployment script. + diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index a75f7d866b..3cfb3be1df 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md 
@@ -26,7 +26,7 @@ You can use Upgrade Readiness to plan and manage your upgrade project end-to-end Before you begin, consider reviewing the following helpful information:
    - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
    - - [Upgrade Readiness blog](https://aka.ms/blog/WindowsAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. + - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. >If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index ece1531dec..dda5ad6943 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md 
@@ -26,20 +26,20 @@ Windows Autopilot is designed to simplify all parts of the Windows device lifecy Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device: -- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. -- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. -- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. -- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. -- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune). -- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in. +- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. +- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. +- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. +- Azure Active Directory join. 
For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. +- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune). +- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in. For troubleshooting, key activities to perform are: -- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? -- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? -- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? -- Azure AD join issues. Was the device able to join Azure Active Directory? -- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? +- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? +- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? +- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? +- Azure AD join issues. 
Was the device able to join Azure Active Directory? +- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? ## Troubleshooting Autopilot OOBE issues @@ -109,7 +109,7 @@ When a profile is downloaded depends on the version of Windows 10 that is runnin | 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | | 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | -If you need to reboot a computer during OOBE: +If you need to reboot a computer during OOBE: - Press Shift-F10 to open a command prompt. - Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index d0a2891d0c..642497fe48 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md 
@@ -38,6 +38,9 @@ In addition to [Windows Autopilot requirements](windows-autopilot-requirements.m - Physical devices that support TPM 2.0 and device attestation; virtual machines are not supported. The white glove provisioning process leverages Windows Autopilot self-deploying capabilities, hence the TPM 2.0 requirements. - Physical devices with Ethernet connectivity; Wi-fi connectivity is not supported due to the requirement to choose a language, locale, and keyboard to make that Wi-fi connection; doing that in a pre-provisioning process could prevent the user from choosing their own language, locale, and keyboard when they receive the device. +>[!IMPORTANT] +>Because the OEM or vendor performs the white glove process, this doesn’t require access to an end-user's on-prem domain infrastructure. This is unlike a typical hybrid Azure AD-joined scenario because rebooting the device is postponed. The device is resealed prior to the time when connectivity to a domain controller is expected, and the domain network is contacted when the device is unboxed on-prem by the end-user. + ## Preparation Devices slated for WG provisioning are registered for Autopilot via the normal registration process. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 9f89972a1f..843d0975aa 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.localizationpriority: medium author: medgarmedgar ms.author: v-medgar -ms.date: 3/1/2019 +ms.date: 7/9/2019 --- # Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server 
@@ -70,14 +70,15 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | 14. Offline maps | [AllowOfflineMapsDownloadOverMeteredConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps)|Allows the download and update of map data over metered connections.
    **Set to 0 (zero)** | | [EnableOfflineMapsAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-maps#maps-enableofflinemapsautoupdate)|Disables the automatic download and update of map data. **Set to 0 (zero)** | 15. OneDrive | [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-disableonedrivefilesync)| Allows IT Admins to prevent apps and features from working with files on OneDrive. **Set to 1 (one)** +| 15.1 Injest the ADMX | To get the latest OneDrive ADMX file you need an up-to-date Windows 10 client. | The ADMX files are located under the following path: %LocalAppData%\Microsoft\OneDrive\ there's a folder with the current OneDrive build (e.g. "18.162.0812.0001"). +| 15.2 Prevent Network Traffic before User SignIn | PreventNetworkTrafficPreUserSignIn | The OMA-URI value is: ./Device/Vendor/MSFT/Policy/Config/OneDriveNGSC\~Policy\~OneDriveNGSC/PreventNetworkTrafficPreUserSignIn | 16. Preinstalled apps | N/A | N/A | 17. Privacy settings | | Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. | 17.1 General | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | This policy setting controls the ability to send inking and typing data to Microsoft. **Set to 0 (zero)** | 17.2 Location | [System/AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowlocation) | Specifies whether to allow app access to the Location service. **Set to 0 (zero)** | 17.3 Camera | [Camera/AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-camera#camera-allowcamera) | Disables or enables the camera. 
**Set to 0 (zero)** | 17.4 Microphone | [Privacy/LetAppsAccessMicrophone](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone) | Specifies whether Windows apps can access the microphone. **Set to 2 (two)** -| 17.5 Notifications | [Notifications/DisallowCloudNotification](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification) | Turn off notifications network usage. **DO NOT TURN OFF WNS Notifications if you want manage your device(s) using Microsoft InTune** -| | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)** +| 17.5 Notifications | [Privacy/LetAppsAccessNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessnotifications) | Specifies whether Windows apps can access notifications. **Set to 2 (two)** | | [Settings/AllowOnlineTips]( https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-allowonlinetips) | Enables or disables the retrieval of online tips and help for the Settings app. **Set to Disabled** | 17.6 Speech, Inking, & Typing | [Privacy/AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-allowinputpersonalization) | This policy specifies whether users on the device have the option to enable online speech recognition. **Set to 0 (zero)** | | [TextInput/AllowLinguisticDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection)| This policy setting controls the ability to send inking and typing data to Microsoft **Set to 0 (zero)** 
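Review bot: Row 17.5 loses `Notifications/DisallowCloudNotification` together with its warning not to turn off WNS notifications on Intune-managed devices, and nothing in the hunk says why. If the policy is being dropped from the baseline on purpose, state that in the table or the change history so admins who already applied it know whether to revert. In the added rows, "Injest" in 15.1 should be "Ingest", 15.1 puts instructions in the policy column without naming the ADMX file to ingest, and 15.2 gives the OMA-URI but no value, whereas the neighbouring rows all end with a "Set to ..." instruction.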
@@ -106,13 +107,30 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)** | 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)** | 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** +| 23.3 Windows Defender Potentially Unwanted Applications(PUA) Protection | [Defender/PUAProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-puaprotection) | Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)** | 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)** | 25. Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. 
**Set to 1 (one)** | | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** | 25.1 Apps for websites | [ApplicationDefaults/EnableAppUriHandlers](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationdefaults#applicationdefaults-enableappurihandlers) | This policy setting determines whether Windows supports web-to-app linking with app URI handlers. **Set to 0 (zero)** | 26. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). | | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)** -| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)** +| 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)** +| 27.1 Windows Update Allow Update Service | [Update/AllowUpdateService](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) | Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. 
**Set to 0 (zero)** +| 27.2 Windows Update Service URL| [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) | Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with this Value: + + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + ### Allowed traffic ("Whitelisted traffic") for Microsoft InTune / MDM configurations diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 6130327341..fe82aa66b7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
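Review bot: In the Policy CSP table hunk above, the 27.2 sample value `http://abcd-srv:8530` shows a WSUS endpoint over plain HTTP with no indication that the host is a placeholder. Label it as an example and show an HTTPS URL, or add a sentence that the WSUS server should be reached over TLS, so the sample is not copied unchanged into a production policy. Row 27.1 sets `Update/AllowUpdateService` to 0 while 27.2 supplies an update service URL; say how the two are meant to combine. The multi-line sample is appended inside the table after "with this Value:", which ends the table, so move it below the table in its own block. The three new links use `/en-us/` in the path while the existing rows use locale-neutral URLs.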
@@ -547,14 +547,7 @@ To turn off the Windows Mail app: ### 12. Microsoft Account -To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). - -- **Enable** the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. - - -or- - -- Create a REG_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a **value of 3**. - +Use the below setting to prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. For example, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). To disable the Microsoft Account Sign-In Assistant: 
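Review bot: In section 12, the rewritten intro says "Use the below setting", but the hunk deletes both settings that used to follow it (the **Accounts: Block Microsoft Accounts** Group Policy and the `NoConnectedUser` registry value), leaving only the Sign-In Assistant steps. Confirm the removal is intended, record the reason in the change history, and point the sentence at what remains, for example by naming the Microsoft Account Sign-In Assistant setting directly. "Some of them could be in unexpected ways" is still a sentence fragment and can be folded into the preceding sentence while this paragraph is being edited.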
@@ -604,9 +597,9 @@ For a complete list of the Microsoft Edge policies, see [Available policies for ### 14. Network Connection Status Indicator -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog). +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the [Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more. -In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com`. +In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com/ncsi.txt`. You can turn off NCSI by doing one of the following: diff --git a/windows/release-information/cat-windows-docs-pr - Shortcut.lnk b/windows/release-information/cat-windows-docs-pr - Shortcut.lnk deleted file mode 100644 index 1c599245a0..0000000000 Binary files a/windows/release-information/cat-windows-docs-pr - Shortcut.lnk and /dev/null differ diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index 1c510dd2e2..fcb44369bb 100644 --- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -52,6 +53,15 @@ sections:
    " +- title: June 2019 +- items: + - type: markdown + text: " +
    SummaryOriginating updateStatusDate resolved
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Resolved
    KB4507458
    July 09, 2019
    10:00 AM PT
    Unable to access some gov.uk websites
    gov.uk websites that don’t support “HSTS” may not be accessible

    See details >
    OS Build 10240.18215

    May 14, 2019
    KB4499154
    Resolved
    KB4505051
    May 19, 2019
    02:00 PM PT
    MSXML6 may cause applications to stop responding
    MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

    See details >
    OS Build 10240.18094

    January 08, 2019
    KB4480962
    Resolved
    KB4493475
    April 09, 2019
    10:00 AM PT
    Custom URI schemes may not start corresponding application
    Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

    See details >
    OS Build 10240.18158

    March 12, 2019
    KB4489872
    Resolved
    KB4493475
    April 09, 2019
    10:00 AM PT
    + +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4507458.

    Back to top
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Resolved
    KB4507458
    Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    + " + - title: May 2019 - items: - type: markdown diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 49d7c93e32..3ad444b3d0 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: " + @@ -80,6 +81,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusDate resolved
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

    See details >
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4507460
    July 09, 2019
    10:00 AM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >
    OS Build 14393.2999

    May 23, 2019
    KB4499177
    Resolved
    KB4509475
    June 27, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 14393.3025

    June 11, 2019
    KB4503267
    Resolved
    KB4503294
    June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 14393.2999

    May 23, 2019
    KB4499177
    Resolved
    KB4503267
    June 11, 2019
    10:00 AM PT
    + diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml index 0d6b415ad8..57777605fe 100644 --- a/windows/release-information/resolved-issues-windows-10-1703.yml +++ b/windows/release-information/resolved-issues-windows-10-1703.yml @@ -32,6 +32,7 @@ sections: - type: markdown text: "
    DetailsOriginating updateStatusHistory
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

    Affected platforms:
    • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Resolution: This issue was resolved in KB4507460.

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4507460
    Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
    Update not showing as applicable through WSUS or SCCM or when manually installed
    KB4494440 or later updates may not show as applicable through WSUS or SCCM to the affected platforms. When manually installing the standalone update from Microsoft Update Catalog, it may fail to install with the error, \"The update is not applicable to your computer.\"


    Affected platforms:
    • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016

    Resolution: The servicing stack update (SSU) (KB4498947) must be installed before installing the latest cumulative update (LCU). The LCU will not be reported as applicable until the SSU is installed. For more information, see Servicing stack updates.

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4498947
    Resolved:
    May 14, 2019
    10:00 AM PT

    Opened:
    May 24, 2019
    04:20 PM PT
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505052) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505052 from Windows Update and then restarting your device.

    This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505052, search for it in the Microsoft Update Catalog.
     

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4505052
    Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue has been resolved.

    Back to top
    OS Build 14393.2941

    April 25, 2019
    KB4493473
    Resolved
    KB4494440
    Resolved:
    May 14, 2019
    10:00 AM PT

    Opened:
    May 10, 2019
    10:35 AM PT
    + @@ -75,6 +76,7 @@ sections: - type: markdown text: "
    SummaryOriginating updateStatusDate resolved
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

    See details >
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Resolved
    KB4507450
    July 09, 2019
    10:00 AM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4509476
    June 26, 2019
    04:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 15063.1868

    June 11, 2019
    KB4503279
    Resolved
    KB4503289
    June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4503279
    June 11, 2019
    10:00 AM PT
    +
    DetailsOriginating updateStatusHistory
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.

    Affected platforms:
    • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Resolution: This issue was resolved in KB4507450.

    Back to top
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Resolved
    KB4507450
    Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
    Unable to access some gov.uk websites
    After installing the May 14, 2019 update, some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10, version 1507; Windows 8.1; Windows 7 SP1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
    Resolution: We have released an \"optional, out-of-band\" update for Windows 10 (KB4505055) to resolve this issue. If you are affected, we recommend you apply this update by installing KB4505055 from Windows Update and then restarting your device.

    This update will not be applied automatically. To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates. To get the standalone package for KB4505055, search for it in the Microsoft Update Catalog.
     

    Back to top
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Resolved
    KB4505055
    Resolved:
    May 19, 2019
    02:00 PM PT

    Opened:
    May 16, 2019
    01:57 PM PT
    Layout and cell size of Excel sheets may change when using MS UI Gothic
    When using the MS UI Gothic or MS PGothic fonts, the text, layout, or cell size may become narrower or wider than expected in Microsoft Excel. For example, the layout and cell size of Microsoft Excel sheets may change when using MS UI Gothic.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue has been resolved.

    Back to top
    OS Build 15063.1784

    April 25, 2019
    KB4493436
    Resolved
    KB4499181
    Resolved:
    May 14, 2019
    10:00 AM PT

    Opened:
    May 10, 2019
    10:35 AM PT
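Review bot: In the BitLocker 0xC0210000 details row, "Affected platforms" lists Windows 10, version 1607, Windows 10 Enterprise LTSC 2016 and Windows Server 2016, but the Resolution names only KB4507450, which this file pairs with originating build 15063.1805 (version 1703). The matching row in resolved-issues-windows-10-1607.yml gives KB4507460 for the same issue. Either trim the platform list on this page to version 1703 or state in the Resolution that the other listed platforms are fixed by their own update, so an admin on 1607 or Server 2016 does not go looking for the wrong KB.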
    diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 038724ee59..e81ad9523c 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -60,8 +60,8 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    - +
    SummaryOriginating updateStatusLast updated
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Mitigated
    June 13, 2019
    02:21 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 10240.18094

    January 08, 2019
    KB4480962
    Mitigated
    April 25, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Resolved
    KB4507458
    July 09, 2019
    10:00 AM PT
    " @@ -77,7 +77,7 @@ sections: - type: markdown text: " - +
    DetailsOriginating updateStatusHistory
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Workaround: To mitigate this issue, see KB4508640.

    Next steps: We are working on a resolution and estimate a solution will be available in late June.

    Back to top
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Mitigated
    Last updated:
    June 13, 2019
    02:21 PM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4507458.

    Back to top
    OS Build 10240.18244

    June 11, 2019
    KB4503291
    Resolved
    KB4507458
    Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    June 12, 2019
    11:11 AM PT
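Review bot: The resolved Event Viewer row keeps "Windows 10 Enterprise LTSC 2015" under Affected platforms, while the Excel / MS UI Gothic rows elsewhere in this patch call the same release "Windows 10 Enterprise LTSB 2015". This is the status page for that release, so the name should be consistent. The row is already being rewritten here (Workaround and Next steps replaced by "Resolution: This issue was resolved in KB4507458."), which makes this the natural place to settle on one name.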
    " diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index db44883cf7..7916b99a81 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,16 +60,15 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    - + + - -
    SummaryOriginating updateStatusLast updated
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000

    See details >
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Mitigated
    June 24, 2019
    10:46 AM PT
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 14393.3025

    June 11, 2019
    KB4503267
    Mitigated
    July 10, 2019
    02:51 PM PT
    Some applications may fail to run as expected on clients of AD FS 2016
    Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

    See details >
    OS Build 14393.2941

    April 25, 2019
    KB4493473
    Mitigated
    June 07, 2019
    04:25 PM PT
    Cluster service may fail if the minimum password length is set to greater than 14
    The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

    See details >
    OS Build 14393.2639

    November 27, 2018
    KB4467684
    Mitigated
    April 25, 2019
    02:00 PM PT
    SCVMM cannot enumerate and manage logical switches deployed on the host
    For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

    See details >
    OS Build 14393.2639

    November 27, 2018
    KB4467684
    Mitigated
    April 25, 2019
    02:00 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 14393.2724

    January 08, 2019
    KB4480961
    Mitigated
    April 25, 2019
    02:00 PM PT
    Windows may not start on certain Lenovo and Fujitsu laptops with less than 8GB of RAM
    Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

    See details >
    OS Build 14393.2608

    November 13, 2018
    KB4467691
    Mitigated
    February 19, 2019
    10:00 AM PT
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

    See details >
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4507460
    July 09, 2019
    10:00 AM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >
    OS Build 14393.2999

    May 23, 2019
    KB4499177
    Resolved
    KB4509475
    June 27, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 14393.3025

    June 11, 2019
    KB4503267
    Resolved
    KB4503294
    June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 14393.2999

    May 23, 2019
    KB4499177
    Resolved
    KB4503267
    June 11, 2019
    10:00 AM PT
    Issue using PXE to start a device from WDS
    There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

    See details >
    OS Build 14393.2848

    March 12, 2019
    KB4489882
    Resolved
    KB4503267
    June 11, 2019
    10:00 AM PT
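Review bot: The title of the new PXE summary row, "Devices starting using PXE from a WDS or SCCM servers may fail to start", mixes singular and plural ("a ... servers"), and the sentence under it mentions only Windows Deployment Services although the title also names SCCM. Suggest "Devices starting using PXE from a WDS or SCCM server may fail to start" and adding SCCM to the summary sentence so the two lines agree.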
    " @@ -80,6 +79,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server:
    1. Verify Variable Window Extension is enabled.
    2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In WDS TFTP settings, verify Variable Window Extension is enabled.
    2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 14393.3025

    June 11, 2019
    KB4503267
    Mitigated
    Last updated:
    July 10, 2019
    02:51 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
    + " + - title: June 2019 - items: - type: markdown @@ -88,7 +96,6 @@ sections:
    Some applications may fail to run as expected on clients of AD FS 2016
    Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

    Affected platforms:
    • Server: Windows Server 2016
    Workaround: You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue \"allow-from https://example.com\"

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to topOS Build 14393.2941

    April 25, 2019
    KB4493473Mitigated
    Last updated:
    June 07, 2019
    04:25 PM PT

    Opened:
    June 04, 2019
    05:55 PM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499177. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4509475.

    Back to topOS Build 14393.2999

    May 23, 2019
    KB4499177Resolved
    KB4509475Resolved:
    June 27, 2019
    02:00 PM PT

    Opened:
    June 20, 2019
    04:46 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4503294.

    Back to topOS Build 14393.3025

    June 11, 2019
    KB4503267Resolved
    KB4503294Resolved:
    June 18, 2019
    02:00 PM PT

    Opened:
    June 12, 2019
    11:11 AM PT -
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503267.

    Back to topOS Build 14393.2999

    May 23, 2019
    KB4499177Resolved
    KB4503267Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT " @@ -97,16 +104,7 @@ sections: - type: markdown text: " - -
    DetailsOriginating updateStatusHistory
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

    Affected platforms:
    • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Workaround: If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE) using the following steps:
    1. Retrieve the 48-digit BitLocker recovery password for the OS volume from your organization's portal or from wherever the key was stored when BitLocker was first enabled.
    2. From the recovery screen, press the enter key and enter the recovery password when prompted.
    3. If your device starts in the Windows Recovery Environment and asks for recovery key again, select Skip the drive to continue to WinRE.
    4. Select Advanced options then Troubleshoot then Advanced options then Command Prompt.
    5. Unlock drive using the command: Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
    6. Suspend BitLocker using the command: Manage-bde -protectors -disable c:
    7. Exit the command window using the command: exit
    8. Select Continue from recovery environment.
    9. The device should now start Windows.
    10. Once started, launch an elevated Command Prompt (i.e. run Command Prompt as administrator) and resume the BitLocker to ensure the system remains protected, using the command: Manage-bde -protectors -enable c:
    Note The steps in this workaround need to be followed on every system start unless BitLocker is suspended before restarting.

    To prevent this issue, execute the following command to temporarily suspend BitLocker just before restarting the system: Manage-bde -protectors -disable c: -rc 1
    Note This command will suspend BitLocker for one restart of the device (-rc 1 option only works inside OS and does not work from recovery environment).

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Mitigated
    Last updated:
    June 24, 2019
    10:46 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
    - " - -- title: March 2019 -- items: - - type: markdown - text: " - - +
    DetailsOriginating updateStatusHistory
    Issue using PXE to start a device from WDS
    After installing KB4489882, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue was resolved in KB4503267.

    Back to top
    OS Build 14393.2848

    March 12, 2019
    KB4489882
    Resolved
    KB4503267
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4494440 and restarting.

    Affected platforms:
    • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Resolution: This issue was resolved in KB4507460.

    Back to top
    OS Build 14393.2969

    May 14, 2019
    KB4494440
    Resolved
    KB4507460
    Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
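Review bot: Replacing the Mitigated BitLocker 0xC0210000 row with the Resolved one removes the whole workaround, including the final step that re-enables protection ("Manage-bde -protectors -enable c:"). Anyone who suspended BitLocker from WinRE with "Manage-bde -protectors -disable c:" and never reached that step is left with protectors disabled and no text on the page telling them to turn them back on. Suggest extending the Resolution to say that, after installing KB4507460, admins should confirm BitLocker protection is resumed on devices where the workaround was used. It should also say whether a device currently stuck in recovery still needs the unlock steps before it can install the update.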
    " diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 761911bdc5..7bc0807985 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,11 +60,10 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    - + -
    SummaryOriginating updateStatusLast updated
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000

    See details >
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Mitigated
    June 24, 2019
    10:46 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 15063.1563

    January 08, 2019
    KB4480973
    Mitigated
    April 25, 2019
    02:00 PM PT
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

    See details >
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Resolved
    KB4507450
    July 09, 2019
    10:00 AM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4509476
    June 26, 2019
    04:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 15063.1868

    June 11, 2019
    KB4503279
    Resolved
    KB4503289
    June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4503279
    June 11, 2019
    10:00 AM PT
    " @@ -82,7 +81,6 @@ sections: -
    DetailsOriginating updateStatusHistory
    Difficulty connecting to some iSCSI-based SANs
    Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499162. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4509476.

    Back to top
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4509476
    Resolved:
    June 26, 2019
    04:00 PM PT

    Opened:
    June 20, 2019
    04:46 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4503289.

    Back to top
    OS Build 15063.1868

    June 11, 2019
    KB4503279
    Resolved
    KB4503289
    Resolved:
    June 18, 2019
    02:00 PM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503279.

    Back to top
    OS Build 15063.1839

    May 28, 2019
    KB4499162
    Resolved
    KB4503279
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT
    " @@ -91,7 +89,7 @@ sections: - type: markdown text: " - +
    DetailsOriginating updateStatusHistory
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.

    Affected platforms:
    • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Workaround: If your device is already in this state, you can successfully start Windows after suspending BitLocker from the Windows Recovery Environment (WinRE) using the following steps:
    1. Retrieve the 48-digit BitLocker recovery password for the OS volume from your organization's portal or from wherever the key was stored when BitLocker was first enabled.
    2. From the recovery screen, press the enter key and enter the recovery password when prompted.
    3. If your device starts in the Windows Recovery Environment and asks for recovery key again, select Skip the drive to continue to WinRE.
    4. Select Advanced options then Troubleshoot then Advanced options then Command Prompt.
    5. Unlock drive using the command: Manage-bde -unlock c: -rp <48 digit numerical recovery password separated by “-“ in 6 digit group>
    6. Suspend BitLocker using the command: Manage-bde -protectors -disable c:
    7. Exit the command window using the command: exit
    8. Select Continue from recovery environment.
    9. The device should now start Windows.
    10. Once started, launch an elevated Command Prompt (i.e. run Command Prompt as administrator) and resume the BitLocker to ensure the system remains protected, using the command: Manage-bde -protectors -enable c:
    Note The steps in this workaround need to be followed on every system start unless BitLocker is suspended before restarting.

    To prevent this issue, execute the following command to temporarily suspend BitLocker just before restarting the system: Manage-bde -protectors -disable c: -rc 1
    Note This command will suspend BitLocker for one restart of the device (-rc 1 option only works inside OS and does not work from recovery environment).

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Mitigated
    Last updated:
    June 24, 2019
    10:46 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
    Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
    Some devices with Hyper-V enabled may enter BitLocker recovery mode and receive an error, \"0xC0210000\" after installing KB4499181 and restarting.

    Affected platforms:
    • Client: Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2016
    Resolution: This issue was resolved in KB4507450.

    Back to top
    OS Build 15063.1805

    May 14, 2019
    KB4499181
    Resolved
    KB4507450
    Resolved:
    July 09, 2019
    10:00 AM PT

    Opened:
    May 21, 2019
    08:50 AM PT
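Review bot: The resolved entry for BitLocker error 0xC0210000 (KB4499181, resolved in KB4507450) replaces the workaround without any guidance for devices that already applied it. The mitigated text had users suspend protection with "Manage-bde -protectors -disable c:" and relied on them to resume it by hand in step 10. Suggest extending the Resolution line with a reminder to confirm protection is back on after installing KB4507450, for example by running "Manage-bde -protectors -enable c:" from an elevated Command Prompt, so machines are not left suspended once the entry no longer shows the steps.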
    " diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 3363497f79..6ea8473c9b 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -63,7 +63,6 @@ sections:
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >OS Build 16299.904

    January 08, 2019
    KB4480978Mitigated
    April 25, 2019
    02:00 PM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >OS Build 16299.1182

    May 28, 2019
    KB4499147Resolved
    KB4509477June 26, 2019
    04:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >OS Build 16299.1217

    June 11, 2019
    KB4503284Resolved
    KB4503281June 18, 2019
    02:00 PM PT -
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >OS Build 16299.1182

    May 28, 2019
    KB4499147Resolved
    KB4503284June 11, 2019
    10:00 AM PT " @@ -81,7 +80,6 @@ sections: -
    DetailsOriginating updateStatusHistory
    Difficulty connecting to some iSCSI-based SANs
    Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499147. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4509477.

    Back to top
    OS Build 16299.1182

    May 28, 2019
    KB4499147
    Resolved
    KB4509477
    Resolved:
    June 26, 2019
    04:00 PM PT

    Opened:
    June 20, 2019
    04:46 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4503281.

    Back to top
    OS Build 16299.1217

    June 11, 2019
    KB4503284
    Resolved
    KB4503281
    Resolved:
    June 18, 2019
    02:00 PM PT

    Opened:
    June 12, 2019
    11:11 AM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503284.

    Back to top
    OS Build 16299.1182

    May 28, 2019
    KB4499147
    Resolved
    KB4503284
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT
    " diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index bbff4c0692..ff666a63c6 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -60,11 +60,11 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + -
    SummaryOriginating updateStatusLast updated
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Mitigated
    July 10, 2019
    02:51 PM PT
    Startup to a black screen after installing updates
    Your device may startup to a black screen during the first logon after installing updates.

    See details >
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Mitigated
    June 14, 2019
    04:41 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 17134.523

    January 08, 2019
    KB4480966
    Mitigated
    April 25, 2019
    02:00 PM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

    See details >
    OS Build 17134.799

    May 21, 2019
    KB4499183
    Resolved
    KB4509478
    June 26, 2019
    04:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Resolved
    KB4503288
    June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 17134.799

    May 21, 2019
    KB4499183
    Resolved
    KB4503286
    June 11, 2019
    10:00 AM PT
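Review bot: The new summary row "Devices starting using PXE from a WDS or SCCM servers may fail to start" is inconsistent with its own description and has a grammar slip in the title. The title names WDS and SCCM, but the row text mentions only Windows Deployment Services (WDS), and the Details entry for the same issue covers both. Suggest "from a WDS or SCCM server" in the title and adding System Center Configuration Manager (SCCM) to the summary sentence so the two match. The summary also quotes the error as "0xc0000001." with the period inside the quotes, which reads as part of the code; move it outside.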
    " @@ -75,6 +75,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server:
    1. Verify Variable Window Extension is enabled.
    2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In WDS TFTP settings, verify Variable Window Extension is enabled.
    2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 17134.829

    June 11, 2019
    KB4503286
    Mitigated
    Last updated:
    July 10, 2019
    02:51 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
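Review bot: In the July 2019 PXE details, the Notes contradict the order of the steps they follow. Both workarounds first tell the admin to set explicit values (TFTP block size 4096 and window size 1 for SCCM; RamDiskTFTPBlockSize 1456 and RamDiskTFTPWindowSize 4 for WDS) and only afterwards say "Try the default values ... first". Suggest moving each Note above its numbered list, or rewording the steps to say the listed values are what to set if the defaults still fail. It would also help to say why the SCCM and WDS values differ, since the text gives no reason and readers may assume one of them is a typo.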
    + " + - title: June 2019 - items: - type: markdown @@ -83,7 +92,6 @@ sections:
    Startup to a black screen after installing updates
    We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.


    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803
    • Server: Windows Server 2019
    Workaround: To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to topOS Build 17134.829

    June 11, 2019
    KB4503286Mitigated
    Last updated:
    June 14, 2019
    04:41 PM PT

    Opened:
    June 14, 2019
    04:41 PM PT
    Difficulty connecting to some iSCSI-based SANs
    Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4499183. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4509478.

    Back to topOS Build 17134.799

    May 21, 2019
    KB4499183Resolved
    KB4509478Resolved:
    June 26, 2019
    04:00 PM PT

    Opened:
    June 20, 2019
    04:46 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4503288.

    Back to topOS Build 17134.829

    June 11, 2019
    KB4503286Resolved
    KB4503288Resolved:
    June 18, 2019
    02:00 PM PT

    Opened:
    June 12, 2019
    11:11 AM PT -
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503286.

    Back to topOS Build 17134.799

    May 21, 2019
    KB4499183Resolved
    KB4503286Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT " diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index 0f816b4c0d..7240f836fa 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -72,8 +73,6 @@ sections: - -
    SummaryOriginating updateStatusLast updated
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    OS Build 17763.557

    June 11, 2019
    KB4503327
    Mitigated
    July 10, 2019
    02:51 PM PT
    Startup to a black screen after installing updates
    Your device may startup to a black screen during the first logon after installing updates.

    See details >
    OS Build 17763.557

    June 11, 2019
    KB4503327
    Mitigated
    June 14, 2019
    04:41 PM PT
    Devices with some Asian language packs installed may receive an error
    After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F

    See details >
    OS Build 17763.437

    April 09, 2019
    KB4493509
    Mitigated
    May 03, 2019
    10:59 AM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

    See details >
    OS Build 17763.253

    January 08, 2019
    KB4480116
    Mitigated
    April 09, 2019
    10:00 AM PT
    Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
    Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.

    See details >
    OS Build 17763.503

    May 14, 2019
    KB4494441
    Resolved
    KB4501371
    June 18, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    OS Build 17763.557

    June 11, 2019
    KB4503327
    Resolved
    KB4501371
    June 18, 2019
    02:00 PM PT
    Printing from Microsoft Edge or other UWP apps may result in the error 0x80070007
    Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) apps, you may receive an error.

    See details >
    OS Build 17763.379

    March 12, 2019
    KB4489899
    Resolved
    KB4501371
    June 18, 2019
    02:00 PM PT
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    See details >
    OS Build 17763.529

    May 21, 2019
    KB4497934
    Resolved
    KB4503327
    June 11, 2019
    10:00 AM PT
    Issue using PXE to start a device from WDS
    Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.

    See details >
    OS Build 17763.379

    March 12, 2019
    KB4489899
    Resolved
    KB4503327
    June 11, 2019
    10:00 AM PT
    " @@ -84,6 +83,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server:
    1. Verify Variable Window Extension is enabled.
    2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In WDS TFTP settings, verify Variable Window Extension is enabled.
    2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 17763.557

    June 11, 2019
    KB4503327
    Mitigated
    Last updated:
    July 10, 2019
    02:51 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
    + " + - title: June 2019 - items: - type: markdown @@ -93,7 +101,6 @@ sections:
    Difficulty connecting to some iSCSI-based SANs
    Devices may have issues connecting to some Storage Area Network (SAN) devices using Internet Small Computer System Interface (iSCSI) after installing KB4497934. You may also receive an error in the System log section of Event Viewer with Event ID 43 from iScsiPrt and a description of “Target failed to respond in time for a login request.”

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4509479.

    Back to topOS Build 17763.529

    May 21, 2019
    KB4497934Resolved
    KB4509479Resolved:
    June 26, 2019
    04:00 PM PT

    Opened:
    June 20, 2019
    04:46 PM PT
    Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
    In some circumstances, devices with Realtek Bluetooth radios may have issues pairing or connecting to Bluetooth devices due to a driver issue.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
    • Server: Windows Server 2019
    Resolution: This issue was resolved in KB4501371.

    Back to topOS Build 17763.503

    May 14, 2019
    KB4494441Resolved
    KB4501371Resolved:
    June 18, 2019
    02:00 PM PT

    Opened:
    June 14, 2019
    05:45 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view, or create Custom Views in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using Filter Current Log in the Action menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.

    Affected platforms:
    • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
    • Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
    Resolution: This issue was resolved in KB4501371.

    Back to topOS Build 17763.557

    June 11, 2019
    KB4503327Resolved
    KB4501371Resolved:
    June 18, 2019
    02:00 PM PT

    Opened:
    June 12, 2019
    11:11 AM PT -
    Opening Internet Explorer 11 may fail
    Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
    • Server: Windows Server 2019; Windows Server 2016
    Resolution: This issue was resolved in KB4503327.

    Back to topOS Build 17763.529

    May 21, 2019
    KB4497934Resolved
    KB4503327Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    June 05, 2019
    05:49 PM PT " @@ -107,15 +114,6 @@ sections: " -- title: March 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Issue using PXE to start a device from WDS
    After installing KB4489899, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension. 

    Affected platforms:
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
    Resolution: This issue was resolved in KB4503327.

    Back to top
    OS Build 17763.379

    March 12, 2019
    KB4489899
    Resolved
    KB4503327
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    March 12, 2019
    10:00 AM PT
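Review bot: Deleting the March 2019 details for "Issue using PXE to start a device from WDS" removes the only text on this page that explains how Variable Window Extension relates to PXE failures, while the July 2019 entry added earlier in this file tells admins to verify Variable Window Extension is enabled. The removed entry says the earlier problem affected WDS servers configured to use Variable Window Extension and was resolved in KB4503327, which is the same update the new issue is attributed to. Suggest adding one sentence to the July entry stating that the earlier Variable Window Extension issue is fixed in KB4503327, so enabling the option is not read as reintroducing it.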
    - " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index 98f91cde7b..812bca780e 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -70,6 +70,7 @@ sections:
    Loss of functionality in Dynabook Smartphone Link app
    After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

    See details >OS Build 18362.116

    May 20, 2019
    KB4505057Investigating
    May 24, 2019
    03:10 PM PT
    Display brightness may not respond to adjustments
    Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Investigating
    May 21, 2019
    04:47 PM PT
    Audio not working with Dolby Atmos headphones and home theater
    Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Investigating
    May 21, 2019
    07:17 AM PT +
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >OS Build 18362.175

    June 11, 2019
    KB4503293Mitigated
    July 10, 2019
    02:51 PM PT
    RASMAN service may stop working and result in the error “0xc0000005”
    The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

    See details >OS Build 18362.145

    May 29, 2019
    KB4497935Mitigated
    July 01, 2019
    05:04 PM PT
    Error attempting to update with external USB device or memory card attached
    PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Mitigated
    June 11, 2019
    12:34 PM PT
    Gamma ramps, color profiles, and night light settings do not apply in some cases
    Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Mitigated
    May 24, 2019
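Review bot: in the added summary row, the title "Devices starting using PXE from a WDS or SCCM servers may fail to start" mixes singular and plural ("a ... servers"), and the one-line description under it names only Windows Deployment Services although the title and the details entry also cover SCCM. Suggest "from a WDS or SCCM server" in the title and adding "or System Center Configuration Manager (SCCM)" to the description so the summary and the details agree. The same row text is added to the other status files in this change, so it needs the same fix there.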
    11:02 AM PT @@ -79,9 +80,6 @@ sections:
    Intermittent loss of Wi-Fi connectivity
    Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Mitigated
    May 21, 2019
    04:46 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >OS Build 18362.175

    June 11, 2019
    KB4503293Resolved
    KB4501375June 27, 2019
    10:00 AM PT
    Duplicate folders and documents showing in user profile directory
    If known folders (e.g. Desktop, Documents, or Pictures folders) are redirected, an empty folder with that same name may be created.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4497935May 29, 2019
    02:00 PM PT -
    Older versions of BattlEye anti-cheat software incompatible
    Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    June 07, 2019
    04:26 PM PT -
    AMD RAID driver incompatibility
    Installation process may stop when trying to install Windows 10, version 1903 update on computers that run certain versions of AMD RAID drivers.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    June 06, 2019
    11:06 AM PT -
    D3D applications and games may fail to enter full-screen mode on rotated displays
    Some Direct3D (D3D) applications and games may fail to enter full-screen mode on rotated displays.

    See details >OS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4497935May 29, 2019
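Review bot: the "Duplicate folders and documents showing in user profile directory" row stays in the table with a resolved date of May 29, 2019, while the D3D full-screen row, resolved by the same KB4497935 on the same date, is removed here. If the row is kept because its details entry carries a note posted June 11, 2019, the date cell should reflect that; otherwise drop it together with the BattlEye, AMD RAID and D3D rows.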
    02:00 PM PT " @@ -92,6 +90,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server:
    1. Verify Variable Window Extension is enabled.
    2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In WDS TFTP settings, verify Variable Window Extension is enabled.
    2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    OS Build 18362.175

    June 11, 2019
    KB4503293
    Mitigated
    Last updated:
    July 10, 2019
    02:51 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
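Review bot: both "Note Try the default values ... first" paragraphs in the added workaround come after the numbered steps that already set non-default values (TFTP block size 4096 and window size 1 for SCCM, RamDiskTFTPBlockSize 1456 and RamDiskTFTPWindowSize 4 for WDS), so an admin working top to bottom has changed the settings before being told to try the defaults. Move each note above its steps, or reword it to state whether the listed values are the starting point or the fallback.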
    + " + - title: June 2019 - items: - type: markdown @@ -118,8 +125,5 @@ sections:
    Cannot launch Camera app
    Microsoft and Intel have identified an issue affecting Intel RealSense SR300 and Intel RealSense S200 cameras when using the Camera app. After updating to the Windows 10 May 2019 Update and launching the Camera app, you may get an error message stating:

    \"Close other apps, error code: 0XA00F4243.”


    To safeguard your update experience, we have applied a protective hold on machines with Intel RealSense SR300 or Intel RealSense S200 cameras installed from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: To temporarily resolve this issue, perform one of the following:

    • Unplug your camera and plug it back in.

    or

    • Disable and re-enable the driver in Device Manager. In the Search box, type \"Device Manager\" and press Enter. In the Device Manager dialog box, expand Cameras, then right-click on any RealSense driver listed and select Disable device. Right click on the driver again and select Enable device.

    or

    • Restart the RealSense service. In the Search box, type \"Task Manager\" and hit Enter. In the Task Manager dialog box, click on the Services tab, right-click on RealSense, and select Restart
    Note This workaround will only resolve the issue until your next system restart.

    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Mitigated
    Last updated:
    May 21, 2019
    04:47 PM PT

    Opened:
    May 21, 2019
    07:20 AM PT
    Intermittent loss of Wi-Fi connectivity
    Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

    To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: Download and install an updated Wi-Fi driver from your device manufacturer (OEM).
     
    Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Mitigated
    Last updated:
    May 21, 2019
    04:46 PM PT

    Opened:
    May 21, 2019
    07:13 AM PT
    Duplicate folders and documents showing in user profile directory
    If you have redirected known folders (e.g. Desktop, Documents, or Pictures folders) you may see an empty folder with the same name in your %userprofile% directories after updating to Windows 10, version 1903. This may occur if known folders were redirected when you chose to back up your content to OneDrive using the OneDrive wizard, or if you chose to back up your content during the Windows Out-of-Box-Experience (OOBE). This may also occur if you redirected your known folders manually through the Properties dialog box in File Explorer. ​This issue does not cause any user files to be deleted and a solution is in progress.

    To safeguard your update experience, we have applied a quality hold on devices with redirected known folders from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue was resolved in KB4497935 and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Window 10, version 1903.
    (Posted June 11, 2019)

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4497935Resolved:
    May 29, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
    07:16 AM PT -
    Older versions of BattlEye anti-cheat software incompatible
    Microsoft and BattlEye have identified a compatibility issue with some games that use older versions of BattlEye anti-cheat software. When launching a game that uses an older, impacted version of BattlEye anti-cheat software on a device running Windows 10, version 1903, the device may experience a system crash.

    To safeguard your gaming experience, we have applied a compatibility hold on devices with the impacted versions of BattlEye software used by games installed on your PC. This will prevent Windows 10, version 1903 from being offered until the incompatible version of BattlEye software is no longer installed on the device. 

    Affected platforms:
    • Client: Windows 10, version 1903
    Workaround: Before updating your machine, we recommend you do one or more of the following:

    • Verify that your game is up to date with the latest available version of BattlEye software. Some game platforms allow you to validate your game files, which can confirm that your installation is fully up to date.
    • Restart your system and open the game again.
    • Uninstall BattlEye using https://www.battleye.com/downloads/UninstallBE.exe, and then reopen your game.
    • Uninstall and reinstall your game.
    Resolution: This issue was resolved externally by BattlEye for all known impacted games. For a list of recent games that use BattlEye, go to https://www.battleye.com/. We recommend following the workaround before updating to Windows 10, version 1903, as games with incompatible versions of BattleEye may fail to open after updating Windows. If you have confirmed your game is up to date and you have any issues with opening games related to a BattlEye error, please see https://www.battleye.com/support/faq/.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    Resolved:
    June 07, 2019
    04:26 PM PT

    Opened:
    May 21, 2019
    07:34 AM PT -
    AMD RAID driver incompatibility
    Microsoft and AMD have identified an incompatibility with AMD RAID driver versions earlier than 9.2.0.105. When you attempt to install the Windows 10, version 1903 update on a Windows 10-based computer with an affected driver version, the installation process stops and you get a message like the following:

    AMD Ryzen™ or AMD Ryzen™ Threadripper™ configured in SATA or NVMe RAID mode.

    “A driver is installed that causes stability problems on Windows. This driver will be disabled. Check with your software/driver provider for an updated version that runs on this version of Windows.”

     
    To safeguard your update experience, we have applied a compatibility hold on devices with these AMD drivers from being offered Windows 10, version 1903, until this issue is resolved.

    Affected platforms:
    • Client: Windows 10, version 1903
    Resolution: This issue has been resolved externally by AMD. To resolve this issue, you will need to download the latest AMD RAID drivers directly from AMD at https://www.amd.com/en/support/chipsets/amd-socket-tr4/x399. The drivers must be version 9.2.0.105 or later. Install the drivers on the affected computer, and then restart the installation process for the Windows 10, version 1903 feature update.
     
    Note The safeguard hold will remain in place on machines with the older AMD RAID drivers. We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    Resolved:
    June 06, 2019
    11:06 AM PT

    Opened:
    May 21, 2019
    07:12 AM PT -
    D3D applications and games may fail to enter full-screen mode on rotated displays
    Some Direct3D (D3D) applications and games (e.g., 3DMark) may fail to enter full-screen mode on displays where the display orientation has been changed from the default (e.g., a landscape display in portrait mode).

    Affected platforms:
    • Client: Windows 10, version 1903
    • Server: Windows Server, version 1903
    Resolution: This issue was resolved in KB4497935

    Back to topOS Build 18362.116

    May 21, 2019
    KB4505057Resolved
    KB4497935Resolved:
    May 29, 2019
    02:00 PM PT

    Opened:
    May 21, 2019
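Review bot: two typos remain in the entries this region keeps. The Duplicate folders resolution reads "Window 10, version 1903" where "Windows 10" is meant, and the Camera app error quote opens with an escaped straight quote but closes with a curly one (\"Close other apps, error code: 0XA00F4243.”). Both are worth fixing in the same commit, since this text block is already being edited to drop the BattlEye, AMD RAID and D3D entries.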
    07:05 AM PT " diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index 02209f2340..bd47291e52 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + @@ -73,6 +74,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " +
    SummaryOriginating updateStatusLast updated
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    June 11, 2019
    KB4503292
    Mitigated
    July 10, 2019
    02:59 PM PT
    System may be unresponsive after restart with certain McAfee antivirus products
    Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

    See details >
    April 09, 2019
    KB4493472
    Mitigated
    April 25, 2019
    02:00 PM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

    See details >
    May 14, 2019
    KB4499164
    Resolved
    KB4503277
    June 20, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503292
    Resolved
    KB4503277
    June 20, 2019
    02:00 PM PT
    + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503292 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server, set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.

    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    2. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503292
    Mitigated
    Last updated:
    July 10, 2019
    02:59 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
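Review bot: the workaround added to this file omits the "verify Variable Window Extension is enabled" step in both the SCCM and the WDS procedure, while the entry for the same issue in status-windows-10-1903.yml lists it as step 1 of each. If the step does not apply to Windows 7 and Windows Server 2008 R2 SP1, say so in the entry; otherwise add it so the guidance is identical across the status pages.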
    + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 0c01e06684..21909b115d 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,12 +60,12 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + -
    SummaryOriginating updateStatusLast updated
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    June 11, 2019
    KB4503276
    Mitigated
    July 10, 2019
    02:51 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

    See details >
    April 25, 2019
    KB4493443
    Mitigated
    May 15, 2019
    05:53 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

    See details >
    January 08, 2019
    KB4480963
    Mitigated
    April 25, 2019
    02:00 PM PT
    System may be unresponsive after restart with certain McAfee antivirus products
    Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

    See details >
    April 09, 2019
    KB4493446
    Mitigated
    April 18, 2019
    05:00 PM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

    See details >
    May 14, 2019
    KB4499151
    Resolved
    KB4503283
    June 20, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503276
    Resolved
    KB4503283
    June 20, 2019
    02:00 PM PT
    Issue using PXE to start a device from WDS
    There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

    See details >
    March 12, 2019
    KB4489881
    Resolved
    KB4503276
    June 11, 2019
    10:00 AM PT
    " @@ -76,6 +76,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503276 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server:
    1. Verify Variable Window Extension is enabled.
    2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In WDS TFTP settings, verify Variable Window Extension is enabled.
    2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503276
    Mitigated
    Last updated:
    July 10, 2019
    02:51 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
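Review bot: step 1 of the SCCM procedure says only "Verify Variable Window Extension is enabled" without saying where, whereas step 1 of the WDS procedure names the location ("In WDS TFTP settings"). Name the location for the SCCM case as well. The opening sentence also scopes the failure to "after installing KB4503276 on a WDS server" although the title and the workaround cover SCCM; state which server the update has to be installed on in the SCCM case.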
    + " + - title: June 2019 - items: - type: markdown @@ -104,15 +113,6 @@ sections: " -- title: March 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Issue using PXE to start a device from WDS
    After installing KB4489881, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

    Affected platforms: 
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
    Resolution: This issue was resolved in KB4503276.

    Back to top
    March 12, 2019
    KB4489881
    Resolved
    KB4503276
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    March 12, 2019
    10:00 AM PT
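Review bot: with the March 2019 details for "Issue using PXE to start a device from WDS" (KB4489881) deleted here, the summary row for that issue earlier in this file, which links to it through "See details", has to be the row removed by the summary hunk. That hunk shows one added and one removed row without making clear which one goes; please confirm no "See details" link is left pointing at the deleted entry.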
    - " - - title: January 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 4d86a87e46..c8ea355938 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    +
    SummaryOriginating updateStatusLast updated
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    June 11, 2019
    KB4503273
    Mitigated
    July 10, 2019
    02:59 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503273
    Resolved
    KB4503271
    June 20, 2019
    02:00 PM PT
    " @@ -71,6 +72,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503273 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server, set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.

    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    2. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503273
    Mitigated
    Last updated:
    July 10, 2019
    02:59 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
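Review bot: the first sentence of the added details entry quotes the full on-screen text, "Status: 0xc0000001, Info: A required device isn't connected or can't be accessed", while the summary row added for the same issue gives the error only as "0xc0000001." Admins typically search for the message shown on the failed client, so use the same string in both places.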
    + " + - title: June 2019 - items: - type: markdown diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 7588536963..cc93c5a426 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,12 +60,12 @@ sections: - type: markdown text: "
    This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

    + -
    SummaryOriginating updateStatusLast updated
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

    See details >
    June 11, 2019
    KB4503285
    Mitigated
    July 10, 2019
    02:51 PM PT
    Japanese IME doesn't show the new Japanese Era name as a text input option
    If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

    See details >
    April 25, 2019
    KB4493462
    Mitigated
    May 15, 2019
    05:53 PM PT
    Certain operations performed on a Cluster Shared Volume may fail
    Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

    See details >
    January 08, 2019
    KB4480975
    Mitigated
    April 25, 2019
    02:00 PM PT
    Some devices and generation 2 Hyper-V VMs may have issues installing updates
    Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.

    See details >
    June 11, 2019
    KB4503285
    Resolved
    KB4503295
    June 21, 2019
    02:00 PM PT
    IE11 may stop working when loading or interacting with Power BI reports
    Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

    See details >
    May 14, 2019
    KB4499171
    Resolved
    KB4503295
    June 21, 2019
    02:00 PM PT
    Event Viewer may close or you may receive an error when using Custom Views
    When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

    See details >
    June 11, 2019
    KB4503285
    Resolved
    KB4503295
    June 20, 2019
    02:00 PM PT
    Issue using PXE to start a device from WDS
    There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

    See details >
    March 12, 2019
    KB4489891
    Resolved
    KB4503285
    June 11, 2019
    10:00 AM PT
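Review bot: in the table this hunk edits, the Event Viewer row lists KB4503295 as the resolving update with a date of June 20, 2019, while the Hyper-V/Secure Boot row and the IE11 row list the same KB4503295 with June 21, 2019. One of the dates is wrong; since the table is being touched anyway, align all three rows with the KB's release date.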
    " @@ -76,6 +76,15 @@ sections:
    " +- title: July 2019 +- items: + - type: markdown + text: " + + +
    DetailsOriginating updateStatusHistory
    Devices starting using PXE from a WDS or SCCM servers may fail to start
    Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503285 on a WDS server.

    Affected platforms:
    • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
    Workaround:
    To mitigate this issue on an SCCM server:
    1. Verify Variable Window Extension is enabled.
    2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
    Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

    To mitigate this issue on a WDS server without SCCM:
    1. In WDS TFTP settings, verify Variable Window Extension is enabled.
    2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
    3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
    Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

    Next steps: We are working on a resolution and will provide an update in an upcoming release.

    Back to top
    June 11, 2019
    KB4503285
    Mitigated
    Last updated:
    July 10, 2019
    02:51 PM PT

    Opened:
    July 10, 2019
    02:51 PM PT
    + " + - title: June 2019 - items: - type: markdown @@ -96,15 +105,6 @@ sections: " -- title: March 2019 -- items: - - type: markdown - text: " - - -
    DetailsOriginating updateStatusHistory
    Issue using PXE to start a device from WDS
    After installing KB4489891, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

    Affected platforms: 
    • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1 
    • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012 
    Resolution: This issue was resolved in KB4503285.

    Back to top
    March 12, 2019
    KB4489891
    Resolved
    KB4503285
    Resolved:
    June 11, 2019
    10:00 AM PT

    Opened:
    March 12, 2019
    10:00 AM PT
    - " - - title: January 2019 - items: - type: markdown diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 6b0c32bc57..57524af4a3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -19,7 +19,7 @@ ms.reviewer: # Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments **Applies to** -- Windows 10, version 1702 or later +- Windows 10, version 1703 or later - Windows Server, versions 2016 and 2019 - Hybrid or On-Premises deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 83bb883504..ba1e004510 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -26,7 +26,7 @@ Windows Hello addresses the following problems with passwords: - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. - Server breaches can expose symmetric network credentials (passwords). - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). +- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). >[!div class="mx-tdBreakAll"] >| | | | 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 5e113928fe..6edaaf0f7d 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -10,9 +10,9 @@ ms.mktglfcycl: ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor -ms.author: dolmont -manager: dansimp +author: stephow-MSFT +ms.author: stephow +manager: laurawi audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 87abacb1bf..c0304043d6 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -425,6 +425,11 @@ #### [Troubleshoot Microsoft Defender ATP service issues](microsoft-defender-atp/troubleshoot-mdatp.md) ##### [Check service health](microsoft-defender-atp/service-status.md) + +#### [Troubleshoot live response issues]() +##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md) + + ####Troubleshoot attack surface reduction ##### [Network protection](windows-defender-exploit-guard/troubleshoot-np.md) ##### [Attack surface reduction rules](windows-defender-exploit-guard/troubleshoot-asr.md) diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 41c866e704..74e6e22b45 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -219,7 +219,7 @@ The most common values: | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
    This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | | 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | -| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | | 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
    If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 4224dfcfad..bcc613d70d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -420,10 +420,14 @@ ### [Troubleshoot Microsoft Defender ATP service issues](troubleshoot-mdatp.md) #### [Check service health](service-status.md) + +### [Troubleshoot live response issues]() +#### [Troubleshoot issues related to live response](troubleshoot-live-response.md) + ### Troubleshoot attack surface reduction #### [Network protection](../windows-defender-exploit-guard/troubleshoot-np.md) #### [Attack surface reduction rules](../windows-defender-exploit-guard/troubleshoot-asr.md) -#### [Collect diagnostic data for files](../windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md) +#### [Collect diagnostic data for files](../windows-defender-exploit-guard/troubleshoot-np.md) ### [Troubleshoot next generation protection](../windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index a49b614738..edf9758501 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md 
@@ -39,6 +39,7 @@ When you enable this feature, users with the appropriate permissions can initiat For more information on role assignments see, [Create and manage roles](user-roles.md). ## Live response unsigned script execution + Enabling this feature allows you to run unsigned scripts in a live response session. ## Auto-resolve remediated alerts @@ -58,7 +59,7 @@ Blocking is only available if your organization uses Windows Defender Antivirus This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization. -To turn **Block or allow** files on: +To turn **Allow or block** files on: 1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**. 
@@ -137,12 +138,22 @@ Turning this setting on forwards signals to Azure Information Protection, giving ## Microsoft Intune connection -This feature is only available if you have an active Microsoft Intune (Intune) license. +Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [enable this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement. -When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement. +>[!IMPORTANT] +>You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md). + +This feature is only available if you have the following: + +- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5) +- An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/). + +### Conditional Access policy + +When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted. >[!NOTE] ->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. +> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints. 
## Preview features diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 8e6f64817f..c22f668986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -18,7 +18,7 @@ ms.topic: conceptual ms.date: 04/24/2018 --- -# Advanced hunting query best practices Microsoft Defender ATP +# Advanced hunting query best practices in Microsoft Defender ATP **Applies to:** 
@@ -28,23 +28,26 @@ ms.date: 04/24/2018 ## Performance best practices The following best practices serve as a guideline of query performance best practices and for you to get faster results and be able to run complex queries. -- Use time filters first. Azure Kusto is highly optimized to utilize time filters. For more information, see [Azure Kusto](https://docs.microsoft.com/connectors/kusto/). -- Put filters that are expected to remove most of the data in the beginning of the query, following the time filter. -- Use 'has' keyword over 'contains' when looking for full tokens. +- When trying new queries, always use `limit` to avoid extremely large result sets or use `count` to assess the size of the result set. +- Use time filters first. Ideally, limit your queries to 7 days. +- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter. +- Use the `has` operator over `contains` when looking for full tokens. - Use looking in specific column rather than using full text search across all columns. -- When joining between two tables - choose the table with less rows to be the first one (left-most). -- When joining between two tables - project only needed columns from both sides of the join. +- When joining between two tables, specify the table with fewer rows first. +- When joining between two tables, project only needed columns from both sides of the join. + +>[!Tip] +>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices). ## Query tips and pitfalls -### Unique Process IDs -Process IDs are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process. +### Using process IDs +Process IDs (PIDs) are recycled in Windows and reused for new processes and therefore can't serve as a unique identifier for a specific process. 
To address this issue, Microsoft Defender ATP created the time process. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. +So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either `MachineId` or `ComputerName`), a process ID (`ProcessId` or `InitiatingProcessId`) and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`) -So, when you join data based on a specific process or summarize data for each process, you'll need to use a machine identifier (either MachineId or ComputerName), a process ID (ProcessId or InitiatingProcessId) and the process creation time (ProcessCreationTime or InitiatingProcessCreationTime) - -The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB) - possibly scanning for file shares. +The following example query is created to find processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. Example query: ``` 
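Review bot: The added sentence "So, when you join data based on a specific process or summarize data for each process..." ends at "(`ProcessCreationTime` or `InitiatingProcessCreationTime`)" with no closing period, and the unchanged sentence directly above it, "To address this issue, Microsoft Defender ATP created the time process.", does not parse as written. This hunk already rewords the PID guidance around both lines, so fix them in the same pass: the reader needs to come away knowing that machine identifier, process ID and process creation time together form the join key. The unchanged bullet "Use looking in specific column rather than using full text search across all columns." has the same problem and sits between bullets this hunk rewrites.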
@@ -54,13 +57,13 @@ NetworkCommunicationEvents | where RemoteIPCount > 10 ``` -The query summarizes by both InitiatingProcessId and InitiatingProcessCreationTime - to make sure the query looks at a single process, and not mixing multiple processes with the same process ID. +The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID. -### Using command line queries +### Using command lines -Command lines may vary - when applicable, filter on file names and do fuzzy matching. +Command lines can vary. When applicable, filter on file names and do fuzzy matching. -There are numerous ways to construct a command line to accomplish a task. +There are numerous ways to construct a command line to accomplish a task. For example, a malicious attacker could specify the process image file name without a path, with full path, without the file extension, using environment variables, add quotes, and others. In addition, the attacker can also change the order of some parameters, add multiple quotes or spaces, and much more. 
@@ -68,7 +71,7 @@ To create more durable queries using command lines, we recommended the following - Identify the known processes (such as net.exe, psexec.exe, and others) by matching on the filename fields, instead of filtering on the command line field. - When querying for command line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators. -- Use case insensitive matches. For example, use '=~', 'in~', 'contains' instead of '==', 'in' or 'contains_cs' +- Use case insensitive matches. For example, use `=~`, `in~`, `contains` instead of `==`, `in` or `contains_cs` - To mitigate DOS command line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. This is just the start of handling DOS obfuscation techniques, but it does mitigate the most common ones. The following example query shows various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service: @@ -90,7 +93,4 @@ ProcessCreationEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) - - - +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index a09b2f556d..a3d83d4880 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -1,5 +1,5 @@ --- -title: Advanced Hunting API +title: Hello World ms.reviewer: description: Use this API to run advanced queries keywords: apis, supported apis, advanced hunting, query @@ -19,10 +19,9 @@ ms.topic: article # Microsoft Defender ATP API - Hello World -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Get Alerts using a simple PowerShell script 
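Review bot: In the "Applies to" block, the free-trial line changes from a `>` blockquote to a `-` list item ("- Want to experience Microsoft Defender ATP? ..."), so it will render as a bullet directly under the "Applies to:" line rather than as a callout. advanced-hunting-best-practices.md in this same change keeps the `>Want to experience Microsoft Defender ATP?` form. Keep the `>` prefix here unless the change is intentional, and if it is, say so in the commit description.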
@@ -33,68 +32,60 @@ It only takes 5 minutes done in two steps: - Use examples: only requires copy/paste of a short PowerShell script ### Do I need a permission to connect? -For the App registration stage, you must have a Global administrator role in your Azure Active Directory (Azure AD) tenant. +For the Application registration stage, you must have a **Global administrator** role in your Azure Active Directory (Azure AD) tenant. ### Step 1 - Create an App in Azure Active Directory -1. Log on to [Azure](https://portal.azure.com) with your Global administrator user. +1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user. -2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. +2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. - ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png) -3. In the registration form, enter the following information, then click **Create**. +3. In the registration form, choose a name for your application and then click **Register**. - - **Name:** Choose your own name. - - **Application type:** Web app / API - - **Redirect URI:** `https://127.0.0.1` +4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission: - ![Image of Create application window](images/webapp-create.png) + - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. -4. Allow your App to access Microsoft Defender ATP and assign it 'Read all alerts' permission: + - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. 
- - Click **Settings** > **Required permissions** > **Add**. + ![Image of API access and API selection](images/add-permission.png) - ![Image of new app in Azure](images/webapp-add-permission.png) + - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions** - - Click **Select an API** > **WindowsDefenderATP**, then click **Select**. + ![Image of API access and API selection](images/application-permissions.png) - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example! - ![Image of API access and API selection](images/webapp-add-permission-2.png) + For instance, - - Click **Select permissions** > **Read all alerts** > **Select**. + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission + - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. - ![Image of API access and API selection](images/webapp-add-permission-readalerts.png) +5. Click **Grant consent** - - Click **Done** + - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. - ![Image of add permissions completion](images/webapp-add-permission-end.png) + ![Image of Grant permissions](images/grant-consent.png) - - Click **Grant permissions** +6. Add a secret to the application. - **Note**: Every time you add permission you must click on **Grant permissions**. + - Click **Certificates & secrets**, add description to the secret and click **Add**. - ![Image of Grant permissions](images/webapp-grant-permissions.png) + **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave! -5. 
Create a key for your App: + ![Image of create app key](images/webapp-create-key2.png) - - Click **Keys**, type a key name and click **Save**. +7. Write down your application ID and your tenant ID: - ![Image of create app key](images/webapp-create-key.png) + - On your application page, go to **Overview** and copy the following: -6. Write down your App ID and your Tenant ID: - - - App ID: - - ![Image of created app id](images/webapp-app-id1.png) - - - Tenant ID: Navigate to **Azure Active Directory** > **Properties** - - ![Image of create app key](images/api-tenant-id.png) + ![Image of created app id](images/app-and-tenant-ids.png) -Done! You have successfully registered an application! +Done! You have successfully registered an application! ### Step 2 - Get a token using the App and use this token to access the API. @@ -106,8 +97,8 @@ Done! You have successfully registered an application! # Paste below your Tenant ID, App ID and App Secret (App key). $tenantId = '' ### Paste your tenant ID here -$appId = '' ### Paste your app ID here -$appSecret = '' ### Paste your app key here +$appId = '' ### Paste your Application ID here +$appSecret = '' ### Paste your Application secret here $resourceAppIdUri = 'https://api.securitycenter.windows.com' $oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index e1ba0b2aff..76fe3c070d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md 
@@ -1,7 +1,7 @@ --- title: Configure Conditional Access in Microsoft Defender ATP -description: -keywords: +description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access +keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 09/03/2018 --- # Configure Conditional Access in Microsoft Defender ATP @@ -29,17 +28,24 @@ This section guides you through all the steps you need to take to properly imple >It's important to note that Azure AD registered devices is not supported in this scenario.
    >Only Intune enrolled devices are supported. + You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune: - IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) -- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) -- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). +- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device) +- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan). There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal. +It's important to note the required roles to access these portals and implement Conditional access: +- **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration. +- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions. +- **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator. + + > [!NOTE] > You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices. 
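Review bot: The rewritten End-user bullet has a malformed Markdown link: "[Enroll your Windows 10 device in Intune]https://docs.microsoft.com/intune/quickstart-enroll-windows-device)" is missing the opening "(" after "]", so it will render as literal text with a stray ")" instead of a link. Add the parenthesis. In the new roles list in the same hunk, "sign into the portal" and "sign in to the portal" are used side by side; pick one form.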
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index d16c45de90..54f60b64f4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -52,9 +52,9 @@ ms.date: 04/24/2018 4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**. -5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**. +5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**. -6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account (BUILTIN\SYSTEM) under **Security options**. +6. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as. 7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. @@ -84,7 +84,7 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa 4. Click **Policies**, then **Administrative templates**. -5. Click **Windows components** and then **Microsoft Defender ATP**. +5. Click **Windows components** and then **Windows Defender ATP**. 6. Choose to enable or disable sample sharing from your machines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index ad42b1bcd9..f09ddf1096 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -28,6 +28,9 @@ ms.topic: procedural Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. +>[!NOTE] +>Before you can track and manage onboarding of machines, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). + ## Discover and track unprotected machines The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index b7a5c0bf30..d91d24bb04 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md 
@@ -30,6 +30,9 @@ Security baselines ensure that security features are configured according to gui To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). +>[!NOTE] +>Before you can track and manage compliance to the Microsoft Defender ATP security baseline, [enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management). + ## Compare the Microsoft Defender ATP and the Windows Intune security baselines The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 62140b2d6d..31fbc743c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
@@ -49,14 +49,17 @@ Machine configuration management works closely with Intune device management to Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll). +>[!NOTE] +>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign). + >[!TIP] >To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). ->[!NOTE] ->During preview, you might encounter a few known limitations: ->- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. ->- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines. ->- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard. +## Known issues and limitations in this preview +During preview, you might encounter a few known limitations: +- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. 
+- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines. +- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard. ## In this section diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 69993debe0..ad8b37b921 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -137,7 +137,7 @@ Agent Resource | Ports ## Windows Server, version 1803 and Windows Server 2019 -To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. +To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below. Supported tools include: - Local script 
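Review bot: In the `@@ -137,7 +137,7 @@` hunk of configure-server-endpoints.md, the replacement sentence points readers to "the supported methods and versions below", but the line that follows in the context is "Supported tools include:", so the reader is told to look for methods and versions and is then handed a list of tools. The old wording also told readers that the Windows 10 onboarding procedure applies, and that pointer is now gone. Suggest folding the two lines into one lead-in, for example "To onboard Windows Server, version 1803 or Windows Server 2019, use one of the following supported tools:", dropping "please", and linking to the Windows 10 onboarding topic if the procedure is still the same.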
@@ -245,4 +245,4 @@ To offboard the server, you can use either of the following methods: - [Onboard non-Windows machines](configure-endpoints-non-windows.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) \ No newline at end of file +- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 4a19677915..080111bee7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -216,7 +216,7 @@ See The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 +>The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 - Create a new Console Application - Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) @@ -215,7 +203,7 @@ You will get an answer of the form: Sanity check to make sure you got a correct token: - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it - Validate you get a 'roles' claim with the desired permissions -- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles: +- In the screen shot below you can see a decoded token acquired from an Application with permissions to all of Microsoft Defender ATP's roles: ![Image of token validation](images/webapp-decoded-token.png) 
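Review bot: In the `@@ -215,7 +203,7 @@` hunk, the changed bullet replaces "screenshot" with "screen shot" and "an app" with "an Application" in the middle of a sentence. Both read as regressions: "screenshot" is the one-word form, and capitalising "Application" makes it look like a product or UI label when the sentence is talking about the registered application in general. Suggest keeping "screenshot" and using lowercase "application" (or "app", as before) so the bullet matches the two unchanged bullets above it.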
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png new file mode 100644 index 0000000000..74d57acf8e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png b/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png deleted file mode 100644 index ebac0b0e34..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/api-tenant-id.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png new file mode 100644 index 0000000000..1f4f508c8c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png new file mode 100644 index 0000000000..3fc32f22db Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png new file mode 100644 index 0000000000..15977b7c35 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png deleted file mode 100644 index 4449661657..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png new file mode 100644 index 0000000000..e04f757cff Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png new file mode 100644 index 0000000000..0735940d05 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/grant-consent.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png new file mode 100644 index 0000000000..03c10910cb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png new file mode 100644 index 0000000000..11d2edcf3e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png deleted file mode 100644 index 84672bbe4a..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-2.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png deleted file mode 100644 index 24bb4d1854..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-end.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png deleted file mode 100644 index 2872b71881..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission-readalerts.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png deleted file mode 100644 index 38e98ce07d..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-add-permission.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png deleted file mode 100644 index 4c058c2f93..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-app-id1.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png deleted file mode 100644 index 4ddb1fae83..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png new file mode 100644 index 0000000000..99339be6a7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create-key2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png deleted file mode 100644 index dea9d8493d..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-create.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png deleted file mode 100644 index 47203a8151..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-edit-multitenant.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png deleted file mode 100644 index b7c7e0926f..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-grant-permissions.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png deleted file mode 100644 index 8edc069eaf..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/webapp-select-permission.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index c431ecb195..89649bba47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md @@ -95,6 +95,19 @@ getfile c:\Users\user\Desktop\work.txt getfile c:\Users\user\Desktop\work.txt -auto ``` +>[!NOTE] +> +> The following file types **cannot** be downloaded using this command from within Live Response: +> +> * [Reparse point files](/windows/desktop/fileio/reparse-points/) +> * [Sparse files](/windows/desktop/fileio/sparse-files/) +> * Empty files +> * Virtual files, or files that are not fully present locally +> +> These file types **are** supported by [PowerShell](/powershell/scripting/overview?view=powershell-6/). +> +> Use PowerShell as an alternative, if you have problems using this command from within Live Response. + ## processes ``` # Show all processes diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index be5e22d9d9..84cf299759 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md 
@@ -66,6 +66,9 @@ Area | Description **(2) Main portal** | Main area where you will see the different views such as the Dashboards, Alerts queue, and Machines list. **(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

    **Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

    **Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support.

    **Feedback** - Access the feedback button to provide comments about the portal. +> [!NOTE] +> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions. + ## Microsoft Defender ATP icons The following table provides information on the icons used all throughout the portal: diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 4ba83c3145..a1c5557fed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -1,7 +1,7 @@ --- -title: Microsoft Defender Advanced Threat Protection Threat analytics +title: Track and respond to emerging threats with Microsoft Defender ATP threat analytics ms.reviewer: -description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. +description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience. keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -9,8 +9,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: mjcaparas -author: mjcaparas +ms.author: lomayor +author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro 
@@ -18,47 +18,46 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Threat analytics +# Track and respond to emerging threats with threat analytics **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to quickly assess their security posture, covering the impact of emerging threats and their organizational resilience. -Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. +Threat analytics is a set of reports published by Microsoft security researchers as soon as emerging threats and outbreaks are identified. The reports help you assess the impact of threats to your environment and identify actions that can contain them. -Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help you the assess impact of threats in your environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - +## View the threat analytics dashboard ->[!NOTE] ->The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days. +The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports: -Each threat report provides a summary to describe details such as where the threat is coming from, where it's been seen, or techniques and tools that were used by the threat. 
+- **Latest threats** — lists the most recently published threat reports, along with the number of machines with resolved and unresolved alerts. +- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of machines that have had related alerts, along with the number of machines with resolved and unresolved alerts. +- **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts. -The dashboard shows the impact in your organization through the following tiles: -- Machines with alerts - shows the current distinct number of impacted machines in your organization -- Machines with alerts over time - shows the distinct number of impacted over time -- Mitigation status - shows the number of mitigated and unmitigated machines. Machines are considered mitigated if they have all the measurable mitigations in place. -- Vulnerability patching status - lists any vulnerabilities associated with the threat, and if they have been patched -- Mitigation recommendations - lists the measurable mitigations and the number of machines that do not have each of the mitigations in place +![Image of a threat analytics dashboard](images/ta_dashboard.png) + +Select a threat on any of the overviews or on the table to view the report for that threat. + +## View a threat analytics report + +Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides worldwide impact information, mitigation recommendations, and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat. ![Image of a threat analytics report](images/ta.png) -## Organizational impact -You can assess the organizational impact of a threat using the **Machines with alerts** and **Machines with alerts over time** tiles. 
+### Organizational impact +Each report includes cards designed to provide information about the organizational impact of a threat: +- **Machines with alerts** — shows the current number of distinct machines in your organization that have been impacted by the threat. A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine have been resolved. +- **Machines with alerts over time** — shows the number of distinct machines with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. -A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine are resolved. - - -The **Machine with alerts over time**, shows the number of distinct machines with **Active** and **Resolved alerts over time**. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts being resolved within a few days. -## Organizational resilience -The **Mitigation recommendations** section provides specific actionable recommendations to improve your visibility into this threat and increase your organizational resilience. - -The **Mitigation status** and **Mitigation status over time** shows the endpoint configuration status assessed based on the recommended mitigations. +### Organizational resilience +Each report also includes cards that provide an overview of how resilient your organization can be against a given threat: +- **Mitigation status** — shows the number of machines that have and have not applied mitigations for the threat. 
Machines are considered mitigated if they have all the measurable mitigations in place. +- **Vulnerability patching status** — shows the number of machines that have applied security updates or patches that address vulnerabilities exploited by the threat. +- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of machines that don't have these mitigations in place. >[!IMPORTANT] ->- The chart only reflects mitigations that are measurable and where an evaluation can be made on the machine state as being compliant or non-compliant. There can be additional mitigations or compliance actions that currently cannot be computed or measured that are not reflected in the charts and are covered in the threat description under **Mitigation recommendations** section. ->- Even if all mitigations were measurable, there is no absolute guarantee of complete resilience but reflects the best possible actions that need to be taken to improve resiliency. - - +>- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a machine has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts. +>- Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions needed to improve resiliency. >[!NOTE] ->The Unavailable category indicates that there is no data available from the specific machine yet. +>Machines are counted as "unavailable" if they have been unable to transmit data to the service. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md new file mode 100644 index 0000000000..c9f75c07aa --- /dev/null 
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md @@ -0,0 +1,56 @@ +--- +title: Troubleshoot Microsoft Defender ATP live response issues +description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP +keywords: troubleshoot live response, live, response, locked, file +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: troubleshooting +--- + +# Troubleshoot Microsoft Defender Advanced Threat Protection live response issues + + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + + +This page provides detailed steps to troubleshoot live response issues. + +## File cannot be accessed during live response sessions +If while trying to take an action during a live response session, you encounter an error message stating that the file can't be accessed, you'll need to use the steps below to address the issue. + +1. Copy the following script code snippet and save it as a PS1 file: + + ``` + $copied_file_path=$args[0] + $action=Copy-Item $copied_file_path -Destination $env:TEMP -PassThru -ErrorAction silentlyContinue + + if ($action){ + Write-Host "You copied the file specified in $copied_file_path to $env:TEMP Succesfully" + } + + else{ + Write-Output "Error occoured while trying to copy a file, details:" + Write-Output $error[0].exception.message + + } + ``` + + +2. Add the script to the live response library. +3. Run the script with one parameter: the file path of the file to be copied. +4. Navigate to your TEMP folder. +5. Run the action you wanted to take on the copied file. + + + 
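Review bot: In the script added under step 1 of troubleshoot-live-response.md, `Copy-Item $copied_file_path -Destination $env:TEMP` passes the argument positionally, which binds it to `-Path` and so treats characters such as `[` and `]` in the file name as wildcards. A file an analyst is trying to collect can easily have such a name, and the copy would then fail or match a different file. Suggest `Copy-Item -LiteralPath $copied_file_path ...` and an early check that `$args[0]` was supplied, since the script otherwise falls through to the generic error branch. Smaller points in the same block: the output strings misspell "Successfully" and "occurred", the success branch uses `Write-Host` while the failure branch uses `Write-Output`, and the fence has no language tag, so it will not be highlighted as PowerShell. Step 4 says "Navigate to your TEMP folder" without saying which account's `$env:TEMP` the script resolves to during a live response session; one sentence naming that location would save the reader a search.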
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 44b4dab75d..994b79b7b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -41,7 +41,7 @@ For more information preview features, see [Preview features](https://docs.micro - [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
    Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365. -- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/ti-indicator)
    APIs for indicators are now generally available. +- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ti-indicator)
    APIs for indicators are now generally available. - [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
    Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 66aa8cbcb8..8a376e6b4f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -32,16 +32,17 @@ For more information, see [article 977321](https://support.microsoft.com/kb/9773 The following table lists and explains the allowed encryption types. - -| Encryption type | Description and version support | -|-------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES | -| DES_CBC_MD5 | Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | -| RC4_HMAC_MD5 | Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | -| AES128_HMAC_SHA1 | Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | -| AES256_HMAC_SHA1 | Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | -| Future encryption types | Reserved by Microsoft for additional encryption types that might be implemented. | - + +| Encryption type | Description and version support | +| - | - | +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES| by default. +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. | +| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.| +| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. | +| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. | +| Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.| +  + ### Possible values 
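Review bot: In the new DES_CBC_CRC row of the encryption-types table (network-security-configure-encryption-types-allowed-for-kerberos.md, hunk @@ -32,16 +32,17 @@) the closing pipe sits before the last two words, "do not support DES| by default.", so "by default." falls outside the cell and the row has no terminating pipe. Move the pipe to the end of the row ("... do not support DES by default. |") to match the DES_CBC_MD5 row below it. The whitespace-only line added between the table and "### Possible values" looks accidental and can be a plain blank line.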
@@ -81,16 +82,17 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running -Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. +Windows Server 2008 R2, Windows 7 and Windows 10, do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running +Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES for your computers running Windows Vista and Windows Server 2008. ### Countermeasure -Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. +Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7 and Windows 10 to use the AES or RC4 cryptographic suites. ### Potential impact -If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. +If you do not select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. 
+ If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 4bbfd25108..83abf9cc69 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -92,7 +92,7 @@ Use the following cmdlets to enable cloud-delivered protection: ```PowerShell Set-MpPreference -MAPSReporting Advanced -Set-MpPreference -SubmitSamplesConsent Always +Set-MpPreference -SubmitSamplesConsent AlwaysPrompt ``` >[!NOTE] diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png index 2cb9a5a416..1fba4fa7f5 100644 Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_8_IntuneAppInfo.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index cb39ebc506..a76cb6ae4a 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -119,11 +119,11 @@ Use the following PowerShell cmdlets to set the update order. ```PowerShell Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION} -Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH} +Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH} ``` See the following for more information: - [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder) -- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) +- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) @@ -133,7 +133,7 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com ```WMI SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +SignatureDefinitionUpdateFileSharesSource ``` See the following for more information: diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 3963464f4e..5b0a86a447 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -24,6 +24,11 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps: +- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Application installation](#application-installation) +- [Client configuration](#client-configuration) + ## Prerequisites and system requirements Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md index 9565fa13e5..da2a6a8dcd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md 
@@ -24,6 +24,12 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps: +- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Client device setup](#client-device-setup) +- [Create System Configuration profiles](#create-system-configuration-profiles) +- [Publish application](#publish-application) + ## Prerequisites and system requirements Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. @@ -122,7 +128,10 @@ Once the Intune changes are propagated to the enrolled devices, you can see them 2. Select **App type=Other/Line-of-business app**. 3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload. 4. Select **Configure** and add the required information. -5. Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any arbitrary value. +5. Use **macOS Sierra 10.12** as the minimum OS and set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. + + > [!CAUTION] + > Failure to set *Ignore app version* to **Yes** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](microsoft-defender-atp-mac-updates.md) for additional information about how the product is updated. ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md index 7105a86af8..44f2ed7150 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md @@ -24,6 +24,13 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +This topic describes how to deploy Microsoft Defender ATP for Mac through JAMF. A successful deployment requires the completion of all of the following steps: +- [Download installation and onboarding packages](#download-installation-and-onboarding-packages) +- [Create JAMF policies](#create-jamf-policies) +- [Client device setup](#client-device-setup) +- [Deployment](#deployment) +- [Check onboarding status](#check-onboarding-status) + ## Prerequisites and system requirements Before you get started, please see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. @@ -57,7 +64,7 @@ Download the installation and onboarding packages from Windows Defender Security mavel-macmini:Downloads test$ ``` -## Create JAMF Policies +## Create JAMF policies You need to create a configuration profile and a policy to start deploying Microsoft Defender ATP for Mac to client devices. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md index 7b04e554d4..912811fbfb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md 
@@ -35,7 +35,6 @@ If you have any feedback that you would like to share, submit it by opening Micr ### Prerequisites -- Microsoft Defender ATP subscription - Access to the Microsoft Defender Security Center portal - Beginner-level experience in macOS and BASH scripting - Administrative privileges on the device (in case of manual deployment) @@ -50,11 +49,20 @@ If you have any feedback that you would like to share, submit it by opening Micr After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. -The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them: +The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. -| Service | Description | URL | -| -------------- | ------------------------------------ | -------------------------------------------------------------------- | -| ATP | Advanced threat protection service | [https://x.cp.wd.microsoft.com](https://x.cp.wd.microsoft.com), [https://cdn.x.cp.wd.microsoft.com](https://cdn.x.cp.wd.microsoft.com) | +| Service location | DNS record | +| ---------------------------------------- | ----------------------- | +| Common URLs for all locations | x.cp.wd.microsoft.com
    cdn.x.cp.wd.microsoft.com
    eu-cdn.x.cp.wd.microsoft.com
    wu-cdn.x.cp.wd.microsoft.com
    *.blob.core.windows.net
    officecdn-microsoft-com.akamaized.net | +| European Union | europe.x.cp.wd.microsoft.com | +| United Kingdon | unitedkingdom.x.cp.wd.microsoft.com | +| United States | unitedstates.x.cp.wd.microsoft.com | + +Microsoft Defender ATP can discover a proxy server by using the following discovery methods: +- Web Proxy Auto-discovery Protocol (WPAD) +- Manual static proxy configuration + +If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping]([https://cdn.x.cp.wd.microsoft.com/ping) in a browser. diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index c33eca6f6f..294b63f287 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md 
@@ -26,6 +26,14 @@ The [Microsoft Component Object Model (COM)](https://docs.microsoft.com/windows/ Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. +**NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates: + +- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371) +- Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288) +- Windows 10, 1709 June 18, 2019—KB4503281 (OS Build 16299.1237) (https://support.microsoft.com/help/4503281/windows-10-update-kb4503281) +- Windows 10, 1703 June 18, 2019—KB4503289 (OS Build 15063.1897) (https://support.microsoft.com/help/4503289/windows-10-update-kb4503289 +- Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053) (https://support.microsoft.com/help/4503294/windows-10-update-kb4503294) + ### Get COM object GUID Get GUID of application to allow in one of the following ways: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 059828dc17..abc8820fab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -77,3 +77,17 @@ Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and re When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \. +### Deploying policies + +In order to deploy policies using the new multiple policy format you will need to: + +1. Ensure policies are copied to the right location + - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active +2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip + - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy + - For example if the policy XML had the ID as {A6D7FBBF-9F6B-4072-BF37-693741E1D745} the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip +3. Reboot the system or use WMI to rebootlessly refresh the policy + +```powershell +Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip'} +``` diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 7d3b72d249..5652a45bd4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md 
@@ -1,3 +1,4 @@ +--- ms.reviewer: title: Import custom views to see attack surface reduction events description: Use Windows Event Viewer to import individual views for each of the features. @@ -179,6 +180,4 @@ Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Contr Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode - - Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md index 2e88240751..60e0c1e82c 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md 
@@ -250,7 +250,7 @@ Microsoft recommends using [the rings methodology](https://docs.microsoft.com/wi | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Java permissions | Disable Java | This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running. | | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone | Turn on SmartScreen Filter scan | Enabled: Enable | Controls whether SmartScreen Filter scans pages in this zone for malicious content. | -| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Enable | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. | +| Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone | Java permissions | Disable Java | Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High. 
| | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Access data sources across domains | Enabled: Disable | This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). | | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow active scripting | Disable | This policy setting allows you to manage whether script code on pages in the zone is run. | | Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone | Allow binary and script behaviors | Disable | This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached. | diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md index 6cf7155a9a..3671675351 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-2-enterprise-enhanced-security.md 
@@ -83,7 +83,6 @@ than the process in level 1. |---------|----------------|--------------|-------------| | Start Menu and Taskbar / Notifications | Turn off toast notifications on the lock screen | Enabled | Turns off toast notifications on the lock screen. | | Windows Components / Cloud Content | Do not suggest third-party content in the Windows spotlight | Enabled | Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers | -| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. | ### Services diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md index e7cc86bf0e..d1673ce03b 100644 
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-3-enterprise-high-security.md 
@@ -53,6 +53,11 @@ a level of security commensurate with the risks facing targeted organizations. M | Windows Components / Internet Explorer / Internet Control Panel / Security Page | Intranet Sites: Include all network paths (UNCs) | Disabled | This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. | | Windows Components / Microsoft Edge | Configure Password Manager | Disabled | This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default, Password Manager is turned on. if you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting employees can't use Password Manager to save their passwords locally. If you don't configure this setting employees can choose whether to use Password Manager to save their passwords locally. | +### User Policies +| Feature | Policy Setting | Policy Value | Description | +|----------|-----------------|---------------|--------------| +| Windows Components / Internet Explorer | Turn on the auto-complete feature for user names and passwords on forms | Disabled | This AutoComplete feature can remember and suggest User names and passwords on Forms. If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. 
To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. | + ## Controls The controls enforced in level 3 implement complex security configuration and controls. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index e9ada36273..fd0c3af5a7 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md @@ -71,6 +71,6 @@ Security controls which don't support an audit mode should be deployed gradually Security controls which support an audit mode can be deployed using the following methodology: -1. Audit - enable the control in audit mode, and gasther audit data in a centralized location +1. Audit - enable the control in audit mode, and gather audit data in a centralized location 2. Review - review the audit data to assess potential impact (both positive and negative) and configure any exemptions from the security control you need to configure 3. Enforce - deploy the configuration of any exemptions and convert the control to enforce mode
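Review bot: In the Vulnerability paragraph of network-security-configure-encryption-types-allowed-for-kerberos.md (hunk @@ -81,16 +82,17 @@) the added text says Windows Server 2008 R2, Windows 7 and Windows 10 "do not support the DES cryptographic suites", while the table updated in this same commit says they do not support DES "by default" and the next sentence says the suites can be enabled. Suggest "do not support the DES cryptographic suites by default" so the two sections agree. The commas added after "Windows 10" before "do not support" and before "might have" are not needed.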
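Review bot: The value change in enable-cloud-protection-windows-defender-antivirus.md (hunk @@ -92,7 +92,7 @@), from -SubmitSamplesConsent Always to AlwaysPrompt, reads as a change in behavior rather than a spelling fix: the block is introduced as the cmdlets that enable cloud-delivered protection, and a value named AlwaysPrompt suggests the user is asked before a sample is sent. Please confirm that prompting is the intended recommendation and add one sentence next to the code block saying what the value does, so administrators scripting this know whether samples are submitted automatically.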
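Review bot: The corrected parameter name in manage-protection-updates-windows-defender-antivirus.md (hunks @@ -119,11 +119,11 @@ and @@ -133,7 +133,7 @@) is singular, SignatureDefinitionUpdateFileSharesSource, but the link target kept on the same added line ends in #-signaturedefinitionupdatefilesharessources, plural. One of the two is wrong. Please check the spelling against the Set-MpPreference reference and the MSFT_MpPreference class before merging, because a reader who copies the cmdlet line with a misspelled parameter gets an error instead of a configured update share.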
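Review bot: The first hunk in microsoft-defender-atp-mac.md (@@ -35,7 +35,6 @@) deletes the "Microsoft Defender ATP subscription" prerequisite with nothing in its place, while the next bullet still requires access to the Microsoft Defender Security Center portal. If a subscription is still needed to reach the portal, keep the bullet; if the requirement has changed, state the new one rather than leaving the list silent on licensing.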
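Review bot: Two defects in the network-connections hunk of microsoft-defender-atp-mac.md (@@ -50,11 +49,20 @@): the service location is spelled "United Kingdon", and the second test link has a stray "[" inside its target, "]([https://cdn.x.cp.wd.microsoft.com/ping)", so it will not resolve. The new table is also headed "DNS record" and lists bare host names plus a wildcard (*.blob.core.windows.net), while the sentences above and below it still say "URLs"; use one term so firewall administrators know whether the allow rule is by host name or by URL.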
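Review bot: The Windows 10, 1703 entry in the added update list (allow-com-object-registration-in-windows-defender-application-control-policy.md, hunk @@ -26,6 +26,14 @@) is missing its closing parenthesis after "windows-10-update-kb4503289", unlike the other four entries. While these lines are open, consider turning each KB into a Markdown link and using the "> [!NOTE]" block style seen in other files of this commit in place of "**NOTE**:".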
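Review bot: The directory and file names in the new "Deploying policies" section (deploy-multiple-windows-defender-application-control-policies.md, hunk @@ -77,3 +77,17 @@) are plain text, for example C:\Windows\System32\CodeIntegrity\CiPolicies\Active and {PolicyGUID}.cip; wrap them in backticks so the backslashes and braces render literally. The context line just above reads "ID \," as if a placeholder had been dropped in rendering, which is the kind of loss this would avoid. Step 2 is also worded as a requirement while steps 1 and 3 are actions; "Name each binary policy file {PolicyGUID}.cip" would keep the list parallel, and a short sentence noting that the GUID in the Invoke-CimMethod line is the sample ID from step 2 would stop readers from running it unchanged.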
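Review bot: In the Locked-Down Trusted Sites Zone row of level-1-enterprise-basic-security.md (hunk @@ -250,7 +250,7 @@) the value changes from Enable to Disable Java, but the description kept on that row ("Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High.") does not describe Java permissions. The two Java permissions rows above it use "This policy setting allows you to manage permissions for Java applets ..."; reuse that description here so the row explains the value it now recommends.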
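Review bot: Moving the Internet Explorer auto-complete row out of level-2-enterprise-enhanced-security.md (hunk @@ -83,7 +83,6 @@) and into a new "### User Policies" table in level-3-enterprise-high-security.md (hunk @@ -53,6 +53,11 @@) means level 2 no longer lists disabling saved user names and passwords on forms. Please confirm that relaxing level 2 is intended and record it in the change history. The description is carried over verbatim and spells the feature three ways ("AutoComplete", "Auto Complete", "Auto complete"); since the row is being re-added, this is a good point to make it consistent.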