Merge remote-tracking branch 'refs/remotes/origin/master' into rs5

2025-05-16 07:17:24 +00:00 · 2018-08-14 08:50:08 -07:00 · 2018-08-14 08:50:08 -07:00 · 23ca4f9a6a
commit 23ca4f9a6a
parent 2bf41bde78 75df3655f3
11 changed files with 5312 additions and 5095 deletions
--- a/browsers/edge/includes/do-not-sync-browser-settings-include.md
+++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md
@ -17,8 +17,6 @@
 For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md).


-
-
 ### ADMX info and settings
 #### ADMX info
 - **GP English name:** Do not sync browser settings
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@ -295,6 +295,8 @@
 #### [SUPL DDF file](supl-ddf-file.md)
 ### [SurfaceHub CSP](surfacehub-csp.md)
 #### [SurfaceHub DDF file](surfacehub-ddf-file.md)
+### [TenantLockdown CSP](tenantlockdown-csp.md)
+#### [TenantLockdown DDF file](tenantlockdown-ddf.md)
 ### [TPMPolicy CSP](tpmpolicy-csp.md)
 #### [TPMPolicy DDF file](tpmpolicy-ddf-file.md)
 ### [UEFI CSP](uefi-csp.md)
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -2165,6 +2165,34 @@ Footnotes:
 <!--EndSKU-->
 <!--EndCSP-->

+<!--StartCSP-->
+[TenantLockdown CSP](tenantlockdown-csp.md)  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--EndCSP-->
+
 <!--StartCSP-->
 [TPMPolicy CSP](tpmpolicy-csp.md)  

--- a/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png
+++ b/windows/client-management/mdm/images/provisioning-csp-tenantlockdown.png
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 05/14/2018
+ms.date: 07/06/2018
 ---

 # Policy CSP - DeliveryOptimization

+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.


 <hr/>
@ -25,6 +27,9 @@ ms.date: 05/14/2018
  <dd>
    <a href="#deliveryoptimization-doallowvpnpeercaching">DeliveryOptimization/DOAllowVPNPeerCaching</a>
  </dd>
+  <dd>
+    <a href="#deliveryoptimization-docachehost">DeliveryOptimization/DOCacheHost</a>
+  </dd>
  <dd>
    <a href="#deliveryoptimization-dodelaybackgrounddownloadfromhttp">DeliveryOptimization/DODelayBackgroundDownloadFromHttp</a>
  </dd>
@ -217,6 +222,67 @@ The following list shows the supported values:

 <hr/>

+<!--Policy-->
+<a href="" id="deliveryoptimization-docachehost"></a>**DeliveryOptimization/DOCacheHost**  
+
+<!--SupportedSKUs-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
+	<td></td>
+	<td></td>
+</tr>
+</table>
+
+<!--/SupportedSKUs-->
+<!--Scope-->
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+<hr/>
+
+<!--/Scope-->
+<!--Description-->
+[Reserved for future use]
+
+<!--/Description-->
+<!--ADMXMapped-->
+ADMX Info:  
+-   GP English name: *[Reserved for future use] Cache Server Hostname*
+-   GP name: *CacheHost*
+-   GP element: *CacheHost*
+-   GP path: *Windows Components/Delivery Optimization*
+-   GP ADMX file name: *DeliveryOptimization.admx*
+
+<!--/ADMXMapped-->
+<!--SupportedValues-->
+
+<!--/SupportedValues-->
+<!--Example-->
+
+<!--/Example-->
+<!--Validation-->
+
+<!--/Validation-->
+<!--/Policy-->
+
+<hr/>
+
 <!--Policy-->
 <a href="" id="deliveryoptimization-dodelaybackgrounddownloadfromhttp"></a>**DeliveryOptimization/DODelayBackgroundDownloadFromHttp**  

@ -1231,7 +1297,6 @@ ADMX Info:
 <!--Policy-->
 <a href="" id="deliveryoptimization-dopercentagemaxdownloadbandwidth"></a>**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**  

-<!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):

@ -1501,6 +1566,7 @@ Footnote:
 -   2 - Added in Windows 10, version 1703.
 -   3 - Added in Windows 10, version 1709.
 -   4 - Added in Windows 10, version 1803.
+-   5 - Added in the next major release of Windows 10.

 <!--/Policies-->

--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@ -0,0 +1,39 @@
+---
+title: TenantLockdown CSP
+description: 
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 08/13/2018
+---
+
+# TenantLockdown CSP
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, next major version.
+
+The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes.
+
+> [!Note]  
+> The forced network connection is only applicable to devices after reset (not new).
+
+The following diagram shows the TenantLockdown configuration service provider in tree format.
+
+![TenantLockdown CSP diagram](images/provisioning-csp-tenantlockdown.png)
+
+<a href="" id="tenantlockdown"></a>**./Vendor/MSFT/TenantLockdown**  
+The root node.
+
+<a href="" id="requirenetworkinoobe"></a>**RequireNetworkInOOBE**  
+Specifies whether to require a network connection during the out-of-box experience (OOBE) at first logon.
+
+When RequireNetworkInOOBE is true, when the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option.
+
+Value type is bool. Supported operations are Get and Replace.
+
+-  true - Require network in OOBE  
+-  false - No network connection requirement in OOBE
+
+Example scenario:  Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@ -0,0 +1,75 @@
+---
+title: TenantLockdown DDF file
+description: XML file containing the device description framework
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: MariciaAlforque
+ms.date: 08/13/2018
+---
+
+# TenantLockdown DDF file 
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **TenantLockdown** configuration service provider.
+
+Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
+
+The XML below is for Windows 10, next major version.
+
+``` syntax
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
+  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  <VerDTD>1.2</VerDTD>
+      <Node>
+        <NodeName>TenantLockdown</NodeName>
+        <Path>./Vendor/MSFT</Path>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <MIME>com.microsoft/1.0/MDM/TenantLockdown</MIME>
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>RequireNetworkInOOBE</NodeName>
+          <DFProperties>
+            <AccessType>
+              <Get />
+              <Replace />
+            </AccessType>
+            <DefaultValue>false</DefaultValue>
+            <Description>true - Require network in OOBE, false - no network connection requirement in OOBE</Description>
+            <DFFormat>
+              <bool />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <MIME>text/plain</MIME>
+            </DFType>
+          </DFProperties>
+        </Node>
+      </Node>
+</MgmtTree>
+```
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@ -16,7 +16,7 @@ ms.date: 07/19/2018

 The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, next major version.

-The following diagram shows the Storage configuration service provider in tree format.
+The following diagram shows the Win32CompatibilityAppraiser configuration service provider in tree format.

 ![Win32CompatibilityAppraiser CSP diagram](images/provisioning-csp-win32compatibilityappraiser.png)

--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
@ -420,7 +420,7 @@ In the **Advanced settings** blade you must specify where apps can access your c
 ### Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.

-There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+Intune will add SharePoint sites that are discovered through the Graph API. You must add other network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).

 >[!Important]
 >Every WIP policy should include policy that defines your enterprise network locations.<br>Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@ -24,11 +24,16 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
 ## How to turn on HVCI in Windows 10 

 To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
+- [Windows Security app](#windows-security-app)
 - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
 - [Group Policy](#enable-hvci-using-group-policy)
 - [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) 
 - [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)

+### Windows Security app
+
+HVCI is labeled **Memory integrity** in the Windows Security app and it can be accessed via **Settings** > **Update & Security** > **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [KB4096339](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
+
 ### Enable HVCI using Intune

 Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp).