diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 9bec0f99f7..7be88e5542 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -143,6 +143,11 @@ { "source_path": "windows/security/threat-protection/intelligence/av-tests.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests", +"redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md", +"redirect_url": "https://docs.microsoft.com/microsoft-365/security/mtp/top-scoring-industry-tests", "redirect_document_id": true }, { @@ -1004,7 +1009,27 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfobeta-table.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table", "redirect_document_id": true - }, +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table", +"redirect_document_id": true +}, +{ +"source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table", +"redirect_document_id": true +}, { "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-alertevents-table.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table", @@ -1321,6 +1346,11 @@ "redirect_document_id": true }, { +"source_path": "windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-siem", +"redirect_document_id": false +}, +{ "source_path": "windows/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection", "redirect_document_id": true @@ -14361,11 +14391,6 @@ "redirect_document_id": true }, { -"source_path": "windows/update/waas-wufb-intune.md", -"redirect_url": "https://docs.microsoft.com/windows/deployment/update/waas-wufb-intune", -"redirect_document_id": true -}, -{ "source_path": "windows/manage/manage-settings-app-with-group-policy.md", "redirect_url": "https://docs.microsoft.com/windows/client-management/manage-settings-app-with-group-policy", "redirect_document_id": true @@ -14621,9 +14646,9 @@ "redirect_document_id": true }, { -"source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", -"redirect_url": "https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903", -"redirect_document_id": true + "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", + "redirect_url": "https://docs.microsoft.com/windows/privacy/required-windows-diagnostic-events-and-fields-2004", + "redirect_document_id": true }, { "source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703.md", @@ -15507,7 +15532,7 @@ }, { "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md", -"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", "redirect_document_id": false }, { diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 3dcabcaee0..cb44c5b311 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -18,7 +18,7 @@ ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) ## [HoloLens (1st Gen) release notes](hololens1-release-notes.md) -# Deploy HoloLens and mixed-reality apps in commercial environments +# Deploy HoloLens and mixed reality apps in commercial environments ## [Commercial features](hololens-commercial-features.md) ## [Deploy HoloLens in a commercial environment](hololens-requirements.md) ## [Determine what licenses you need](hololens-licenses-requirements.md) @@ -29,13 +29,13 @@ ## [Manage HoloLens updates](hololens-updates.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) -# Navigating Windows Holographic -## [Start menu and mixed reality home](holographic-home.md) -## [Use your voice with HoloLens](hololens-cortana.md) +# Navigate the Windows Holographic environment +## [Use the Start menu and mixed reality home](holographic-home.md) +## [Use your voice to operate HoloLens](hololens-cortana.md) ## [Find, open, and save files](holographic-data.md) ## [Create mixed reality photos and videos](holographic-photos-and-videos.md) -# User management and access management +# Manage users and access ## [Manage user identity and sign-in for HoloLens](hololens-identity.md) ## [Share your HoloLens with multiple people](hololens-multiple-users.md) ## [Set up HoloLens as a kiosk](hololens-kiosk.md) diff --git a/devices/hololens/holographic-home.md b/devices/hololens/holographic-home.md index 9b554c0638..8cbbe10268 100644 --- a/devices/hololens/holographic-home.md +++ b/devices/hololens/holographic-home.md @@ -1,5 +1,5 @@ --- -title: Start menu and mixed reality home +title: Use the Start menu and mixed reality home description: Navigate the mixed reality home in Windows Holographic. ms.assetid: 742bc126-7996-4f3a-abb2-cf345dff730c ms.date: 08/07/2019 @@ -15,7 +15,7 @@ appliesto: - HoloLens 2 --- -# Start menu and mixed reality home +# Use the Start menu and mixed reality home Just like the Windows PC experience starts with the desktop, Windows Holographic starts with mixed reality home. Using the Start menu you can open and place app windows, immersive app launchers, and 3D content in mixed reality home, and their placement in your physical space will be remembered. diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md index b03fb4479f..dc20ced641 100644 --- a/devices/hololens/hololens-calibration.md +++ b/devices/hololens/hololens-calibration.md @@ -38,7 +38,7 @@ HoloLens 2 prompts a user to calibrate the device under the following circumstan ![Calibration prompt](./images/07-et-adjust-for-your-eyes.png) -During this process, you'll look at a set of targets (gems). It's fine if you blink or close your eyes during calibration but try not to stare at other objects in the room. This allows HoloLens to learn about your eye position to render your holographic world. +During this process, you'll look at a set of targets (gems). It's fine if you blink during calibration, but try to stay focused on the gems instead of other objects in the room. This allows HoloLens to learn about your eye position to render your holographic world. ![Calibration prompt](./images/07-et-hold-head-still.png) @@ -52,7 +52,7 @@ If calibration was successful, you'll see a success screen. If not, read more a ### Calibration when sharing a device or session -Multiple users can share a HoloLens 2 device, without a need for each person to go through device setup. When a new user puts the device on their head for th first time, HoloLens 2 automatically prompts the user to calibrate visuals. When a user that has previously calibrated visuals puts the device on their head, the display seamlessly adjusts for quality and a comfortable viewing experience. +Multiple users can share a HoloLens 2 device, without a need for each person to go through device setup. When a new user puts the device on their head for the first time, HoloLens 2 automatically prompts the user to calibrate visuals. When a user that has previously calibrated visuals puts the device on their head, the display seamlessly adjusts for quality and a comfortable viewing experience. ### Manually starting the calibration process @@ -84,7 +84,7 @@ If calibration is unsuccessful try: - Moving objects in your visor out of the way (such as hair) - Turning on a light in your room or moving out of direct sunlight -If you followed all guidelines and calibration is still failing, please let us know by filing feedback in [Feedback Hub](hololens-feedback.md). +If you followed all guidelines and calibration is still failing, you can disable the calibration prompt in Settings. Please also let us know by filing feedback in [Feedback Hub](hololens-feedback.md). Note that setting IPD is not applicable for Hololens 2, since eye positions are computed by the system. @@ -92,6 +92,8 @@ Note that setting IPD is not applicable for Hololens 2, since eye positions are Calibration information is stored locally on the device and is not associated with any account information. There is no record of who has used the device without calibration. This mean new users will get prompted to calibrate visuals when they use the device for the first time, as well as users who opted out of calibration previously or if calibration was unsuccessful. +The device can locally store up to 50 calibration profiles. After this number is reached, the device automatically deletes the oldest unused profile. + Calibration information can always be deleted from the device in **Settings** > **Privacy** > **Eye tracker**. ### Disable calibration diff --git a/devices/hololens/hololens-connect-devices.md b/devices/hololens/hololens-connect-devices.md index 62ec90d0f2..f75a5599df 100644 --- a/devices/hololens/hololens-connect-devices.md +++ b/devices/hololens/hololens-connect-devices.md @@ -45,10 +45,15 @@ HoloLens (1st gen) supports the following classes of Bluetooth devices: ### HoloLens (1st gen): Pair the clicker 1. Use the bloom gesture to go to **Start**, and then select **Settings**. + 1. Select **Devices**, and make sure that Bluetooth is on. + 1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking. + The pairing button is on the underside of the clicker, next to the finger loop. + ![The pairing button is beside the finger loop](images/use-hololens-clicker-1.png) + 1. On the pairing screen, select **Clicker** > **Pair**. ## HoloLens 2: Connect USB-C devices @@ -64,7 +69,7 @@ HoloLens 2 supports the following classes of USB-C devices: - Combination PD hubs (USB A plus PD charging) > [!NOTE] -> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with the 20H1 OS. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported +> Some mobile devices with USB-C connections present themselves to the HoloLens as ethernet adaptors, and therefore could be used in a tethering configuration, starting with Windows Holographic, version 2004. USB LTE modems that require a separate driver, and/or application installed for configuration are not supported ## Connect to Miracast @@ -77,3 +82,10 @@ To use Miracast, follow these steps: 1. On the list of devices that appears, select an available device. 1. Complete the pairing to begin projecting. + +## Disable Bluetooth + +This procedure turns off the RF components of the Bluetooth radio and disables all Bluetooth functionality on Microsoft HoloLens. + +1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings** > **Devices**. +1. Move the slider switch for **Bluetooth** to the **Off** position. diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 89a01c0628..ec869cc67d 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -1,5 +1,5 @@ --- -title: Use your voice with HoloLens +title: Use your voice to operate HoloLens description: Cortana can help you do all kinds of things on your HoloLens ms.assetid: fd96fb0e-6759-4dbe-be1f-58bedad66fed ms.date: 03/10/2020 @@ -17,7 +17,7 @@ appliesto: - HoloLens 2 --- -# Use your voice with HoloLens +# Use your voice to operate HoloLens You can use your voice to do almost anything on HoloLens, such as taking a quick photo or opening an app. Many voice commands are built into HoloLens, while others are available through Cortana. @@ -34,14 +34,14 @@ Get around HoloLens faster with these basic commands. In order to use these, you ### General speech commands -Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying “select.” +Use these commands throughout Windows Mixed Reality to get around faster. Some commands use the gaze cursor, which you bring up by saying "select." > [!NOTE] > Hand rays are not supported on HoloLens (1st Gen). | Say this | To do this | | - | - | -| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say “select” again. | +| "Select" | Say "select" to bring up the gaze cursor. Then, turn your head to position the cursor on the thing you want to select, and say "select" again. | |Open the Start menu | "Go to Start" | |Close the Start menu | "Close" | |Leave an immersive app | Say "Go to Start" to bring up the quick actions menu, then say "Mixed reality home." | diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 0e557e9c50..9eb5eea890 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -41,7 +41,7 @@ When auto-enrollment is enabled, no additional manual enrollment is needed. When 1. Select **Enroll into device management** and enter your organizational account. You will be redirected to your organization's sign in page. 1. Upon successful authentication to the MDM server, a success message is shown. -Your device is now enrolled with your MDM server. The device will need to restart to acquire policies, certificates, and apps. The Settings app will now reflect that the device is enrolled in device management. +Your device is now enrolled with your MDM server. The Settings app will now reflect that the device is enrolled in device management. ## Unenroll HoloLens from Intune diff --git a/devices/hololens/hololens-feedback.md b/devices/hololens/hololens-feedback.md index 3199517a90..7fb8c4838e 100644 --- a/devices/hololens/hololens-feedback.md +++ b/devices/hololens/hololens-feedback.md @@ -4,7 +4,11 @@ description: Create actionable feedback for HoloLens and Windows Mixed Reality d ms.assetid: b9b24c72-ff86-44a9-b30d-dd76c49479a9 author: mattzmsft ms.author: mazeller -ms.date: 09/13/2019 +ms.date: 05/14/2020 +ms.custom: +- CI 116157 +- CSSTroubleshooting +audience: ITPro ms.prod: hololens ms.topic: article keywords: feedback, bug, issue, error, troubleshoot, help @@ -15,68 +19,66 @@ appliesto: - HoloLens 2 --- -# Give us feedback +# Feedback for HoloLens -Use the Feedback Hub to tell us which features you love, which features you could do without, or when something could be better. +Use the Feedback Hub to tell us which features you love, which features you could do without, and how something could be better. The engineering team uses the same mechanism internally to track and fix bugs, so please use Feedback Hub to report any bugs that you see. We are listening! -## Feedback for Windows Mixed Reality immersive headset on PC +Feedback Hub is an excellent way to alert the engineering team to bugs and to make sure that future updates are healthier and more consistently free of bugs. However, Feedback Hub does not provide a response. If you need immediate help, please file feedback, take note of the summary that you provided for your feedback, and then follow up with [HoloLens support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f). -> [!IMPORTANT] -> Before you report an issue, make sure that your environment meets the following requirements so that you can successfully upload logs and other information: -> -> - Have a minimum of 3GB free disk space available on the main drive of the device. -> - To upload cabs or other large files, connect to a non-metered network. +> [!NOTE] +> +> - Make sure you that you have the current version of Feedback Hub. To do this, select **Start** > **Microsoft Store**, and then select the ellipses (**...**). Then, select **Downloads and updates** > **Get updates**. +> +> - To provide the best possible data for fixing issues, we highly recommended that you set your device telemetry to **Full**. You can set this value during the Out-of-Box-Experience (OOBE), or by using the Settings app. To do this by using Settings, select **Start** > **Settings** > **Privacy** > **App Diagnostics** > **On**. -1. Make sure that you have the immersive headset connected to your PC, and then on the desktop, select **Feedback Hub**. -1. In the left pane, select **Feedback**. - ![Feedback tab](images/feedback1-600px.png) -1. To enter new feedback, select **Add new feedback**. - ![Add new feedback](images/feedback2-600px.png) -1. To make feedback actionable, in **What kind of feedback is this?** select **Problem**. -1. In **Summarize your issue**, enter a meaningful title for your feedback. -1. In **Give us more detail**, provide details and repro steps. - ![Details and repro steps](images/feedback3-600px.png) +## Use the Feedback Hub - As the top category, select **Mixed Reality**. Then select an applicable subcategory, as explained in the following table: - - |Subcategory |Description | - |----------|----------| - | Apps | Issues about a specific application. | - | Developer | Issues about authoring or running an app for Mixed Reality. | - | Device | Issues about the head-mounted device (HMD) itself. | - | Home experience | Issues about your VR environment and your interactions with the your mixed reality home. | - | Input | Issues about input methods, such as motion controllers, speech, gamepad, or mouse and keyboard. | - | Set up | Anything that is preventing you from setting up the device. | - | All other issues | Anything else. | - -1. If possible, add traces or video to your feedback to help us identify and fix the issue more quickly. To do this, follow these steps: - 1. To start collecting traces, select **Start capture**. The app starts collecting traces and a video capture of your mixed reality scenario. - - ![Start Capture](images/feedback4-600px.png) - 1. Do not close the Feedback Hub app, but switch to the scenario that produces the issue. Run through the scenario to produce the circumstances that you have described. - 1. After you finish your scenario, go back to the Feedback Hub app and select **Stop capture**. The app stops collecting information, stores the information in a file, and attaches the file to your feedback. -1. Select **Submit**. - ![Submit](images/feedback5-600px.png) - The Thank You page indicates that your feedback has been successfully submitted. - ![Thank You](images/feedback6-600px.png) +1. Use the **Start** gesture to open the **Start** menu, and then select **Feedback Hub**. The app opens in your environment. -To easily direct other people (such as co-workers, Microsoft staff, [forum](https://forums.hololens.com/) readers et al) to the issue, go to **Feedback** > **My Feedback**, select the issue, select **Share**. This action provides a shortened URL that you can give to others so that they can upvote or escalate your issue. + ![Feedback app on HoloLens Start menu](./images/hololens2-feedbackhub-tile.png) + > [!NOTE] + > If you don't see **Feedback Hub**, select **All Apps** to see the complete list of apps on the device. -## Feedback for HoloLens +1. To see whether someone else has given similar feedback, enter a few keywords about the topic in the **Feedback** search box. +1. If you find similar feedback, select it, add any additional information that you have in the **Write a comment** box, and then select **Upvote**. +1. If you don't find any similar feedback, select **Add new feedback**. -1. Use the **bloom** gesture to open the **Start** menu, and then select **Feedback Hub**. + ![Add new feedback](./images/hololens-feedback-1.png) - ![Start menu on Microsoft HoloLens](images/startmenu.jpg) -1. Place the app in your environment and then select the app to launch it. -1. To see if someone else has given similar feedback, in the Feedback search box, enter a few keywords about the topic. +1. In **Summarize your feedback**, enter a short summary of your feedback. Then add details in the **Explain in more detail** box. The more details that you provide, such as how to reproduce this problem and the effect that it has, the more useful your feedback is. When you're finished, select **Next**. - ![Search Feedback](images/searchfeedback-500px.jpg) -1. If you find similar feedback, select it, add any details, then select **Upvote**. +1. Select a topic from **Choose a category**, and then select a subcategory from **Select a subcategory**. The following table describes the categories that are available in the Windows Holographic category. - ![Upvote existing Feedback](images/upvotefeedback-500px.jpg) -1. If you don’t find any similar feedback, select **Add new feedback**, select a topic from **Select a category**, and then select a subcategory from **Select a subcategory**. + > [!NOTE] + > **Commercial customers**: To report a bug that is related to MDM, provisioning, or any other device management aspect, select the **Enterprise Management** category, and the **Device** subcategory. - ![Add new Feedback](images/addnewfeedback-500px.jpg) -1. Enter your feedback. -1. If you are reporting a reproducible issue, you can select **Reproduce**. Without closing Feedback Hub, reproduce the issue. After you finish, come back to Feedback Hub and select **I’m done**. The app adds a mixed reality capture of your repro and relevant diagnostic logs to your feedback. -1. Select **Post feedback**, and you’re done. + |Category |Description | + | --- | --- | + |Eye tracking |Feedback about eye tracking, iris sign-in, or calibration. | + |Hologram accuracy, stability, and reliability |Feedback about how holograms appear in space. | + |Launching, placing, adjusting, and exiting apps |Feedback about starting or stopping 2D or 3D apps. | + |Miracast |Feedback about Miracast. | + |Spaces and persistence |Feedback about how HoloLens recognizes spaces and retains holograms in space. | + |Start menu and all apps list |Feedback about the **Start** menu and the all apps list. | + |Surface mapping |Feedback about surface mapping. | + |Taking pictures and videos |Feedback about mixed reality captures. | + |Video hologram playback |Feedback about video hologram playback. | + |All other issues |All other issues. | + +1. You may be prompted to search for similar feedback. If your problem resembles feedback from other users, select that feedback. Otherwise, select **New feedback** and then select **Next**. + +1. If you are prompted, select the best description of the problem. + +1. Attach any relevant data to your feedback, or reproduce the problem. You can select any of the following options: + + - **Attach a screenshot**. Select this option to attach a screenshot that illustrates the situation that you're describing. + - **Attach a file**. Select this option to attach data files. If you have files that are relevant to your problem or that could help us to reproduce your problem, attach them. + - **Recreate my problem**. Select this option if you can reproduce the problem yourself. After you select **Recreate my problem**, follow these steps: + + 1. Select **Include data about** and make sure that the most relevant types of data are listed. In most cases, the default selections are based on the category and subcategory that you selected for your feedback. + 1. Select **Start Recording**. + + 1. Reproduce your problem. Don’t worry if this means that you have to enter an immersive app. You will return to the feedback page when you're done. + 1. Select **Stop recording**. After recording stops, you can see the data that is attached to your feedback for the engineering team. + +1. Make sure that you have an active internet connection so that we can receive your feedback. Select **Submit**, and you’re done. diff --git a/devices/hololens/hololens2-autopilot.md b/devices/hololens/hololens2-autopilot.md index 5589ec096d..39e0029ff0 100644 --- a/devices/hololens/hololens2-autopilot.md +++ b/devices/hololens/hololens2-autopilot.md @@ -71,7 +71,7 @@ Review the "[Requirements](https://docs.microsoft.com/windows/deployment/windows Before you start the OOBE and provisioning process, make sure that the HoloLens devices meet the following requirements: - The devices are not already members of Azure AD, and are not enrolled in Intune (or another MDM system). The Autopilot self-deploying process completes these steps. To make sure that all the device-related information is cleaned up, check the **Devices** pages in both Azure AD and Intune. -- Every device can connect to the internet. You can use a wired or wireless connection. +- Every device can connect to the internet. You can "USB C to Ethernet" adapters for wired internet connectivity or "USB C to Wifi" adapters for wireless internet connectivity. - Every device can connect to a computer by using a USB-C cable, and that computer has the following available: - Advanced Recovery Companion (ARC) - The latest Windows update: Windows 10, version 19041.1002.200107-0909 or a later version) @@ -185,24 +185,7 @@ The Enrollment Status Page (ESP) displays the status of the complete device conf ![ESP configuration](./images/hololens-ap-profile-settings.png) -### 8. Configure a custom configuration profile for HoloLens devices (known issue) - -1. In [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com), select **Devices** > **Configuration profiles** > **Create profile**. -1. For **Platform**, specify **Windows 10 and later**, and for **Profile**, select **Custom**. -1. Select **Create**. -1. Enter a name for the profile, and then select **Settings** > **Configure**. - - ![Settings for the custom configuration profile.](./images/hololens-ap-profile-settings-oma.png) -1. Select **Add**, and then specify the following information: - - - **Name**: SidecarPath - - **OMA-URI**: ./images/Device/Vendor/MSFT/EnrollmentStatusTracking/DevicePreparation/PolicyProviders/Sidecar/InstallationState - - **Data type**: Integer - - **Value**: 2 -1. Select **OK** two times, and then select **Create** to create the profile. -1. After Intune creates the configuration profile, assign the configuration profile to the device group for the HoloLens devices. - -### 9. Verify the profile status of the HoloLens devices +### 8. Verify the profile status of the HoloLens devices 1. In Microsoft Endpoint Manager Admin Center, select **Devices** > **Windows** > **Windows enrollment** > **Devices**. 1. Verify that the HoloLens devices are listed, and that their profile status is **Assigned**. @@ -234,7 +217,7 @@ At the end of OOBE, you can sign in to the device by using your user name and pa ## Known Issues -- The list of supported languages for Autopilot deployment profiles includes languages that HoloLens does not support. Select a language that [HoloLens supports](hololens2-language-support.md). +- You cannot install applications that use the device security context. ## Feedback diff --git a/devices/hololens/images/hololens-feedback-1.png b/devices/hololens/images/hololens-feedback-1.png new file mode 100644 index 0000000000..6433befe3c Binary files /dev/null and b/devices/hololens/images/hololens-feedback-1.png differ diff --git a/devices/hololens/images/hololens-start-feedback.png b/devices/hololens/images/hololens-start-feedback.png new file mode 100644 index 0000000000..0b4639843d Binary files /dev/null and b/devices/hololens/images/hololens-start-feedback.png differ diff --git a/devices/hololens/images/hololens2-feedbackhub-tile.png b/devices/hololens/images/hololens2-feedbackhub-tile.png new file mode 100644 index 0000000000..692baddd55 Binary files /dev/null and b/devices/hololens/images/hololens2-feedbackhub-tile.png differ diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 47862d7138..91a487f9a0 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -53,7 +53,7 @@ appliesto: | [HoloLens user management](hololens-multiple-users.md) | Multiple users can share a HoloLens device by using their Azure Active Directory accounts. | | [HoloLens application access management](hololens-kiosk.md) | Manage application access for different user groups. | | [Recover and troubleshoot HoloLens issues](https://support.microsoft.com/products/hololens) | Learn how to gather logs from HoloLens, recover a misbehaving device, or reset HoloLens when necessary. | -| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection) | Create a new support request for the business support team. | +| [Contact Support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) | Create a new support request for the business support team. | | [More support options](https://support.microsoft.com/products/hololens) | Connect with Microsoft support resources for HoloLens in the enterprise. | ## Related resources diff --git a/devices/surface-hub/surface-hub-2s-account.md b/devices/surface-hub/surface-hub-2s-account.md index fb93b0e7d9..27c7053045 100644 --- a/devices/surface-hub/surface-hub-2s-account.md +++ b/devices/surface-hub/surface-hub-2s-account.md @@ -1,6 +1,6 @@ --- -title: "Create Surface Hub 2S device account" -description: "This page describes the procedure for creating the Surface Hub 2S device account." +title: Create Surface Hub 2S device account +description: This page describes the procedure for creating the Surface Hub 2S device account. keywords: separate values with commas ms.prod: surface-hub ms.sitesec: library @@ -15,15 +15,18 @@ ms.localizationpriority: Medium # Create Surface Hub 2S device account -Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using Microsoft Teams or Skype for Business. Configure the device account during OOBE setup. If needed you can change it later (without going through OOBE setup). +Creating a Surface Hub device account (also known as a Room mailbox) allows Surface Hub 2S to receive, approve, or decline meeting requests and join meetings using either Microsoft Teams or Skype for Business. Configure the device account during Out-of-Box Experience (OOBE) setup. If needed, you can change it later (without going through OOBE setup). Unlike standard Room mailboxes that remain disabled by default, you need to enable the Surface Hub 2S device account to sign on to Microsoft Teams and Skype for Business. Surface Hub 2S relies on Exchange ActiveSync, which requires an ActiveSync mailbox policy on the device account. Apply the default ActiveSync mailbox policy that comes with Exchange Online. -Create the account using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including: +Create the account by using the Microsoft 365 admin center or by using PowerShell. You can use Exchange Online PowerShell to configure specific features including: - Calendar processing for every Surface Hub device account. - Custom auto replies to scheduling requests. -- If the default ActiveSync mailbox policy has already been modified by someone else or another process, you will likely have to create and assign a new ActiveSync mailbox policy +- If the default ActiveSync mailbox policy has already been modified by someone else or by another process, you will likely have to create and assign a new ActiveSync mailbox policy. + +> [!NOTE] +> The Surface Hub device account doesn’t support third-party Federated Identity Providers (FIPs) and must be a standard Active Directory or Azure Active Directory account. ## Create account using Microsoft 365 admin center @@ -31,17 +34,17 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. 2. Provide a name and email address for the device account. Leave remaining settings unchanged in the default state. -![Provide a name and email address](images/sh2-account2.png) + ![Provide a name and email address](images/sh2-account2.png) -![Leave remaining settings unchanged in the default state](images/sh2-account3.png) + ![Leave remaining settings unchanged in the default state](images/sh2-account3.png) 3. Set the password for the device account. To set the password, choose **Users** and then select **Active Users**. Now search for the newly created user to set the password. Ensure that you **do not** select the option **Make this user change their password when they first sign in.** -![Set the password for the device account](images/sh2-account4.png) + ![Set the password for the device account](images/sh2-account4.png) 4. Assign the room with an Office 365 license. It’s recommended to assign the Office 365 **Meeting Room** license, a new option that automatically enables the account for Skype for Business Online and Microsoft Teams. -![Assign Office 365 license](images/sh2-account5.png) + ![Assign Office 365 license](images/sh2-account5.png) ### Finalize setup via PowerShell @@ -50,6 +53,7 @@ Create the account using the Microsoft 365 admin center or by using PowerShell. - **Microsoft Teams and Skype for Business Calendar:** Set [**Calendar Auto processing**](https://docs.microsoft.com/surface-hub/surface-hub-2s-account?source=docs#set-calendar-auto-processing) for this account. ## Create account using PowerShell + Instead of using the Microsoft Admin Center portal, you can create the account using PowerShell. ### Connect to Exchange Online PowerShell @@ -59,13 +63,13 @@ $365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ImportResults = Import-PSSession $365Session ``` -### Create a new Room Mailbox +### Create a new Room mailbox ```powershell New-Mailbox -MicrosoftOnlineServicesID account@YourDomain.com -Alias SurfaceHub2S -Name SurfaceHub2S -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String "" -AsPlainText -Force) ``` -### Set Calendar Auto processing +### Set Calendar auto-processing ```powershell Set-CalendarProcessing -Identity "account@YourDomain.com" -AutomateProcessing AutoAccept -AddOrganizerToSubject $false –AllowConflicts $false –DeleteComments $false -DeleteSubject $false -RemovePrivateProperty $false -AddAdditionalResponse $true -AdditionalResponse "This room is equipped with a Surface Hub" @@ -81,7 +85,7 @@ Set-MsolUserLicense -UserPrincipalName "account@YourDomain.com" -AddLicenses "co ## Connect to Skype for Business Online using PowerShell -### Install prerequisites +### Install pre-requisites - [Visual C++ 2017 Redistributable](https://aka.ms/vs/15/release/vc_redist.x64.exe) - [Skype for Business Online PowerShell Module](https://www.microsoft.com/download/confirmation.aspx?id=39366) diff --git a/devices/surface-hub/surface-hub-security.md b/devices/surface-hub/surface-hub-security.md index 4dc2b7518e..faee5ad929 100644 --- a/devices/surface-hub/surface-hub-security.md +++ b/devices/surface-hub/surface-hub-security.md @@ -5,7 +5,7 @@ keywords: separate values with commas ms.prod: surface-hub ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin manager: laurawi audience: Admin ms.topic: article diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index f4616cd18b..673c77e71c 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -37,7 +37,7 @@ This update is specific to the Surface Hub 2S and provides the driver and firmwa * Improves system stability. * Surface System driver - 1.7.139.0 * Improves system stability. -* Surface SMC Firmware update - 1.173.139.0 +* Surface SMC Firmware update - 1.176.139.0 * Improves system stability. diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 92801e4289..4d8062c985 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -29,6 +29,7 @@ ### [Deploy Surface devices](deploy.md) ### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md) +### [Windows Virtual Desktop on Surface](windows-virtual-desktop-surface.md) ### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md) ### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md) ### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index 017f34559f..4abd9e0c86 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -11,7 +11,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md index 296a57b10e..6d9533bb52 100644 --- a/devices/surface/assettag.md +++ b/devices/surface/assettag.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 35be5e736d..b1aed6e997 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md index f68989b045..e8ce13b98d 100644 --- a/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md +++ b/devices/surface/considerations-for-surface-and-system-center-configuration-manager.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/customize-the-oobe-for-surface-deployments.md b/devices/surface/customize-the-oobe-for-surface-deployments.md index 70d53dae71..cb492c2620 100644 --- a/devices/surface/customize-the-oobe-for-surface-deployments.md +++ b/devices/surface/customize-the-oobe-for-surface-deployments.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- diff --git a/devices/surface/deploy-surface-app-with-windows-store-for-business.md b/devices/surface/deploy-surface-app-with-windows-store-for-business.md index 121be61007..fc2956ead6 100644 --- a/devices/surface/deploy-surface-app-with-windows-store-for-business.md +++ b/devices/surface/deploy-surface-app-with-windows-store-for-business.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, store ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md index 47f14939db..bb8e62fb6b 100644 --- a/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md +++ b/devices/surface/deploy-windows-10-to-surface-devices-with-mdt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index a7220315da..7431a22a8a 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -8,7 +8,7 @@ ms.sitesec: library author: coveminer ms.reviewer: manager: laurawi -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/documentation/surface-system-sku-reference.md b/devices/surface/documentation/surface-system-sku-reference.md index 0d49be965e..227d58d778 100644 --- a/devices/surface/documentation/surface-system-sku-reference.md +++ b/devices/surface/documentation/surface-system-sku-reference.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- # Surface System SKU Reference diff --git a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md index d51a90413e..36f05515f3 100644 --- a/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md +++ b/devices/surface/enable-peap-eap-fast-and-cisco-leap-on-surface-devices.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article --- diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index 56282326a4..6eb848da41 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index abc4672793..a68242b88a 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -11,7 +11,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index a11e35c584..131d77a578 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml @@ -52,8 +52,8 @@ landingContent: url: microsoft-surface-deployment-accelerator.md - text: Autopilot and Surface devices url: windows-autopilot-and-surface-devices.md - - text: Deploying, managing, and servicing Surface Pro X - url: surface-pro-arm-app-management.md + - text: Windows Virtual Desktop on Surface + url: windows-virtual-desktop-surface.md # Card - title: Manage Surface devices diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md index c250085467..17e6d48fb1 100644 --- a/devices/surface/ltsb-for-surface.md +++ b/devices/surface/ltsb-for-surface.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index 36197ca93f..e7c739be75 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/manage-surface-driver-and-firmware-updates.md b/devices/surface/manage-surface-driver-and-firmware-updates.md index 75ccff3070..1d78180a03 100644 --- a/devices/surface/manage-surface-driver-and-firmware-updates.md +++ b/devices/surface/manage-surface-driver-and-firmware-updates.md @@ -11,7 +11,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro --- diff --git a/devices/surface/manage-surface-uefi-settings.md b/devices/surface/manage-surface-uefi-settings.md index c5f41821d3..f56bcb55d1 100644 --- a/devices/surface/manage-surface-uefi-settings.md +++ b/devices/surface/manage-surface-uefi-settings.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices, surface author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index f0e6c5d221..2bb2c8a956 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/support-solutions-surface.md b/devices/surface/support-solutions-surface.md index ab4c3a46c4..d9f0e6200d 100644 --- a/devices/surface/support-solutions-surface.md +++ b/devices/surface/support-solutions-surface.md @@ -10,7 +10,7 @@ ms.mktglfcycl: support ms.sitesec: library ms.pagetype: surfacehub author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 09/26/2019 ms.localizationpriority: medium diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md index eaf5870411..8b1599f5b4 100644 --- a/devices/surface/surface-book-quadro.md +++ b/devices/surface/surface-book-quadro.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 5/06/2020 ms.reviewer: brrecord @@ -16,7 +16,7 @@ audience: itpro # Surface Book 3 Quadro RTX 3000 technical overview -Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, and advanced graphics and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3: +Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, advanced graphics, and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3: - **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing. - **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI. @@ -133,4 +133,4 @@ Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on an - [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md) - [Surface for Business](https://www.microsoft.com/surface/business) -- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/) \ No newline at end of file +- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/) diff --git a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md index 044b0e0437..19eb605696 100644 --- a/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md +++ b/devices/surface/surface-device-compatibility-with-windows-10-ltsc.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md index 035eec60da..d7b8828415 100644 --- a/devices/surface/surface-diagnostic-toolkit-command-line.md +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md index 795bff7f7f..7734d2a4fa 100644 --- a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md +++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: hachidan manager: laurawi diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 2b19282899..10939f979e 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: cottmca manager: laurawi diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 4599e50712..d44626e6a8 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -9,11 +9,11 @@ ms.sitesec: library author: coveminer ms.author: greglin ms.topic: article -ms.reviewer: scottmca +ms.reviewer: hachidan manager: laurawi ms.localizationpriority: medium audience: itpro -ms.date: 05/11/2020 +ms.date: 05/26/2020 --- # Microsoft Surface Enterprise Management Mode @@ -228,14 +228,27 @@ create a reset package using PowerShell to reset SEMM. ## Version History -The latest version of SEMM released May 11, 2020 includes: +### Version 2.71.139.0 + +This version of SEMM adds support for Surface Dock 2 management features for Surface Book 3, Surface Laptop 3, and Surface Pro 7 including: + +- Enabling audio (locking/unlocking), Ethernet and USB ports +- Ability to create dock packages for both authenticated and unauthenticated hosts + +### Version 2.70.130.0 + +This version of SEMM includes: + - Support for Surface Go 2 - Support for Surface Book 3 - Bug fixes -### Version 2.59. -* Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. -- Support to Wake on Power feature + +### Version 2.59.139.0 + +* Support for Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. + +- Support for Wake on Power feature ### Version 2.54.139.0 * Support to Surface Hub 2S diff --git a/devices/surface/surface-manage-dfci-guide.md b/devices/surface/surface-manage-dfci-guide.md index f21805f1a7..e1df0dc226 100644 --- a/devices/surface/surface-manage-dfci-guide.md +++ b/devices/surface/surface-manage-dfci-guide.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 11/13/2019 ms.reviewer: jesko diff --git a/devices/surface/surface-pro-arm-app-management.md b/devices/surface/surface-pro-arm-app-management.md index 488eeca1a2..5b7adaf812 100644 --- a/devices/surface/surface-pro-arm-app-management.md +++ b/devices/surface/surface-pro-arm-app-management.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.localizationpriority: high ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 4/15/2020 ms.reviewer: jessko diff --git a/devices/surface/surface-pro-arm-app-performance.md b/devices/surface/surface-pro-arm-app-performance.md index 4459d6052b..10f3e57bbd 100644 --- a/devices/surface/surface-pro-arm-app-performance.md +++ b/devices/surface/surface-pro-arm-app-performance.md @@ -6,7 +6,7 @@ ms.localizationpriority: medium ms.mktglfcycl: manage ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 10/03/2019 ms.reviewer: jessko diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index c0de20193f..499e718991 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.date: 03/09/2020 ms.reviewer: diff --git a/devices/surface/surface-wireless-connect.md b/devices/surface/surface-wireless-connect.md index 24a358065b..34c653abc0 100644 --- a/devices/surface/surface-wireless-connect.md +++ b/devices/surface/surface-wireless-connect.md @@ -7,7 +7,7 @@ ms.sitesec: library author: coveminer ms.audience: itpro ms.localizationpriority: medium -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: tokatz manager: laurawi diff --git a/devices/surface/unenroll-surface-devices-from-semm.md b/devices/surface/unenroll-surface-devices-from-semm.md index 0caea932ab..6750387137 100644 --- a/devices/surface/unenroll-surface-devices-from-semm.md +++ b/devices/surface/unenroll-surface-devices-from-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index c9345502d8..7602e690be 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 21616dc89e..91c1b17875 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: manager: laurawi diff --git a/devices/surface/using-the-sda-deployment-share.md b/devices/surface/using-the-sda-deployment-share.md index 0309d071ec..288e79b8c6 100644 --- a/devices/surface/using-the-sda-deployment-share.md +++ b/devices/surface/using-the-sda-deployment-share.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.localizationpriority: medium ms.audience: itpro diff --git a/devices/surface/wake-on-lan-for-surface-devices.md b/devices/surface/wake-on-lan-for-surface-devices.md index a6686dcf69..b9c11bd90f 100644 --- a/devices/surface/wake-on-lan-for-surface-devices.md +++ b/devices/surface/wake-on-lan-for-surface-devices.md @@ -8,7 +8,7 @@ ms.pagetype: surface, devices ms.sitesec: library ms.localizationpriority: medium author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: scottmca manager: laurawi diff --git a/devices/surface/windows-virtual-desktop-surface.md b/devices/surface/windows-virtual-desktop-surface.md new file mode 100644 index 0000000000..80434c8eb7 --- /dev/null +++ b/devices/surface/windows-virtual-desktop-surface.md @@ -0,0 +1,158 @@ +--- +title: Windows Virtual Desktop on Surface +description: This article explains how Surface devices deliver an ideal end node for Windows Virtual Desktop solutions, providing customers with flexible form factors, Windows 10 modern device security and manageability, and support for persistent, on-demand & just-in-time work scenarios. +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: greglin +ms.topic: article +ms.date: 5/20/2020 +ms.reviewer: rohenr +manager: laurawi +audience: itpro +--- + +# Windows Virtual Desktop on Surface + +## Introduction + +Windows Virtual Desktop on Surface lets you run Virtual Desktop Infrastructure (VDI) on a Surface device blurring the lines between the local desktop experience and the virtual desktop where touch, pen, ink, and biometric authentication span both physical and virtual environments. Representing another milestone in the evolution of computing, Windows Virtual Desktop on Surface 1 combines Microsoft 365 - virtualized in the Azure cloud - with the advanced security protections, enterprise-level manageability, and enhanced productivity tools of Windows 10 on Surface. This fusion of premium form factor and Virtual Desktop Infrastructure in Azure provides exceptional customer value across user experiences, portability, security, business continuity, and modern management. + +### Windows Virtual Desktop + +Windows Virtual Desktop (WVD) is a comprehensive desktop and app virtualization service running in the Azure cloud. It’s the only virtual desktop infrastructure that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. With WVD you can quickly deploy and scale Windows desktops and apps on Azure and get built-in security and compliance features. + +### Windows Virtual Desktop partner integrations + +For a list of approved partner providers and independent software vendors for Windows Virtual Desktop, see [Windows Virtual Desktop partner integrations](https://docs.microsoft.com/azure/virtual-desktop/partners). Some partners also provide Virtual Desktop as a Service (DaaS). DaaS frees you from having to maintain your own virtual machines (VMs) by providing a fully managed, turnkey desktop and virtualization service. The ability to deliver customized desktops to users anywhere in the world enables companies to quickly adjust to changing market conditions by spinning up cloud desktops on-demand - when and where they’re needed. + +## Microsoft Surface Devices + +Surface engineering has long set new standards for innovation by going beyond the keyboard and mouse to imagine more natural ways of interacting with devices, whether by touch, voice, ink, or Surface Dial. And with chip-to-cloud integration of Microsoft 365 and the security and manageability of Windows 10 Pro, Surface delivers connected hardware, software, apps, and services the way they were intended. Although it’s possible to run WVD from Windows devices dating back to Windows 7, Microsoft Surface devices provide unique advantages including support for: + +- **Flexible form factors** - like 2-in-1 devices such as Surface Go 2, Surface Pro 7 and Surface Pro X with pen, touch and detachable keyboard. +- **Persistent, on-demand and just-in-time work scenarios** - with offline and on-device access for more productive experiences. +- **Windows 10 modern device security and manageability** - providing the flexibility to be productive anywhere. + +## Flexible form factors and premium user experience + +The Microsoft Surface for Business family comprises a diverse portfolio of form factors including traditional laptops, all-in-one machines, and 2-in-1 devices. Surface devices deliver experiences people love with the choice and flexibility they need in order to work on their terms. + +### The modern virtual desktop endpoint + +Surface 2-in-1 devices, including [Surface Go 2](https://www.microsoft.com/p/surface-go-2) (10.5”), [Surface Pro 7](https://www.microsoft.com/surface/devices/surface-pro-7/) (12”) and [Surface Pro X](https://www.microsoft.com/p/surface-pro-x/) (13”), provide users with the ideal cloud desktop endpoint bringing together the optimal balance of portability, versatility, power, and all-day battery. From site engineers relying on Surface Go 2 in tablet mode to financial advisors attaching Surface Pro 7 to a dock and multiple monitors, 2-in-1 devices deliver the versatility that has come to define the modern workplace. + + Unlike traditional, fixed VDI “terminals”, Surface devices allow users to work from anywhere and enable companies to remain viable and operational during unforeseen events -- from severe weather to public health emergencies. With support for persistent, on-demand and just-in-time scenarios, Surface devices effectively help companies sustain ongoing operations and mitigate risk from disruptive events. Features designed to enhance productivity on Surface 2-in-1 devices include: + +- Vibrant, high resolution displays with 3:2 aspect ratio to get work done. +- Natural inking and multi-touch for more immersive experiences. +- With a wide variety of built-in and third-party accessibility features, Surface devices let you choose how to interact with your device, express ideas, and get work done. +- Far-field mics and high-performance speakers for improved virtual meetings. +- Biometric security including built-in, Windows Hello camera that comes standard on every Surface device. +- Long battery life 2 and fast charging. +- LTE options 3 on modern devices like Surface Pro X and Surface Go 2 for hassle-free and secure connectivity. +- Support for a wide range of peripherals such as standard printers, 3D printers, cameras, credit card readers, barcode scanners, and many others. A large ecosystem of Designed for Surface partners provides licensed and certified Surface accessories. +- Broad range of Device Redirection support. + +### Device Redirection Support + +The Surface-centric productivity experiences listed above become even more compelling in Windows Virtual Desktop environments by taking advantage of device redirection capabilities with Windows 10. Surface provides a broad range of device redirection support, especially when compared to OEM thin clients and fixed terminals, Android, iOS/macOS and Web-based access. The Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients provide the most device redirection capabilities including Input Redirection (keyboard, mouse, pen and touch), Port Redirection (serial and USB) and Other Redirections (cameras, clipboard, local drive/storage, location, microphones, printers, scanners, smart cards and speakers). For a detailed comparison of device redirection support refer to the [device redirection documentation](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#redirection-support). + +### Familiar Desktop Experience + +Not only does running the Windows Desktop Client on Surface devices provide users with a broad set of device redirection capabilities, it lets everyone launch apps in familiar ways — directly from the Start Menu or Search bar. + +### Persistent, on-demand and just-in-time work scenarios + +Windows Virtual Desktop on Surface helps customers meet increasingly complex business and security requirements across industries, employee roles, and work environments. These include: + +- Multi-layered security of access to data and organizational resources. +- Compliance with industry regulations. +- Support for an increasingly elastic workforce. +- Employee-specific needs across a variety of job functions. +- Ability to support specialized, processor-intensive workloads. +- Resilience for sustaining operations during disruptions. + +### Table 1. Windows Virtual Desktop business conversations + +| Security & regulation | Elastic workforce | Work Roles | Special workloads | Business continuity | +| ---------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------- | +| - Financial Services
- Healthcare
- Government | - Merger & acquisition
- Short term employees
- Contractors & partners | - BYOD & mobile
- Customer support/service
- Branch workers | - Design & engineering
- Support for legacy apps
- Software dev & test | - On demand
- Just-in-Time (JIT)
- Work @ Home | + +### Offline and on-device access for more productive experiences + +Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)? + +To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure. + +In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video. + +An alternative to locally installing traditional applications is to take advantage of the latest version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more. + +### Virtual GPUs + +GPUs are ideal for AI compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility. + +To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments. + +Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu) + +## Microsoft 365 and Surface + +Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. According to Forrester Research: 4 + +- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface +- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention +- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention. + +### Security and management + +From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date. +With both Surface hardware and software designed, built, and tested by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Windows Virtual Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access. + +By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location. + +Security and management features delivered with Windows Virtual Desktop on Surface include: + +- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. With a purpose-built UEFI 5 and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified. + +- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity. +- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience. +- **Removable drives** - A subset of newer Surface devices feature removable SSD drives 6 providing greater control over data retention. +- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences. +- **Modern firmware management** -Using Device Firmware Configuration Interface (DFCI),7 IT administrators can remotely disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them. +- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life. +- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed. +- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management. + +### Surface devices: Minimizing environmental impacts + +Surface performs life cycle assessments to calculate the environmental impact of devices across key stages of product life cycle enabling Microsoft to minimize these impacts. Each Surface product has an ECO profile that includes details on greenhouse gas emissions, primary energy consumption and material composition data, packaging, recycling, and related criteria. To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center. + +## Summary + +Windows Virtual Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running Windows Virtual Desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. Whether employees work in persistent, on-demand, or just-in-time scenarios, Windows Virtual Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Windows Virtual Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes. + +## Learn more + +For more information, see the following resources: + +- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) +- [Surface for Business](https://www.microsoft.com/surface/business) +- [Modernize your workforce with Microsoft Surface](https://boards.microsoft.com/public/prism/103849?token=754435c36d) +- [A guide to Surface Technical Content and Solutions](https://boards.microsoft.com/public/prism/104362/category/90968?token=09e688ec4a) +- [Microsoft zero-trust security](https://www.microsoft.com/security/business/zero-trust) + + +---------- + +1. Windows Virtual Desktop on Surface refers to running Azure Virtual Desktop Infrastructure on a Surface device and is described here as an architectural solution, not a separately available product.
+2. Battery life varies significantly with settings, usage and other factors.
+3. Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com.
+4. Forrester Consulting, “A Forrester Total Economic Impact™ Study: Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface,” commissioned by Microsoft, 2018.
+5. Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. Find out more about managing Surface UEFI settings.
+6. Removable SSD is available on Surface Laptop 3 and Surface Pro X. Note that hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions.
+7. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. [Find out more](https://docs.microsoft.com/surface/manage-surface-uefi-settings) about managing Surface UEFI settings. + diff --git a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md index 76656d39e1..38d5dc61eb 100644 --- a/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md +++ b/mdop/appv-v5/how-to-revert-extension-points-from-an-app-v-50-package-to-an-app-v-46-package-for-a-specific-user.md @@ -4,7 +4,6 @@ title: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 description: How to Revert Extension Points From an App-V 5.0 Package to an App-V 4.6 Package for a Specific User ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a author: dansimp -ms.assetid: f1d2ab1f-0831-4976-b49f-169511d3382a ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md index 0345a45113..bad9d61431 100644 --- a/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md +++ b/mdop/appv-v5/how-to-use-an-app-v-46-sp1-application-from-an-app-v-50-application.md @@ -4,7 +4,6 @@ title: How to Use an App-V 4.6 Application From an App-V 5.0 Application description: How to Use an App-V 4.6 Application From an App-V 5.0 Application ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487 author: msfttracyp -ms.assetid: 4e78cb32-9c8b-478e-ae8b-c474a7e42487 ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library diff --git a/mdop/mbam-v1/evaluating-mbam-10.md b/mdop/mbam-v1/evaluating-mbam-10.md index c7a6729376..f4c72234bf 100644 --- a/mdop/mbam-v1/evaluating-mbam-10.md +++ b/mdop/mbam-v1/evaluating-mbam-10.md @@ -55,21 +55,21 @@ Even when you set up a non-production instance of MBAM to evaluate in a lab envi

Prepare your computing environment for the MBAM installation. To do so, you must enable the Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of the SQL Server that MBAM will use.

-Note

You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup</em>. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.

+Note

You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup. The TDE certificate and key are required when recover the database or move the certificate and key to another server that has TDE encryption in place.

USE master;
 GO
-CREATE MASTER KEY ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd';
+CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@55w0rd';
 GO
 CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
 GO
 BACKUP CERTIFICATE tdeCert TO FILE = 'C:\Backup\TDECertificate.cer'
    WITH PRIVATE KEY (
          FILE = 'C:\Backup\TDECertificateKey.pvk',
-         ENCRYPTION BY PASSWORD = &amp;#39;P@55w0rd');
+         ENCRYPTION BY PASSWORD = 'P@55w0rd');
 GO

MBAM 1.0 Deployment Prerequisites

Database Encryption in SQL Server 2008 Enterprise Edition

diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index cd77d39b06..8a255ed548 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -11,8 +11,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.prod: w10 ms.date: 8/30/2018 -ms.author: pashort -author: shortpatti +ms.author: dansimp --- # Applying hotfixes on MBAM 2.5 SP1 diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md index a921105176..c035e3eadb 100644 --- a/mdop/mbam-v25/deploy-mbam.md +++ b/mdop/mbam-v25/deploy-mbam.md @@ -8,7 +8,6 @@ ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 -manager: dcscontentpm --- # Deploying MBAM 2.5 in a standalone configuration diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md index f2d0494b7f..9dce3b1297 100644 --- a/mdop/mbam-v25/troubleshooting-mbam-installation.md +++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md @@ -8,7 +8,6 @@ ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 -manager: dcscontentpm --- # Troubleshooting MBAM 2.5 installation problems diff --git a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md index 153757ee67..0e55529039 100644 --- a/mdop/mbam-v25/upgrade-mbam2.5-sp1.md +++ b/mdop/mbam-v25/upgrade-mbam2.5-sp1.md @@ -2,11 +2,10 @@ title: Upgrading from MBAM 2.5 to MBAM 2.5 SP1 Servicing Release Update author: dansimp ms.author: ksharma -manager: +manager: miaposto audience: ITPro ms.topic: article ms.prod: w10 -manager: miaposto ms.localizationpriority: Normal --- diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index b62b89b55a..9b5f3ae040 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -2,7 +2,7 @@ title: Deploy and manage a full cloud IT solution for your business description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices. keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365 -ms.prod: +ms.prod: w10 ms.technology: ms.author: eravena audience: itpro @@ -13,6 +13,7 @@ author: eavena ms.reviewer: manager: dansimp ms.localizationpriority: medium +ms.topic: conceptual --- # Get started: Deploy and manage a full cloud IT solution for your business diff --git a/smb/index.md b/smb/index.md index 5cc2746261..1f9527ebf2 100644 --- a/smb/index.md +++ b/smb/index.md @@ -2,16 +2,17 @@ title: Windows 10 for small to midsize businesses description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business. keywords: Windows 10, SMB, small business, midsize business, business -ms.prod: +ms.prod: w10 ms.technology: ms.topic: article -ms.author: celested +ms.author: dansimp ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: smb -author: CelesteDG +author: dansimp ms.localizationpriority: medium manager: dansimp +audience: itpro --- # Windows 10 for SMB diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md index b7fea1a9ef..04c86ceb64 100644 --- a/store-for-business/microsoft-store-for-business-education-powershell-module.md +++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md @@ -9,7 +9,6 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: medium -ms.author: ms.date: 10/22/2017 ms.reviewer: manager: dansimp diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index da98a12e3b..b82c42bf9a 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -13,7 +13,7 @@ ms.author: dansimp ms.topic: article --- -# Enable or block Windows Mixed Reality apps in the enterprise +# Enable or block Windows Mixed Reality apps in enterprises **Applies to** @@ -33,7 +33,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 20H1](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. diff --git a/windows/client-management/determine-appropriate-page-file-size.md b/windows/client-management/determine-appropriate-page-file-size.md index b6abb3661e..8daf0f4ce4 100644 --- a/windows/client-management/determine-appropriate-page-file-size.md +++ b/windows/client-management/determine-appropriate-page-file-size.md @@ -8,8 +8,8 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.date: 8/28/2019 -ms.reviewer: -manager: dcscontentpm +ms.reviewer: dcscontentpm +manager: dansimp --- # How to determine the appropriate page file size for 64-bit versions of Windows diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index cee81bcd72..2f12bd900f 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -7,8 +7,8 @@ ms.topic: troubleshooting author: Deland-Han ms.localizationpriority: medium ms.author: delhan -ms.reviewer: greglin -manager: dcscontentpm +ms.reviewer: dcscontentpm +manager: dansimp --- # Introduction to page files diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 40de22d2b3..7a9545e09a 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -40,7 +40,7 @@ Available naming macros: Supported operation is Add. > [!Note] -> For desktop PCs on the next major release of Windows 10 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). +> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md). **Users** Interior node for the user account information. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index c76115e831..f93af2f2a2 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -2808,4 +2808,4 @@ The following list shows the CSPs supported in HoloLens devices: - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. -- 8 - Added in the next major release of Windows 10. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 859ffd1672..285d96ddf8 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -14,9 +14,6 @@ ms.date: 03/27/2020 # DevDetail CSP -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands. > [!NOTE] @@ -135,7 +132,7 @@ Value type is string. Supported operations are Get and Replace. **Ext/Microsoft/DNSComputerName** -Added in the next major release of Windows 10. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). +Added in Windows 10, version 2004. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md). The following are the available naming macros: diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 1c440edf96..5384ce0168 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -14,9 +14,6 @@ ms.date: 09/27/2019 # EnterpriseModernAppManagement CSP -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). > [!Note] @@ -329,6 +326,7 @@ Required. The value is 0 or 1 that indicates if the app is provisioned on the de Supported operation is Get. **.../*PackageFamilyName*/*PackageFullName*/IsStub** +Added in Windows 10, version 2004. Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app. The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int. diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 386f5a8c48..9251f6a755 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -8,7 +8,7 @@ ms.sitesec: library author: dansimp ms.localizationpriority: medium ms.author: dansimp -ms.topic: +ms.topic: conceptual --- # How Mobile Device Management Providers support eSIM Management on Windows diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md index 2169488622..598d24ea19 100644 --- a/windows/client-management/mdm/get-seat.md +++ b/windows/client-management/mdm/get-seat.md @@ -1,6 +1,6 @@ --- title: Get seat -description: The Get seat operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. +description: The Get seat operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6 ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Get seat -The **Get seat** operation retrieves the information about an active seat for a specified user in the Micosoft Store for Business. +The **Get seat** operation retrieves the information about an active seat for a specified user in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png index 6ece851369..76df1eafea 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png index 5c90ec5a2b..4328edcad7 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png index 498ce66f47..f123d98073 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 5697d954da..8a720f94a0 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -24,6 +24,7 @@ This topic provides information about what's new and breaking changes in Windows For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). - **What’s new in MDM for Windows 10 versions** + - [What’s new in MDM for Windows 10, version 2004](#whats-new-in-mdm-for-windows-10-version-2004) - [What’s new in MDM for Windows 10, version 1909](#whats-new-in-mdm-for-windows-10-version-1909) - [What’s new in MDM for Windows 10, version 1903](#whats-new-in-mdm-for-windows-10-version-1903) - [What’s new in MDM for Windows 10, version 1809](#whats-new-in-mdm-for-windows-10-version-1809) @@ -58,6 +59,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What is dmwappushsvc?](#what-is-dmwappushsvc) - **Change history in MDM documentation** + - [May 2020](#may-2020) - [February 2020](#february-2020) - [January 2020](#january-2020) - [November 2019](#november-2019) @@ -87,6 +89,45 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [September 2017](#september-2017) - [August 2017](#august-2017) +## What’s new in MDM for Windows 10, version 2004 + ++++ + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
Policy CSP

Added the following new policies in Windows 10, version 2004:

+
DevDetail CSP

Added the following new node:
Ext/Microsoft/DNSComputerName

+
EnterpriseModernAppManagement CSP

Added the following new node:
IsStub

+
SUPL CSP

Added the following new node:
FullVersion

+
+ ## What’s new in MDM for Windows 10, version 1909 @@ -710,6 +751,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • @@ -1939,6 +1981,13 @@ How do I turn if off? | The service can be stopped from the "Services" console o ## Change history in MDM documentation +### May 2020 +|New or updated topic | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table. + + ### February 2020 |New or updated topic | Description| |--- | ---| diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 07bf447af0..047fef66ae 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -2390,6 +2390,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    +
    + LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +
    LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 798bbae111..b2bfd70f15 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -14,10 +14,6 @@ manager: dansimp # Policy CSP - ApplicationManagement -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - -
    @@ -436,15 +432,15 @@ Most restricted value: 0 - + - + - +
    Businesscheck mark7check mark8
    Enterprisecheck mark7check mark8
    Educationcheck mark7check mark8
    @@ -462,7 +458,7 @@ Most restricted value: 0 -Added in the next major release of Windows 10. +Added in Windows 10, version 2004. Manages non-administrator users' ability to install Windows app packages. @@ -1112,7 +1108,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. -- 7 - Added in the next major release of Windows 10. - +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 40e770a691..74dbe86c25 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -14,9 +14,6 @@ manager: dansimp # Policy CSP - Bluetooth -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. -
    @@ -412,19 +409,19 @@ The default value is an empty string. For more information, see [ServicesAllowed Pro - check mark7 + check mark8 Business - check mark7 + check mark8 Enterprise - check mark7 + check mark8 Education - check mark7 + check mark8 @@ -441,8 +438,7 @@ The default value is an empty string. For more information, see [ServicesAllowed -Added in the next major release of Windows 10. -There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. +Added in Windows 10, version 2004. There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments. @@ -470,8 +466,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. -- 7 - Added in the next major release of Windows 10. - +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004.
    diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index d3fa4df77e..4b686d7c13 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -17,11 +17,6 @@ ms.localizationpriority: medium > [!NOTE] > You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). -
    - -> [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](https://docs.microsoft.com/DeployEdge/). - ## Browser policies @@ -4310,4 +4305,3 @@ Footnotes: - 6 - Added in Windows 10, version 1903. - diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index 825ac41a15..3f4beef3e9 100644 --- a/windows/client-management/mdm/policy-csp-education.md +++ b/windows/client-management/mdm/policy-csp-education.md @@ -52,23 +52,23 @@ manager: dansimp Home - check mark + check mark8 Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -85,7 +85,7 @@ manager: dansimp -Added in next major release of Windows 10. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. +Added in Windows 10, version 2004. This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality will not be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you will be able to access graphing functionality. ADMX Info: @@ -283,6 +283,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1e8a860af4..6f8eb9a799 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -102,6 +102,9 @@ manager: dansimp
    LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    +
    + LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM +
    LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    @@ -2169,6 +2172,73 @@ GP Info:
    + +**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark3
    Businesscheck mark3
    Enterprisecheck mark3
    Educationcheck mark3
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Network security: Allow Local System to use computer identity for NTLM. + +When services connect to devices that are running versions of the Windows operating system earlier than Windows Vista or Windows Server 2008, services that run as Local System and use SPNEGO (Negotiate) that revert to NTLM will authenticate anonymously. In Windows Server 2008 R2 and Windows 7 and later, if a service connects to a computer running Windows Server 2008 or Windows Vista, the system service uses the computer identity. + +When a service connects with the device identity, signing and encryption are supported to provide data protection. (When a service connects anonymously, a system-generated session key is created, which provides no protection, but it allows applications to sign and encrypt data without errors. Anonymous authentication uses a NULL session, which is a session with a server in which no user authentication is performed; and therefore, anonymous access is allowed.) + + + +GP Info: +- GP English name: *Network security: Allow Local System to use computer identity for NTLM* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + +Valid values: +- 0 - Disabled +- 1 - Enabled (Allow Local System to use computer identity for NTLM.) + + + + +
    + **LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests** diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 3b7a445092..4935d3f947 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -155,7 +155,7 @@ where: ### Policy timeline -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For the latest release of Windows 10, you can use name or SID for both the elements, as described in this topic. +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in this topic. The following table describes how this policy setting behaves in different Windows 10 versions: @@ -163,7 +163,7 @@ The following table describes how this policy setting behaves in different Windo | ------------------ | --------------- | |Windows 10, version 1803 | Added this policy setting.
    XML accepts group and member only by name.
    Supports configuring the administrators group using the group name.
    Expects member name to be in the account name format. | | Windows 10, version 1809
    Windows 10, version 1903
    Windows 10, version 1909 | Supports configuring any local group.
    `` accepts only name.
    `` accepts a name or an SID.
    This is useful when you want to ensure a certain local group always has a well-known SID as member. | -| The latest release of Windows 10 | Behaves as described in this topic.
    Accepts name or SID for group and members and translates as appropriate. | +| Windows 10, version 2004 | Behaves as described in this topic.
    Accepts name or SID for group and members and translates as appropriate. | @@ -178,5 +178,7 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index 7786a5eb5c..a116d3b084 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -815,19 +815,19 @@ This setting supports a range of values between 0 and 1. Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -848,7 +848,7 @@ This setting supports a range of values between 0 and 1. > - The policy is only enforced in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in next major release of Windows 10. Allows IT admins to configure Microsoft Japanese IME version in the desktop. +Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Japanese IME version in the desktop. @@ -878,19 +878,19 @@ The following list shows the supported values: Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -911,7 +911,7 @@ The following list shows the supported values: > - This policy is enforced only in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in next major release of Windows 10. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. +Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop. @@ -941,19 +941,19 @@ The following list shows the supported values: Pro - check mark + check mark8 Business - check mark + check mark8 Enterprise - check mark + check mark8 Education - check mark + check mark8 @@ -974,7 +974,7 @@ The following list shows the supported values: > - This policy is enforced only in Windows 10 for desktop. > - This policy requires reboot to take effect. -Added in next major release of Windows 10. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. +Added in Windows 10, version 2004. Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. @@ -1718,6 +1718,8 @@ Footnotes: - 4 - Added in Windows 10, version 1803. - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md index 5e31cf4abc..0a0040f58c 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md +++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md @@ -104,7 +104,7 @@ Footnotes: - 5 - Added in Windows 10, version 1809. - 6 - Added in Windows 10, version 1903. - 7 - Added in Windows 10, version 1909. -- 8 - Added in the next major release of Windows 10. +- 8 - Added in Windows 10, version 2004. ## Related topics diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 64077761f8..28d0b9c42e 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -14,9 +14,6 @@ ms.date: 09/12/2019 # SUPL CSP -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. - The SUPL configuration service provider is used to configure the location client, as shown in the following table: @@ -89,7 +86,7 @@ For OMA DM, if the format for this node is incorrect the entry will be ignored a Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator. **FullVersion** -Added in the next major release of Windows 10. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. +Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored. **MCCMNCPairs** Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the device uses the default location service and does not use SUPL. diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 28f7edaab0..d0806c95e1 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -8,8 +8,8 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.date: 8/22/2019 -ms.reviewer: -manager: dcscontentpm +ms.reviewer: dcscontentpm +manager: dansimp --- # Configure system failure and recovery options in Windows diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index 7428624219..0d01784273 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -1,21 +1,27 @@ # [Configure Windows 10](index.md) ## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) ## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md) -## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) -### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md) -#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md) -#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md) -#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md) -#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md) -#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md) -#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/cortana-at-work-scenario-6.md) -#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md) -### [Set up and test Cortana with Office 365 in your organization](cortana-at-work/cortana-at-work-o365.md) -### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work/cortana-at-work-crm.md) -### [Set up and test Cortana for Power BI in your organization](cortana-at-work/cortana-at-work-powerbi.md) -### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md) -### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md) -### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md) +## [Configure Cortana in Windows 10](cortana-at-work/cortana-at-work-overview.md) +## [Set up and test Cortana in Windows 10, version 2004 and later](cortana-at-work/set-up-and-test-cortana-in-windows-10.md) +## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md) +### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/cortana-at-work-scenario-1.md) +### [Test scenario 2 - Perform a Bing search with Cortana](cortana-at-work/cortana-at-work-scenario-2.md) +### [Test scenario 3 - Set a reminder](cortana-at-work/cortana-at-work-scenario-3.md) +### [Test scenario 4 - Use Cortana to find free time on your calendar](cortana-at-work/cortana-at-work-scenario-4.md) +### [Test scenario 5 - Find out about a person](cortana-at-work/cortana-at-work-scenario-5.md) +### [Test scenario 6 - Change your language and perform a quick search with Cortana](cortana-at-work/cortana-at-work-scenario-6.md) +## [Send feedback about Cortana back to Microsoft](cortana-at-work/cortana-at-work-feedback.md) +## [Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization](cortana-at-work/cortana-at-work-o365.md) +## [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md) +### [Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query](cortana-at-work/test-scenario-1.md) +### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/test-scenario-2.md) +### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/test-scenario-3.md) +### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/test-scenario-4.md) +### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/test-scenario-5.md) +### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/test-scenario-6.md) +### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md) +## [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md) +## [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md) ## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) ## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md) ### [Prepare a device for kiosk configuration](kiosk-prepare.md) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 250b7d99b0..9e2aea142f 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -13,10 +13,6 @@ manager: dansimp --- # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization -**Applies to:** - -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index 8def5a04c7..9b2fcfb9c3 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -1,5 +1,5 @@ --- -title: Send feedback about Cortana at work back to Microsoft (Windows 10) +title: Send feedback about Cortana at work back to Microsoft description: How to send feedback to Microsoft about Cortana at work. ms.prod: w10 ms.mktglfcycl: manage @@ -12,15 +12,14 @@ ms.reviewer: manager: dansimp --- -# Send feedback about Cortana at work back to Microsoft -**Applies to:** +# Send feedback about Cortana back to Microsoft -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues. -We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems. +:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page"::: -![Cortana at work, showing how to provide feedback to Microsoft](../images/cortana-feedback.png) +To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided. -If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Program feedback app. For info about the feedback app, see [How to use Windows Insider Preview – Updates and feedback](https://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc). +:::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: +In order for enterprise users to provide feedback, admins must unblock the Feedback Hub in the [Azure portal](https://portal.azure.com/). Go to the **Enterprise applications section** and enable **Users can allow apps to access their data**. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 3ec17f6e6c..d915ec9aee 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -1,5 +1,5 @@ --- -title: Set up and test Cortana with Office 365 in your organization (Windows 10) +title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. ms.prod: w10 ms.mktglfcycl: manage @@ -12,63 +12,45 @@ ms.reviewer: manager: dansimp --- -# Set up and test Cortana with Office 365 in your organization -**Applies to:** +# Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 -Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips. +## What can you do with in Windows 10, versions 1909 and earlier? +Your employees can use Cortana to help manage their day and be more productive by getting quick answers to common questions, setting reminders, adding tasks to their To-Do lists, and find out where their next meeting is. -But Cortana works even harder when she connects to Office 365, helping employees to be notified about unusual events, such as meetings over lunch or during a typical commute time, and about early meetings, even setting an alarm so the employee isn’t late. +**See also:** -![Cortana at work, showing the day's schedule pulled from Office 365](../images/cortana-o365-screen.png) +[Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10). -We’re continuing to add more and more capabilities to Cortana so she can become even more helpful with your productivity-related tasks, such as emailing, scheduling, and other tasks that are important to help you be successful. +### Before you begin +There are a few things to be aware of before you start using Cortana in Windows 10, versions 1909 and earlier. ->[!NOTE] ->For a quick review of the frequently asked questions about Cortana and Office 365 integration, see the blog post, [An early look at Cortana integration with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=717379). +- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana's notebook. They must also authorize Cortana to access Microsoft 365 on their behalf. -## Before you begin -There are a few things to be aware of before you start using Cortana with Office 365 in your organization. +- **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- **Software requirements.** O365 integration with Cortana is available in all countries/regions where Cortana is supported for consumers today. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, it will also become available to organizations. - -- **Azure Active Directory (Azure AD) account.** Before your employees can use Cortana in your org, they must be logged in using their Azure AD account through Cortana’s notebook. They must also authorize Cortana to access Office 365 on their behalf. - -- **Office 365 Trust Center.** Cortana isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419). +- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](https://go.microsoft.com/fwlink/p/?LinkId=620763). -## Turn on Cortana with Office 365 on employees’ devices -You must tell your employees to turn on Cortana before they’ll be able to use it with Office 365. +### Turn on Cortana enterprise services on employees' devices +Your employees must connect Cortana to their Microsoft 365 account to be able to use skills like email and calendar. -**To turn on local Cortana with Office 365** +#### Turn on Cortana enterprise services -1. Click on the **Cortana** search box in the taskbar, and then click the **Notebook** icon. +1. Select the **Cortana** search box in the taskbar, and then select the **Notebook** icon. -2. Click on **Connected Services**, click **Office 365**, and then click **Connect**. - - ![Cotana at work, showing how to turn on the connected services for Office 365](../images/cortana-connect-o365.png) - - The employee can also disconnect by clicking **Disconnect** from the **Office 365** screen. - -## Turn off Cortana with Office 365 -Cortana can only access data in your Office 365 org when it’s turned on. If you don’t want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center. - -**To turn off Cortana with Office 365** -1. [Sign in to Office 365](https://www.office.com/signin) using your Azure AD account. - -2. Go to the [admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). - -3. Expand **Service Settings**, and select **Cortana**. - -4. Click **Cortana** to toggle Cortana off. - - All Office 365 functionality related to Cortana is turned off in your organization and your employees are unable to use her at work. +2. Select **Manage Skills** , select **Manage accounts** , and under **Microsoft 365** select **Link**. The employee will be directed to sign into their Microsoft 365 account. +3. The employee can also disconnect by selecting **Microsoft 365**, then **Unlink**. +#### Turn off Cortana enterprise services +Cortana in Windows 10, versions 1909 and earlier can only access data in your Microsoft 365 organization when it's turned on. If you don't want Cortana to access your corporate data, you can turn it off in the Microsoft 365 admin center. +1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/) using your admin account. +2. Select the app launcher icon in the upper-left and choose **Admin**. +3. Expand **Settings** and select **Org Settings**. +4. Select **Cortana** to toggle Cortana's access to Microsoft 365 data off. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index cad5f5470d..5158bc4ada 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -1,5 +1,5 @@ --- -title: Cortana integration in your business or enterprise (Windows 10) +title: Configure Cortana in Windows 10 ms.reviewer: manager: dansimp description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. @@ -11,53 +11,81 @@ ms.localizationpriority: medium ms.author: dansimp --- -# Cortana integration in your business or enterprise -**Applies to:** - -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +# Configure Cortana in Windows 10 ## Who is Cortana? -Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. -Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. -Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. +Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more. -![Cortana at work, showing the About me screen](../images/cortana-about-me.png) +:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example"::: ## Where is Cortana available for use in my organization? -You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers. -Cortana is available on Windows 10, version 1703 and with limited functionality on Windows 10 Mobile, version 1703. +Your employees can use Cortana in the languages listed [here](https://support.microsoft.com/help/4026948/cortanas-regions-and-languages). However, most productivity skills are currently only enabled for English (United States), for users with mailboxes in the United States. + +The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store update to support languages other than English (United States). ## Required hardware and software -Cortana requires the following hardware and software to successfully run the included scenario in your organization. -|Hardware |Description | -|---------|------------| -|Microphone |For speech interaction with Cortana. If you don't have a microphone, you can still interact with Cortana by typing in the Cortana Search Box in the taskbar. | -|Windows Phone |For location-specific reminders. You can also use a desktop device to run through this scenario, but location accuracy is usually better on phones. | -|Desktop devices |For non-phone-related scenarios. | +Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization. +>[!NOTE] +>A microphone isn't required to use Cortana. -|Software |Minimum version | -|---------|------------| -|Client operating system |
    • **Desktop:** Windows 10, version 1703
    • **Mobile:** Windows 10 Mobile, version 1703 (with limited functionality)
      • | -|Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. | -|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.

      For example:

      If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.

      If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. | -|Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)

      If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.| +|**Software** |**Minimum version** | +|---------|---------| +|Client operating system | Desktop:
      - Windows 10, version 2004 (recommended)

      - Windows 10, version 1703 (legacy version of Cortana)

      Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana)

      For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-overview#how-is-my-data-processed-by-cortana) below. | +|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. | +|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. | ## Signing in using Azure AD -Your organization must have an Azure AD tenant and your employees’ devices must all be Azure AD-joined for Cortana to work properly. For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [What is an Azure AD directory?](https://msdn.microsoft.com/library/azure/jj573650.aspx) -## Cortana and privacy -We understand that there are some questions about Cortana and your organization’s privacy, including concerns about what info is collected by Cortana, where the info is saved, how to manage what data is collected, how to turn Cortana off, how to opt completely out of data collection, and what info is shared with other Microsoft apps and services. For more details about these concerns, see the [Cortana, Search, and privacy: FAQ](https://windows.microsoft.com/windows-10/cortana-privacy-faq) topic. +Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](https://docs.microsoft.com/azure/active-directory/) + +## How is my data processed by Cortana? + +Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later. + +### Cortana in Windows 10, version 2004 and later + +Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365). + +#### How does Microsoft store, retain, process, and use Customer Data in Cortana? + +The table below describes the data handling for Cortana enterprise services. + + +|**Name** |**Description** | +|---------|---------| +|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. | +|**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. | +|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio is not retained. | +|**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. | +|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data is not used to target advertising. | + +#### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? + +>[!NOTE] +>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. You can still click on the microphone button to use your voice with Cortana. + +Cortana only begins listening for commands or queries when the wake word is detected, or the microphone button has been selected. + +First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](https://docs.microsoft.com/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard. + +The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. + +:::image type="content" source="../screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: + +At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. + +If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized. + +### Cortana in Windows 10, versions 1909 and earlier + +Cortana in Windows 10, versions 1909 and earlier, isn't a service covered by the Office 365 Trust Center. [Learn more about how Cortana in Windows 10, version 1909 and earlier, treats your data](https://go.microsoft.com/fwlink/p/?LinkId=536419). Cortana is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). ## See also + - [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) - -- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) - -- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index 0122fb2eb7..1729809a44 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -13,34 +13,40 @@ manager: dansimp --- # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization -**Applies to:** - -- Windows 10 -- Windows 10 Mobile >[!NOTE] ->For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=717381). - -|Group policy |MDM policy |Description | -|-------------|-----------|------------| -|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

      **Note**
      This setting only applies to Windows 10 for desktop devices. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.

      **In Windows 10, version 1511**
      Cortana won’t work if this setting is turned off (disabled).

      **In Windows 10, version 1607 and later**
      Cortana still works if this setting is turned off (disabled).| -|None|System/AllowLocation|Specifies whether to allow app access to the Location service.

      **In Windows 10, version 1511**
      Cortana won’t work if this setting is turned off (disabled).

      **In Windows 10, version 1607 and later**
      Cortana still works if this setting is turned off (disabled).| -|None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

      Use this setting if you only want to support Azure AD in your organization.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

      **Note**
      This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. | -|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.

      **In Windows 10 Pro edition**
      This setting can’t be managed.

      **In Windows 10 Enterprise edition**
      Cortana won't work if this setting is turned off (disabled).| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.

      **Important**
      Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.| - - - - - - - - - - +>For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) topic, located in the configuration service provider reference topics. +|**Group policy** |**MDM policy** |**Description** | +|---------|---------|---------| +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.
      +> [!IMPORTANT] +> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. | +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
      +> [!NOTE] +> Cortana in Windows 10, versions 2004 and later do not currently support Above Lock. | +|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
      +> [!NOTE] +> This setting only applies to Windows 10 versions 2004 and later. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. | +|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
      +Users will still be able to type queries to Cortana. | +|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
      +**In Windows 10, version 1511**
      Cortana won’t work if this setting is turned off (disabled).
      **In Windows 10, version 1607 and later**
      Non-speech aspects of Cortana will still work if this setting is turned off (disabled).
      **In Windows 10, version 2004 and later**
      Cortana will work, but voice input will be disabled. | +|None |System/AllowLocation |Specifies whether to allow app access to the Location service.
      +**In Windows 10, version 1511**
      Cortana won’t work if this setting is turned off (disabled).
      +**In Windows 10, version 1607 and later**
      +Cortana still works if this setting is turned off (disabled).
      +**In Windows 10, version 2004 and later**
      +Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later do not currently use the Location service. | +|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
      +Disable this setting if you only want to allow users to sign in with their Azure AD account. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders.
      +**In Windows 10, version 2004 and later**
      Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, do not currently use the Location service. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search.
      +**In Windows 10 Pro edition**
      This setting can’t be managed. +**In Windows 10 Enterprise edition**
      Cortana won't work if this setting is turned off (disabled). +**In Windows 10, version 2004 and later**
      This setting no longer affects Cortana. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
      +> [!NOTE] +> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. | \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index 1239cdfc7a..6bf6aaf7bd 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md @@ -13,10 +13,6 @@ manager: dansimp --- # Set up and test Cortana for Power BI in your organization -**Applies to:** - -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 >[!IMPORTANT] >Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index a7b6e72c12..de5e546244 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -12,49 +12,24 @@ ms.reviewer: manager: dansimp --- -# Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook +# Test scenario 1 – Sign into Azure AD, enable the wake word, and try a voice query -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +>[!NOTE] +>The wake word has been temporarily disabled in the latest version of Cortana in Windows but will be restored soon. ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +1. Select the **Cortana** icon in the task bar and sign in using your Azure AD account. -This scenario turns on Azure AD and let's your employee use Cortana to manage an entry in the notebook. +2. Select the "…" menu and select **Talking to Cortana**. -## Turn on Azure AD -This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account. +3. Toggle **Wake word** to **On** and close Cortana. -1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, and then click **About Me**. +4. Say **Cortana, what can you do?**. -2. Click your email address. +When you say **Cortana**, Cortana will open in listening mode to acknowledge the wake word. - A dialog box appears, showing the associated account info. +:::image type="content" source="../screenshot4.png" alt-text="Screenshot: Cortana listening mode"::: -3. Click your email address again, and then click **Sign out**. +Once you finish saying your query, Cortana will open with the result. - This signs out the Microsoft account, letting you continue to add and use the Azure AD account. - -4. Click the **Search** box and then the **Notebook** icon in the left rail. This will start the sign-in request. - -5. Click **Sign-In** and follow the instructions. - -6. When you’re asked to sign in, you’ll need to choose an Azure AD account, which will look like kelliecarlson@contoso.com. - - >[!IMPORTANT] - >If there’s no Azure AD account listed, you’ll need to go to **Windows Settings > Accounts > Email & app accounts**, and then click **Add a work or school account** to add it. - -## Use Cortana to manage the notebook content -This process helps you to manage the content Cortana shows in your Notebook. - -1. Click on the **Cortana** icon in the taskbar, click the **Notebook**, scroll down and click **Weather**. - -2. In the **Weather** settings, scroll down to the **Cities your tracking** area, and then click **Add a city**. - -3. Add *Redmond, Washington*, double-click the search result, click **Add**, and then click **Save**. - - ![Cortana at work, showing the multiple Weather screens](../images/cortana-weather-multipanel.png) - -4. Click on the **Home** icon and scroll to the weather forecast for Redmond, Washington. - - ![Cortana at work, showing Redmond, WA weather](../images/cortana-redmond-weather.png) +>[!NOTE] +>If you've disabled the wake word using MDM or Group Policy, you will need to manually activate the microphone by selecting Cortana, then the mic button. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index c58d165771..cd8da63e37 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -12,32 +12,15 @@ ms.reviewer: manager: dansimp --- -# Test scenario 2 - Perform a quick search with Cortana at work +# Test scenario 2 – Perform a Bing search with Cortana -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +1. Select the **Cortana** icon in the taskbar. ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +2. Type **What time is it in Hyderabad?**. -This scenario helps you perform a quick search using Cortana, both by typing and through voice commands. +Cortana will respond with the information from Bing. -## Search using Cortana -This process helps you use Cortana at work to perform a quick search. +:::image type="content" source="../screenshot5.png" alt-text="Screenshot: Cortana showing current time in Hyderbad"::: -1. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. - -2. Type *Weather in New York*. - - You should see the weather in New York, New York at the top of the search results. - - ![Cortana at work, showing the weather in New York, New York](../images/cortana-newyork-weather.png) - -## Search with Cortana, by using voice commands -This process helps you to use Cortana at work and voice commands to perform a quick search. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). - -2. Say *What's the weather in Chicago?* Cortana tells you and shows you the current weather in Chicago. - - ![Cortana at work, showing the current weather in Chicago, IL](../images/cortana-chicago-weather.png) +>[!NOTE] +>This scenario requires Bing Answers to be enabled. To learn more, see [Set up and configure the Bing Answers feature](https://docs.microsoft.com/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10#set-up-and-configure-the-bing-answers-feature). \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index d072cdb5fa..5382e5665c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -12,77 +12,14 @@ ms.reviewer: manager: dansimp --- -# Test scenario 3 - Set a reminder for a specific location using Cortana at work +# Test scenario 3 - Set a reminder -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +This scenario helps you set up, review, and edit a reminder. For example, you can remind yourself to send someone a link to a document after a meeting. ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +1. Select the **Cortana** icon in the taskbar and type **Remind me to send a link to the deck at 3:05pm** and press **Enter**. -This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house. +Cortana will create a reminder in Microsoft To Do and will remind you at the appropriate time. ->[!NOTE] ->You can set each reminder location individually as you create the reminders, or you can go into the **About me** screen and add both **Work** and **Home** addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario.

      Additionally, if you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page. +:::image type="content" source="../screenshot6.png" alt-text="Screenshot: Cortana set a reminder"::: -## Create a reminder for a specific location -This process helps you to create a reminder based on a specific location. - -1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. - -2. Click the **+** sign, add a subject for your reminder, such as _Remember to file expense report receipts_, and then click **Place**. - - ![Cortana at work, showing the add a reminder screens](../images/cortana-add-reminder.png) - -3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder. - - ![Cortana at work, showing how to add a place to the reminder screens](../images/cortana-place-reminder.png) - -4. Click **Done**. - - >[!NOTE] - >If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the **Favorites list** in Windows Maps. - -5. Choose to be reminded the **Next time you arrive at the location** or on a specific day of the week from the drop-down box. - -6. Take a picture of your receipts and store them locally on your device. - -7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**. - - The photo is stored with the reminder. - - ![Cortana at work, showing the stored image in the reminder screens](../images/cortana-final-reminder.png) - -8. Review the reminder info, and then click **Remind**. - - The reminder is saved and ready to be triggered. - - ![Cortana at work, showing the final reminder](../images/cortana-reminder-pending.png) - -## Create a reminder for a specific location by using voice commands -This process helps you to use Cortana at work and voice commands to create a reminder for a specific location. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box). - -2. Say _Remind me to grab my expense report receipts before I leave home_. - - Cortana opens a new reminder task and asks if it sounds good. - - ![Cortana at work, showing the reminder created through voice commands](../images/cortana-reminder-mic.png) - -3. Say _Yes_ so Cortana can save the reminder. - - ![Cortana at work, showing the final reminder created through voice commands](../images/cortana-reminder-pending-mic.png) - -## Edit or archive an existing reminder -This process helps you to edit or archive and existing or completed reminder. - -1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. - - ![Cortana at work, showing the list of pending reminders](../images/cortana-reminder-list.png) - -2. Click the pending reminder you want to edit. - - ![Cortana at work, showing the reminder editing screen](../images/cortana-reminder-edit.png) - -3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click **Save** to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**. +:::image type="content" source="../screenshot7.png" alt-text="Screenshot: Cortana showing reminder on page"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 4ea208fcfd..1a34778608 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -12,42 +12,16 @@ ms.reviewer: manager: dansimp --- -# Test scenario 4 - Use Cortana at work to find your upcoming meetings +# Test scenario 4 - Use Cortana to find free time on your calendar -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +This scenario helps you find out if a time slot is free on your calendar. ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. - -This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally. - ->[!NOTE] ->If you’ve turned on the **Meeting & reminder cards & notifications** option (in the **Meetings & reminders** option of your Notebook), you’ll also see your pending reminders on the Cortana **Home** page. - -## Find out about upcoming meetings -This process helps you find your upcoming meetings. - -1. Check to make sure your work calendar is connected and synchronized with your Azure AD account. +1. Select the **Cortana** icon in the taskbar. 2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. -3. Type _Show me my meetings for tomorrow_. - - You’ll see all your meetings scheduled for the next day. - - ![Cortana at work, showing all upcoming meetings](../images/cortana-meeting-tomorrow.png) - -## Find out about upcoming meetings by using voice commands -This process helps you to use Cortana at work and voice commands to find your upcoming meetings. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box. - -2. Say _Show me what meeting I have at 3pm tomorrow_. - - >[!IMPORTANT] - >Make sure that you have a meeting scheduled for the time you specify here. - - ![Cortana at work, showing the meeting scheduled for 3pm](../images/cortana-meeting-specific-time.png) +3. Type **Am I free at 3 PM tomorrow?** +Cortana will respond with your availability for that time, as well as nearby meetings. +:::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index f5efc05577..6312ad8983 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -12,48 +12,14 @@ ms.reviewer: manager: dansimp --- -# Test scenario 5 - Use Cortana to send email to a co-worker +# Test scenario 5 - Test scenario 5 – Find out about a person -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +Cortana can help you quickly look up information about someone or the org chart. ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +1. Select the **Cortana** icon in the taskbar. -This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally. +2. Type or select the mic and say, **Who is name of person in your organization's?** -## Send an email to a co-worker -This process helps you to send a quick message to a co-worker from the work address book. +:::image type="content" source="../screenshot9.png" alt-text="Screenshot: Cortana showing name of person in your organization"::: -1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account. - -2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. - -3. Type _Send an email to <contact_name>_. - - Where _<contact_name>_ is the name of someone in your work address book. - -4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**. - - ![Cortana at work, showing the email text](../images/cortana-send-email-coworker.png) - -## Send an email to a co-worker by using voice commands -This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book. - -1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box. - -2. Say _Send an email to <contact_name>_. - - Where _<contact_name>_ is the name of someone in your work address book. - -3. Add your email message by saying, _Hello this is a test email using Cortana at work._ - - The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**. - - ![Cortana at work, showing the email text created from verbal commands](../images/cortana-send-email-coworker-mic.png) - -4. Say _Send it_. - - The email is sent. - - ![Cortana at work, showing the sent email text](../images/cortana-complete-send-email-coworker-mic.png) +Cortana will respond with information about the person. You can select the person to see more information about them in Microsoft Search. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index f5ffb003b7..b2c7bdd9dd 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -12,38 +12,14 @@ ms.reviewer: manager: dansimp --- -# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email +# Test scenario 6 – Change your language and perform a quick search with Cortana -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 +Cortana can help employees in regions outside the US search for quick answers like currency conversions, time zone conversions, or weather in their location. ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). +1. Select the **Cortana** icon in the taskbar. -Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. +2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You will be prompted to restart the app. ->[!NOTE] ->The Suggested reminders feature is currently only available in English (en-us). - -**To use Cortana to create Suggested reminders for you** - -1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md). - -2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**. - -3. Make sure the **Contacts, email, calendar, and communication history** option is turned on. - - ![Permissions options for Cortana at work](../images/cortana-communication-history-permissions.png) - -4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**. - - ![Suggested reminders options for Cortana at work](../images/cortana-suggested-reminder-settings.png) - -5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_. - -6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events. - - If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed. - - ![Cortana Home screen with your suggested reminder showing](../images/cortana-suggested-reminder.png) +3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**. +:::image type="content" source="../screenshot10.png" alt-text="Screenshot: Cortana showing a change your language and showing search results in Spanish"::: \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index a00867e25b..c10a722ceb 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -14,9 +14,6 @@ manager: dansimp # Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 - >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index 936f8b5788..9ab3b96e22 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -13,26 +13,19 @@ manager: dansimp --- # Testing scenarios using Cortana in your business or organization -**Applies to:** - -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: -- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md) +- [Sign into Azure AD, enable the Cortana wake word, and try a voice query](cortana-at-work-scenario-1.md) -- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md) +- [Perform a Bing search with Cortana](cortana-at-work-scenario-2.md) -- [Set a reminder and have it remind you when you’ve reached a specific location](cortana-at-work-scenario-3.md) +- [Set a reminder](cortana-at-work-scenario-3.md) -- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md) +- [Use Cortana to find free time on your calendar](cortana-at-work-scenario-4.md) -- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md) +- [Find out about a person](cortana-at-work-scenario-5.md) -- [Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) +- [Change your language and perform a quick search with Cortana](cortana-at-work-scenario-6.md) -- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md) - ->[!IMPORTANT] ->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. +- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md) \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 9ae00ff891..1425bcd323 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -13,15 +13,11 @@ manager: dansimp --- # Set up and test custom voice commands in Cortana for your organization -**Applies to:** - -- Windows 10, version 1703 -- Windows 10 Mobile, version 1703 - -Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. >[!NOTE] ->For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted). +>This content applies to Cortana in versions 1909 and earlier, but will not be available in future releases. + +Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. ## High-level process Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md new file mode 100644 index 0000000000..14dfdcd3da --- /dev/null +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -0,0 +1,49 @@ +--- +title: Set up and test Cortana in Windows 10, version 2004 and later +ms.reviewer: +manager: dansimp +description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: kwekua +ms.localizationpriority: medium +ms.author: dansimp +--- + +# Set up and test Cortana in Windows 10, version 2004 and later + +## Before you begin + +- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later. +- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store). + +## Set up and configure the Bing Answers feature +Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com. + +The above experience is powered by Microsoft Bing, and Cortana sends the user queries to Bing. The use of Microsoft Bing is governed by the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement) and [Privacy Statement](https://privacy.microsoft.com/en-US/privacystatement). + +## Configure the Bing Answers feature + +Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users. + +Users cannot enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows. + +Sign in to the [Office Configuration Admin tool](https://config.office.com/). + +Follow the steps [here](https://docs.microsoft.com/deployoffice/overview-office-cloud-policy-service#steps-for-creating-a-policy-configuration) to create this policy configuration. Once completed, the policy will look as shown below: + +:::image type="content" source="../screenshot3.png" alt-text="Screenshot: Bing policy example"::: + +## How does Microsoft handle customer data for Bing Answers? + +When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following: + +1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned. + +2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](https://docs.microsoft.com/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. + +Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization. + +## How the Bing Answer policy configuration is applied +Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an AAD group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md new file mode 100644 index 0000000000..27402c3b61 --- /dev/null +++ b/windows/configuration/cortana-at-work/test-scenario-1.md @@ -0,0 +1,46 @@ +--- +title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook +description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.date: 10/05/2017 +ms.reviewer: +manager: dansimp +--- + +# Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook + +This scenario turns on Azure AD and lets your employee use Cortana to manage an entry in the notebook. + +## Sign in with your work or school account + +This process helps you to sign out of a Microsoft Account and to sign into an Azure AD account. + +1. Click on the **Cortana** icon in the taskbar, then click the profile picture in the navigation to open Cortana settings. + +2. Click your email address. + +A dialog box appears, showing the associated account info. + +3. Click **Sign out** under your email address. + +This signs out the Microsoft account, letting you continue to add your work or school account. + +4. Open Cortana again and select the **Sign in** glyph in the left rail and follow the instructions to sign in with your work or school account. + +## Use Cortana to manage the notebook content + +This process helps you to manage the content Cortana shows in your Notebook. + +1. Select the **Cortana** icon in the taskbar, click **Notebook**, select **Manage Skills.** Scroll down and click **Weather**. + +2. In the **Weather** settings, scroll down to the **Cities you're tracking** area, and then click **Add a city**. + +3. Add **Redmond, Washington**. + +> [!IMPORTANT] +> The data created as part of these scenarios will be uploaded to Microsoft's Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md new file mode 100644 index 0000000000..caf24e5f85 --- /dev/null +++ b/windows/configuration/cortana-at-work/test-scenario-2.md @@ -0,0 +1,38 @@ +--- +title: Test scenario 2 - Perform a quick search with Cortana at work +description: A test scenario about how to perform a quick search with Cortana at work. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.date: 10/05/2017 +ms.reviewer: +manager: dansimp +--- + +# Test scenario 2 – Perform a quick search with Cortana at work + +>[!Important] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you perform a quick search using Cortana, both by typing and through voice commands. + +## Search using Cortana + +1. Click on the Cortana icon in the taskbar, and then click in the Search bar. + +2. Type **Type Weather in New York**. + +You should see the weather in New York, New York at the top of the search results. +Insert screenshot + +## Search with Cortana, by using voice commands + +This process helps you to use Cortana at work and voice commands to perform a quick search. + +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box). + +2. Say **What's the weather in Chicago?** Cortana tells you and shows you the current weather in Chicago. +Insert screenshot \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md new file mode 100644 index 0000000000..e348a1cee9 --- /dev/null +++ b/windows/configuration/cortana-at-work/test-scenario-3.md @@ -0,0 +1,79 @@ +--- +title: Test scenario 3 - Set a reminder for a specific location using Cortana at work +description: A test scenario about how to set up, review, and edit a reminder based on a location. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.date: 10/05/2017 +ms.reviewer: +manager: dansimp +--- + +# Test scenario 3 - Set a reminder for a specific location using Cortana at work + +>[!Important] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you set up, review, and edit a reminder based on a location. For example, reminding yourself to grab your expense report receipts before you leave the house. + +>[!Note] +>You can set each reminder location individually as you create the reminders, or you can go into the About me screen and add both Work and Home addresses as favorites. Make sure that you use real addresses since you’ll need to go to these locations to complete your testing scenario. + +Additionally, if you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page. + +## Create a reminder for a specific location + +This process helps you to create a reminder based on a specific location. + +1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. + +2. Click the **+** sign, add a subject for your reminder, such as **Remember to file expense report receipts**, and then click **Place**. + +3. Choose **Arrive** from the drop-down box, and then type a location to associate with your reminder. For example, you can use the physical address of where you work. Just make sure you can physically get to your location, so you can test the reminder. + +4. Click **Done**. + +>[!Note] +>If you’ve never used this location before, you’ll be asked to add a name for it so it can be added to the Favorites list in Windows Maps. + +5. Choose to be reminded the Next time you arrive at the location or on a specific day of the week from the drop-down box. + +6. Take a picture of your receipts and store them locally on your device. + +7. Click **Add Photo**, click **Library**, browse to your picture, and then click **OK**. + +The photo is stored with the reminder. + +Insert screenshot 6 + +8. Review the reminder info, and then click **Remind**. + +The reminder is saved and ready to be triggered. +Insert screenshot + +## Create a reminder for a specific location by using voice commands + +This process helps you to use Cortana at work and voice commands to create a reminder for a specific location. + +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone* icon (to the right of the Search box). + +2. Say **Remind me to grab my expense report receipts before I leave home**. + +Cortana opens a new reminder task and asks if it sounds good. +insert screenshot + +3. Say **Yes** so Cortana can save the reminder. +insert screenshot + +## Edit or archive an existing reminder + +This process helps you to edit or archive and existing or completed reminder. + +1. Click on the **Cortana** icon in the taskbar, click on the **Notebook** icon, and then click **Reminders**. + +2. Click the pending reminder you want to edit. + +3. Change any text that you want to change, click **Add photo** if you want to add or replace an image, click **Delete** if you want to delete the entire reminder, click Save to save your changes, and click **Complete and move to History** if you want to save a completed reminder in your **Reminder History**. \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md new file mode 100644 index 0000000000..a0ea0e6332 --- /dev/null +++ b/windows/configuration/cortana-at-work/test-scenario-4.md @@ -0,0 +1,52 @@ +--- +title: Use Cortana at work to find your upcoming meetings (Windows 10) +description: A test scenario about how to use Cortana at work to find your upcoming meetings. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.date: 10/05/2017 +ms.reviewer: +manager: dansimp +--- + +# Test scenario 4 - Use Cortana at work to find your upcoming meetings + +>[!Important] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you search for both general upcoming meetings, and specific meetings, both manually and verbally. + +>[!Note] +>If you’ve turned on the Meeting & reminder cards & notifications option (in the Meetings & reminders option of your Notebook), you’ll also see your pending reminders on the Cortana Home page. + +## Find out about upcoming meetings + +This process helps you find your upcoming meetings. + +1. Check to make sure your work calendar is connected and synchronized with your Azure AD account. + +2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. + +3. Type **Show me my meetings for tomorrow**. + +You’ll see all your meetings scheduled for the next day. + +Cortana at work, showing all upcoming meetings +screenshot + +## Find out about upcoming meetings by using voice commands + +This process helps you to use Cortana at work and voice commands to find your upcoming meetings. + +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box. + +2. Say **Show me what meeting I have at 3pm tomorrow**. + +>[!Important] +>Make sure that you have a meeting scheduled for the time you specify here. + +Cortana at work, showing the meeting scheduled for 3pm +screenshot \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md new file mode 100644 index 0000000000..ec1cb06e32 --- /dev/null +++ b/windows/configuration/cortana-at-work/test-scenario-5.md @@ -0,0 +1,61 @@ +--- +title: Use Cortana to send email to a co-worker (Windows 10) +description: A test scenario about how to use Cortana at work to send email to a co-worker. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.date: 10/05/2017 +ms.reviewer: +manager: dansimp +--- + +# Test scenario 5 - Use Cortana to send email to a co-worker + +>[!Important] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. + +This scenario helps you to send an email to a co-worker listed in your work address book, both manually and verbally. + +## Send email to a co-worker + +This process helps you to send a quick message to a co-worker from the work address book. + +1. Check to make sure your Microsoft Outlook or mail app is connected and synchronized with your Azure AD account. + +2. Click on the **Cortana** icon in the taskbar, and then click in the **Search** bar. + +3. Type **Send an email to **. + +Where is the name of someone in your work address book. + +4. Type your email message subject into the **Quick message** (255 characters or less) box and your message into the **Message** (unlimited characters) box, and then click **Send**. + +Cortana at work, showing the email text +screenshot + +## Send an email to a co-worker by using voice commands + +This process helps you to use Cortana at work and voice commands to send a quick message to a co-worker from the work address book. + +1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the Search box. + +2. Say **Send an email** to . + +Where is the name of someone in your work address book. + +3. Add your email message by saying, **Hello this is a test email using Cortana at work**. + +The message is added and you’re asked if you want to **Send it**, **Add more**, or **Make changes**. + +Cortana at work, showing the email text created from verbal commands +screenshot + +4. Say **Send it**. + +The email is sent. + +Cortana at work, showing the sent email text +screenshot \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md new file mode 100644 index 0000000000..cd22204b99 --- /dev/null +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -0,0 +1,48 @@ +--- +title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email +description: A test scenario about how to use Cortana with the Suggested reminders feature. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.date: 10/05/2017 +ms.reviewer: +manager: dansimp +--- + +# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email + +>[!Important] +>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). + +Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, I’ll get this to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. + +>[!Important] +>The Suggested reminders feature is currently only available in English (en-us). + +## Use Cortana to create suggested reminders for you + +1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-o365). + +2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**. + +3. Make sure the **Contacts**, **email**, **calendar**, and **communication history** option is turned on. + +Permissions options for Cortana at work +screenshot + +4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**. + +Suggested reminders options for Cortana at work +screenshot + +5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, **I’ll finish this project by end of day today**. + +6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events. + +If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed. + +Cortana Home screen with your suggested reminder showing +screenshot \ No newline at end of file diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md new file mode 100644 index 0000000000..01bd26ace5 --- /dev/null +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -0,0 +1,25 @@ +--- +title: Testing scenarios using Cortana in your business or organization +description: A list of suggested testing scenarios that you can use to test Cortana in your organization. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: dansimp +ms.localizationpriority: medium +ms.author: dansimp +ms.date: 10/05/2017 +ms.reviewer: +manager: dansimp +--- + +# Testing scenarios using Cortana in your business or organization + +We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to: + +- [Sign in with your work or school account and use Cortana to manage the notebook](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-1) +- [Perform a quick search with Cortana at work](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-2) +- [Set a reminder for a specific location using Cortana at work](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-3) +- [Use Cortana at work to find your upcoming meetings](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-4) +- [Use Cortana to send email to a co-worker](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-5) +- [Review a reminder suggested by Cortana based on what you've promised in email](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-6) +- [Use Cortana and Windows Information Protection (WIP) to help protect your organization's data on a device](https://docs.microsoft.com/windows/configuration/cortana-at-work/cortana-at-work-scenario-7) \ No newline at end of file diff --git a/windows/configuration/images/Shared_PC_1.png b/windows/configuration/images/Shared_PC_1.png new file mode 100644 index 0000000000..bf145f6c19 Binary files /dev/null and b/windows/configuration/images/Shared_PC_1.png differ diff --git a/windows/configuration/images/Shared_PC_2.png b/windows/configuration/images/Shared_PC_2.png new file mode 100644 index 0000000000..c9d2362634 Binary files /dev/null and b/windows/configuration/images/Shared_PC_2.png differ diff --git a/windows/configuration/images/Shared_PC_3.png b/windows/configuration/images/Shared_PC_3.png new file mode 100644 index 0000000000..83b3a66fc8 Binary files /dev/null and b/windows/configuration/images/Shared_PC_3.png differ diff --git a/windows/configuration/screenshot1.png b/windows/configuration/screenshot1.png new file mode 100644 index 0000000000..ed62740e92 Binary files /dev/null and b/windows/configuration/screenshot1.png differ diff --git a/windows/configuration/screenshot10.png b/windows/configuration/screenshot10.png new file mode 100644 index 0000000000..5cb1567235 Binary files /dev/null and b/windows/configuration/screenshot10.png differ diff --git a/windows/configuration/screenshot11.png b/windows/configuration/screenshot11.png new file mode 100644 index 0000000000..0ce852ebaa Binary files /dev/null and b/windows/configuration/screenshot11.png differ diff --git a/windows/configuration/screenshot12.png b/windows/configuration/screenshot12.png new file mode 100644 index 0000000000..cd85d80c7e Binary files /dev/null and b/windows/configuration/screenshot12.png differ diff --git a/windows/configuration/screenshot2.png b/windows/configuration/screenshot2.png new file mode 100644 index 0000000000..fb7995600e Binary files /dev/null and b/windows/configuration/screenshot2.png differ diff --git a/windows/configuration/screenshot3.png b/windows/configuration/screenshot3.png new file mode 100644 index 0000000000..07e01661c5 Binary files /dev/null and b/windows/configuration/screenshot3.png differ diff --git a/windows/configuration/screenshot4.png b/windows/configuration/screenshot4.png new file mode 100644 index 0000000000..ab1f083c71 Binary files /dev/null and b/windows/configuration/screenshot4.png differ diff --git a/windows/configuration/screenshot5.png b/windows/configuration/screenshot5.png new file mode 100644 index 0000000000..0ec6fda3a7 Binary files /dev/null and b/windows/configuration/screenshot5.png differ diff --git a/windows/configuration/screenshot6.png b/windows/configuration/screenshot6.png new file mode 100644 index 0000000000..2f3284ee77 Binary files /dev/null and b/windows/configuration/screenshot6.png differ diff --git a/windows/configuration/screenshot7.png b/windows/configuration/screenshot7.png new file mode 100644 index 0000000000..e3d80a3ac9 Binary files /dev/null and b/windows/configuration/screenshot7.png differ diff --git a/windows/configuration/screenshot8.png b/windows/configuration/screenshot8.png new file mode 100644 index 0000000000..f85eaffdff Binary files /dev/null and b/windows/configuration/screenshot8.png differ diff --git a/windows/configuration/screenshot9.png b/windows/configuration/screenshot9.png new file mode 100644 index 0000000000..f617991a63 Binary files /dev/null and b/windows/configuration/screenshot9.png differ diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 95cf9806b1..289a37a0b6 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -58,7 +58,7 @@ Apps can take advantage of shared PC mode with the following three APIs: ### Customization -Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. +Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring Shared PC mode for Windows](#configuring-shared-pc-mode-for-windows). The options are listed in the following table. | Setting | Value | |:---|:---| @@ -80,16 +80,33 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | [Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. +## Configuring Shared PC mode for Windows -## Configuring shared PC mode on Windows You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). Your MDM policy can contain any of the options listed in the [Customization](#customization) section. The following image shows a Microsoft Intune policy with the shared PC options added as OMA-URI settings. [Learn more about Windows 10 policy settings in Microsoft Intune.](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) -![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps: -- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**. + 1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home). + 2. Select **Devices** from the navigation. + 3. Under **Policy**, select **Configuration profiles**. + 4. Select **Create profile**. + 5. From the **Platform** menu, select **Windows 10 and later**. + 6. From the **Profile** menu, select **Shared multi-user device**. -![Shared PC settings in ICD](images/icd-adv-shared-pc.png) + ![custom OMA-URI policy in Intune](images/Shared_PC_1.png) + + 7. Select **Create**. + 8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so. + 9. Select **Next**. + 10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**. + + ![Shared PC settings in ICD](images/Shared_PC_3.png) + + 11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**. + +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**. + + ![Shared PC settings in ICD](images/icd-adv-shared-pc.PNG) - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md deleted file mode 100644 index d4e56af1b7..0000000000 --- a/windows/deployment/TOC.md +++ /dev/null @@ -1,283 +0,0 @@ -# [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment) -## [Deployment process posters](windows-10-deployment-posters.md) -## [Deploy Windows 10 with Microsoft 365](deploy-m365.md) -## [What's new in Windows 10 deployment](deploy-whats-new.md) -## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -## [Windows Autopilot](windows-autopilot/windows-autopilot.md) - -## Subscription Activation -### [Windows 10 Subscription Activation](windows-10-subscription-activation.md) -### [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) -### [Configure VDA for Subscription Activation](vda-subscription-activation.md) -### [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) - -## Resolve upgrade errors -### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) -### [Quick fixes](upgrade\quick-fixes.md) -### [SetupDiag](upgrade/setupdiag.md) -### [Troubleshooting upgrade errors](upgrade/troubleshoot-upgrade-errors.md) -### [Windows error reporting](upgrade/windows-error-reporting.md) -### [Upgrade error codes](upgrade/upgrade-error-codes.md) -### [Log files](upgrade/log-files.md) -### [Resolution procedures](upgrade/resolution-procedures.md) -### [Submit Windows 10 upgrade errors](upgrade/submit-errors.md) - -## Deploy Windows 10 -### [Deploying Windows 10](deploy.md) - -### [Windows Autopilot](windows-autopilot/windows-autopilot.md) -### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) -### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) -### [Windows 10 volume license media](windows-10-media.md) - -### [Windows 10 in S mode](s-mode.md) -#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md) - -### [Windows 10 deployment test lab](windows-10-poc.md) -#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) -#### [Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md) - -### [Plan for Windows 10 deployment](planning/index.md) -#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) -#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -#### [Windows 10 compatibility](planning/windows-10-compatibility.md) -#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md) - -#### [Volume Activation [client]](volume-activation/volume-activation-windows-10.md) -##### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md) -##### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md) -##### [Activate using Active Directory-based activation [client]](volume-activation/activate-using-active-directory-based-activation-client.md) -##### [Activate clients running Windows 10](volume-activation/activate-windows-10-clients-vamt.md) -##### [Monitor activation [client]](volume-activation/monitor-activation-client.md) -##### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md) -##### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md) - -#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md) -##### [SUA User's Guide](planning/sua-users-guide.md) -###### [Using the SUA Wizard](planning/using-the-sua-wizard.md) -###### [Using the SUA Tool](planning/using-the-sua-tool.md) -####### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md) -####### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md) -####### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md) -####### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md) -##### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md) -###### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md) -####### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md) -####### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md) -####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) -####### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md) -####### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md) -####### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md) -####### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md) -####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) -####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) -###### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md) -####### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md) -####### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md) -####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md) -###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md) -##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) - - -### Deploy Windows 10 with the Microsoft Deployment Toolkit (MDT) -#### [Get started with MDT](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) - -#### Deploy Windows 10 with MDT -##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -##### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) -##### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) -##### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) -##### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) -##### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) -##### [Perform an in-place upgrade to Windows 10 with MDT](deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) - -#### Customize MDT -##### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) -##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) -##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) -##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) -##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) -##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) -##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) -##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) -##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) - -### Deploy Windows 10 with Microsoft Endpoint Configuration Manager -#### Prepare for Windows 10 deployment with Configuration Manager -##### [Prepare for Zero Touch Installation with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -##### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) -##### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md) -##### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) -##### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) -##### [Create a task sequence with Configuration Manager and MDT](deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md) -##### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) - -#### Deploy Windows 10 with Configuration Manager -##### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md) -##### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) -##### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -##### [Perform an in-place upgrade to Windows 10 using Configuration Manager](deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md) - -### [Windows 10 deployment tools](windows-10-deployment-tools.md) - -#### [Windows 10 deployment scenarios and tools](windows-deployment-scenarios-and-tools.md) -#### [Convert MBR partition to GPT](mbr-to-gpt.md) -#### [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) -#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) - -#### [Deploy Windows To Go in your organization](deploy-windows-to-go.md) -##### [Windows To Go: feature overview](planning/windows-to-go-overview.md) -###### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) -###### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) -###### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) -###### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) -###### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) - -#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -##### [Introduction to VAMT](volume-activation/introduction-vamt.md) -##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md) -##### [Install and Configure VAMT](volume-activation/install-configure-vamt.md) -###### [VAMT Requirements](volume-activation/vamt-requirements.md) -###### [Install VAMT](volume-activation/install-vamt.md) -###### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md) -##### [Add and Manage Products](volume-activation/add-manage-products-vamt.md) -###### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md) -###### [Update Product Status](volume-activation/update-product-status-vamt.md) -###### [Remove Products](volume-activation/remove-products-vamt.md) -##### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md) -###### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md) -###### [Install a Product Key](volume-activation/install-product-key-vamt.md) -###### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md) -##### [Manage Activations](volume-activation/manage-activations-vamt.md) -###### [Perform Online Activation](volume-activation/online-activation-vamt.md) -###### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md) -###### [Perform KMS Activation](volume-activation/kms-activation-vamt.md) -###### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md) -###### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md) -###### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md) -##### [Manage VAMT Data](volume-activation/manage-vamt-data.md) -###### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md) -###### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md) -##### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md) -###### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md) -###### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md) -###### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md) -##### [VAMT Known Issues](volume-activation/vamt-known-issues.md) -#### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) -##### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md) -###### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md) -###### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md) -###### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md) -##### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md) -###### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md) -###### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md) -###### [Include Files and Settings](usmt/usmt-include-files-and-settings.md) -###### [Migrate Application Settings](usmt/migrate-application-settings.md) -###### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md) -###### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md) -###### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md) -###### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md) -##### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md) -###### [Common Issues](usmt/usmt-common-issues.md) -###### [Frequently Asked Questions](usmt/usmt-faq.md) -###### [Log Files](usmt/usmt-log-files.md) -###### [Return Codes](usmt/usmt-return-codes.md) -###### [USMT Resources](usmt/usmt-resources.md) -##### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md) -###### [USMT Requirements](usmt/usmt-requirements.md) -###### [USMT Best Practices](usmt/usmt-best-practices.md) -###### [How USMT Works](usmt/usmt-how-it-works.md) -###### [Plan Your Migration](usmt/usmt-plan-your-migration.md) -####### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md) -####### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md) -####### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md) -######## [Migration Store Types Overview](usmt/migration-store-types-overview.md) -######## [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md) -######## [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md) -######## [Migration Store Encryption](usmt/usmt-migration-store-encryption.md) -####### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md) -######## [Identify Users](usmt/usmt-identify-users.md) -######## [Identify Applications Settings](usmt/usmt-identify-application-settings.md) -######## [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md) -######## [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md) -####### [Test Your Migration](usmt/usmt-test-your-migration.md) -###### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md) -####### [ScanState Syntax](usmt/usmt-scanstate-syntax.md) -####### [LoadState Syntax](usmt/usmt-loadstate-syntax.md) -####### [UsmtUtils Syntax](usmt/usmt-utilities.md) -###### [USMT XML Reference](usmt/usmt-xml-reference.md) -####### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md) -####### [Config.xml File](usmt/usmt-configxml-file.md) -####### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md) -####### [Custom XML Examples](usmt/usmt-custom-xml-examples.md) -####### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md) -####### [General Conventions](usmt/usmt-general-conventions.md) -####### [XML File Requirements](usmt/xml-file-requirements.md) -####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md) -####### [XML Elements Library](usmt/usmt-xml-elements-library.md) -###### [Offline Migration Reference](usmt/offline-migration-reference.md) -### [Install fonts in Windows 10](windows-10-missing-fonts.md) - -## Update Windows 10 -### [Update Windows 10 in enterprise deployments](update/index.md) -### Windows as a service -#### [Windows as a service - introduction](update/windows-as-a-service.md) -#### [Quick guide to Windows as a service](update/waas-quick-start.md) -#### [Servicing stack updates](update/servicing-stack-updates.md) -#### [Overview of Windows as a service](update/waas-overview.md) -### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) -### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) -### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) -### Get started -#### [Get started with Windows Update](update/windows-update-overview.md) -#### [How Windows Update works](update/how-windows-update-works.md) -#### [Windows Update log files](update/windows-update-logs.md) -#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md) -#### [Common Windows Update errors](update/windows-update-errors.md) -#### [Windows Update error code reference](update/windows-update-error-reference.md) -#### [Other Windows Update resources](update/windows-update-resources.md) -### Optimize delivery -#### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) -#### [Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) -#### [Set up Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization-setup.md) -#### [Delivery Optimization reference](update/waas-delivery-optimization-reference.md) -#### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) -#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md) -### Monitor Windows Updates -#### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) -#### [Get started with Update Compliance](update/update-compliance-get-started.md) -##### [Update Compliance Configuration Script](update/update-compliance-configuration-script.md) -##### [Manually Configuring Devices for Update Compliance](update/update-compliance-configuration-manual.md) -#### [Use Update Compliance](update/update-compliance-using.md) -##### [Need Attention! report](update/update-compliance-need-attention.md) -##### [Security Update Status report](update/update-compliance-security-update-status.md) -##### [Feature Update Status report](update/update-compliance-feature-update-status.md) -##### [Delivery Optimization in Update Compliance](update/update-compliance-delivery-optimization.md) -##### [Data Handling and Privacy in Update Compliance](update/update-compliance-privacy.md) -##### [Update Compliance Schema Reference](update/update-compliance-schema.md) -###### [WaaSUpdateStatus](update/update-compliance-schema-waasupdatestatus.md) -###### [WaaSInsiderStatus](update/update-compliance-schema-waasinsiderstatus.md) -###### [WaaSDeploymentStatus](update/update-compliance-schema-waasdeploymentstatus.md) -###### [WUDOStatus](update/update-compliance-schema-wudostatus.md) -###### [WUDOAggregatedStatus](update/update-compliance-schema-wudoaggregatedstatus.md) -### Best practices -#### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) -#### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md) -#### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md) -#### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md) -#### [Conclusion](update/feature-update-conclusion.md) -### [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) -### Use Windows Update for Business -#### [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) -#### [Configure Windows Update for Business](update/waas-configure-wufb.md) -#### [Enforcing compliance deadlines for updates](update/wufb-compliancedeadlines.md) -#### [Integrate Windows Update for Business with management solutions](update/waas-integrate-wufb.md) -#### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md) -#### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) -### Use Windows Server Update Services -#### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md) -#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md) -### [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md) -### [Manage device restarts after updates](update/waas-restart.md) -### [Manage additional Windows Update settings](update/waas-wu-settings.md) -### [Determine the source of Windows updates](update/windows-update-sources.md) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml new file mode 100644 index 0000000000..3dda78fbb4 --- /dev/null +++ b/windows/deployment/TOC.yml @@ -0,0 +1,515 @@ +- name: Deploy and update Windows 10 + href: index.yml + items: + - name: Get started + items: + - name: What's new + href: deploy-whats-new.md + - name: Windows 10 deployment scenarios + href: windows-10-deployment-scenarios.md + - name: What is Windows as a service? + href: update/waas-quick-start.md + - name: Windows update fundamentals + href: update/waas-overview.md + - name: Types of Windows updates + href: update/waas-quick-start.md#definitions + - name: Servicing the Windows 10 operating system + href: update/waas-servicing-strategy-windows-10-updates.md + + - name: Deployment proof of concept + items: + - name: Demonstrate Autopilot deployment on a VM + href: windows-autopilot/demonstrate-deployment-on-vm.md + - name: Deploy Windows 10 with MDT and Configuration Manager + items: + - name: 'Step by step guide: Configure a test lab to deploy Windows 10' + href: windows-10-poc.md + - name: Deploy Windows 10 in a test lab using MDT + href: windows-10-poc-mdt.md + - name: Deploy Windows 10 in a test lab using Configuration Manager + href: windows-10-poc-sc-config-mgr.md + - name: Deployment process posters + href: windows-10-deployment-posters.md + + - name: Plan + items: + - name: Create a deployment plan + href: update/create-deployment-plan.md + - name: Define readiness criteria + href: update/plan-define-readiness.md + - name: Evaluate infrastructure and tools + href: update/eval-infra-tools.md + - name: Determine application readiness + href: update/plan-determine-app-readiness.md + - name: Define your servicing strategy + href: update/waas-servicing-strategy-windows-10-updates.md + - name: Best practices for feature updates on mission-critical devices + href: update/feature-update-mission-critical.md + - name: Plan for volume activation + href: volume-activation/plan-for-volume-activation-client.md + - name: Features removed or planned for replacement + items: + - name: Windows 10 features lifecycle + href: planning/features-lifecycle.md + - name: Features we're no longer developing + href: planning/windows-10-deprecated-features.md + - name: Features we removed + href: planning/windows-10-removed-features.md + + - name: Prepare + items: + - name: Prepare to deploy Windows 10 + href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md + - name: Evaluate and update infrastructure + href: update/update-policies.md + - name: Set up Delivery Optimization for Windows 10 updates + href: update/waas-delivery-optimization-setup.md + - name: Configure BranchCache for Windows 10 updates + href: update/waas-branchcache.md + - name: Prepare your deployment tools + items: + - name: Register devices for deployment with Windows Autopilot + href: windows-autopilot/add-devices.md + - name: Prepare for deployment with MDT + href: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md + - name: Prepare for deployment with Configuration Manager + href: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md + - name: Build a successful servicing strategy + items: + - name: Build deployment rings for Windows 10 updates + href: update/waas-deployment-rings-windows-10-updates.md + - name: Prepare updates using Windows Update for Business + href: update/waas-manage-updates-wufb.md + - name: Prepare updates using WSUS + href: update/waas-manage-updates-wsus.md + + - name: Deploy + items: + - name: Deploy Windows 10 + items: + - name: Deploy Windows 10 with Autopilot + href: windows-autopilot/windows-autopilot-scenarios.md + - name: Deploy Windows 10 with Configuration Manager + items: + - name: Deploy to a new device + href: deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md + - name: Refresh a device + href: deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md + - name: Replace a device + href: deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md + - name: In-place upgrade + href: deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md + - name: Deploy Windows 10 with MDT + items: + - name: Deploy to a new device + href: deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md + - name: Refresh a device + href: deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md + - name: Replace a device + href: deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md + - name: In-place upgrade + href: deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md + - name: Subscription Activation + items: + - name: Windows 10 Subscription Activation + href: windows-10-subscription-activation.md + - name: Windows 10 Enterprise E3 in CSP + href: windows-10-enterprise-e3-overview.md + - name: Configure VDA for Subscription Activation + href: vda-subscription-activation.md + - name: Deploy Windows 10 Enterprise licenses + href: deploy-enterprise-licenses.md + - name: Deploy Windows 10 updates + items: + - name: Assign devices to servicing channels + href: update/waas-servicing-channels-windows-10-updates.md + - name: Deploy updates with Configuration Manager + href: update/deploy-updates-configmgr.md + - name: Deploy updates with Intune + href: update/waas-wufb-csp-mdm.md + - name: Deploy updates with WSUS + href: update/waas-manage-updates-wsus.md + - name: Deploy updates with Group Policy + href: update/waas-wufb-group-policy.md + - name: Update Windows 10 media with Dynamic Update + href: update/media-dynamic-update.md + - name: Manage the Windows 10 update experience + items: + - name: Manage device restarts after updates + href: update/waas-restart.md + - name: Manage additional Windows Update settings + href: update/waas-wu-settings.md + - name: Deploy feature updates during maintenance windows + href: update/feature-update-maintenance-window.md + - name: Deploy feature updates for user-initiated installations + href: update/feature-update-user-install.md + - name: Use Windows Update for Business + items: + - name: What is Windows Update for Business? + href: update/waas-manage-updates-wufb.md + - name: Configure Windows Update for Business + href: update/waas-configure-wufb.md + - name: Enforcing compliance deadlines for updates + href: update/wufb-compliancedeadlines.md + - name: Integrate Windows Update for Business with management solutions + href: update/waas-integrate-wufb.md + - name: 'Walkthrough: use Group Policy to configure Windows Update for Business' + href: update/waas-wufb-group-policy.md + - name: 'Walkthrough: use Intune to configure Windows Update for Business' + href: update/waas-wufb-csp-mdm.md + - name: Monitor Windows 10 updates + items: + - name: Monitor Delivery Optimization + href: update/waas-delivery-optimization-setup.md#monitor-delivery-optimization + - name: Monitor Windows Updates with Update Compliance + items: + - name: Get started + items: + - name: Get started with Update Compliance + href: update/update-compliance-get-started.md + - name: Update Compliance configuration script + href: update/update-compliance-configuration-script.md + - name: Manually configuring devices for Update Compliance + href: update/update-compliance-configuration-manual.md + - name: Update Compliance monitoring + items: + - name: Use Update Compliance + href: update/update-compliance-using.md + - name: Need attention report + href: update/update-compliance-need-attention.md + - name: Security update status report + href: update/update-compliance-security-update-status.md + - name: Feature update status report + href: update/update-compliance-feature-update-status.md + - name: Delivery Optimization in Update Compliance + href: update/update-compliance-delivery-optimization.md + - name: Data handling and privacy in Update Compliance + href: update/update-compliance-privacy.md + - name: Update Compliance schema reference + items: + - name: WaaSUpdateStatus + href: update/update-compliance-schema-waasupdatestatus.md + - name: WaaSInsiderStatus + href: update/update-compliance-schema-waasinsiderstatus.md + - name: WaaSDepoymentStatus + href: update/update-compliance-schema-waasdeploymentstatus.md + - name: WUDOStatus + href: update/update-compliance-schema-wudostatus.md + - name: WUDOAggregatedStatus + href: update/update-compliance-schema-wudoaggregatedstatus.md + - name: Troubleshooting + items: + - name: Resolve upgrade errors + items: + - name: Resolve Windows 10 upgrade errors + href: upgrade/resolve-windows-10-upgrade-errors.md + - name: Quick fixes + href: upgrade/quick-fixes.md + - name: SetupDiag + href: upgrade/setupdiag.md + - name: Troubleshooting upgrade errors + href: upgrade/troubleshoot-upgrade-errors.md + - name: Windows error reporting + href: upgrade/windows-error-reporting.md + - name: Upgrade error codes + href: upgrade/upgrade-error-codes.md + - name: Log files + href: upgrade/log-files.md + - name: Resolution procedures + href: upgrade/resolution-procedures.md + - name: Submit Windows 10 upgrade errors + href: upgrade/submit-errors.md + - name: Troubleshoot Windows Update + items: + - name: How to troubleshoot Windows Update + href: update/windows-update-troubleshooting.md + - name: Determine the source of Windows Updates + href: update/windows-update-sources.md + - name: Common Windows Update errors + href: update/windows-update-errors.md + - name: Windows Update error code reference + href: update/windows-update-error-reference.md + + - name: Reference + items: + - name: How does Windows Update work? + href: update/how-windows-update-works.md + - name: Understanding the Unified Update Platform + href: update/windows-update-overview.md + - name: Servicing stack updates + href: update/servicing-stack-updates.md + - name: How Windows Update works + href: update/how-windows-update-works.md + - name: Additional Windows Update settings + href: update/waas-wu-settings.md + - name: Delivery Optimization reference + href: update/waas-delivery-optimization-reference.md + - name: Windows 10 in S mode + href: windows-10-pro-in-s-mode.md + - name: Windows 10 deployment tools + items: + - name: Windows 10 deployment scenarios and tools + items: + - name: Convert MBR partition to GPT + href: mbr-to-gpt.md + - name: Configure a PXE server to load Windows PE + href: configure-a-pxe-server-to-load-windows-pe.md + - name: Windows ADK for Windows 10 scenarios for IT Pros + href: windows-adk-scenarios-for-it-pros.md + - name: Windows To Go + items: + - name: Deploy Windows To Go in your organization + href: deploy-windows-to-go.md + - name: "Windows To Go: feature overview" + href: planning/windows-to-go-overview.md + - name: Best practice recommendations for Windows To Go + href: planning/best-practice-recommendations-for-windows-to-go.md + - name: Deployment considerations for Windows To Go + href: planning/deployment-considerations-for-windows-to-go.md + - name: Prepare your organization for Windows To Go + href: planning/prepare-your-organization-for-windows-to-go.md + - name: Security and data protection considerations for Windows To Go + href: planning/security-and-data-protection-considerations-for-windows-to-go.md + - name: "Windows To Go: frequently asked questions" + href: planning/windows-to-go-frequently-asked-questions.md + + - name: Volume Activation Management Tool (VAMT) technical reference + items: + - name: VAMT technical reference + href: volume-activation/volume-activation-management-tool.md + - name: Introduction to VAMT + href: volume-activation/introduction-vamt.md + - name: Active Directory-Based Activation Overview + href: volume-activation/active-directory-based-activation-overview.md + - name: Install and Configure VAMT + href: volume-activation/install-configure-vamt.md + - name: VAMT Requirements + href: volume-activation/vamt-requirements.md + - name: Install VAMT + href: volume-activation/install-vamt.md + - name: Configure Client Computers + href: volume-activation/configure-client-computers-vamt.md + - name: Add and Manage Products + href: volume-activation/add-manage-products-vamt.md + - name: Add and Remove Computers + href: volume-activation/add-remove-computers-vamt.md + - name: Update Product Status + href: volume-activation/update-product-status-vamt.md + - name: Remove Products + href: volume-activation/remove-products-vamt.md + - name: Manage Product Keys + href: volume-activation/manage-product-keys-vamt.md + - name: Add and Remove a Product Key + href: volume-activation/add-remove-product-key-vamt.md + - name: Install a Product Key + href: volume-activation/install-product-key-vamt.md + - name: Install a KMS Client Key + href: volume-activation/install-kms-client-key-vamt.md + - name: Manage Activations + href: volume-activation/manage-activations-vamt.md + - name: Perform Online Activation + href: volume-activation/online-activation-vamt.md + - name: Perform Proxy Activation + href: volume-activation/proxy-activation-vamt.md + - name: Perform KMS Activation + href: volume-activation/kms-activation-vamt.md + - name: Perform Local Reactivation + href: volume-activation/local-reactivation-vamt.md + - name: Activate an Active Directory Forest Online + href: volume-activation/activate-forest-vamt.md + - name: Activate by Proxy an Active Directory Forest + href: volume-activation/activate-forest-by-proxy-vamt.md + - name: Manage VAMT Data + href: volume-activation/manage-vamt-data.md + - name: Import and Export VAMT Data + href: volume-activation/import-export-vamt-data.md + - name: Use VAMT in Windows PowerShell + href: volume-activation/use-vamt-in-windows-powershell.md + - name: VAMT Step-by-Step Scenarios + href: volume-activation/vamt-step-by-step.md + - name: "Scenario 1: Online Activation" + href: volume-activation/scenario-online-activation-vamt.md + - name: "Scenario 2: Proxy Activation" + href: volume-activation/scenario-proxy-activation-vamt.md + - name: "Scenario 3: KMS Client Activation" + href: volume-activation/scenario-kms-activation-vamt.md + - name: VAMT Known Issues + href: volume-activation/vamt-known-issues.md + + - name: User State Migration Tool (USMT) technical reference + items: + - name: USMT overview topics + items: + - name: USMT overview + href: usmt/usmt-overview.md + - name: Getting started with the USMT + href: usmt/getting-started-with-the-user-state-migration-tool.md + - name: Windows upgrade and migration considerations + href: upgrade/windows-upgrade-and-migration-considerations.md + - name: USMT How-to topics + items: + - name: Exclude Files and Settings + href: usmt/usmt-exclude-files-and-settings.md + - name: Extract Files from a Compressed USMT Migration Store + href: usmt/usmt-extract-files-from-a-compressed-migration-store.md + - name: Include Files and Settings + href: usmt/usmt-include-files-and-settings.md + - name: Migrate Application Settings + href: usmt/migrate-application-settings.md + - name: Migrate EFS Files and Certificates + href: usmt/usmt-migrate-efs-files-and-certificates.md + - name: Migrate User Accounts + href: usmt/usmt-migrate-user-accounts.md + - name: Reroute Files and Settings + href: usmt/usmt-reroute-files-and-settings.md + - name: Verify the Condition of a Compressed Migration Store + href: usmt/verify-the-condition-of-a-compressed-migration-store.md + - name: USMT Troubleshooting + href: usmt/usmt-troubleshooting.md + - name: Common Issues + href: usmt/usmt-common-issues.md + - name: Frequently Asked Questions + href: usmt/usmt-faq.md + - name: Log Files + href: usmt/usmt-log-files.md + - name: Return Codes + href: usmt/usmt-return-codes.md + - name: USMT Resources + href: usmt/usmt-resources.md + + - name: USMT Reference + items: + - name: USMT Requirements + href: usmt/usmt-requirements.md + - name: USMT Best Practices + href: usmt/usmt-best-practices.md + - name: How USMT Works + href: usmt/usmt-how-it-works.md + - name: Plan Your Migration + href: usmt/usmt-plan-your-migration.md + - name: Common Migration Scenarios + href: usmt/usmt-common-migration-scenarios.md + - name: What Does USMT Migrate? + href: usmt/usmt-what-does-usmt-migrate.md + - name: Choose a Migration Store Type + href: usmt/usmt-choose-migration-store-type.md + - name: Migration Store Types Overview + href: usmt/migration-store-types-overview.md + - name: Estimate Migration Store Size + href: usmt/usmt-estimate-migration-store-size.md + - name: Hard-Link Migration Store + href: usmt/usmt-hard-link-migration-store.md + - name: Migration Store Encryption + href: usmt/usmt-migration-store-encryption.md + - name: Determine What to Migrate + href: usmt/usmt-determine-what-to-migrate.md + - name: Identify users + href: usmt/usmt-identify-users.md + - name: Identify Applications Settings + href: usmt/usmt-identify-application-settings.md + - name: Identify Operating System Settings + href: usmt/usmt-identify-operating-system-settings.md + - name: Identify File Types, Files, and Folders + href: usmt/usmt-identify-file-types-files-and-folders.md + - name: Test Your Migration + href: usmt/usmt-test-your-migration.md + - name: USMT Command-line Syntax + href: usmt/usmt-command-line-syntax.md + - name: ScanState Syntax + href: usmt/usmt-scanstate-syntax.md + - name: LoadState Syntax + href: usmt/usmt-loadstate-syntax.md + - name: UsmtUtils Syntax + href: usmt/usmt-utilities.md + - name: USMT XML Reference + href: usmt/usmt-xml-reference.md + - name: Understanding Migration XML Files + href: usmt/understanding-migration-xml-files.md + - name: Config.xml File + href: usmt/usmt-configxml-file.md + - name: Customize USMT XML Files + href: usmt/usmt-customize-xml-files.md + - name: Custom XML Examples + href: usmt/usmt-custom-xml-examples.md + - name: Conflicts and Precedence + href: usmt/usmt-conflicts-and-precedence.md + - name: General Conventions + href: usmt/usmt-general-conventions.md + - name: XML File Requirements + href: usmt/xml-file-requirements.md + - name: Recognized Environment Variables + href: usmt/usmt-recognized-environment-variables.md + - name: XML Elements Library + href: usmt/usmt-xml-elements-library.md + - name: Offline Migration Reference + href: usmt/offline-migration-reference.md + + - name: Application Compatibility Toolkit (ACT) Technical Reference + items: + - name: SUA User's Guide + href: planning/sua-users-guide.md + - name: Using the SUA Wizard + href: planning/using-the-sua-wizard.md + - name: Using the SUA Tool + href: planning/using-the-sua-tool.md + - name: Tabs on the SUA Tool Interface + href: planning/tabs-on-the-sua-tool-interface.md + - name: Showing Messages Generated by the SUA Tool + href: planning/showing-messages-generated-by-the-sua-tool.md + - name: Applying Filters to Data in the SUA Tool + href: planning/applying-filters-to-data-in-the-sua-tool.md + - name: Fixing Applications by Using the SUA Tool + href: planning/fixing-applications-by-using-the-sua-tool.md + - name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista + href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md + - name: Compatibility Administrator User's Guide + href: planning/compatibility-administrator-users-guide.md + - name: Using the Compatibility Administrator Tool + href: planning/using-the-compatibility-administrator-tool.md + - name: Available Data Types and Operators in Compatibility Administrator + href: planning/available-data-types-and-operators-in-compatibility-administrator.md + - name: Searching for Fixed Applications in Compatibility Administrator + href: planning/searching-for-fixed-applications-in-compatibility-administrator.md + - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator + href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md + - name: Creating a Custom Compatibility Fix in Compatibility Administrator + href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md + - name: Creating a Custom Compatibility Mode in Compatibility Administrator + href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md + - name: Creating an AppHelp Message in Compatibility Administrator + href: planning/creating-an-apphelp-message-in-compatibility-administrator.md + - name: Viewing the Events Screen in Compatibility Administrator + href: planning/viewing-the-events-screen-in-compatibility-administrator.md + - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator + href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md + - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator + href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md + - name: Managing Application-Compatibility Fixes and Custom Fix Databases + href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md + - name: Understanding and Using Compatibility Fixes + href: planning/understanding-and-using-compatibility-fixes.md + - name: Compatibility Fix Database Management Strategies and Deployment + href: planning/compatibility-fix-database-management-strategies-and-deployment.md + - name: Testing Your Application Mitigation Packages + href: planning/testing-your-application-mitigation-packages.md + - name: Using the Sdbinst.exe Command-Line Tool + href: planning/using-the-sdbinstexe-command-line-tool.md + - name: Volume Activation + href: volume-activation/volume-activation-windows-10.md + - name: Plan for volume activation + href: volume-activation/plan-for-volume-activation-client.md + - name: Activate using Key Management Service + href: volume-activation/activate-using-key-management-service-vamt.md + - name: Activate using Active Directory-based activation + href: volume-activation/activate-using-active-directory-based-activation-client.md + - name: Activate clients running Windows 10 + href: volume-activation/activate-windows-10-clients-vamt.md + - name: Monitor activation + href: volume-activation/monitor-activation-client.md + - name: Use the Volume Activation Management Tool + href: volume-activation/use-the-volume-activation-management-tool-client.md + - name: "Appendix: Information sent to Microsoft during activation " + href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md + + - name: Install fonts in Windows 10 + href: windows-10-missing-fonts.md \ No newline at end of file diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 4e60ac99b8..50841d9bc7 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -27,12 +27,10 @@ This topic provides an overview of new solutions and online content related to d - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://docs.microsoft.com/windows/whats-new/index). - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). -## Recent additions to this page +## Recent changes -[SetupDiag](#setupdiag) 1.6 is released.
      -The [Windows ADK for Windows 10, version 1903](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
      -New [Windows Autopilot](#windows-autopilot) content is available.
      -[Windows 10 Subscription Activation](#windows-10-subscription-activation) now supports Windows 10 Education. +[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
      +The [Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/adk-install) is available.
      ## The Modern Desktop Deployment Center @@ -50,8 +48,8 @@ See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, whic ## Windows 10 servicing and support - [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index c6400f67e9..4872285d93 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -88,7 +88,6 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services > [!NOTE] > If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index b54532b820..52cc80097b 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -25,8 +25,8 @@ ms.topic: article This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. ## Deployment tips diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 2d316a4b7f..753f83e575 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -1,105 +1,94 @@ -### YamlMime:YamlDocument +### YamlMime:Landing + +title: Windows 10 deployment resources and documentation # < 60 chars +summary: Learn about deploying and and keeping Windows 10 up to date. # < 160 chars -documentType: LandingData -title: Deploy and update Windows 10 metadata: - document_id: - title: Deploy and update Windows 10 - description: Deploying and updating Windows 10 for IT professionals. - keywords: deploy, update, Windows, service, Microsoft365, e5, e3 - ms.localizationpriority: high - author: greg-lindsay - ms.author: greglin - manager: laurawi - ms.topic: article - ms.devlang: na + title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 05/27/2020 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new -sections: -- items: - - type: markdown - text: Learn about deployment of Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous versions and updating Windows 10. -- items: - - type: list - style: cards - className: cardsM - columns: 3 - items: - - href: windows-10-deployment-scenarios - html:

      Understand the different ways that Windows 10 can be deployed

      - image: - src: https://docs.microsoft.com/media/common/i_deploy.svg - title: Windows 10 deployment scenarios - - href: update - html:

      Update Windows 10 in the enterprise

      - image: - src: https://docs.microsoft.com/media/common/i_upgrade.svg - title: Windows as a service - - href: windows-autopilot/windows-autopilot - html:

      Windows Autopilot greatly simplifies deployment of Windows devices

      - image: - src: https://docs.microsoft.com/media/common/i_delivery.svg - title: Windows Autopilot -- title: -- items: - - type: markdown - text: " -
      -
    - - - - - - -
    [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Microsoft 365 Apps for enterprise deployments.
    [What's new in Windows 10 deployment](deploy-whats-new.md) See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization.
    [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
    [Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot enables an IT department to pre-configure new devices and repurpose existing devices with a simple process that requires little to no infrastructure.
    [Windows 10 Subscription Activation](windows-10-subscription-activation.md) Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
    [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
    - " -- title: Deploy Windows 10 -- items: - - type: markdown - text: " - Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment. -
     
    - - - - - - - - - - - -
    TopicDescription
    [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
    [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) This topic provides information about support for upgrading directly to Windows 10 from a previous operating system.
    [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
    [Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
    [Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows diagnostic data enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
    [Windows 10 deployment test lab](windows-10-poc.md) This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md).
    [Plan for Windows 10 deployment](planning/index.md) This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning.
    [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT).
    [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-cm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or.
    [Windows 10 deployment tools](windows-10-deployment-tools-reference.md) Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more.
    - " -- title: Update Windows 10 -- items: - - type: markdown - text: " - Information is provided about keeping Windows 10 up-to-date. -
     
    - - - - - - - - - - - - - - - -
    TopicDescription
    [Quick guide to Windows as a service](update/waas-quick-start.md) Provides a brief summary of the key points for the new servicing model for Windows 10.
    [Overview of Windows as a service](update/waas-overview.md) Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools.
    [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) Explains the decisions you need to make in your servicing strategy.
    [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates.
    [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider.
    [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization.
    [Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md) Explains the benefits of using Delivery Optimization or BranchCache for update distribution.
    [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile.
    [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune.
    [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) Explains how to use WSUS to manage Windows 10 updates.
    [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](update/waas-manage-updates-configuration-manager.md) Explains how to use Configuration Manager to manage Windows 10 updates.
    [Manage device restarts after updates](update/waas-restart.md) Explains how to manage update related device restarts.
    [Manage additional Windows Update settings](update/waas-wu-settings.md) Provides details about settings available to control and configure Windows Update.
    [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) Explains how the Windows Insider Program for Business works and how to become an insider.
    - " -- title: Additional topics -- items: - - type: markdown - text: " -
    - [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. - -  " +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Overview + linkLists: + - linkListType: overview + links: + - text: Windows 10 deployment scenarios + url: windows-10-deployment-scenarios.md + - text: What is Windows as a service? + url: update/waas-overview.md + - text: Types of Windows updates + url: update/waas-quick-start.md#definitions + + # Card (optional) + - title: Get started + linkLists: + - linkListType: get-started + links: + - text: Demonstrate Autopilot deployment + url: windows-autopilot/demonstrate-deployment-on-vm.md + - text: Servicing the Windows 10 operating system + url: update/waas-servicing-strategy-windows-10-updates.md + - text: Deploy Windows 10 in a test lab + url: windows-10-poc.md + + # Card (optional) + - title: Deployment planning + linkLists: + - linkListType: architecture + links: + - text: Create a deployment plan + url: update/create-deployment-plan.md + - text: Evaluate infrastructure and tools + url: update/eval-infra-tools.md + - text: Define your servicing strategy + url: update/waas-servicing-strategy-windows-10-updates.md + + # Card + - title: Prepare to deploy Windows 10 + linkLists: + - linkListType: how-to-guide + links: + - text: Prepare to deploy Windows 10 + url: deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md + - text: Evaluate and update infrastructure + url: update/update-policies.md + - text: Build a successful servicing strategy + url: update/waas-deployment-rings-windows-10-updates.md + + # Card + - title: Deploy Windows 10 + linkLists: + - linkListType: deploy + links: + - text: Deploy Windows 10 with Autopilot + url: windows-autopilot/windows-autopilot-scenarios.md + - text: Assign devices to servicing channels + url: update/waas-servicing-channels-windows-10-updates.md + - text: Deploy Windows 10 updates + url: update/index.md + + # Card (optional) + - title: Also see + linkLists: + - linkListType: reference + links: + - text: Windows 10 release information + url: https://docs.microsoft.com/en-us/windows/release-information/ + - text: What's new in Windows 10 + url: https://docs.microsoft.com/en-us/windows/whats-new/ + - text: Windows 10 Enterprise Security + url: https://docs.microsoft.com/en-us/windows/security/ diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md deleted file mode 100644 index fc4cb8fefa..0000000000 --- a/windows/deployment/planning/TOC.md +++ /dev/null @@ -1,37 +0,0 @@ -# [Plan for Windows 10 deployment](index.md) -## [Windows 10 Enterprise FAQ for IT Pros](windows-10-enterprise-faq-itpro.md) -## [Windows 10 deployment considerations](windows-10-deployment-considerations.md) -## [Windows 10 compatibility](windows-10-compatibility.md) -## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) - -## Features removed or planned for replacement -### [Windows 10 features lifecycle](features-lifecycle.md) -### [Features we're no longer developing](windows-10-deprecated-features.md) -### [Features we removed](windows-10-removed-features.md) - -## Application Compatibility Toolkit (ACT) -### [Application Compatibility Toolkit (ACT) Technical Reference](act-technical-reference.md) -### [SUA User's Guide](sua-users-guide.md) -#### [Using the SUA Wizard](using-the-sua-wizard.md) -#### [Using the SUA Tool](using-the-sua-tool.md) -##### [Tabs on the SUA Tool Interface](tabs-on-the-sua-tool-interface.md) -##### [Showing Messages Generated by the SUA Tool](showing-messages-generated-by-the-sua-tool.md) -##### [Applying Filters to Data in the SUA Tool](applying-filters-to-data-in-the-sua-tool.md) -##### [Fixing Applications by Using the SUA Tool](fixing-applications-by-using-the-sua-tool.md) -### [Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) -#### [Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) -##### [Available Data Types and Operators in Compatibility Administrator](available-data-types-and-operators-in-compatibility-administrator.md) -##### [Searching for Fixed Applications in Compatibility Administrator](searching-for-fixed-applications-in-compatibility-administrator.md) -##### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) -##### [Creating a Custom Compatibility Fix in Compatibility Administrator](creating-a-custom-compatibility-fix-in-compatibility-administrator.md) -##### [Creating a Custom Compatibility Mode in Compatibility Administrator](creating-a-custom-compatibility-mode-in-compatibility-administrator.md) -##### [Creating an AppHelp Message in Compatibility Administrator](creating-an-apphelp-message-in-compatibility-administrator.md) -##### [Viewing the Events Screen in Compatibility Administrator](viewing-the-events-screen-in-compatibility-administrator.md) -##### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) -##### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) -#### [Managing Application-Compatibility Fixes and Custom Fix Databases](managing-application-compatibility-fixes-and-custom-fix-databases.md) -##### [Understanding and Using Compatibility Fixes](understanding-and-using-compatibility-fixes.md) -##### [Compatibility Fix Database Management Strategies and Deployment](compatibility-fix-database-management-strategies-and-deployment.md) -##### [Testing Your Application Mitigation Packages](testing-your-application-mitigation-packages.md) -#### [Using the Sdbinst.exe Command-Line Tool](using-the-sdbinstexe-command-line-tool.md) -### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) diff --git a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md index 0652569347..41c34aec02 100644 --- a/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md +++ b/windows/deployment/planning/best-practice-recommendations-for-windows-to-go.md @@ -1,54 +1,55 @@ ---- -title: Best practice recommendations for Windows To Go (Windows 10) -description: Best practice recommendations for Windows To Go -ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: best practices, USB, device, boot -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Best practice recommendations for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -The following are the best practice recommendations for using Windows To Go: - -- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. -- Do not insert the Windows To Go drive into a running computer. -- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. -- If available, use a USB 3.0 port with Windows To Go. -- Do not install non-Microsoft core USB drivers on Windows To Go. -- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. - -Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. - -## More information - - -[Windows To Go: feature overview](windows-to-go-overview.md)
    -[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
    -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
    -[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
    -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
    - -  - -  - - - - - +--- +title: Best practice recommendations for Windows To Go (Windows 10) +description: Best practice recommendations for Windows To Go +ms.assetid: 05e6e0ab-94ed-4c0c-a195-0abd006f0a86 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: best practices, USB, device, boot +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Best practice recommendations for Windows To Go + + +**Applies to** + +- Windows 10 + +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +The following are the best practice recommendations for using Windows To Go: + +- Always shut down Windows and wait for shutdown to complete before removing the Windows To Go drive. +- Do not insert the Windows To Go drive into a running computer. +- Do not boot the Windows To Go drive from a USB hub. Always insert the Windows To Go drive directly into a port on the computer. +- If available, use a USB 3.0 port with Windows To Go. +- Do not install non-Microsoft core USB drivers on Windows To Go. +- Suspend BitLocker on Windows host computers before changing the BIOS settings to boot from USB and then resume BitLocker protection. + +Additionally, we recommend that when you plan your deployment you should also plan a standard operating procedure for answering questions about which USB drives can be used for Windows To Go and how to enable booting from USB to assist your IT department or help desk in supporting users and work groups that want to use Windows To Go. It may be very helpful for your organization to work with your hardware vendors to create an IT standard for USB drives for use with Windows To Go, so that if groups within your organization want to purchase drives they can quickly determine which ones they should obtain. + +## More information + + +[Windows To Go: feature overview](windows-to-go-overview.md)
    +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md)
    +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md)
    +[Security and data protection considerations for Windows To Go](security-and-data-protection-considerations-for-windows-to-go.md)
    +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md)
    + +  + +  + + + + + diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md index d57413d357..8724e8278a 100644 --- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md @@ -23,7 +23,7 @@ ms.topic: article - Windows 10 > [!IMPORTANT] -> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. From the start, Windows To Go was designed to minimize differences between the user experience of working on a laptop and Windows To Go booted from a USB drive. Given that Windows To Go was designed as an enterprise solution, extra consideration was given to the deployment workflows that enterprises already have in place. Additionally, there has been a focus on minimizing the number of differences in deployment between Windows To Go workspaces and laptop PCs. diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index a9f0103eb9..c896c72fde 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following information is provided to help you plan and design a new deployment of a Windows To Go in your production environment. It provides answers to the “what”, “why”, and “when” questions an IT professional might have when planning to deploy Windows To Go. diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 905e495858..952f743607 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 5a34226e0f..fba2f6ef1d 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -26,7 +26,9 @@ The features described below are no longer being actively developed, and might b |Feature | Details and mitigation | Announced in version | | ----------- | --------------------- | ---- | -| Hyper-V vSwitch on LBFO | In a future release, the Hyper-V vSwitch will no longer have the capability to be bound to an LBFO team. Instead, it can be bound via [Switch Embedded Teaming](https://docs.microsoft.com/windows-server/virtualization/hyper-v-virtual-switch/rdma-and-switch-embedded-teaming#bkmk_sswitchembedded) (SET).| 1909 | +| Companion Device Framework | The [Companion Device Framework](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | +| Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | +| Dynamic Disks | The [Dynamic Disks](https://docs.microsoft.com/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](https://docs.microsoft.com/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | | Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
     
    The recommended replacement for PSR is [Azure App Service](https://docs.microsoft.com/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index 508cc788a8..b79a9e0b9d 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -27,6 +27,9 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Removed in version | | ----------- | --------------------- | ------ | +| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | +| Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | +| Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. The apps are removed for non-cellular devices.| 2004 | | PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 | | Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 | | Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 | diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index d888468cfe..2a8889f1ab 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -22,8 +22,8 @@ ms.topic: article - Windows 10 ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> [!IMPORTANT] +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. The following list identifies some commonly asked questions about Windows To Go. diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md index 23fefc02cd..c978295e6e 100644 --- a/windows/deployment/planning/windows-to-go-overview.md +++ b/windows/deployment/planning/windows-to-go-overview.md @@ -23,7 +23,7 @@ ms.topic: article - Windows 10 > [!IMPORTANT] -> Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. +> Windows To Go is removed in Windows 10, version 2004 and later operating systems. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that enables the creation of a Windows To Go workspace that can be booted from a USB-connected external drive on PCs. diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md new file mode 100644 index 0000000000..da1db27ff2 --- /dev/null +++ b/windows/deployment/update/create-deployment-plan.md @@ -0,0 +1,140 @@ +--- +title: Create a deployment plan +description: Devise the number of deployment rings you need and how you want to populate them +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Create a deployment plan + +A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity. + +When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and we’ve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline. + +At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur. + +A common ring structure comprises three deployment groups: + +- Preview: Planning and development +- Limited: Pilot and validation +- Broad: Wide deployment + +> [!NOTE] +> Organizations often use different names for their “rings," for example: +> - First > Fast > Broad +> - Canaries > Early Adopters > Users +> - Preview > Broad > Critical + + +## How many rings should I have? + +There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large +organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization. + +## Advancing between rings + +There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based. + +- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution. +- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring. + +When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal. + +## Preview ring + +The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next, +generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update. + +> [!NOTE] +> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases. + + +### Who goes in the Preview ring? + +The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization. + +During your plan and prepare phases, these are the activities you should focus on: + +- Work with Windows Insider Preview builds. +- Identify the features and functionality your organization can or wants to use. +- Establish who will use the features and how they will benefit. +- Understand why you are putting the update out. +- Plan for usage feedback. + +Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release. + +> [!IMPORTANT] +> If you are using Windows Insider (pre-release) releases for your preview ring and you are using WSUS or Windows Update for Business, be sure to set the following policies to allow for Preview builds: +> - **Manage Preview Builds: 2 - Enable preview builds** +> • Under **Branch Readiness Level**, select **When Preview Builds and Feature Updates are Received: 4--Windows Insider Program Slow** + +## Limited ring + +The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop +Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment. + +### Who goes in the Limited ring? + +The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network. + + +During your pilot and validate phases, these are the activities you should focus on: + +- Deploy new innovations. +- Assess and act if issues are encountered. +- Move forward unless blocked. + +When you deploy to the Limited ring, you’ll be able to gather data and react to incidents happening in the environment, quickly addressing any issues that might arise. Ensure you monitor for sufficient adoption within this ring, because your Limited ring represents your organization across the board, and when you achieve sufficient adoption, you can have confidence that your broader deployment will run more smoothly. + +## Broad deployment + +Once the devices in the Limited ring have had a sufficient stabilization period, it’s time for broad deployment across the network. + +### Who goes in the Broad deployment ring? + +In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly. + +> [!NOTE] +> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature +> updates to mission critical devices. + +During the broad deployment phase, these are the activities you should focus on: + +- Deploy to all devices in the organization. +- Work through any final unusual issues that were not detected in your Limited ring. + + +## Ring deployment planning + +Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics. + + +[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to +make informed decisions about the readiness of your Windows devices. + +In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest +feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions. + +> [!IMPORTANT] +> Desktop Analytics does not support preview (Windows Insider) builds; use Configuration Manager to deploy to your Preview ring. As noted previously, the Preview ring is a small group of devices represents your ecosystem very well in terms of app, driver, and hardware diversity. + +### Deployment plan options + +There are two ways to implement a ring deployment plan, depending on how you manage your devices: + +- If you are using Configuration Manager: Desktop Analytics provides end-to-end deployment plan integration so that you can also kick off phased deployments within a ring. Learn more about [deployment plans in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/about-deployment-plans). +- If you are using Microsoft Intune, see [Create deployment plans directly in Intune](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide). + +For more about Desktop Analytics, see these articles: + +- [How to set up Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/set-up) +- [Tutorial: Deploy Windows 10 to Pilot](https://docs.microsoft.com/mem/configmgr/desktop-analytics/tutorial-windows10) +- [Desktop Analytics documentation](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) +- [Intune deployment planning, design, and implementation guide](https://docs.microsoft.com/mem/intune/fundamentals/planning-guide) + diff --git a/windows/deployment/update/define-update-strategy.md b/windows/deployment/update/define-update-strategy.md new file mode 100644 index 0000000000..d8fd47ee87 --- /dev/null +++ b/windows/deployment/update/define-update-strategy.md @@ -0,0 +1,59 @@ +--- +title: Define update strategy +ms.reviewer: +manager: laurawi +description: +keywords: updates, calendar, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Define update strategy + +Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices. + +Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--withouth interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. + +Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly. + + + +## Calendar approaches + +You can use a calendar approach for either a faster 18-month or twice-per-year cadence or a 30-month or annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. + + +### Annual + +Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles: + +![annual calendar](images/annual-calendar.png) + +This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version 20H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates. + +This cadence might be most suitable for you if any of these conditions apply: + +- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost. +- You want to wait and see how successful other companies are at adopting a Windows 10 feature update. +- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the *second* half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months). + + +### Rapid + +This calendar shows an example schedule that installs each feature update as it is released, twice per year: + +![rapid calendar](images/rapid-calendar.png) + +This cadence might be best for you if these conditions apply: + +- You have a strong appetite for change. +- You want to continuously update supporting infrastructure and unlock new scenarios. +- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office. +- You have experience with feature updates for Windows 10. \ No newline at end of file diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md new file mode 100644 index 0000000000..202b4531b9 --- /dev/null +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -0,0 +1,20 @@ +--- +title: Deploy Windows 10 updates with Configuration Manager (Windows 10) +description: Deploy Windows 10 updates with Configuration Manager +ms.prod: w10 +ms.mktglfcycl: manage +author: jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.reviewer: +manager: laurawi +ms.topic: article +--- + +# Deploy Windows 10 updates with Configuration Manager + +**Applies to** + +- Windows 10 + +See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md new file mode 100644 index 0000000000..af6fe156e8 --- /dev/null +++ b/windows/deployment/update/eval-infra-tools.md @@ -0,0 +1,71 @@ +--- +title: Evaluate infrastructure and tools +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Evaluate infrastructure and tools + +Before you deploy an update, it's best to assess your deployment infrastucture (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness. + +## Infrastructure + +Do your deployment tools need updates? + +- If you use Configuration Manager, is it on the Current Branch with the latest release installed. This ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months. +- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated. +- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update. + +Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so. + +## Device settings + +Make sure your security basline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed. + +### Security baseline + +Keep security baslines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly. + +- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them. +- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy. + +### Configuration updates + +There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately. + +- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). +- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. + + +## Define operational readiness criteria + +When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. To achieve this, work with your operations and support team to define acceptable trends and what documents or processes require updating: + +- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported. +- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported. +- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update. +- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update. + +Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get get this information so you can gain the right insight. + +## Tasks + +Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks: + +- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined. +- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update. +- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update. +- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed. +- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure? +- **Define operational update plan**: Detail how your operational services and processes must change to support the update. diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png new file mode 100644 index 0000000000..a13d5393e6 Binary files /dev/null and b/windows/deployment/update/images/DO-absolute-bandwidth.png differ diff --git a/windows/deployment/update/images/annual-calendar.png b/windows/deployment/update/images/annual-calendar.png new file mode 100644 index 0000000000..1ff15bed76 Binary files /dev/null and b/windows/deployment/update/images/annual-calendar.png differ diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png new file mode 100644 index 0000000000..35aec71626 Binary files /dev/null and b/windows/deployment/update/images/rapid-calendar.png differ diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md new file mode 100644 index 0000000000..a2ff53df19 --- /dev/null +++ b/windows/deployment/update/plan-define-readiness.md @@ -0,0 +1,115 @@ +--- +title: Define readiness criteria +ms.reviewer: +manager: laurawi +description: Identify important roles and figure out how to classify apps +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Define readiness criteria + +## Figure out roles and personnel + +Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment. + +### Process manager + +The process manager leads the update deployment process and has the authority to push the process forward--or halt it if necessary. They also have responsibilities in organizing these activities: + + +|Compatibility workstream |Deployment |Capability and modernization | +|---------|---------|---------| +|[Assigning application priority](#set-criteria-for-rating-apps) | Reviewing infrastructure requirements | Determining infrastructure changes | +|Application assessment | Validating infrastructure against requirements | Determining configuration changes | +|Device assessment | Creating infrastructure update plan | Create capability proposal | + +It's the process manager's role to collect reports on remediation efforts, escalate failures, and to decide whether your environment is ready for pilot deployment and then broad deployment. + + +This table sketches out one view of the other roles, with their responsibilities, relevant skills, and the deployment phases where they are needed: + + +|Role |Responsibilities |Skills |Active phases | +|---------|---------|---------|---------| +|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment | +|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment | +|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare | +|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment | +|Operations | Ensure that support is available for current Windows version. Provide post-deployment support, including user communication and rollbacks. | Platform security | Prepare, pilot deployment, broad deployment | +|Security | Review and approve the security baseline and tools | Platform security | Prepare, pilot deployment | +|Stakeholders | Represent groups affected by updates, for example, heads of finance, end-user services, or change management | Key decision maker for a business unit or department | Plan, pilot deployment, broad deployment | + + + + + + +## Set criteria for rating apps + +Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise. + +In the Prepare phase, you'll apply the criteria you define now to every app in your organization. + +Here's a suggested classification scheme: + + +|Classification |Definition| +|---------|---------| +|Critical | The most vital applications that handle core business activities and processes. If these applications were not available, the business, or a business unit, couldn't function at all. | +|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. | +|Not important | There is no impact on the business if these apps are not available for a while. | + +Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority. + +Here's an example priority rating system; of course the specifics could vary for your organization: + + +|Priority |Definition | +|---------|---------| +|1 | Any issues or risks identified must be investigated and resolved as soon as possible. | +|2 | Start investigating risks and issues within two business days and fix them *during* the current deployment cycle. | +|3 | Start investigating risks and issues within 10 business days. You don’t have to fix them all within the current deployment cycle. However, all issues must be fixed by the end of the next deployment cycle. | +|4 | Start investigating risks and issues within 20 business days. You can fix them in the current or any future development cycle. | + +Related to priority, but distinct, is the concept of severity. You should define a severity ranking as well, based on how you feel a problem with an app should affect the deployment cycle. + +Here's an example: + + +|Severity |Effect | +|---------|---------| +|1 | Work stoppage or loss of revenue | +|2 | Productivity loss for a business unit | +|3 | Productivity loss for individual users | +|4 | Minimal impact on users | + +## Example: a large financial corporation + +Using the suggested scheme, a financial corporation might classify their apps like this: + + +|App |Classification | +|---------|---------| +|Credit processing app | Critical | +|Frontline customer service app | Critical | +|PDF viewer | Important | +|Image processing app | Not important | + +Further, they might combine this classification with severity and priority rankings like this: + + +|Classification |Severity |Priority |Response | +|---------|---------|---------|---------| +|Critical | 1 or 2 | 1 or 2 | For 1, stop deployment until resolved; for 2, stop deployment for affected devices or users only. | +|Important | 3 or 4 | 3 or 4 | For 3, continue deployment, even for affected devices, as long as there is workaround guidance. | +|Not important | 4 | 4 | Continue deployment for all devices. | + diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md new file mode 100644 index 0000000000..29c3c93099 --- /dev/null +++ b/windows/deployment/update/plan-determine-app-readiness.md @@ -0,0 +1,76 @@ +--- +title: Determine application readiness +ms.reviewer: +manager: laurawi +description: How to test your apps to know which need attention prior to deploying an update +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Determine application readiness + +Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization. + +## Validation methods + +You can choose from a variety of methods to validate apps. Exactly which ones to use will depend on the specifics of your environment. + + +|Validation method |Description | +|---------|---------| +|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. | +|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. | +|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. | +|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. | +|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and aren’t handled by enterprise application distribution. | + +Combining the various validation methods with the app classifications you've previously established might look like this: + + +|Validation method |Critical apps |Important apps |Not important apps | +|---------|---------|---------|---------| +|Full regression | x | | | +|Smoke testing | | x | | +|Automated testing | x | x | x | +|Test in pilot | x | x | x | + + +## Identify users + +Since your organization no doubt has a wide variety of users, each with different background and regular tasks, you'll have to choose which users are best suited for validation testing. Some factors to consider include: + +- **Location**: If users are in different physical locations, can you support them and get validation feedback from the region they're in? +- **Application knowledge**: Do the users have appropriate knowledge of how the app is supposed to work? +- **Technical ability**: Do the users have enough technical competence to provide useful feedback from various test scenarios? + +You could seek volunteers who enjoy working with new features and include them in the pilot deployment. You might want to avoid using core users like department heads or project managers. Current application owners, operations personnel, and developers can help you identify the most appropriate pilot users. + +## Identify and set up devices for validation + +In addition to users, it's important to carefully choose devices to participate in app validation as well. For example, ideally, your selection will include devices representing all of the hardware models in your environment. + +There is more than one way to choose devices for app validation: + +- **Existing pilot devices**: You might already have a list of devices that you regularly use for testing updates as part of release cycles. +- **Manual selection**: Some internal groups like operations will have expertise to help choose devices manually based on specifications, usage, or records of past support problems. +- **Data-driven analysis**: With appropriate tools, you can use diagnostic data from devices to inform your choices. + + +## Desktop Analytics + +Desktop Analytics can make all of the tasks discussed in this article significantly easier: + +- Creating and maintaining an application and device inventory +- Assign owners to applications for testing +- Automatically apply your app classifications (critical, important, not important) +- Automatically identify application compatibility risks and provide recommendations for reducing those risks + +For more information, see [What is Desktop Analytics?](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md new file mode 100644 index 0000000000..dbf94c9677 --- /dev/null +++ b/windows/deployment/update/update-policies.md @@ -0,0 +1,204 @@ +--- +title: Policies for update compliance, activity, and end-user experience +ms.reviewer: +manager: laurawi +description: +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +audience: itpro +author: jaimeo +ms.localizationpriority: medium +ms.audience: itpro +author: jaimeo +ms.topic: article +ms.collection: M365-modern-desktop +--- + +# Policies for update compliance, activity, and end-user experience +Keeping devices up to date is the best way to keep them working smoothly and securely. + +## Deadlines for update compliance + +You can control how strictly devices must reliably keep to your desired update schedule by using update deadline policies. Windows components adapt based on these deadlines. Also, they can make tradeoffs between user experience and velocity in order to meet your desired update deadlines. For example, they can prioritize user experience well before the +deadline approaches, and then prioritize velocity as the deadline nears, while still affording the user some control. + +### Deadlines + +Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709 +and late, a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**. + +The older policies started enforcing deadlines once the device reached a “restart pending” state for +an update. The new policy starts the countdown for the update installation deadline from when the +update is published plus any deferral. In addition, this policy includes a configurable grace period and the option +to opt out of automatic restarts until the deadline is reached (although we recommend always allowing automatic +restarts for maximum update velocity). + +> [!IMPORTANT] +> If you use the new **Specify deadlines for automatic updates and restarts** setting in Windows 10, +> version 1903, you must disable the [older deadline policies](wufb-compliancedeadlines.md#prior-to-windows-10-version-1709) because they could conflict. + +We recommend you set deadlines as follows: +- Quality update deadline, in days: 3 +- Feature update deadline, in days: 7 +- +Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded +later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you +do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you +have kiosks or digital signage. + +While three days for quality updates and seven days for feature updates is our recommendation, you might decide +you want more or less, depending on your organization and its requirements, and this policy is configurable down +to a minimum of two days. + + +> [!IMPORTANT] +> If the device is unable to reach the Internet, it can't determine when Microsoft +> published the update, so it won't be able to enforce the deadline. Learn more about [low activity devices](#device-activity-policies). + +### Grace periods + +You can set a period of days for Windows to find a minimally disruptive automatic restart time before the restart is enforced. This +is especially useful in cases where a user has been away for many days (for example, on vacation) so that the device will not +be forced to update immediately when the user returns. + +We recommend you set the following: + +- Grace period, in days: 2 + +Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs +regardless of [active hours](#active-hours). + + +### Let Windows choose when to restart + +Windows can use user interactions to dynamically identify the least disruptive time for an +automatic restart. To take advantage of this feature, ensure **ConfigureDeadlineNoAutoReboot** is set to +**Disabled**. + +## Device activity policies + +Windows typically requires that a device is active and connected to the internet for at least six hours, with at least two +of continuous activity, in order to successfully complete a system update. The device could have other +physical circumstances that prevent successful installation of an update--for example, if a laptop is running low +on battery power, or the user has shut down the device before active hours end and the device cannot comply +with the deadline. + +You can use the settings in this section to ensure that devices are actually available to install updates during the update compliance period. + +### Active hours + +"Active hours" identify the period of time when a device is expected to be in use. Normally, restarts will occur outside of +these hours. Windows 10, version 1903 introduced "intelligent active hours," which allow the system to learn active hours based on a user’s activities, rather than you as an administrator having to make decisions for your organization or allowing the user to choose active hours that minimize the period when the system can install an update. + +> [!IMPORTANT] +> If you used the **Configure Active Hours** setting in previous versions of Windows 10, these +options must be **Disabled** in order to take advantage of intelligent active hours. + +If you do set active hours, we recommend setting the following policies to **Disabled** in order to increase update +velocity: + +- [Delay automatic reboot](waas-restart.md#delay-automatic-reboot). While it’s possible to set the system to delay restarts for users who are logged +in, this might delay an update indefinitely if a user is always either logged in or shut down. Instead, we +recommend setting the following polices to **Disabled**: + - **Turn off auto-restart during active hours** + - **No auto-restart with logged on users for scheduled automatic updates** + + - [Limit restart delays](waas-restart.md#limit-restart-delays). By using compliance deadlines, your users will receive notifications that +updates will occur, so we recommend that you set this policy to **Disabled**, to allow compliance deadlines to eliminate the user’s ability to delay a restart outside of compliance deadline settings. + +- **Do not allow users to approve updates and reboots**. Letting users approve or engage with the update process outside of the deadline policies decreases update velocity and increases risk. These policies should be set to **Disabled**: + - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) + - [Update/EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadline) + - [Update/EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartdeadlineforfeatureupdates) + - [Update/EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozeschedule) + - [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestartsnoozescheduleforfeatureupdates) + - [Update/EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-engagedrestarttransitionschedule) + +- [Configure automatic update](waas-wu-settings.md#configure-automatic-updates). By properly setting policies to configure automatic updates, you can increase update velocity by having clients contact a Windows Server Update Services (WSUS) server so it can manage them. We recommend that you set this policy to **Disabled**. However, if you need to provide values, ensure that you set downloads to install automatically by setting the [Group Policy](waas-manage-updates-wsus.md#configure-automatic-updates-and-update-service-location) to **4**. If you’re using Microsoft Intune, setting the value to [Reset to Default](https://docs.microsoft.com/mem/intune/protect/windows-update-settings#user-experience-settings). +- **Allow auto Windows Update to download over metered networks**. Since more and more devices primarily use cellular data and do not have wi-fi access, consider allowing users to automatically download updates from a metered network. Though the default setting does not allow download over a metered network, setting this value to **1** can increase velocity by enabling users to get updates whether they are connected to the internet or not, provided they have cellular service. + +> [!IMPORTANT] +> Older versions of Windows don't support intelligent active hours. If your device runs a version of Windows prior to Windows 10, version 1903, we recommend setting the following policies: +>- [Configure active hours](waas-restart.md#configure-active-hours). Starting with Windows 10, version 1703, you can specify a maximum active-hour range which is counted from the active hours start time. We recommend setting +this value to **10**. +>- [Schedule update installation](waas-restart.md#schedule-update-installation). In the **Configure Automatic Updates** settings, there are two ways to control a forced restart after a specified installation time. If you use **schedule update installation**, do not enable both settings because they will most likely conflict. +> - **Specify automatic maintenance time**. This setting lets you set broader maintenance windows for updates and ensures that this schedule does not conflict with active hours. We +recommend setting this value to **3** (corresponding to 3 AM). If 3:00 AM is in the middle of the work shift, pick another time that is at least a couple hours before your scheduled work time begins. +> - **Schedule the install time**. This setting allows you to schedule an installation time for a restart. We do *not* recommend you set this to **Disabled** as it could conflict with active hours. + +### Power policies + +Devices must actually be available during non-active hours in order to an update. They can't do this if power policies prevent them from waking up. In our organization, we strive to set a balance between security and eco-friendly configurations. We recommend the following settings to achieve what we feel are the appropriate tradeoffs: + +To a user, a device is either on or off, but for Windows, there are states that will allow an update to occur (active) and states that do not (inactive). Some states are considered active (sleep), but the user may think the device is off. Also, there are power statuses (plugged in/battery) that Windows checks before starting an update. + +You can override the default settings and prevent users from changing them in order to ensure that devices are available for updates during non-active hours. + +> [!NOTE] +> One way to ensure that devices can install updates when you need them to is to educate your users to keep devices plugged in during non-active hours. Even with the best policies, a device that isn't plugged in will not be updated, even in sleep mode. + +We recommend these power management settings: + +- Sleep mode (S1 or S0 Low Power Idle or [Modern Standby](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby)). When a device is in sleep mode, the system +appears to be off but if an update is available, it can wake the device up in order to take an update. The +power consumption in sleep mode is between working (system fully usable) and hibernate (S4 - lowest +power level before shutdown). When a device is not being used, the system will generally move to sleep +mode before it goes to hibernate. Issues in velocity arise when the time between sleep and hibernate is +too short and Windows does not have time to complete an update. Sleep mode is an important setting +because the system can wake the system from sleep in order to start the update process, as long as there +is enough power. + +Set the following policies to **Enable** or **Do Not Configure** in order to allow the device to use sleep mode: +- [Power/AllowStandbyStatesWhenSleepingOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +Set the following policies to **1 (Sleep)** so that when a user closes the lid of a device, the system goes to +sleep mode and the device has an opportunity to take an update: +- [Power/SelectLidCloseActionOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-selectlidcloseactionpluggedin) + +- **Hibernate**. When a device is hibernating, power consumption is very low and the system cannot wake up +without user intervention, like pressing the power button. If a device is in this state, it cannot be updated +unless it supports an ACPI Time and Alarm Device (TAD). That said, if a device supporting Traditional Sleep +(S3) is plugged in, and a Windows update is available, a hibernate state will be delayed until the update is complete. + +> [!NOTE] +> This does not apply to devices that support Modern Standby (S0 Low Power Idle). You can check which system sleep state (S3 or S0 Low Power Idle) a device supports by running `powercfg /a` at a command prompt. For more, see [Powercfg options](https://docs.microsoft.com/windows-hardware/design/device-experiences/powercfg-command-line-options#option_availablesleepstates). + +The default timeout on devices that support traditional sleep is set to three hours. We recommend that you do not reduce these policies in order to allow Windows Update the opportunity to restart the device before sending it into hibernation: + +- [Power/HibernateTimeoutOnBattery](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-power#power-hibernatetimeoutpluggedin) + +## Old or conflicting policies + +Each release of Windows 10 can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions. + +> [!IMPORTANT] +> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are +> using an MDM tool (Microsoft or non-Microsoft), you can't use the new policy until it's available in the tool interface. + +As administrators, you have set up and expect certain behaviors, so we expressly do not remove older policies since they were set up for your particular use cases. However, if you set a new policy without disabling a similar older policy, you could have conflicting behavior and updates might not perform as expected. + +> [!IMPORTANT] +> We sometimes find that administrators set devices to get both Group Policy settings and MDM settings from an MDM server such as Microsoft Intune. Policy conflicts are handled differently, depending on how they are ultimately set up: +> - Windows updates: Group Policy settings take precedence over MDM. +> - Microsoft Intune: If you set different values for the same policy on two different groups, you will +> receive an alert and neither policy will be set until the conflict is resolved. +> It is crucial that you disable conflicting policies in order for devices in your organization to take updates as +> expected. For example, if a device is not reacting to your MDM policy changes, check to see if a similar +> policy is set in Group Policy with a differing value. +> If you find that update velocity is not as high as you expect or if some devices are slower than others, it might be +> time to clear all polices and settings and specify only the recommended update policies. See the Policy and settings reference for a consolidated list of recommended polices. + +The following are policies that you might want to disable because they could decrease update velocity or there are better policies to use that might conflict: +- **Defer Feature Updates Period in Days**. For maximum update velocity, it's best to set this to **0** (no +deferral) so that the feature update can complete and monthly security updates will be offered again. Even if there is an urgent quality update that must be quickly deployed, it is best to use **Pause Feature +Updates** rather than setting a deferral policy. You can choose a longer period if you don't want to stay up to date with the latest feature update. +- **Defer Quality Updates Period in Days**. To minimize risk and maximize update velocity, the maximum time you might want to consider while evaluating the update with a different ring of devices is two to three days. +- **Pause Feature Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Pause Quality Updates Start Time**. Set to **Disabled** unless there is a known issue requiring time for a resolution. +- **Deadline No Auto Reboot**. Default is **Disabled – Set to 0** . We recommend that devices automatically try to restart when an update is received. Windows uses user interactions to dynamically identify the least disruptive time to restart. + +There are additional policies are no longer supported or have been superseded. diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 0c96d3ba90..d25d48f473 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -99,9 +99,9 @@ In cases where the pause policy is first applied after the configured start date | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for Windows 10, version 1607 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
    **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | +| GPO for Windows 10, version 1607 and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
    **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartTime | | GPO for Windows 10, version 1511:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
    **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | +| MDM for Windows 10, version 1607 and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
    **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime | | MDM for Windows 10, version 1511:
    ../Vendor/MSFT/Policy/Config/Update/
    **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. @@ -223,10 +223,10 @@ The following are quick-reference tables of the supported policy values for Wind | BranchReadinessLevel | REG_DWORD | 2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
    16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel
    32: systems take Feature Updates from Semi-annual Channel
    Note: Other value or absent: receive all applicable updates | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
    Other value or absent: don’t defer quality updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | |DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
    Other value or absent: don’t defer feature updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updates
    Other value or absent: don’t pause feature updates | +| PauseFeatureUpdatesStartTime | REG_DWORD |1: pause feature updates
    Other value or absent: don’t pause feature updates | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
    Other value or absent: offer Windows Update drivers | @@ -236,9 +236,9 @@ The following are quick-reference tables of the supported policy values for Wind | --- | --- | --- | | BranchReadinessLevel | REG_DWORD |2: systems take Feature Updates for the Windows Insider build - Fast (added in Windows 10, version 1709)
    4: systems take Feature Updates for the Windows Insider build - Slow (added in Windows 10, version 1709)
    8: systems take Feature Updates for the Release Windows Insider build (added in Windows 10, version 1709)
    16: for Windows 10, version 1703: systems take Feature Updates for the Current Branch (CB); for Windows 10, version 1709, 1803 and 1809: systems take Feature Updates from Semi-annual Channel (Targeted) (SAC-T); for Windows 10, version 1903 or later: systems take Feature Updates from Semi-annual Channel
    32: systems take Feature Updates from Semi-annual Channel
    Note: Other value or absent: receive all applicable updates | | DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | -| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | +| PauseQualityUpdatesStartTime | REG_DWORD | 1: pause quality updates
    Other value or absent: don’t pause quality updates | | DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | -| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updates
    Other value or absent: don’t pause feature updates | +| PauseFeatureUpdatesStartTime | REG_DWORD | 1: pause feature updates
    Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
    Other value or absent: offer Windows Update drivers | ## Update devices to newer versions diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index a5d605d778..b4bb57aef5 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -119,7 +119,7 @@ Download mode dictates which download sources clients are allowed to use when do By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. -[//]: # (Configuration Manager Boundary Group option; GroupID Source policy) +[//]: # (Configuration Manager boundary group option; GroupID Source policy) >[!NOTE] >To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md index ac14bcf549..584aa81202 100644 --- a/windows/deployment/update/waas-delivery-optimization-setup.md +++ b/windows/deployment/update/waas-delivery-optimization-setup.md @@ -35,6 +35,9 @@ Delivery Optimization offers a great many settings to fine-tune its behavior (se >[!NOTE] >These scenarios (and the recommended settings for each) are not mutually exclusive. It's possible that your deployment might involve more than one of these scenarios, in which case you can employ the related settings in any combination as needed. In all cases, however, "download mode" is the most important one to set. +> [!NOTE] +> Microsoft Intune includes a profile to make it easier to set Delivery Optimization policies. For details, see [Delivery Optimization settings for Intune](https://docs.microsoft.com/mem/intune/configuration/delivery-optimization-settings). + Quick-reference table: | Use case | Policy | Recommended value | Reason | @@ -66,6 +69,9 @@ To do this in Group Policy go to **Configuration\Policies\Administrative Templat To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set **DODownloadMode** to **2**. +> [!NOTE] +> For more about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optmization](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). + ### Large number of mobile devices @@ -122,6 +128,8 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** | PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | | ExpireOn | The target expiration date and time for the file. | | Pinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). | + +Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. `Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: @@ -139,7 +147,9 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download  -Starting in Window 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. +Starting in Windows 10, version 2004, `Get-DeliveryOptimizationPerfSnap` has a new option `-PeerInfo` which returns a real-time list of the connected peers. + +Starting in Windows 10, version 1903, `get-DeliveryOptimizationPerfSnap` has a new option `-CacheSummary` which provides a summary of the cache status. Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. @@ -166,6 +176,30 @@ You can now "pin" files to keep them persistent in the cache. You can only do th #### Work with Delivery Optimization logs +**Starting in Windows 10, version 2004:** + +`Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` + +With no options, this cmdlet returns these data: + +- total number of files +- number of foreground files +- minimum file size for it to be cached +- number of eligible files +- number of files with peers +- number of peering files [how different from the above?] +- overall efficiency +- efficiency in the peered files + +Using the `-ListConnections` option returns these detauls about peers: + +- destination IP address +- peer type +- status code +- bytes sent +- bytes received +- file ID + **Starting in Windows 10, version 1803:** `Get-DeliveryOptimizationLog [-Path ] [-Flush]` diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index d37589c3e6..d39db925b7 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -32,6 +32,15 @@ Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimi >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. +## New in Windows 10, version 2004 + +- Enterprise network throttling: new settings have been added in Group Policy and MDM to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface: + +![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png) + +- Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](https://docs.microsoft.com/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#microsoft-connected-cache). + + ## Requirements The following table lists the minimum Windows 10 version that supports Delivery Optimization: @@ -54,11 +63,16 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Defender definition updates | 1511 | | Office Click-to-Run updates | 1709 | | Win32 apps for Intune | 1709 | +| Office installations and updates | 2004 | +| Xbox game pass games | 2004 | +| MSIX apps (HTTP downloads only) | 2004 | | Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | - @@ -124,6 +138,30 @@ For the payloads (optional): **How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). +**How does Delivery Optimization handle VPNs?** +Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + +If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + +If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. + +With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints: + +Delivery Optimization service endpoint: +- `https://*.prod.do.dsp.mp.microsoft.com` + +Delivery Optimization metadata: +- `http://emdl.ws.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` + +Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + +- `http://*.windowsupdate.com` +- `https://*.delivery.mp.microsoft.com` +- `https://*.update.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + +For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). ## Troubleshooting diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 0e9f6ba908..e0d6464259 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -1,5 +1,5 @@ --- -title: Deploy updates using Windows Update for Business (Windows 10) +title: Windows Update for Business (Windows 10) ms.reviewer: manager: laurawi description: Windows Update for Business lets you manage when devices received updates from Windows Update. @@ -11,24 +11,118 @@ ms.author: jaimeo ms.topic: article --- -# Deploy updates using Windows Update for Business +# What is Windows Update for Business? **Applies to** - Windows 10 -- Windows Server 2016 -- Windows Server 2019 -Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions. + +Windows Update for Business is a free service that is available for all premium editions including Windows 10 Pro, Enterprise, Pro for Workstation, and Education editions. > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. +Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. -Specifically, Windows Update for Business allows for control over update offering and experience to allow for reliability and performance testing on a subset of systems before rolling out updates across the organization as well as a positive update experience for those within your organization. +Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization. + +## What can I do with Windows Update for Business? + +Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them. + +You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as a variety of other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy). + + +### Manage deployment of Windows Updates +By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves. + +### Manage which updates are offered +Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates. + +## Types of updates managed by Windows Update for Business + +Windows Update for Business provides management policies for several types of updates to Windows 10 devices: + +- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring. +- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates. +- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer. +- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies. + + +## Offering +You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period. + +### Manage when updates are offered +You can defer or pause the installation of updates for a set period of time. + +#### Enroll in pre-release updates + +The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both pre-release and released updates: + +- Windows Insider Fast +- Windows Insider Slow +- Windows Insider Release Preview +- Semi-annual Channel + +Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy. + +#### Defer an update + +A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy. + + +|Category |Maximum deferral period | +|---------|---------| +|Feature updates | 365 days | +|Quality updates | 30 days | +|Non-deferrable | none | + + + +#### Pause an update + +If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. +If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set. + +To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates). + +Built in benefits: +When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks. + +### Recommendations + +For the best experience with Windows Update, follow these guidelines: + +- Use devices for at least 6 hours per month, including at least 2 hours of continuous use. +- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours. +- Make sure that devices have at least 10 GB of free space. +- Give devices unobstructed access to the Windows Update service. + +### Manage the end-user experience when receiving Windows Updates + +Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience. + +#### Recommended experience settings + +Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features: + +1. Automatically download, install and restart (default if no restart policies are set up or enabled) +2. Use the default notifications +3. Set update deadlines + +##### Setting deadlines + +A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates. + +This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation. + + + + + 0x$("{0:X16}" -f $LibHandle.ToInt64())" Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())" } @@ -450,7 +452,7 @@ function Instantiate-HSTI { $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize) [byte[]]$blob = New-Object byte[] $blobByteSize - [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount + [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize) $string = $null $blob | foreach { $string = $string + $_.ToString("X2")+"," } @@ -479,7 +481,7 @@ function Instantiate-HSTI { LogAndConsoleError $ErrorMessage $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null } - else + else { LogAndConsoleWarning $ErrorMessage $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null @@ -487,9 +489,9 @@ function Instantiate-HSTI { } } - catch + catch { - LogAndConsoleError $_.Exception.Message + LogAndConsoleError $_.Exception.Message LogAndConsoleError "Instantiate-HSTI failed" } } @@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd) $CmdOutput = Invoke-Expression $_cmd | Out-String Log "Output: $CmdOutput" } - catch + catch { Log "Exception while exectuing $_cmd" - Log $_.Exception.Message + Log $_.Exception.Message } @@ -676,7 +678,7 @@ function CheckDriverCompat verifier.exe /flags 0x02000000 /all /log.code_integrity LogAndConsole "Enabling Driver Verifier and Rebooting system" - Log $verifier_state + Log $verifier_state LogAndConsole "Please re-execute this script after reboot...." if($AutoReboot) { @@ -692,7 +694,7 @@ function CheckDriverCompat else { LogAndConsole "Driver verifier already enabled" - Log $verifier_state + Log $verifier_state ListDrivers($verifier_state.Trim().ToLowerInvariant()) } } @@ -700,23 +702,23 @@ function IsDomainController { $_isDC = 0 $CompConfig = Get-WmiObject Win32_ComputerSystem - foreach ($ObjItem in $CompConfig) + foreach ($ObjItem in $CompConfig) { $Role = $ObjItem.DomainRole Log "Role=$Role" - Switch ($Role) + Switch ($Role) { 0 { Log "Standalone Workstation" } 1 { Log "Member Workstation" } 2 { Log "Standalone Server" } 3 { Log "Member Server" } - 4 + 4 { Log "Backup Domain Controller" $_isDC=1 break } - 5 + 5 { Log "Primary Domain Controller" $_isDC=1 @@ -735,7 +737,7 @@ function CheckOSSKU Log "OSNAME:$osname" $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home") $HLKAllowed = @("microsoft windows 10 pro") - foreach ($SKUent in $SKUarray) + foreach ($SKUent in $SKUarray) { if($osname.ToString().Contains($SKUent.ToLower())) { @@ -762,7 +764,7 @@ function CheckOSSKU } ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' } - else + else { LogAndConsoleError "This PC edition is Unsupported for Device Guard" $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null @@ -773,14 +775,14 @@ function CheckOSSKU function CheckOSArchitecture { $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower() - Log $OSArch - if($OSArch.Contains("64-bit")) + Log $OSArch + if($OSArch -match ("^64\-?\s?bit")) { - LogAndConsoleSuccess "64 bit archictecture" + LogAndConsoleSuccess "64 bit architecture" } - elseif($OSArch.Contains("32-bit")) + elseif($OSArch -match ("^32\-?\s?bit")) { - LogAndConsoleError "32 bit archictecture" + LogAndConsoleError "32 bit architecture" $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null } else @@ -878,7 +880,7 @@ function CheckTPM function CheckSecureMOR { $isSecureMOR = CheckDGFeatures(4) - Log "isSecureMOR= $isSecureMOR " + Log "isSecureMOR= $isSecureMOR " if($isSecureMOR -eq 1) { LogAndConsoleSuccess "Secure MOR is available" @@ -904,7 +906,7 @@ function CheckSecureMOR function CheckNXProtection { $isNXProtected = CheckDGFeatures(5) - Log "isNXProtected= $isNXProtected " + Log "isNXProtected= $isNXProtected " if($isNXProtected -eq 1) { LogAndConsoleSuccess "NX Protector is available" @@ -921,7 +923,7 @@ function CheckNXProtection function CheckSMMProtection { $isSMMMitigated = CheckDGFeatures(6) - Log "isSMMMitigated= $isSMMMitigated " + Log "isSMMMitigated= $isSMMMitigated " if($isSMMMitigated -eq 1) { LogAndConsoleSuccess "SMM Mitigation is available" @@ -938,15 +940,15 @@ function CheckSMMProtection function CheckHSTI { LogAndConsole "Copying HSTITest.dll" - try + try { $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) } - catch + catch { - LogAndConsole $_.Exception.Message + LogAndConsole $_.Exception.Message LogAndConsole "Copying and loading HSTITest.dll failed" } @@ -959,7 +961,7 @@ function PrintToolVersion LogAndConsole "" LogAndConsole "###########################################################################" LogAndConsole "" - LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." + LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." LogAndConsole "" LogAndConsole "###########################################################################" LogAndConsole "" @@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a } $user = [Security.Principal.WindowsIdentity]::GetCurrent(); -$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) +$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) if(!$TestForAdmin) { @@ -1065,7 +1067,7 @@ if($Ready) { Log "_CGState: $_CGState" PrintCGDetails $_CGState - + if($_CGState) { ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' @@ -1077,28 +1079,28 @@ if($Ready) } elseif($DG) { - Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" + Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState + PrintConfigCIDetails $_ConfigCIState if($_ConfigCIState -and $_HVCIState) { LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." - + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' } else { LogAndConsoleWarning "Not all services are running." - + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' } } - else + else { - Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - + Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" + PrintCGDetails $_CGState PrintHVCIDetails $_HVCIState PrintConfigCIDetails $_ConfigCIState @@ -1147,7 +1149,7 @@ if($Enable) { ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' } - else + else { ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' @@ -1158,8 +1160,8 @@ if($Enable) { if(!$HVCI -and !$CG) { - if(!$SIPolicyPath) - { + if(!$SIPolicyPath) + { Log "Writing Decoded SIPolicy.p7b" $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) @@ -1182,7 +1184,7 @@ if($Enable) if(!$_isRedstone) { LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" - #Enable/Disable IOMMU seperately + #Enable/Disable IOMMU separately ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' } $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String @@ -1251,7 +1253,7 @@ if($Disable) if(!$_isRedstone) { LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" - #Enable/Disable IOMMU seperately + #Enable/Disable IOMMU separately ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' } $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String @@ -1270,7 +1272,7 @@ if($Disable) } #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS - #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always + #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random Log "FreeDrive=$FreeDrive" @@ -1314,7 +1316,7 @@ if($Capable) } $_StepCount = 1 if(!$CG) - { + { LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " $_StepCount++ CheckDriverCompat @@ -1323,15 +1325,15 @@ if($Capable) LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " $_StepCount++ CheckSecureBootState - + if(!$HVCI -and !$DG -and !$CG) - { + { #check only if sub-options are absent LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " $_StepCount++ CheckHSTI } - + LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " $_StepCount++ CheckOSArchitecture @@ -1345,11 +1347,11 @@ if($Capable) CheckVirtualization if(!$HVCI -and !$DG) - { + { LogAndConsole " ====================== Step $_StepCount TPM version ====================== " $_StepCount++ CheckTPM - + LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " $_StepCount++ CheckSecureMOR @@ -1358,11 +1360,11 @@ if($Capable) LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " $_StepCount++ CheckNXProtection - + LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " $_StepCount++ CheckSMMProtection - + LogAndConsole " ====================== End Check ====================== " LogAndConsole " ====================== Summary ====================== " @@ -1371,7 +1373,6 @@ if($Capable) } - # SIG # Begin signature block ## REPLACE # SIG # End signature block diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 16c17aa3f9..0aa43d1982 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -21,14 +21,14 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later - Hybrid deployment -- Certificate trust +- Key trust ## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. -The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. +The key-trust model needs Windows Server 2016 domain controllers, which configure the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. > [!IMPORTANT] > If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article. @@ -61,6 +61,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. +> [!NOTE] +> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest. + ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 20e50b5d3a..0f6cbee626 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. +The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca). * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. * The certificate Subject section should contain the directory path of the server object (the distinguished name). @@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. -* The certificate template must have an extension that has the BMP data value "DomainController". +* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template. * The domain controller certificate must be installed in the local computer's certificate store. diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 85d9523c9b..8c01645295 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -74,7 +74,7 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop > [!NOTE] -> Microsoft Visio, Microsoft Office Access and Microsoft Project are not enlightended apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioining. +> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. ## List of WIP-work only apps from Microsoft Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 3fc752f3ca..1e2b9fade3 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -145,8 +145,8 @@ This table provides info about the most common problems you might encounter whil > [!NOTE] > When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. -> [!NOTE] -> Chromium-based versions of Microsoft Edge (versions since 79) don't fully support WIP yet. The functionality could be partially enabled by going to the local page **edge://flags/#edge-dataprotection** and setting the **Windows Information Protection** flag to **enabled**. + + > [!NOTE] > Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 556bce1101..0d28ca5f2c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -197,7 +197,8 @@ #### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md) -### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) +### [Microsoft Defender Advanced Threat Protection for Mac]() +#### [Overview of Microsoft Defender ATP for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) #### [What's New](microsoft-defender-atp/mac-whatsnew.md) #### [Deploy]() @@ -222,7 +223,8 @@ #### [Resources](microsoft-defender-atp/mac-resources.md) -### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) +### [Microsoft Defender Advanced Threat Protection for Linux]() +#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) #### [What's New](microsoft-defender-atp/linux-whatsnew.md) #### [Deploy]() ##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md) @@ -236,6 +238,7 @@ ##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md) ##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) ##### [Set preferences](microsoft-defender-atp/linux-preferences.md) +##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) @@ -243,6 +246,7 @@ ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) +#### [Privacy](microsoft-defender-atp/linux-privacy.md) #### [Resources](microsoft-defender-atp/linux-resources.md) ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) @@ -323,10 +327,13 @@ ### [Behavioral blocking and containment]() #### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md) +#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md) +#### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md) #### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) -### [Automated investigation and response]() +### [Automated investigation and response (AIR)]() #### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) +#### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md) ### [Advanced hunting]() #### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md) @@ -346,10 +353,10 @@ ##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md) ##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md) ##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md) -##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md) -##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md) -##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md) -##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md) +##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md) +##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md) +##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md) +##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md) #### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md) ### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md) @@ -412,8 +419,6 @@ ###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) ###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) -#### [APIs]() -##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) #### [Rules]() ##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md) @@ -436,7 +441,6 @@ ## Reference ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) - #### [Microsoft Defender ATP API]() ##### [Get started]() ###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) @@ -569,7 +573,6 @@ ##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md) ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) -##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md) ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) ##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) @@ -656,7 +659,6 @@ ### [How Microsoft identifies malware and PUA](intelligence/criteria.md) ### [Submit files for analysis](intelligence/submission-guide.md) ### [Safety Scanner download](intelligence/safety-scanner-download.md) -### [Industry antivirus tests](intelligence/top-scoring-industry-antivirus-tests.md) ### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md) #### [Virus information alliance](intelligence/virus-information-alliance-criteria.md) #### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md) diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index d9b5265f75..a7f80d6745 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -230,7 +230,7 @@ This event generates when a logon session is created (on destination machine). I **Network Information:** -- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed. +- **Workstation Name** \[Type = UnicodeString\]**:** machine name to which logon attempt was performed. - **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed. diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index a3b27f24c3..35846937a0 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- -title: Enable virtualization-based protection of code integrity -description: This article explains the steps to opt in to using HVCI on Windows devices. +title: Enable virtualization-based protection of code integrity +description: This article explains the steps to opt in to using HVCI on Windows devices. ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -16,7 +16,7 @@ ms.reviewer: # Enable virtualization-based protection of code integrity -**Applies to** +**Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -25,13 +25,13 @@ Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. ->[!NOTE] ->Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. +> [!NOTE] +> Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. ## HVCI Features * HVCI protects modification of the Control Flow Guard (CFG) bitmap. -* HVCI also ensure your other Truslets, like Credential Guard, have a valid certificate. +* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. ## How to turn on HVCI in Windows 10 @@ -54,7 +54,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] ### Enable HVCI using Group Policy 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. -2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. +2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. 3. Double-click **Turn on Virtualization Based Security**. 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. @@ -290,9 +290,9 @@ WDAC protects against malware running in the guest virtual machine. It does not Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` -### Requirements for running HVCI in Hyper-V virtual machines +### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. +- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/images/lab-creation-page.png b/windows/security/threat-protection/images/lab-creation-page.png new file mode 100644 index 0000000000..75540493da Binary files /dev/null and b/windows/security/threat-protection/images/lab-creation-page.png differ diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index 1bea408ef2..b07721ab05 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -36,8 +36,6 @@ ## [Safety Scanner download](safety-scanner-download.md) -## [Industry tests](top-scoring-industry-antivirus-tests.md) - ## [Industry collaboration programs](cybersecurity-industry-partners.md) ### [Virus information alliance](virus-information-alliance-criteria.md) diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md deleted file mode 100644 index fcd89c3a81..0000000000 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ /dev/null @@ -1,112 +0,0 @@ ---- -title: Top scoring in industry tests (AV-TEST, AV Comparatives, SE Labs, MITRE ATT&CK) -ms.reviewer: -description: Microsoft Defender ATP consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: Windows Defender Antivirus, av reviews, antivirus test, av testing, latest av scores, detection scores, security product testing, security industry tests, industry antivirus tests, best antivirus, av-test, av-comparatives, SE labs, MITRE ATT&CK, endpoint protection platform, EPP, endpoint detection and response, EDR, Windows 10, Microsoft Defender Antivirus, WDAV, MDATP, Microsoft Threat Protection, security, malware, av, antivirus, scores, scoring, next generation protection, ranking, success -ms.prod: w10 -ms.mktglfcycl: secure -ms.sitesec: library -ms.localizationpriority: high -ms.author: ellevin -author: levinec -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -search.appverid: met150 ---- - -# Top scoring in industry tests - -Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)) technologies consistently achieve high scores in independent tests, demonstrating the strength of its enterprise threat protection capabilities. Microsoft aims to be transparent about these test scores. This page summarizes the results and provides analysis. - -## Next generation protection - -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) consistently performs highly in independent tests, displaying how it is a top choice in the antivirus market. Keep in mind, these tests only provide results for antivirus and do not test for additional security protections. - -Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the [Microsoft Defender ATP Windows 10 security stack](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) that addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign). That's because Windows Defender Antivirus and other [endpoint protection platform (EPP)](https://www.microsoft.com/security/blog/2019/08/23/gartner-names-microsoft-a-leader-in-2019-endpoint-protection-platforms-magic-quadrant/) capabilities in Microsoft Defender ATP detect and stops malware at first sight with [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak), behavioral analysis, and other advanced technologies. -

    - -**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)** - -### AV-TEST: Protection score of 5.5/6.0 in the latest test - -The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). - -- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) **Latest** - - Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used. - -- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/) - -- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/) - -- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- March — April 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2019/microsoft-windows-defender-antivirus-4.18-191517/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- January — February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2019/microsoft-windows-defender-antivirus-4.18-190611/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - -- November — December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) - -- September — October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD) - -### AV-Comparatives: Protection rating of 99.6% in the latest test - -Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance. - -- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) **Latest** - - Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test. - -- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- Business Security Test 2018 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2018-august-november/) - -- Business Security Test 2018 (March — June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/) - -### SE Labs: AAA award in the latest test - -SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. - -- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) **pdf** - - Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats. - -- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) - -- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- Enterprise Endpoint Protection January — March 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jan-mar-2019-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl) - -- Enterprise Endpoint Protection October — December 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/oct-dec-2018-enterprise.pdf) **pdf** | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE33cdd) - -## Endpoint detection & response - -Microsoft Defender ATP [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. - -![String of images showing EDR capabilities](./images/MITRE-Microsoft-Defender-ATP.png) - -**Read our analysis: [MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831)** - -### MITRE: Industry-leading optics and detection capabilities - -MITRE tested the ability of products to detect techniques commonly used by the targeted attack group APT3 (also known as Boron or UPS). To isolate detection capabilities, all protection and prevention features were turned off. Microsoft is happy to be one of the first EDR vendors to sign up for the MITRE evaluation based on the ATT&CK framework. The framework is widely regarded today as the most comprehensive catalog of attacker techniques and tactics. - -- ATT&CK-based evaluation: [Leading optics and detection capabilities](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/) | [Analysis](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/MITRE-evaluation-highlights-industry-leading-EDR-capabilities-in/ba-p/369831) - - Microsoft Defender ATP delivered comprehensive coverage of attacker techniques across the entire attack chain. Highlights included the breadth of telemetry, the strength of threat intelligence, and the advanced, automatic detection through machine learning, heuristics, and behavior monitoring. - -## To what extent are tests representative of protection in the real world? - -Independent security industry tests aim to evaluate the best antivirus and security products in an unbiased manner. However, it is important to remember that Microsoft sees a wider and broader set of threats beyond what's tested in the evaluations highlighted in this topic. For example, in an average month Microsoft's security products identify over 100 million new threats. Even if an independent tester can acquire and test 1% of those threats, that is a million tests across 20 or 30 products. In other words, the vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. - -The capabilities within Microsoft Defender ATP provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) that are not factored into industry antivirus tests, and address some of the latest and most sophisticated threats. Isolating AV from the rest of Microsoft Defender ATP creates a partial picture of how Microsoft's security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that [Microsoft Defender ATP components catch samples](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA) that Windows Defender Antivirus missed in these industry tests, which is more representative of how effectively Microsoft's security suite protects customers in the real world. - -With independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. - -[Learn more about Microsoft Defender ATP](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) and evaluate it in your own network by signing up for a [90-day trial of Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), or [enabling Preview features on existing tenants](../microsoft-defender-atp/preview-settings.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 0e8ba41a5c..e520b394a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -22,30 +22,34 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - ## API description + Adds or remove tag to a specific [Machine](machine.md). - ## Limitations + 1. You can post on machines last seen in the past 30 days. + 2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. ## Permissions + One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) -Permission type | Permission | Permission display name +Permission type | Permission | Permission display name :---|:---|:--- -Application | Machine.ReadWrite.All | 'Read and write all machine information' +Application | Machine.ReadWrite.All | 'Read and write all machine information' Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles.md) for more information) +> +>- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information) >- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) ## HTTP request + ``` POST https://api.securitycenter.windows.com/api/machines/{id}/tags ``` @@ -58,17 +62,18 @@ Authorization | String | Bearer {token}. **Required**. Content-Type | string | application/json. **Required**. ## Request body + In the request body, supply a JSON object with the following parameters: -Parameter | Type | Description +Parameter | Type | Description :---|:---|:--- -Value | String | The tag name. **Required**. -Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**. +Value | String | The tag name. **Required**. +Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**. ## Response -If successful, this method returns 200 - Ok response code and the updated Machine in the response body. +If successful, this method returns 200 - Ok response code and the updated Machine in the response body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md similarity index 96% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index abec2caf4d..f43d02ff26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-configassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -1,53 +1,53 @@ ---- -title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema -description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/12/2019 ---- - -# DeviceTvmSecureConfigurationAssessment - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) - -[!include[Prerelease information](../../includes/prerelease.md)] - -Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant. - -For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). - -| Column name | Data type | Description | -|-------------|-----------|-------------| -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| -| `Timestamp` | datetime |Date and time when the record was generated | -| `ConfigurationId` | string | Unique identifier for a specific configuration | -| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | -| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | -| `ConfigurationImpact` | string | Rated impact of the configuration to the overall Microsoft Secure Score for Devices (1-10) | -| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured | - - -## Related topics - -- [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +s--- +title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/12/2019 +--- + +# DeviceTvmSecureConfigurationAssessment + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| +| `Timestamp` | datetime |Date and time when the record was generated | +| `ConfigurationId` | string | Unique identifier for a specific configuration | +| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | +| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | +| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) | +| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured | + + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md similarity index 96% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index 6398b2df0e..f30af239df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-secureconfigkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -1,53 +1,53 @@ ---- -title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema -description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/12/2019 ---- - -# DeviceTvmSecureConfigurationAssessmentKB - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) - -[!include[Prerelease information](../../includes/prerelease.md)] - -The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table. - -For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). - -| Column name | Data type | Description | -|-------------|-----------|-------------| -| `ConfigurationId` | string | Unique identifier for a specific configuration | -| `ConfigurationImpact` | string | Rated impact of the configuration to the overall Microsoft Secure Score for Devices (1-10) | -| `ConfigurationName` | string | Display name of the configuration | -| `ConfigurationDescription` | string | Description of the configuration | -| `RiskDescription` | string | Description of the associated risk | -| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| -| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | -| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration | -| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration | -| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration | - -## Related topics - -- [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +--- +title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema +description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/12/2019 +--- + +# DeviceTvmSecureConfigurationAssessmentKB + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `ConfigurationId` | string | Unique identifier for a specific configuration | +| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) | +| `ConfigurationName` | string | Display name of the configuration | +| `ConfigurationDescription` | string | Description of the configuration | +| `RiskDescription` | string | Description of the associated risk | +| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| +| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | +| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration | +| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration | +| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration | + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md similarity index 98% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index 0dcf6e3af5..384b79a65a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -1,56 +1,56 @@ ---- -title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema -description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/12/2019 ---- - -# DeviceTvmSoftwareInventoryVulnerabilities - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) - - -[!include[Prerelease information](../../includes/prerelease.md)] - -The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. - -For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). - -| Column name | Data type | Description | -|-------------|-----------|-------------| -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| `OSVersion` | string | Version of the operating system running on the machine | -| `OSArchitecture` | string | Architecture of the operating system running on the machine | -| `SoftwareVendor` | string | Name of the software vendor | -| `SoftwareName` | string | Name of the software product | -| `SoftwareVersion` | string | Version number of the software product | -| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | -| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | - - - -## Related topics - -- [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +--- +title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema +description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/12/2019 +--- + +# DeviceTvmSoftwareInventoryVulnerabilities + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + + +[!include[Prerelease information](../../includes/prerelease.md)] + +The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `DeviceId` | string | Unique identifier for the machine in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| `OSVersion` | string | Version of the operating system running on the machine | +| `OSArchitecture` | string | Architecture of the operating system running on the machine | +| `SoftwareVendor` | string | Name of the software vendor | +| `SoftwareName` | string | Name of the software product | +| `SoftwareVersion` | string | Version number of the software product | +| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | +| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | + + + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md similarity index 98% rename from windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md rename to windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index 5af1cfe1f1..2ba11df0c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-tvm-softwarevulnerability-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -1,51 +1,51 @@ ---- -title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema -description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: dolmont -author: DulceMontemayor -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 11/12/2019 ---- - -# DeviceTvmSoftwareVulnerabilitiesKB - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) - -[!include[Prerelease information](../../includes/prerelease.md)] - -The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table. - -For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). - -| Column name | Data type | Description | -|-------------|-----------|-------------| -| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | -| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) | -| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available | -| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | -| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified | -| `PublishedDate` | datetime | Date vulnerability was disclosed to public | -| `VulnerabilityDescription` | string | Description of vulnerability and associated risks | -| `AffectedSoftware` | string | List of all software products affected by the vulnerability | - -## Related topics - -- [Advanced hunting overview](advanced-hunting-overview.md) -- [Learn the query language](advanced-hunting-query-language.md) -- [Understand the schema](advanced-hunting-schema-reference.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +--- +title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema +description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dolmont +author: DulceMontemayor +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.date: 11/12/2019 +--- + +# DeviceTvmSoftwareVulnerabilitiesKB + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table. + +For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md). + +| Column name | Data type | Description | +|-------------|-----------|-------------| +| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system | +| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) | +| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available | +| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape | +| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified | +| `PublishedDate` | datetime | Date vulnerability was disclosed to public | +| `VulnerabilityDescription` | string | Description of vulnerability and associated risks | +| `AffectedSoftware` | string | List of all software products affected by the vulnerability | + +## Related topics + +- [Advanced hunting overview](advanced-hunting-overview.md) +- [Learn the query language](advanced-hunting-query-language.md) +- [Understand the schema](advanced-hunting-schema-reference.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index c371fcba4f..99bd62562e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -48,10 +48,10 @@ Table and column names are also listed within the Microsoft Defender Security Ce | **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events | | **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection | | **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints | -| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-tvm-softwareinventory-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products | -| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-tvm-softwarevulnerability-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available | -| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-tvm-configassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | -| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-tvm-secureconfigkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks | +| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products | +| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available | +| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices | +| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 3b57273926..95aaddc7ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -28,8 +28,9 @@ ms.topic: article Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details. +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Detections API fields and portal mapping The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. @@ -91,7 +92,6 @@ Field numbers match the numbers in the images below. ## Related topics - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 9f14575d2d..03366d39ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -23,25 +23,27 @@ ms.custom: asr * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -**Is attack surface reduction (ASR) part of Windows?** +## Is attack surface reduction (ASR) part of Windows? -ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions. +ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions. -**Do I need to have an enterprise license to run ASR rules?** +## Do I need to have an enterprise license to run ASR rules? -The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available. +The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full capabilities of ASR will not be available. -**Is ASR supported if I have an E3 license?** +To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). -Yes. ASR is supported for Windows Enterprise E3 and above. See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details. +## Is ASR supported if I have an E3 license? -**Which features are supported with an E5 license?** +Yes. ASR is supported for Windows Enterprise E3 and above. + +## Which features are supported with an E5 license? All of the rules supported with E3 are also supported with E5. E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. -**What are the the currently supported ASR rules??** +## What are the currently supported ASR rules? ASR currently supports all of the rules below: @@ -52,8 +54,8 @@ ASR currently supports all of the rules below: * [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content) * [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts) * [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros) -* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware) -* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) +* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware) +* [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe) * [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands) * [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb) * [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) @@ -61,39 +63,41 @@ ASR currently supports all of the rules below: * [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes) * [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription) -**What are some good recommendations for getting started with ASR?** +## What are some good recommendations for getting started with ASR? -It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR. +Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR. -Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool. +Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool. -**How long should I test an ASR rule in audit mode before enabling it?** +## How long should I test an ASR rule in audit mode before enabling it? -You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them. +Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them. -**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?** +## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR? -Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities. +In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. + +The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities. From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. -**Does ASR support file or folder exclusions that include system variables and wildcards in the path?** +## Does ASR support file or folder exclusions that include system variables and wildcards in the path? Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths. -**Do ASR rules cover all applications by default?** +## Do ASR rules cover all applications by default? It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope. -**Does ASR support third-party security solutions?** +## Does ASR support third-party security solutions? ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time. -**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?** +## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline? Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP. -**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.** +## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'. Try opening the indexing options directly from Windows 10. @@ -101,23 +105,23 @@ Try opening the indexing options directly from Windows 10. 1. Enter **Indexing options** into the search box. -**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?** +## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin? -No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered. +No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered. -**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?** +## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong? This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria. -Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode. +Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode. -**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?** +## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on? -A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. +A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies. -Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning. +Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning. -**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?** +## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection? Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index da5160567b..0ca49f4b35 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -23,9 +23,6 @@ ms.custom: asr * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -> [!IMPORTANT] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks. Attack surface reduction rules target software behaviors that are often abused by attackers, such as: @@ -44,9 +41,11 @@ For more information about configuring attack surface reduction rules, see [Enab ## Attack surface reduction features across Windows versions -You can set attack surface reduction rules for computers running the following versions of Windows: -- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later -- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later +You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index eceb1d2833..8441d9b8c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -136,7 +136,7 @@ The **Evidence** tab shows details related to threats associated with this inves ### Entities -The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or determined to be clean. +The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found. ### Log diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 17a56b7252..3399f94ff8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -30,7 +30,7 @@ The automated investigation feature leverages various inspection algorithms, and ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (Malicious, Suspicious, and Clean) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. >[!NOTE] >Currently, automated investigation only supports the following OS versions: @@ -48,7 +48,7 @@ During and after an automated investigation, you can view details about the inve |**Alerts**| Shows the alert that started the investigation.| |**Machines** |Shows where the alert was seen.| |**Evidence** |Shows the entities that were found to be malicious during the investigation.| -|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *Clean*). | +|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | |**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| |**Pending actions** |If there are pending actions on the investigation, the **Pending actions** tab will be displayed where you can approve or reject actions. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 4084d8b928..9ab72ae669 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -24,26 +24,96 @@ ms.collection: - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -## Behavioral blocking and containment overview +## Overview -Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints. +Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised machines. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and machine learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security). -## Behavioral blocking and containment capabilities +Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities. -Behavioral blocking and containment capabilities include the following: +:::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment"::: -- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) +Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing. -- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running. -- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) +- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond. -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) +- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. -As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. +With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks. + +The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities: + +:::image type="content" source="images/blocked-behav-alert.png" alt-text="Example of an alert through behavioral blocking and containment"::: + +## Components of behavioral blocking and containment + +- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) + +- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) + +- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) + +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) + +Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap). + +## Examples of behavioral blocking and containment in action + +Behavioral blocking and containment capabilities have blocked attacker techniques such as the following: + +- Credential dumping from LSASS +- Cross-process injection +- Process hollowing +- User Account Control bypass +- Tampering with antivirus (such as disabling it or adding the malware as exclusion) +- Contacting Command and Control (C&C) to download payloads +- Coin mining +- Boot record modification +- Pass-the-hash attacks +- Installation of root certificate +- Exploitation attempt for various vulnerabilities + +Below are two real-life examples of behavioral blocking and containment in action. + +### Example 1: Credential theft attack against 100 organizations + +As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. + +Behavior-based machine learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain: +- The first protection layer detected the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. +- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). + +While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): + +:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center"::: + +This example shows how behavior-based machine learning models in the cloud add new layers of protection against attacks, even after they have started running. + +### Example 2: NTML relay - Juicy Potato malware variant + +As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered. + +:::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware"::: + +The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device. + +Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image: + +:::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked"::: + +A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device. + +This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically. ## Next steps +- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) + - [Configure your attack surface reduction rules](attack-surface-reduction.md) -- [Enable EDR in block mode](edr-in-block-mode.md) \ No newline at end of file +- [Enable EDR in block mode](edr-in-block-mode.md) + +- [See recent global threat activity](https://www.microsoft.com/wdsi/threats) + +- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md new file mode 100644 index 0000000000..317b858f36 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -0,0 +1,90 @@ +--- +title: Client behavioral blocking +description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP +keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- next-gen +- edr +ms.collection: +--- + +# Client behavioral blocking + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Overview + +Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. + +:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection"::: + +Antivirus protection works best when paired with cloud protection. + +## How client behavioral blocking works + +[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device. + +Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization. + +## Behavior-based detections + +Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed: + + +|Tactic | Detection threat name | +|----|----| +|Initial Access | Behavior:Win32/InitialAccess.*!ml | +|Execution | Behavior:Win32/Execution.*!ml | +|Persistence | Behavior:Win32/Persistence.*!ml | +|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml | +|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml | +|Credential Access | Behavior:Win32/CredentialAccess.*!ml | +|Discovery | Behavior:Win32/Discovery.*!ml | +|Lateral Movement | Behavior:Win32/LateralMovement.*!ml | +|Collection | Behavior:Win32/Collection.*!ml | +|Command and Control | Behavior:Win32/CommandAndControl.*!ml | +|Exfiltration | Behavior:Win32/Exfiltration.*!ml | +|Impact | Behavior:Win32/Impact.*!ml | +|Uncategorized | Behavior:Win32/Generic.*!ml | + +> [!TIP] +> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**. + + +## Configuring client behavioral blocking + +If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: + +- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) + +- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) + +- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) + +- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus) + +## Related articles + +- [Behavioral blocking and containment](behavioral-blocking-containment.md) + +- [Feedback-loop blocking](feedback-loop-blocking.md) + +- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) + +- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index e959cf1bbf..ae36af69a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -15,7 +15,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 07/01/2018 --- # Configure attack surface reduction @@ -27,11 +26,7 @@ You can configure attack surface reduction with a number of tools, including: * Group Policy * PowerShell cmdlets -The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools). - -## In this section - -Topic | Description +Article | Description -|- [Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements [Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md new file mode 100644 index 0000000000..8286330112 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -0,0 +1,55 @@ +--- +title: Configure automated investigation and remediation capabilities +description: Set up your automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +keywords: configure, setup, automated, investigation, detection, alerts, remediation, response +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Configure automated investigation and remediation capabilities in Microsoft Defender Advanced Threat Protection + +**Applies to** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). + +To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). + +## Turn on automated investigation and remediation + +1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, choose **Settings**. +3. In the **General** section, select **Advanced features**. +4. Turn on both **Automated Investigation** and **Automatically resolve alerts**. + +## Set up device groups + +1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**. +2. Select **+ Add machine group**. +3. Create at least one device group, as follows: + - Specify a name and description for the device group. + - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). + - In the **Members** section, use one or more conditions to identify and include devices. + - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating. +4. Select **Done** when you're finished setting up your device group. + +## Next steps + +- [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) + +- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation) + +- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index b7e90ca3be..cc9b6af753 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -13,7 +13,7 @@ ms.author: macapara ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article --- @@ -24,8 +24,9 @@ ms.topic: article - Windows Server 2008 R2 SP1 - Windows Server 2012 R2 - Windows Server 2016 -- Windows Server, version 1803 -- Windows Server, 2019 and later +- Windows Server (SAC) version 1803 and later +- Windows Server 2019 and later +- Windows Server 2019 core edition - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) @@ -34,12 +35,12 @@ ms.topic: article Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. The service supports the onboarding of the following servers: -- Windows Server 2008 R2 SP1 +- Windows Server 2008 R2 SP1 - Windows Server 2012 R2 - Windows Server 2016 -- Windows Server, version 1803 +- Windows Server (SAC) version 1803 and later - Windows Server 2019 and later - +- Windows Server 2019 core edition For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). @@ -56,33 +57,36 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 ### Option 1: Onboard servers through Microsoft Defender Security Center -You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. +You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. -- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: + - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - -- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: + + - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598) - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) -- For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. + - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. -> [!NOTE] -> This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. + > [!NOTE] + > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. -- Turn on server monitoring from Microsoft Defender Security Center. -- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + - Turn on server monitoring from Microsoft Defender Security Center. + - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. + + Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). > [!TIP] > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ### Configure and update System Center Endpoint Protection clients -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. +Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting @@ -91,19 +95,19 @@ The following steps are required to enable this integration: 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. 2. Select Windows Server 2012 R2 and 2016 as the operating system. - + 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
    On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). 3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). @@ -112,7 +116,7 @@ Once completed, you should see onboarded servers in the portal within an hour. ### Configure server proxy and Internet connectivity settings - + - Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). @@ -123,51 +127,50 @@ Once completed, you should see onboarded servers in the portal within an hour. 2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system. -3. Click **Onboard Servers in Azure Security Center**. +3. Click **Onboard Servers in Azure Security Center**. 4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). - -## Windows Server, version 1803 and Windows Server 2019 -To onboard Windows Server, version 1803 or Windows Server 2019, refer to the supported methods and versions below. +## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition +To onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition, refer to the supported methods and versions below. > [!NOTE] > The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). Supported tools include: - Local script -- Group Policy +- Group Policy - Microsoft Endpoint Configuration Manager - System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 - VDI onboarding scripts for non-persistent machines For more information, see [Onboard Windows 10 machines](configure-endpoints.md). -Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). +1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). 2. If you're running a third-party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings. Verify that it was configured correctly: - a. Set the following registry entry: + 1. Set the following registry entry: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: ForceDefenderPassiveMode - Value: 1 - b. Run the following PowerShell command to verify that the passive mode was configured: + 1. Run the following PowerShell command to verify that the passive mode was configured: - ```PowerShell - Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} - ``` + ```PowerShell + Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84} + ``` - c. Confirm that a recent event containing the passive mode event is found: - - ![Image of passive mode verification result](images/atp-verify-passive-mode.png) + 1. Confirm that a recent event containing the passive mode event is found: + + ![Image of passive mode verification result](images/atp-verify-passive-mode.png) 3. Run the following command to check if Windows Defender AV is installed: - ```sc query Windefend``` + ```sc.exe query Windefend``` If the result is 'The specified service does not exist as an installed service', then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). @@ -185,13 +188,13 @@ The following capabilities are included in this integration: - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach > [!IMPORTANT] -> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. +> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default. > - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. +> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. - -## Offboard servers -You can offboard Windows Server, version 1803 and Windows 2019 in the same method available for Windows 10 client machines. +## Offboard servers +You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines. For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent @@ -207,10 +210,10 @@ For more information, see [To disable an agent](https://docs.microsoft.com/azure ### Remove the Microsoft Defender ATP workspace configuration To offboard the server, you can use either of the following methods: -- Remove the Microsoft Defender ATP workspace configuration from the MMA agent +- Remove the Microsoft Defender ATP workspace configuration from the MMA agent - Run a PowerShell command to remove the configuration -#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent +#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent 1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. @@ -221,11 +224,12 @@ To offboard the server, you can use either of the following methods: #### Run a PowerShell command to remove the configuration 1. Get your Workspace ID: - a. In the navigation pane, select **Settings** > **Onboarding**. - b. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: - - ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) + 1. In the navigation pane, select **Settings** > **Onboarding**. + + 1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: + + ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) 2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`: diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index ad965c75e5..d5f2d69d6c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -27,31 +27,29 @@ ms.topic: article ## Pull detections using security information and events management (SIEM) tools ->[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>[!NOTE] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. -Microsoft Defender ATP currently supports the following SIEM tools: +Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: -- Splunk -- HP ArcSight +- IBM QRadar +- Micro Focus ArcSight + +Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. To use either of these supported SIEM tools you'll need to: - [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) + - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) + - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). -## Pull Microsoft Defender ATP detections using REST API -Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API. - -For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md). - diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md b/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md deleted file mode 100644 index 10c69301a9..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md +++ /dev/null @@ -1,131 +0,0 @@ ---- -title: Configure Splunk to pull Microsoft Defender ATP detections -description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center. -keywords: configure splunk, security information and events management tools, splunk -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Configure Splunk to pull Microsoft Defender ATP detections - -**Applies to:** - - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink) - -You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections. - ->[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. - -## Before you begin - -- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk. -- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) - -- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: - - Tenant ID - - Client ID - - Client Secret - - Resource URL - - -## Configure Splunk - -1. Login in to Splunk. - -2. Go to **Settings** > **Data inputs**. - -3. Select **Windows Defender ATP alerts** under **Local inputs**. - - NOTE: - This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/). - -4. Click **New**. - -5. Type the following values in the required fields, then click **Save**: - - NOTE: - All other values in the form are optional and can be left blank. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    FieldValue
    NameName for the Data Input
    Login URLURL to authenticate the azure app (Default : https://login.microsoftonline.com)
    EndpointDepending on the location of your datacenter, select any of the following URL:

    For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com

    For US:https://wdatp-alertexporter-us.securitycenter.windows.com

    For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com -
    Tenant IDAzure Tenant ID
    ResourceValue from the SIEM integration feature page
    Client IDValue from the SIEM integration feature page
    Client SecretValue from the SIEM integration feature page
    - -After completing these configuration steps, you can go to the Splunk dashboard and run queries. - -## View detections using Splunk solution explorer -Use the solution explorer to view detections in Splunk. - -1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**. - -2. Select **New**. - -3. Enter the following details: - - Search: Enter a query, for example:
    - `sourcetype="wdatp:alerts" |spath|table*` - - App: Add-on for Windows Defender (TA_Windows-defender) - - Other values are optional and can be left with the default values. - -4. Click **Save**. The query is saved in the list of searches. - -5. Find the query you saved in the list and click **Run**. The results are displayed based on your query. - - ->[!TIP] -> To minimize Detection duplications, you can use the following query: ->```source="rest://wdatp:alerts" | spath | dedup _raw | table *``` - -## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) -- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 0786bb44f2..9540fd0ce6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 +ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- @@ -26,11 +26,16 @@ manager: dansimp > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture. +[Attack surface reduction rules](enable-attack-surface-reduction.md) help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture. Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. -Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. +You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) +You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders @@ -72,7 +77,7 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. 4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 9115bc352e..e31b0b4fc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -12,22 +12,29 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/05/2020 +ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- # Enable attack surface reduction rules -[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. +[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Each ASR rule contains three settings: +Each ASR rule contains one of three settings: * Not configured: Disable the ASR rule * Block: Enable the ASR rule * Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. + +> [!TIP] +> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). You can enable attack surface reduction rules by using any of these methods: diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index f408e29140..382f789aa7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -27,9 +27,10 @@ ms.topic: article Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. ->[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>[!NOTE] +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites - The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. @@ -75,7 +76,6 @@ You can now proceed with configuring your SIEM solution or connecting to the det You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - [Microsoft Defender ATP Detection fields](api-portal-mapping.md) - [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 70a03c74e5..a77a399d92 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 04/02/2019 +ms.date: 05/20/2020 ms.reviewer: manager: dansimp --- @@ -23,7 +23,11 @@ manager: dansimp * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. +Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows: +- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later +- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later +- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 702d9e6c4e..83b638059c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -23,36 +23,47 @@ ms.topic: article Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. -The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. +The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. -When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs. - -After the lab setup process is complete, you can add Windows 10 or Windows Server 2019 machines. These test machines come pre-configured to have the latest and greatest OS versions with the right security components in place and Office 2019 Standard installed. +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM] With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs. -You'll have full access to all the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers. +You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers. + +You can add Windows 10 or Windows Server 2019 machines that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. + +You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal. + + Install your preferred simulator, run scenarios within the evaluation lab, and instantly see how the platform performs - all conveniently available at no extra cost to you. You'll also have convenient access to wide array of simulations which you can access and run from the simulations catalog. + ## Before you begin You'll need to fulfill the [licensing requirements](minimum-requirements.md#licensing-requirements) or have trial access to Microsoft Defender ATP to access the evaluation lab. +You must have **Manage security settings** permissions to: +- Create the lab +- Create machines +- Reset password +- Create simulations + +For more information, see [Create and manage roles](user-roles.md). + Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink) + ## Get started with the lab You can access the lab from the menu. In the navigation menu, select **Evaluation and tutorials > Evaluation lab**. ![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png) -When you access the evaluation lab for the first time, you'll find an introduction page with a link to the evaluation guide. The guide contains tips and recommendations to keep in mind when evaluating an advanced threat protection product. - -It's a good idea to read the guide before starting the evaluation process so that you can conduct a thorough assessment of the platform. - >[!NOTE] >- Each environment is provisioned with a limited set of test machines. >- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation. >- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count. >- Given the limited resources, it’s advisable to use the machines carefully. +Already have a lab? Make sure to enable the new threat simulators and have active machines. ## Setup the evaluation lab @@ -60,17 +71,37 @@ It's a good idea to read the guide before starting the evaluation process so tha ![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png) -2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Create lab**. +2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Next**. - ![Image of lab configuration options](images/lab-creation-page.png) + ![Image of lab configuration options](images/lab-creation-page.png) + + +3. (Optional) You can choose to install threat simulators in the lab. + + ![Image of install simulators agent](images/install-agent.png) + + >[!IMPORTANT] + >You'll first need to accept and provide consent to the terms and information sharing statements. + +4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the machines you add. + + ![Image of summary page](images/lab-setup-summary.png) + +5. Review the summary and select **Setup lab**. + +After the lab setup process is complete, you can add machines and run simulations. -When the environment completes the setup process, you're ready to add machines. ## Add machines When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines. The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. + >[!TIP] + > Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. + +If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add. + The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. The following security components are pre-configured in the test machines: @@ -94,9 +125,6 @@ Automated investigation settings will be dependent on tenant settings. It will b 1. From the dashboard, select **Add machine**. - ![Image of lab setup page](images/lab-setup-page.png) - - 2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019. ![Image of lab setup with machine options](images/add-machine-options.png) @@ -114,20 +142,31 @@ Automated investigation settings will be dependent on tenant settings. It will b 4. Machine set up begins. This can take up to approximately 30 minutes. -The environment will reflect your test machine status through the evaluation - including risk score, exposure score, and alerts created through the simulation. +5. See the status of test machines, the risk and exposure levels, and the status of simulator installations by selecting the **Machines** tab. + + ![Image of machines tab](images/machines-tab.png) + + + >[!TIP] + >In the **Simulator status** column, you can hover over the information icon to know the installation status of an agent. -![Image of test machines](images/eval-lab-dashboard.png) ## Simulate attack scenarios -Use the test machines to run attack simulations by connecting to them. +Use the test machines to run your own attack simulations by connecting to them. -If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience. +You can simulate attack scenarios using: +- The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials) +- Threat simulators You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. -> [!NOTE] -> The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +### Do-it-yourself attack scenarios +If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience. + + +>[!NOTE] +>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. 1. Connect to your machine and run an attack simulation by selecting **Connect**. @@ -146,20 +185,70 @@ You can also use [Advanced hunting](advanced-hunting-query-language.md) to query ![Image of window to enter credentials](images/enter-password.png) -4. Run simulations on the machine. +4. Run Do-it-yourself attack simulations on the machine. + + +### Threat simulator scenarios +If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab machines. + + +Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment. + +>[!NOTE] +>Before you can run simulations, ensure the following requirements are met: +>- Machines must be added to the evaluation lab +>- Threat simulators must be installed in the evaluation lab + +1. From the portal select **Create simulation**. + +2. Select a threat simulator. + + ![Image of threat simulator selection](images/select-simulator.png) + +3. Choose a simulation or look through the simulation gallery to browse through the available simulations. + + You can get to the simulation gallery from: + - The main evaluation dashboard in the **Simulations overview** tile or + - By navigating from the navigation pane **Evaluation and tutorials** > **Simulation & tutorials**, then select **Simulations catalog**. + +4. Select the devices where you'd like to run the simulation on. + +5. Select **Create simulation**. + +6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details. + + ![Image of simulations tab](images/simulations-tab.png) + +After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if the attack simulations you ran triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature. -After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if your attacks triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature. Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics. -## Simulation results -Get a full overview of the simulation results, all in one place, allowing you to drill down to the relevant pages with every detail you need. +## Simulation gallery +Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. -View the machine details page by selecting the machine from the table. You'll be able to drill down on relevant alerts and investigations by exploring the rich context provided on the attack simulation. +View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu. -### Evaluation report + +A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog. + +You can conveniently run any available simulation right from the catalog. + + +![Image of simulations catalog](images/simulations-catalog.png) + +Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run. + +**Examples:** +![Image of simulation description details](images/simulation-details-aiq.png) + + +![Image of simulation description details](images/simulation-details-sb.png) + + +## Evaluation report The lab reports summarize the results of the simulations conducted on the machines. ![Image of the evaluation report](images/eval-report.png) @@ -172,6 +261,7 @@ At a glance, you'll quickly be able to see: - Detection sources - Automated investigations + ## Provide feedback Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience and impressions from product capabilities and evaluation results. diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md new file mode 100644 index 0000000000..d4be39d220 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md @@ -0,0 +1,58 @@ +--- +title: Feedback-loop blocking +description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP +keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- next-gen +- edr +ms.collection: +--- + +# Feedback-loop blocking + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Overview + +Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks. + +## How feedback-loop blocking works + +When a suspicious behavior or file is detected, such as by [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10), information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to arrive at a decision as to whether to block a file. Checking and classifying artifacts happens quickly. It results in rapid blocking of confirmed malware, and drives protection across the entire ecosystem. + +With rapid protection in place, an attack can be stopped on a device, other devices in the organization, and devices in other organizations, as an attack attempts to broaden its foothold. + + +## Configuring feedback-loop blocking + +If your organization is using Microsoft Defender ATP, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Microsoft Defender ATP capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: + +- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) + +- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) + +- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) + +- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) + +- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) (antivirus) + +## Related articles + +- [Behavioral blocking and containment](behavioral-blocking-containment.md) + +- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) + +- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 066146d158..fe2ddd1f2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -46,6 +46,15 @@ To have your company listed as a partner in the in-product partner page, you wil 3. Provide a 15-word product description. 4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed. 5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application. +6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). + Follow these steps: + 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration. + + - ISV Nomenclature: `MdatpPartner-{CompanyName}-{TenantID}/{Version}`. + - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`. + + 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature. + For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png index 7635b49f3e..50aaff6186 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png new file mode 100644 index 0000000000..3baa36a30e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/Artifactblockedjuicypotato.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png new file mode 100644 index 0000000000..0ecdbe5a2d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/NTLMalertjuicypotato.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png new file mode 100644 index 0000000000..eb5819123e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png new file mode 100644 index 0000000000..f02cd3b7c4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png new file mode 100644 index 0000000000..cc46690248 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-processtree.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png new file mode 100644 index 0000000000..e9cb104a05 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png index fda12c1b95..2977a16c2d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png and b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png new file mode 100644 index 0000000000..c477df78f0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png index 5f76ba9386..316e3e0700 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png new file mode 100644 index 0000000000..68c1dcf142 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png new file mode 100644 index 0000000000..4275f94ded Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png new file mode 100644 index 0000000000..add1b5bd15 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-next-gen-EDR-behavblockcontain.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png new file mode 100644 index 0000000000..cea5e255f5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/pre-execution-and-post-execution-detection-engines.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png new file mode 100644 index 0000000000..e98bc4b89e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png index 8b37ac8a3a..f7d6472ba7 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png index 94c724f0c8..ef062f0c8e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png new file mode 100644 index 0000000000..9eeb6d31cd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png new file mode 100644 index 0000000000..706bd97b0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png new file mode 100644 index 0000000000..4e84bc76f1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png new file mode 100644 index 0000000000..437ee70e30 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 250093e512..31656eeae6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -179,18 +179,59 @@ In order to preview new features and provide early feedback, it is recommended t sudo yum install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ yum repolist + ... + packages-microsoft-com-prod packages-microsoft-com-prod 316 + packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2 + ... + + # install the package from the production repository + $ sudo yum --enablerepo=packages-microsoft-com-prod install mdatp + ``` + - SLES and variants: ```bash sudo zypper install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ zypper repos + ... + # | Alias | Name | ... + XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ... + XX | packages-microsoft-com-prod | microsoft-prod | ... + ... + + # install the package from the production repository + $ sudo zypper install packages-microsoft-com-prod:mdatp + ``` + - Ubuntu and Debian system: ```bash sudo apt-get install mdatp ``` + If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. + + ```bash + # list all repositories + $ cat /etc/apt/sources.list.d/* + deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main + deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main + + # install the package from the production repository + $ sudo apt -t bionic install mdatp + ``` + ## Download the onboarding package Download the onboarding package from Microsoft Defender Security Center: @@ -276,6 +317,10 @@ Download the onboarding package from Microsoft Defender Security Center: See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +## Operating system upgrades + +When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. + ## Uninstallation -See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. +See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index d097245cf8..34b6be737e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -255,6 +255,10 @@ Now run the tasks files under `/etc/ansible/playbooks/`. See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +## Operating system upgrades + +When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. + ## References - [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 92c721fedf..3914bf58e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -207,6 +207,10 @@ If the product is not healthy, the exit code (which can be checked through `echo See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. +## Operating system upgrades + +When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. + ## Uninstallation Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md new file mode 100644 index 0000000000..7a7de6e01f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md @@ -0,0 +1,300 @@ +--- +title: Privacy for Microsoft Defender ATP for Linux +description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, privacy, diagnostic +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Privacy for Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux. + +This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. + +## Overview of privacy controls in Microsoft Defender ATP for Linux + +This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux. + +### Diagnostic data + +Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. + +Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations. + +There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from: + +* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on. + +* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. + +By default, only required diagnostic data is sent to Microsoft. + +### Cloud delivered protection data + +Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud. + +Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network. + +### Sample data + +Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional. + +There are three levels for controlling sample submission: + +- **None**: no suspicious samples are submitted to Microsoft. +- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting. +- **All**: all suspicious samples are submitted to Microsoft. + +## Manage privacy controls with policy settings + +If you're an IT administrator, you might want to configure these controls at the enterprise level. + +The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). + +As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization. + +## Diagnostic data events + +This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected. + +### Data fields that are common for all events +There is some information about events that is common to all events, regardless of category or data subtype. + +The following fields are considered common for all events: + +| Field | Description | +| ----------------------- | ----------- | +| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. | +| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | +| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | +| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| +| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | +| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | +| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. | + +### Required diagnostic data + +**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on. + +Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. + +#### Software setup and inventory data events + +**Microsoft Defender ATP installation / uninstallation** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| correlation_id | Unique identifier associated with the installation. | +| version | Version of the package. | +| severity | Severity of the message (for example Informational). | +| code | Code that describes the operation. | +| text | Additional information associated with the product installation. | + +**Microsoft Defender ATP configuration** + +The following fields are collected: + +| Field | Description | +| --------------------------------------------------- | ----------- | +| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. | +| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. | +| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. | +| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. | +| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. | +| cloud_service.service_uri | URI used to communicate with the cloud. | +| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | +| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). | +| edr.early_preview | Whether the machine should run EDR early preview features. | +| edr.group_id | Group identifier used by the detection and response component. | +| edr.tags | User-defined tags. | +| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | + +#### Product and service usage data events + +**Security intelligence update report** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| from_version | Original security intelligence version. | +| to_version | New security intelligence version. | +| status | Status of the update indicating success or failure. | +| using_proxy | Whether the update was done over a proxy. | +| error | Error code if the update failed. | +| reason | Error message if the update failed. | + +#### Product and service performance data events + +**Kernel extension statistics** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| version | Version of Microsoft Defender ATP for Linux. | +| instance_id | Unique identifier generated on kernel extension startup. | +| trace_level | Trace level of the kernel extension. | +| subsystem | The underlying subsystem used for real-time protection. | +| ipc.connects | Number of connection requests received by the kernel extension. | +| ipc.rejects | Number of connection requests rejected by the kernel extension. | +| ipc.connected | Whether there is any active connection to the kernel extension. | + +#### Support data + +**Diagnostic logs** + +Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: + +- All files under */var/log/microsoft/mdatp* +- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux +- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log* + +### Optional diagnostic data + +**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues. + +If you choose to send us optional diagnostic data, required diagnostic data is also included. + +Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product). + +#### Software setup and inventory data events + +**Microsoft Defender ATP configuration** + +The following fields are collected: + +| Field | Description | +| -------------------------------------------------- | ----------- | +| connection_retry_timeout | Connection retry time-out when communication with the cloud. | +| file_hash_cache_maximum | Size of the product cache. | +| crash_upload_daily_limit | Limit of crash logs uploaded daily. | +| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. | +| antivirus_engine.exclusions[].path | Path that was excluded from scanning. | +| antivirus_engine.exclusions[].extension | Extension excluded from scanning. | +| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. | +| antivirus_engine.scan_cache_maximum | Size of the product cache. | +| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. | +| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. | +| filesystem_scanner.full_scan_directory | Full scan directory. | +| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. | +| edr.latency_mode | Latency mode used by the detection and response component. | +| edr.proxy_address | Proxy address used by the detection and response component. | + +**Microsoft Auto-Update configuration** + +The following fields are collected: + +| Field | Description | +| --------------------------- | ----------- | +| how_to_check | Determines how product updates are checked (for example automatic or manual). | +| channel_name | Update channel associated with the device. | +| manifest_server | Server used for downloading updates. | +| update_cache | Location of the cache used to store updates. | + +### Product and service usage + +#### Diagnostic log upload started report + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| sha256 | SHA256 identifier of the support log. | +| size | Size of the support log. | +| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). | +| format | Format of the support log. | + +#### Diagnostic log upload completed report + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| request_id | Correlation ID for the support log upload request. | +| sha256 | SHA256 identifier of the support log. | +| blob_sas_uri | URI used by the application to upload the support log. | + +#### Product and service performance data events + +**Unexpected application exit (crash)** + +Unexpected application exits and the state of the application when that happens. + +**Kernel extension statistics** + +The following fields are collected: + +| Field | Description | +| ------------------------------ | ----------- | +| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. | +| pkt_ack_conn_timeout | | +| ipc.ack_pkts | | +| ipc.nack_pkts | | +| ipc.send.ack_no_conn | | +| ipc.send.nack_no_conn | | +| ipc.send.ack_no_qsq | | +| ipc.send.nack_no_qsq | | +| ipc.ack.no_space | | +| ipc.ack.timeout | | +| ipc.ack.ackd_fast | | +| ipc.ack.ackd | | +| ipc.recv.bad_pkt_len | | +| ipc.recv.bad_reply_len | | +| ipc.recv.no_waiter | | +| ipc.recv.copy_failed | | +| ipc.kauth.vnode.mask | | +| ipc.kauth.vnode.read | | +| ipc.kauth.vnode.write | | +| ipc.kauth.vnode.exec | | +| ipc.kauth.vnode.del | | +| ipc.kauth.vnode.read_attr | | +| ipc.kauth.vnode.write_attr | | +| ipc.kauth.vnode.read_ex_attr | | +| ipc.kauth.vnode.write_ex_attr | | +| ipc.kauth.vnode.read_sec | | +| ipc.kauth.vnode.write_sec | | +| ipc.kauth.vnode.take_own | | +| ipc.kauth.vnode.link | | +| ipc.kauth.vnode.create | | +| ipc.kauth.vnode.move | | +| ipc.kauth.vnode.mount | | +| ipc.kauth.vnode.denied | | +| ipc.kauth.vnode.ackd_before_deadline | | +| ipc.kauth.vnode.missed_deadline | | +| ipc.kauth.file_op.mask | | +| ipc.kauth_file_op.open | | +| ipc.kauth.file_op.close | | +| ipc.kauth.file_op.close_modified | | +| ipc.kauth.file_op.move | | +| ipc.kauth.file_op.link | | +| ipc.kauth.file_op.exec | | +| ipc.kauth.file_op.remove | | +| ipc.kauth.file_op.unmount | | +| ipc.kauth.file_op.fork | | +| ipc.kauth.file_op.create | | + +## Resources + +- [Privacy at Microsoft](https://privacy.microsoft.com/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md new file mode 100644 index 0000000000..b0cd02009a --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md @@ -0,0 +1,65 @@ +--- +title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux +description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux. +keywords: microsoft, defender, atp, linux, pua, pus +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) + +The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network. + +These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. + +These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. + +## How it works + +Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. + +When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application". + +## Configure PUA protection + +PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways: + +- **Off**: PUA protection is disabled. +- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product. +- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product. + +>[!WARNING] +>By default, PUA protection is configured in **Audit** mode. + +You can configure how PUA files are handled from the command line or from the management console. + +### Use the command-line tool to configure PUA protection: + +In Terminal, execute the following command to configure PUA protection: + +```bash +$ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +``` + +### Use the management console to configure PUA protection: + +In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) topic. + +## Related topics + +- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index e633d8184f..f1928bc4d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -1,6 +1,6 @@ --- -title: Manual deployment for Microsoft Defender ATP for Mac -description: Install Microsoft Defender ATP for Mac manually, from the command line. +title: Manual deployment for Microsoft Defender ATP for macOS +description: Install Microsoft Defender ATP for macOS manually, from the command line. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,45 +17,34 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Manual deployment for Microsoft Defender ATP for Mac +# Manual deployment for Microsoft Defender ATP for macOS **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md) -This topic describes how to deploy Microsoft Defender ATP for Mac manually. A successful deployment requires the completion of all of the following steps: +This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) - [Application installation](#application-installation) - [Client configuration](#client-configuration) ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages Download the installation and onboarding packages from Microsoft Defender Security Center: 1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In Section 1 of the page, set operating system to **Linux, macOS, iOS, and Android** and Deployment method to **Local script**. +2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. - ![Microsoft Defender Security Center screenshot](../windows-defender-antivirus/images/ATP-Portal-Onboarding-page.png) + ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-page.png) 5. From a command prompt, verify that you have the two files. - Extract the contents of the .zip files: - - ```bash - $ ls -l - total 721152 - -rw-r--r-- 1 test staff 6185 Mar 15 10:45 WindowsDefenderATPOnboardingPackage.zip - -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg - $ unzip WindowsDefenderATPOnboardingPackage.zip - Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: MicrosoftDefenderATPOnboardingMacOs.py - ``` - + ## Application installation To complete this process, you must have admin privileges on the machine. @@ -87,7 +76,7 @@ The installation proceeds. ## Client configuration -1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac. +1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS. The client machine is not associated with orgId. Note that the *orgId* attribute is blank. @@ -127,4 +116,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues) ## Uninstallation -See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. +See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index ab118ea2ca..9add09b4df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -43,7 +43,7 @@ There are two levels of diagnostic data for Microsoft Defender ATP client softwa * **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. -By default, both optional and required diagnostic data are sent to Microsoft. +By default, only required diagnostic data is sent to Microsoft. ### Cloud delivered protection data @@ -127,6 +127,21 @@ The following fields are collected: | edr.tags | User-defined tags. | | features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | +#### Product and service usage data events + +**Security intelligence update report** + +The following fields are collected: + +| Field | Description | +| ---------------- | ----------- | +| from_version | Original security intelligence version. | +| to_version | New security intelligence version. | +| status | Status of the update indicating success or failure. | +| using_proxy | Whether the update was done over a proxy. | +| error | Error code if the update failed. | +| reason | Error message if the updated filed. | + #### Product and service performance data events **Kernel extension statistics** @@ -138,6 +153,7 @@ The following fields are collected: | version | Version of Microsoft Defender ATP for Mac. | | instance_id | Unique identifier generated on kernel extension startup. | | trace_level | Trace level of the kernel extension. | +| subsystem | The underlying subsystem used for real-time protection. | | ipc.connects | Number of connection requests received by the kernel extension. | | ipc.rejects | Number of connection requests rejected by the kernel extension. | | ipc.connected | Whether there is any active connection to the kernel extension. | @@ -259,7 +275,13 @@ The following fields are collected: | ipc.kauth.vnode.read_sec | | | ipc.kauth.vnode.write_sec | | | ipc.kauth.vnode.take_own | | +| ipc.kauth.vnode.link | | +| ipc.kauth.vnode.create | | +| ipc.kauth.vnode.move | | +| ipc.kauth.vnode.mount | | | ipc.kauth.vnode.denied | | +| ipc.kauth.vnode.ackd_before_deadline | | +| ipc.kauth.vnode.missed_deadline | | | ipc.kauth.file_op.mask | | | ipc.kauth_file_op.open | | | ipc.kauth.file_op.close | | @@ -268,6 +290,7 @@ The following fields are collected: | ipc.kauth.file_op.link | | | ipc.kauth.file_op.exec | | | ipc.kauth.file_op.remove | | +| ipc.kauth.file_op.unmount | | | ipc.kauth.file_op.fork | | | ipc.kauth.file_op.create | | diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 23a14e3ccd..9da990fe57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -72,7 +72,7 @@ You can also delete tags from this view. >- Windows 7 SP1 > [!NOTE] -> The maximum number of characters that can be set in a tag from the registry is 30. +> The maximum number of characters that can be set in a tag is 200. Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 3c7b1fa724..531278a14a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -76,7 +76,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can * URL - wildcard supported * Command line - wildcard supported -3. Select the **Trigerring IOC**. +3. Select the **Triggering IOC**. 4. Specify the action and scope on the alert.
    You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.

    Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index 0534d30935..1f798a3ece 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md @@ -30,14 +30,17 @@ To onboard machines without Internet access, you'll need to take the following g Windows Server 2016 and earlier or Windows 8.1 and earlier. > [!NOTE] -> An OMS gateway server can still be used as proxy for disconnected Windows 10 machines when configured via 'TelemetryProxyServer' registry or GPO. +> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO. +> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance. +> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server. +> - For more information about updating CTLs offline, see (Configure a file or web server to download the CTL files)[https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files]. -For more information, see the following articles: +For more information about onboarding methods, see the following articles: - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel) - [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) - [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy) -## On-premise machines +## On-premises machines - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index d5613256d1..5d98e6652f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -179,108 +179,45 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W 3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. -Before the systems can be onboarded into the workspace, the deployment scripts need to be updated to contain the correct information. Failure to do so will result in the systems not being properly onboarded. Depending on the deployment method, this step may have already been completed. +4. Install the Microsoft Monitoring Agent (MMA).
    + MMA is currently (as of January 2019) supported on the following Windows Operating + Systems: -Edit the InstallMMA.cmd with a text editor, such as notepad and update the -following lines and save the file: + - Server SKUs: Windows Server 2008 SP1 or Newer - ![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png) + - Client SKUs: Windows 7 SP1 and later -Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file: + The MMA agent will need to be installed on Windows devices. To install the + agent, some systems will need to download the [Update for customer experience + and diagnostic + telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + in order to collect the data with MMA. These system versions include but may not + be limited to: - ![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png) + - Windows 8.1 -Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating -Systems: + - Windows 7 -- Server SKUs: Windows Server 2008 SP1 or Newer + - Windows Server 2016 -- Client SKUs: Windows 7 SP1 and later + - Windows Server 2012 R2 -The MMA agent will need to be installed on Windows devices. To install the -agent, some systems will need to download the [Update for customer experience -and diagnostic -telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) -in order to collect the data with MMA. These system versions include but may not -be limited to: + - Windows Server 2008 R2 -- Windows 8.1 + Specifically, for Windows 7 SP1, the following patches must be installed: -- Windows 7 + - Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) -- Windows Server 2016 + - Install either [.NET Framework + 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. -- Windows Server 2012 R2 +5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. -- Windows Server 2008 R2 - -Specifically, for Windows 7 SP1, the following patches must be installed: - -- Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - -- Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -To deploy the MMA with Microsoft Endpoint Configuration Manager, follow the steps -below to utilize the provided batch files to onboard the systems. The CMD file -when executed, will require the system to copy files from a network share by the -System, the System will install MMA, Install the DependencyAgent, and configure -MMA for enrollment into the workspace. - - -1. In Microsoft Endpoint Configuration Manager console, navigate to **Software - Library**. - -2. Expand **Application Management**. - -3. Right-click **Packages** then select **Create Package**. - -4. Provide a Name for the package, then click **Next** - - ![Image of Microsoft Endpoint Configuration Manager console](images/e156a7ef87ea6472d57a3dc594bf08c2.png) - -5. Verify **Standard Program** is selected. - - ![Image of Microsoft Endpoint Configuration Manager console](images/227f249bcb6e7f29c4d43aa1ffaccd20.png) - -6. Click **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/2c7f9d05a2ebd19607cc76b6933b945b.png) - -7. Enter a program name. - -8. Browse to the location of the InstallMMA.cmd. - -9. Set Run to **Hidden**. - -10. Set **Program can run** to **Whether or not a user is logged on**. - -11. Click **Next**. - -12. Set the **Maximum allowed run time** to 720. - -13. Click **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png) - -14. Verify the configuration, then click **Next**. - - ![Image of Microsoft Endpoint Configuration Manager console](images/a9d3cd78aa5ca90d3c2fbd2e57618faf.png) - -15. Click **Next**. - -16. Click **Close**. - -17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP - Onboarding Package just created and select **Deploy**. - -18. On the right panel select the appropriate collection. - -19. Click **OK**. +Once completed, you should see onboarded endpoints in the portal within an hour. ## Next generation protection Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 967d14b25f..2b029e2725 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -27,8 +27,8 @@ ms.topic: conceptual Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. -

    -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug] + +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug] Article | Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index a92e6a198a..8eb9582866 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -29,6 +29,9 @@ The Microsoft Defender ATP service is constantly being updated to include new fe Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +>[!TIP] +>Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us` + For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md). ## Turn on preview features @@ -44,6 +47,8 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
    Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. + - [Create indicators for certificates](manage-indicators.md)
    Create indicators to allow or block certificates. - [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
    Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux. diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 0c0a59b197..3e320c90a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -144,6 +144,9 @@ Appendix section in this document for the URLs Whitelisting or on [Microsoft Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection#enable-access-to-windows-defender-atp-service-urls-in-the-proxy-server). +> [!NOTE] +> For a detailed list of URLs that need to be whitelisted, please see [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus). + **Manual static proxy configuration:** - Registry based configuration @@ -198,9 +201,9 @@ Use netsh to configure a system-wide static proxy. 1. Open an elevated command-line: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command prompt** and select **Run as administrator**. + 1. Right-click **Command prompt** and select **Run as administrator**. 2. Enter the following command and press **Enter**: @@ -228,7 +231,7 @@ needed if the machine is on Windows 10, version 1803 or later. Service location | Microsoft.com DNS record -|- -Common URLs for all locations | ```crl.microsoft.com```
    ```ctldl.windowsupdate.com```
    ```events.data.microsoft.com```
    ```notify.windows.com```
    ```settings-win.data.microsoft.com``` +Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```
    ```ctldl.windowsupdate.com```
    ```www.microsoft.com/pkiops/*```
    ```events.data.microsoft.com```
    ```notify.windows.com```
    ```settings-win.data.microsoft.com``` European Union | ```eu.vortex-win.data.microsoft.com```
    ```eu-v20.events.data.microsoft.com```
    ```usseu1northprod.blob.core.windows.net```
    ```usseu1westprod.blob.core.windows.net```
    ```winatp-gw-neu.microsoft.com```
    ```winatp-gw-weu.microsoft.com```
    ```wseu1northprod.blob.core.windows.net```
    ```wseu1westprod.blob.core.windows.net``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
    ```uk-v20.events.data.microsoft.com```
    ```ussuk1southprod.blob.core.windows.net```
    ```ussuk1westprod.blob.core.windows.net```
    ```winatp-gw-uks.microsoft.com```
    ```winatp-gw-ukw.microsoft.com```
    ```wsuk1southprod.blob.core.windows.net```
    ```wsuk1westprod.blob.core.windows.net``` United States | ```us.vortex-win.data.microsoft.com```
    ```ussus1eastprod.blob.core.windows.net```
    ```ussus1westprod.blob.core.windows.net```
    ```ussus2eastprod.blob.core.windows.net```
    ```ussus2westprod.blob.core.windows.net```
    ```ussus3eastprod.blob.core.windows.net```
    ```ussus3westprod.blob.core.windows.net```
    ```ussus4eastprod.blob.core.windows.net```
    ```ussus4westprod.blob.core.windows.net```
    ```us-v20.events.data.microsoft.com```
    ```winatp-gw-cus.microsoft.com```
    ```winatp-gw-eus.microsoft.com```
    ```wsus1eastprod.blob.core.windows.net```
    ```wsus1westprod.blob.core.windows.net```
    ```wsus2eastprod.blob.core.windows.net```
    ```wsus2westprod.blob.core.windows.net``` @@ -253,9 +256,9 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). > [!NOTE] -> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. +> As a cloud-based solution, the IP address range can change. It's recommended you move to DNS resolving setting. ## Next step ||| |:-------|:-----| -|![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them +|![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them. diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index f2c30ec2e4..c55c6e231f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -27,8 +27,9 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink) >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections +>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API. diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 9213bd067e..5989682e15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -211,7 +211,7 @@ Results of deep analysis are matched against threat intelligence and any matches Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] **Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 2251ec4e49..b3955f8794 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -30,20 +30,20 @@ ms.topic: article Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. -1. Create a folder: 'C:\test-WDATP-test'. +1. Create a folder: 'C:\test-MDATP-test'. 2. Open an elevated command-line prompt on the machine and run the script: - a. Go to **Start** and type **cmd**. + 1. Go to **Start** and type **cmd**. - b. Right-click **Command Prompt** and select **Run as administrator**. + 1. Right-click **Command Prompt** and select **Run as administrator**. - ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) + ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) 3. At the prompt, copy and run the following command: - ``` - powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe' - ``` + ```powershell + powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' + ``` The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 56a0d71130..0628b4a46e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -88,5 +88,4 @@ crl.microsoft.com` - `https://static2.sharepointonline.com` -## Related topics -- [Validate licensing provisioning and complete setup for Microsoft Defender ATP](licensing.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index b249fb1bb3..2558e46497 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -23,8 +23,6 @@ ms.topic: conceptual >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -[!include[Prerelease information](../../includes/prerelease.md)] - Microsoft Defender ATP Threat & Vulnerability management's discovery capability shows in the **Software inventory** page. The software inventory includes the name of the product or vendor, the latest version it is in, and the number of weaknesses and vulnerabilities detected with it. ## How it works diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 394a8eb887..caa1caf419 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -27,8 +27,13 @@ The following features are generally available (GA) in the latest release of Mic For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection). -RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: -`https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+functionality+in+Microsoft+Defender+ATP%22&locale=en-us` + +> [!TIP] +> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader: +> +> ```https +> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us +> ``` ## April 2020 @@ -58,7 +63,7 @@ RSS feed: Get notified when this page is updated by copying and pasting the foll ## September 2019 -- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
    You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management portal (Intune). +- [Tamper Protection settings using Intune](../windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
    You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune). - [Live response](live-response.md)
    Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time. diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 3f0c5a6304..e5fa9cb4bc 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -35,17 +35,17 @@ This topic provides an overview of some of the software and firmware threats fac ## The security threat landscape -Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge. +Today's security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of temporarily taking a system offline. Since then, attacker's motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge. In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to: -- Eliminate entire classes of vulnerabilities +- Eliminate entire classes of vulnerabilities -- Break exploitation techniques +- Break exploitation techniques -- Contain the damage and prevent persistence +- Contain the damage and prevent persistence -- Limit the window of opportunity to exploit +- Limit the window of opportunity to exploit The following sections provide more detail about security mitigations in Windows 10, version 1703. @@ -59,14 +59,14 @@ Windows 10 mitigations that you can configure are listed in the following two ta |---|---| | **Windows Defender SmartScreen**
    helps prevent
    malicious applications
    from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

    **More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | | **Credential Guard**
    helps keep attackers
    from gaining access through
    Pass-the-Hash or
    Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
    Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

    **More information**: [Protect derived domain credentials with Credential Guard](/windows/access-protection/credential-guard/credential-guard) | -| **Enterprise certificate pinning**
    helps prevent
    man-in-the-middle attacks
    that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

    **More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) | -| **Device Guard**
    helps keep a device
    from running malware or
    other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
    Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

    **More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) | +| **Enterprise certificate pinning**
    helps prevent
    man-in-the-middle attacks
    that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can "pin" (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

    **More information**: [Enterprise Certificate Pinning](/windows/access-protection/enterprise-certificate-pinning) | +| **Device Guard**
    helps keep a device
    from running malware or
    other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
    Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

    **More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) | | **Windows Defender Antivirus**,
    which helps keep devices
    free of viruses and other
    malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

    **More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | -| **Blocking of untrusted fonts**
    helps prevent fonts
    from being used in
    elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

    **More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) | +| **Blocking of untrusted fonts**
    helps prevent fonts
    from being used in
    elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

    **More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) | | **Memory protections**
    help prevent malware
    from using memory manipulation
    techniques such as buffer
    overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
    A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

    **More information**: [Table 2](#table-2), later in this topic | -| **UEFI Secure Boot**
    helps protect
    the platform from
    bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

    **More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) | +| **UEFI Secure Boot**
    helps protect
    the platform from
    boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

    **More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) | | **Early Launch Antimalware (ELAM)**
    helps protect
    the platform from
    rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

    **More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) | -| **Device Health Attestation**
    helps prevent
    compromised devices from
    accessing an organization’s
    assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

    **More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) | +| **Device Health Attestation**
    helps prevent
    compromised devices from
    accessing an organization's
    assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

    **More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](https://docs.microsoft.com/windows-server/security/device-health-attestation) | Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly. @@ -84,7 +84,7 @@ As an IT professional, you can ask application developers and software vendors t Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads. -For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. +For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they're about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. For more information, see [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). @@ -92,39 +92,39 @@ For more information, see [Microsoft Defender SmartScreen overview](microsoft-de Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: -- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. +- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. -- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content. +- **Rich local context** improves how malware is identified. Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content. -- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. +- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. -- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.) +- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.) -- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution. +- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution. -For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). +For more information, see [Windows Defender in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://docs.microsoft.com/windows-server/security/windows-defender/windows-defender-overview-windows-server). For information about Microsoft Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Microsoft Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (resources) and [Microsoft Defender Advanced Threat Protection (ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) (documentation). ### Data Execution Prevention -Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? +Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn't it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? -Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit. +Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can't be used to execute malicious code that may be inserted by means of a vulnerability exploit. **To use Task Manager to see apps that use DEP** -1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. +1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. 2. Click **More Details** (if necessary), and then click the **Details** tab. -3. Right-click any column heading, and then click **Select Columns**. +3. Right-click any column heading, and then click **Select Columns**. -4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. +4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. -5. Click **OK**. +5. Click **OK**. You can now see which processes have DEP enabled. @@ -138,19 +138,19 @@ You can use Control Panel to view or change DEP settings. #### To use Control Panel to view or change DEP settings on an individual PC -1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. +1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. -2. Click **Advanced system settings**, and then click the **Advanced** tab. +2. Click **Advanced system settings**, and then click the **Advanced** tab. -3. In the **Performance** box, click **Settings**. +3. In the **Performance** box, click **Settings**. -4. In **Performance Options**, click the **Data Execution Prevention** tab. +4. In **Performance Options**, click the **Data Execution Prevention** tab. -5. Select an option: +5. Select an option: - - **Turn on DEP for essential Windows programs and services only** + - **Turn on DEP for essential Windows programs and services only** - - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. + - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. #### To use Group Policy to control DEP settings @@ -158,7 +158,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co ### Structured Exception Handling Overwrite Protection -Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. +Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). @@ -174,13 +174,13 @@ Address Space Layout Randomization (ASLR) makes that type of attack much more di Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. -You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). +You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings ("Force ASLR" and "Bottom-up ASLR"), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). ## Mitigations that are built in to Windows 10 Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. -Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. +Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. ### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed @@ -191,29 +191,29 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within | **Universal Windows apps protections**
    screen downloadable
    apps and run them in
    an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

    **More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | | **Heap protections**
    help prevent
    exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

    **More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | | **Kernel pool protections**
    help prevent
    exploitation of pool memory
    used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

    **More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | -| **Control Flow Guard**
    helps mitigate exploits
    that are based on
    flow between code locations
    in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
    For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

    **More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Control Flow Guard**
    helps mitigate exploits
    that are based on
    flow between code locations
    in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
    For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

    **More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | | **Protections built into Microsoft Edge** (the browser)
    helps mitigate multiple
    threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

    **More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. | ### SMB hardening improvements for SYSVOL and NETLOGON shares -In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts. +In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won't process domain-based Group Policy and scripts. > [!NOTE] -> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). +> The registry values for these settings aren't present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://msrc-blog.microsoft.com/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). ### Protected Processes Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type. -With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. +With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://docs.microsoft.com/windows/win32/services/protecting-anti-malware-services-). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. ### Universal Windows apps protections -When users download Universal Windows apps from the Microsoft Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. +When users download Universal Windows apps from the Microsoft Store, it's unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. -In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. +In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Microsoft Store displays the exact capabilities the app requires (for example, access to the camera), along with the app's age rating and publisher. ### Windows heap protections @@ -221,29 +221,29 @@ The *heap* is a location in memory that Windows uses to store dynamic applicatio Windows 10 has several important improvements to the security of the heap: -- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. +- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. -- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. +- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. -- **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. +- **Heap guard pages** before and after blocks of memory, which work as trip wires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. ### Kernel pool protections -The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. +The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one which can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. In addition to pool hardening, Windows 10 includes other kernel hardening features: -- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic. +- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic. -- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx). +- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://docs.microsoft.com/windows/win32/secauthz/appcontainer-isolation). -- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) +- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) -- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. +- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the "supervisor") from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. -- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination. +- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination. -- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory. +- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory. ### Control Flow Guard @@ -251,31 +251,31 @@ When applications are loaded into memory, they are allocated space based on the This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. -An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx). +An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://docs.microsoft.com/windows/win32/secbp/control-flow-guard). Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. ### Microsoft Edge and Internet Explorer 11 -Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. +Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially: -- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions. +- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions. -- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits. +- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits. -- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues. +- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues. -- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. +- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. -- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default. +- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default. In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. -For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. +For sites that require IE11 compatibility, including those that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. ### Functions that software vendors can use to build mitigations into apps @@ -288,21 +288,21 @@ Some of the protections available in Windows 10 are provided through functions t | Mitigation | Function | |-------------|-----------| -| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | -| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | -| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | -| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSignaturePolicy\] | -| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSystemCallDisablePolicy\] | -| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | -| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | -| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | -| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | +| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | +| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | +| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
    \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | +| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
    \[ProcessSignaturePolicy\] | +| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setprocessmitigationpolicy)
    \[ProcessSystemCallDisablePolicy\] | +| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | +| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | +| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | +| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | ## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit -You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. -Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)). +Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)). The following table lists EMET features in relation to Windows 10 features. @@ -337,7 +337,7 @@ to Windows 10 features

    • Null Page

    -Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic. +Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in Kernel pool protections, earlier in this topic.
      @@ -352,9 +352,9 @@ to Windows 10 features

    • Caller Check

    • Simulate Execution Flow

    • Stack Pivot

      • -

    • Deep Hooks (an ROP “Advanced Mitigation”)

      • -

    • Anti Detours (an ROP “Advanced Mitigation”)

      • -

    • Banned Functions (an ROP “Advanced Mitigation”)

      • +

    • Deep Hooks (an ROP "Advanced Mitigation")

      • +

    • Anti Detours (an ROP "Advanced Mitigation")

      • +

    • Banned Functions (an ROP "Advanced Mitigation")

    Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic. @@ -363,7 +363,7 @@ to Windows 10 features ### Converting an EMET XML settings file into Windows 10 mitigation policies -One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet: +One of EMET's strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet: ```powershell Install-Module -Name ProcessMitigations @@ -423,21 +423,21 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath [!NOTE] -> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV. +> [!TIP] +> Restoring a file from quarantine can also be done using Command Prompt. See [Restore a file from quarantine](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts#restore-file-from-quarantine). ## Related articles diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 02dad7adfd..7f723913e2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -14,7 +14,7 @@ author: denisebmsft ms.reviewer: isbrahm ms.author: deniseb manager: dansimp -ms.date: 04/15/2020 +ms.date: 05/26/2020 ms.custom: asr --- @@ -43,12 +43,12 @@ Windows 10 includes two technologies that can be used for application control de ## In this section -| Topic | Description | -| - | - | -| [WDAC and AppLocker Overview](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. | -| [WDAC and AppLocker Feature Availability](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | +| Article | Description | +| --- | --- | +| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. | +| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. | -## See also +## Related articles - [WDAC design guide](windows-defender-application-control-design-guide.md) - [WDAC deployment guide](windows-defender-application-control-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 7826641e1f..5020c63596 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 10/17/2017 +ms.date: 05/27/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -53,9 +53,9 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| |Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
    -Disable the clipboard functionality completely when Virtualization Security is enabled.
    - Enable copying of certain content from Application Guard into Microsoft Edge.
    - Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

    **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
    - Enable Application Guard to print into the XPS format.
    - Enable Application Guard to print into the PDF format.
    - Enable Application Guard to print to locally attached printers.
    - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

    **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **Note**
    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
    **To reset the container:**
    1. Open a command-line program and navigate to `Windows/System32`.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| +|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
    - Enable Application Guard to print into the XPS format.
    - Enable Application Guard to print into the PDF format.
    - Enable Application Guard to print to locally attached printers.
    - Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.

    **Note**
    Network printers must be published by Active Directory to work in Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container. **Note:** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

    **Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.

    **Note**
    This policy is no longer supported in the 2004 update and later.| +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **Note**
    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

    **To reset the container:**
    1. Open a command-line program and navigate to `Windows/System32`.
    2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| |Turn on Windows Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device. Available options:
    - Enable Windows Defender Application Guard only for Microsoft Edge
    - Enable Windows Defender Application Guard only for Microsoft Office
    - Enable Windows Defender Application Guard for both Microsoft Edge and Microsoft Office

    **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| |Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

    **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| |Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

    **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index 1c44d0d42f..a0f657a331 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -22,6 +22,7 @@ ms.reviewer: - Windows 10 - Windows Server - Microsoft 365 Apps for enterprise +- Microsoft Edge ## Using security baselines in your organization diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index a043492918..edb6146667 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) ## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) ## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) ## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) diff --git a/windows/whats-new/images/system-guard2.png b/windows/whats-new/images/system-guard2.png new file mode 100644 index 0000000000..5505ffa78c Binary files /dev/null and b/windows/whats-new/images/system-guard2.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index b7051cfee0..f8674a3abf 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -18,6 +18,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) - [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) - [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) - [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index e49c027a4d..6898dce476 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511) and Windows 10 Mobile. ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 ms.reviewer: ms.prod: w10 @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, versions 1507 and 1511 +# What's new in Windows 10, versions 1507 and 1511 for IT Pros Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index f27cc65739..2b6f691d44 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) -description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 (version 1607) and Windows 10 Mobile. +description: What's new in Windows 10 for Windows 10 (version 1607) and Windows 10 Mobile. keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.author: greglin ms.topic: article --- -# What's new in Windows 10, version 1607 +# What's new in Windows 10, version 1607 for IT Pros Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 1a4c0d57c0..bcec94de57 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1703 -description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated). +description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated). keywords: ["What's new in Windows 10", "Windows 10", "creators update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: greglin ms.topic: article --- -# What's new in Windows 10, version 1703 IT pro content +# What's new in Windows 10, version 1703 for IT Pros Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index ef9b4541f0..17f5cb4dfe 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1709 -description: New and updated IT Pro content about new features in Windows 10, version 1709 (also known as the Fall Creators Update). +description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update). keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1709 IT Pro content +# What's new in Windows 10, version 1709 for IT Pros **Applies to** - Windows 10, version 1709 @@ -95,7 +95,8 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is ### Window Defender Exploit Guard -Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/network-protection). +Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection), [Attack surface reduction protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction), [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access), and [Network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection). + ### Windows Defender Device Guard @@ -149,3 +150,7 @@ Several network stack enhancements are available in this release. Some of these [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
    [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
    [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. +[Threat protection on Windows 10](https://docs.microsoft.com/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
    + + + diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index 051d5d4b6e..acd7f43bb2 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1803 -description: New and updated IT Pro content about new features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). +description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1803 IT Pro content +# What's new in Windows 10, version 1803 for IT Pros **Applies to** - Windows 10, version 1803 diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index ec640e3eea..795fbe2644 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1903 -description: New and updated IT Pro content about new features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). +description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1903 IT Pro content +# What's new in Windows 10, version 1903 for IT Pros **Applies to** - Windows 10, version 1903 diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 6d20ec5fa7..60ca36e9dd 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10, version 1909 -description: New and updated IT Pro content about new features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). +description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"] ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.topic: article --- -# What's new in Windows 10, version 1909 IT Pro content +# What's new in Windows 10, version 1909 for IT Pros **Applies to** - Windows 10, version 1909 diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md new file mode 100644 index 0000000000..e231fecb9a --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -0,0 +1,246 @@ +--- +title: What's new in Windows 10, version 2004 +description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update). +keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10, version 2004 for IT Pros + +**Applies to** +- Windows 10, version 2004 + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. + +> [!NOTE] +> The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003. + +## Security + +### Windows Hello + +- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. +- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. +- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). + +### Windows Defender System Guard + +In this release, [Windows Defender System Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows) enables an even *higher* level of [System Management Mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows#system-management-mode-smm-protection) (SMM) Firmware Protection that goes beyond checking the OS memory and secrets to additional resources like registers and IO. + +With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon. + + ![System Guard](images/system-guard2.png) + +### Windows Defender Application Guard + +[Windows Defender Application Guard](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) has been available for Chromium-based Edge since early 2020. + +Note: [Application Guard for Office](https://support.office.com/article/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46) is coming soon. + +## Deployment + +### Windows Setup + +Improvements in Windows Setup with this release include: +- Reduced offline time during feature updates +- Improved controls for reserved storage +- Improved controls and diagnostics +- New recovery options + +For more information, see Windows Setup enhancements in the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/pilot-new-features-with-the-windows-insider-program-for-business/ba-p/1220464). + +### SetupDiag + +In Windows 10, version 2004, SetupDiag is now automatically installed. + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a command-line tool that can help diagnose why a Windows 10 update failed. SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. + +During the upgrade process, Windows Setup will extract all its sources files to the **%SystemDrive%\$Windows.~bt\Sources** directory. With Windows 10, version 2004 and later, Windows Setup now also installs SetupDiag.exe to this directory. If there is an issue with the upgrade, SetupDiag is automatically run to determine the cause of the failure. If the upgrade process proceeds normally, this directory is moved under %SystemDrive%\Windows.Old for cleanup. + +### Windows Autopilot + +With this release, you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. + +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. + +### Microsoft Endpoint Manager + +An in-place upgrade wizard is available in Configuration Manager. For more information, see [Simplifying Windows 10 deployment with Configuraton Manager](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-windows-10-deployment-with-configuration-manager/ba-p/1214364). + +Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/whats-new). + +### Windows Assessment and Deployment Toolkit (ADK) + +Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). + +For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). + +### Microsoft Deployment Toolkit (MDT) + +MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. This issue is currently under investigation. + +For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes). + +## Servicing + +### Delivery Optimization + +Windows PowerShell cmdlets have been improved: + +- **Get-DeliveryOptimizationStatus** has added the **-PeerInfo** option for a real-time peak behind the scenes on peer-to-peer activity (for example the peer IP Address, bytes received / sent). +- **Get-DeliveryOptimizationLogAnalysis** is a new cmdlet that provides a summary of the activity in your DO log (# of downloads, downloads from peers, overall peer efficiency). Use the **-ListConnections** option to for in-depth look at peer-to-peer connections. +- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. + +Additional improvements: +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Automatic cloud-based congestion detection is available for PCs with cloud service support. + +The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release: + +- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) + - Reason: Replaced with separate policies for foreground and background +- Max Upload Bandwidth (DOMaxUploadBandwidth) + - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. +- Absolute max throttle (DOMaxDownloadBandwidth) + - Reason: separated to foreground and background + +### Windows Update for Business + +[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include: +- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. +- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. + +## Virtualization + +### Containers on Windows + +This update includes 5 fixes to allow the host to run down-level containers on up-level for process (Argon) isolation. Previously [Containers on Windows](https://docs.microsoft.com/virtualization/windowscontainers/) required matched host and container version. This limited Windows containers from supporting mixed-version container pod scenarios. + +### Windows Sandbox + +[Windows Sandbox](https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849) is an isolated desktop environment where you can install software without the fear of lasting impact to your device. This feature was released with Windows 10, version 1903. Windows 10, version 2004 includes bugfixes and enables even more control over configuration. + +[Windows Sandbox configuration](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file) includes: +- MappedFolders now supports a destination folder. Previously no destination could be specified, it was always mapped to the Sandbox desktop. +- AudioInput/VideoInput settings now enable you to share their host microphone or webcam with the Sandbox. +- ProtectedClient is a new security setting that runs the connection to the Sandbox with extra security settings enabled. This is disabled by default due to issues with copy & paste. +- PrinterRedirection: You can now enable and disable host printer sharing with the Sandbox. +- ClipboardRedirection: You can now enable and disable host clipboard sharing with the Sandbox. +- MemoryInMB adds the ability to specify the maximum memory usage of the Sandbox. + +Windows Media Player is also added back to the Sandbox image in this release. + +Windows Sandbox also has improved accessibility in this release, including: +- Microphone support is available. +- Added functionality to configure the audio input device via the Windows Sandbox config file. +- A Shift + Alt + PrintScreen key sequence that activates the ease of access dialog for enabling high contrast mode. +- A ctrl + alt + break key sequence that allows entering/exiting fullscreen mode. + +### Windows Subsystem for Linux (WSL) + +With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed. + +[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization. + +For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes). + +### Windows Virtual Desktop (WVD) + +Windows 10 is an integral part of WVD, and several enhancements are available in the Spring 2020 update. Check out [Windows Virtual Desktop documentation](https://aka.ms/wvdgetstarted) for the latest and greatest information, as well as the [WVD Virtual Event from March](https://aka.ms/wvdvirtualevent). + +## Microsoft Edge + +Read about plans for the new Microsoft Edge and other innovations announced at [Build 2020](https://blogs.windows.com/msedgedev/2020/05/19/microsoft-edge-news-developers-build-2020/) and [What's new at Microsoft Edge Insider](https://www.microsoftedgeinsider.com/whats-new). + +Also see information about the exciting new Edge browser [here](https://blogs.windows.com/windowsexperience/2020/01/15/new-year-new-browser-the-new-microsoft-edge-is-out-of-preview-and-now-available-for-download/). + +## Application settings + +This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC. + +## Windows Shell + +Several enhancements to the Windows 10 user interface are implemented in this release: + +### Cortana + +[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004: +- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US. + - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users. +- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms. +- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop. + +For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020). + +### Windows Search + +Windows Search is [improved](https://insider.windows.com/community-news/desktop-search/) in several ways. + +### Virtual Desktops + +You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1. + +### Bluetooth pairing + +Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985). + +### Reset this PC + +The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option. + +### Task Manager + +The following items are added to Task Manager in this release: +- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card. +- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898). + +## Graphics & display + +### DirectX + +[New DirectX 12 features](https://devblogs.microsoft.com/directx/dev-preview-of-new-directx-12-features/) are available in this release. + +### 2-in-1 PCs + +A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch When you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption. + +### Specialized displays + +With this update, devices running Windows 10 Enterprise or Windows 10 Pro for Workstations with multiple displays can be configured to prevent Windows from using a display, making it available for a specialized purpose. + +Examples include: +- Fixed-function arcade & gaming such as cockpit, driving, flight, and military simulators +- Medical imaging devices with custom panels, such as grayscale X-ray displays +- Video walls like those displayed in Microsoft Store +- Dedicated video monitoring +- Monitor panel testing and validation +- Independent Hardware Vendor (IHV) driver testing and validation + +To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use. + +## Desktop Analytics + +[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. + +For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new). + +## See Also + +[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
    +[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
    +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
    +[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
    +[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
    +[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
    +[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
    +[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
    +[What’s new for IT pros in Windows 10, version 2004](https://aka.ms/whats-new-in-2004): Windows IT Pro blog.