deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

from master

Browse Source
This commit is contained in:
Joey Caparas
2018-04-05 11:10:59 -07:00
parent 3bb7bad8d8 b23dfad952
commit 265c433b41
26 changed files with 783 additions and 413 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -112,7 +112,7 @@ The following image shows the EnterpriseModernAppManagement configuration servic
</Replace>
```
<a href="" id="appmanagement-removepackage"></a>**AppManagement/RemovePackage**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Used to remove packages.
<p style="margin-left: 20px">Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT.
<p style="margin-left: 20px">Parameters:
<ul>
@ -121,34 +121,18 @@ The following image shows the EnterpriseModernAppManagement configuration servic
<li>Name: Specifies the PackageFullName of the particular package to remove.</li>
<li>RemoveForAllUsers:
<ul>
<li>0 (default) Package will be un-provisioned so that new users do not receive the package. The package will remain installed for current users.</li>
<li>1 Package will be removed for all users.</li>
<li>0 (default) Package will be un-provisioned so that new users do not receive the package. The package will remain installed for current users. This is not currently supported.</li>
<li>1 Package will be removed for all users only if it is a provisioned package.</li>
</ul>
</li>
</ul>
</li>
<li>User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed. Not required for ./User/Vendor/MSFT.</li>
<li>User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed.</li>
</ul>
<p style="margin-left: 20px">Supported operation is Execute.
<p style="margin-left: 20px">The following example removes a package for the specified user:
```XML
<Exec>
<CmdID>10</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage</LocURI>
</Target>
<Meta><Format xmlns="syncml:metinf">xml</Format></Meta>
<Data>
<Package Name= "{PackageFullName}"/>
</Data>
</Item>
</Exec>
```
<p style="margin-left: 20px">The following example removes a package for all users:
````XML
@ -307,7 +291,12 @@ The following image shows the EnterpriseModernAppManagement configuration servic
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="----packagefamilyname-packagefullname-users"></a>**.../*PackageFamilyName*/*PackageFullName*/Users**
<p style="margin-left: 20px">Required. Registered users of the app. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
<p style="margin-left: 20px">Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
- Not Installed = 0
- Staged = 1
- Installed = 2
- Paused = 6
<p style="margin-left: 20px">Supported operation is Get.

BIN
windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 22 KiB

22
windows/client-management/mdm/multisim-csp.md
View File

@ -24,49 +24,49 @@ The following diagram shows the MultiSIM configuration service provider in tree
<a href="" id="multisim"></a>**./Device/Vendor/MSFT/MultiSIM**
Root node.
<a href="" id="tbd"></a>**_ModemID_**
<a href="" id="modemid"></a>**_ModemID_**
Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded modem.
<a href="" id="modemid"></a>**_ModemID_/Identifier**
<a href="" id="modemid-identifier"></a>**_ModemID_/Identifier**
Modem ID.
Supported operation is Get. Value type is string.
<a href="" id="tbd"></a>**_ModemID_/IsEmbedded**
<a href="" id="modemid-isembedded"></a>**_ModemID_/IsEmbedded**
Indicates whether this modem is embedded or external.
Supported operation is Get. Value type is bool.
<a href="" id="tbd"></a>**_ModemID_/Slots**
<a href="" id="modemid-slots"></a>**_ModemID_/Slots**
Represents all SIM slots in the Modem.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_**
<a href="" id="modemid-slots-slotid"></a>**_ModemID_/Slots/_SlotID_**
Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/Identifier**
<a href="" id="modemid-slots-slotid-identifier"></a>**_ModemID_/Slots/_SlotID_/Identifier**
Slot ID.
Supported operation is Get. Value type is integer.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/IsEmbedded**
<a href="" id="modemid-slots-slotid-isembedded"></a>**_ModemID_/Slots/_SlotID_/IsEmbedded**
Indicates whether this Slot is embedded or a physical SIM slot.
Supported operation is Get. Value type is bool.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/IsSelected**
<a href="" id="modemid-slots-slotid-isselected"></a>**_ModemID_/Slots/_SlotID_/IsSelected**
Indicates whether this Slot is selected or not.
Supported operation is Get and Replace. Value type is bool.
<a href="" id="tbd"></a>**_ModemID_/Slots/_SlotID_/State**
<a href="" id="modemid-slots-slotid-state"></a>**_ModemID_/Slots/_SlotID_/State**
Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
Supported operation is Get. Value type is integer.
<a href="" id="tbd"></a>**_ModemID_/Policies**
<a href="" id="modemid-policies"></a>**_ModemID_/Policies**
Policies associated with the Modem.
<a href="" id="tbd"></a>**_ModemID_/Policies/SlotSelectionEnabled**
<a href="" id="modemid-policies-slotselectionenabled"></a>**_ModemID_/Policies/SlotSelectionEnabled**
Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
Supported operation is Get and Replace. Value type is bool.

25
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1608,6 +1608,31 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## Change history in MDM documentation
### April 2018
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<thead>
<tr class="header">
<th>New or updated topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td style="vertical-align:top">[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)</td>
<td style="vertical-align:top"><p>Added the following node in Windows 10, version 1803:</p>
<ul>
<li>Settings/AllowVirtualGPU</li>
<li>Settings/SaveFilesToHost</li>
</ul>
</td></tr>
</tbody>
</table>
### March 2018
<table class="mx-tdBreakAll">

4
windows/client-management/mdm/policy-csp-eventlogservice.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/12/2018
ms.date: 04/02/2018
---
# Policy CSP - EventLogService
@ -200,7 +200,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies the maximum size of the log file in kilobytes.
If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you enable this policy setting, you can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.
If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

2
windows/client-management/mdm/policy-csp-experience.md
View File

@ -359,7 +359,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect.
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), then disabling the MDM unenrollment has no effect.
> [!NOTE]
> The MDM server can always remotely delete the account.

21
windows/client-management/mdm/policy-csp-kioskbrowser.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/12/2018
ms.date: 04/03/2018
---
# Policy CSP - KioskBrowser
@ -14,6 +14,7 @@ ms.date: 03/12/2018
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
These policies only apply to kiosk browser.
<hr/>
@ -83,6 +84,9 @@ ms.date: 03/12/2018
<!--Description-->
Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs.
> [!Note]
> This policy only applies to kiosk browser.
<!--/Description-->
<!--/Policy-->
@ -127,6 +131,9 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL
<!--Description-->
Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to.
> [!Note]
> This policy only applies to kiosk browser.
<!--/Description-->
<!--/Policy-->
@ -171,6 +178,9 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s
<!--Description-->
Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart.
> [!Note]
> This policy only applies to kiosk browser.
<!--/Description-->
<!--/Policy-->
@ -215,6 +225,9 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
<!--Description-->
Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
> [!Note]
> This policy only applies to kiosk browser.
<!--/Description-->
<!--/Policy-->
@ -259,6 +272,9 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button.
<!--Description-->
Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back).
> [!Note]
> This policy only applies to kiosk browser.
<!--/Description-->
<!--/Policy-->
@ -305,6 +321,9 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle
The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser.
> [!Note]
> This policy only applies to kiosk browser.
<!--/Description-->
<!--/Policy-->
<hr/>

14
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 11/01/2017
ms.date: 03/22/2018
---
# WindowsDefenderApplicationGuard CSP
@ -81,6 +81,18 @@ The following diagram shows the WindowsDefenderApplicationGuard configuration se
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
<a href="" id="allowvirtualgpu"></a>**Settings/AllowVirtualGPU**
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual GPU to process graphics. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
- 0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.
<a href="" id="savefilestohost"></a>**Settings/SaveFilesToHost**
Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0).
- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
<a href="" id="status"></a>**Status**
<p style="margin-left: 20px">Returns status on Application Guard installation and pre-requisites. Value type is integer. Supported operation is Get.</p>

56
windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 12/05/2017
ms.date: 03/22/2018
---
# WindowsDefenderApplicationGuard DDF file
@ -16,6 +16,8 @@ This topic shows the OMA DM device description framework (DDF) for the **Windows
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
This XML is for Windows 10, version 1803.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
@ -25,7 +27,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>WindowsDefenderApplicationGuard</NodeName>
<Path>./Vendor/MSFT</Path>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
@ -40,7 +42,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/WindowsDefenderApplicationGuard</MIME>
<MIME>com.microsoft/1.2/MDM/WindowsDefenderApplicationGuard</MIME>
</DFType>
</DFProperties>
<Node>
@ -200,6 +202,52 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AllowVirtualGPU</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SaveFilesToHost</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Status</NodeName>
@ -229,7 +277,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
<Exec />
</AccessType>
<DFFormat>
<int />
<chr />
</DFFormat>
<Occurrence>
<One />

8
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -8,13 +8,19 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: jdeckerms
ms.date: 03/23/2018
ms.date: 04/04/2018
---
# Change history for Configure Windows 10
This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile.
## April 2018
New or changed topic | Description
--- | ---
[Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Updated endpoints.
## March 2018
New or changed topic | Description

12
windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: brianlic-msft
ms.date: 10/17/2017
ms.date: 04/04/2018
---
# Configure Windows diagnostic data in your organization
@ -143,11 +143,17 @@ All diagnostic data data is encrypted using SSL and uses certificate pinning dur
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
The following table defines the endpoints for diagnostic data services:
The following table defines the endpoints for Connected User Experiences and Telemetry component:
Windows release | Endpoint
--- | ---
Windows 10, versions 1703 and 1709 | Diagnostics data: v10.vortex-win.data.microsoft.com/collect/v1</br></br>Functional: v20.vortex-win.data.microsoft.com/collect/v1</br>Windows Advanced Threat Protection is country specific and the prefix changes by country for example: **de**.vortex-win.data.microsoft.com/collect/v1</br>settings-win.data.microsoft.com
Windows 10, version 1607 | v10.vortex-win.data.microsoft.com</br></br>settings-win.data.microsoft.com
The following table defines the endpoints for other diagnostic data services:
| Service | Endpoint |
| - | - |
| Connected User Experiences and Telemetry component | v10.vortex-win.data.microsoft.com<br />settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
| OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 |

4
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -9,7 +9,7 @@ ms.localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
author: mtniehaus
ms.date: 11/09/2017
ms.date: 04/03/2018
---
# Create a Windows 10 reference image
@ -20,7 +20,7 @@ ms.date: 11/09/2017
Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution.
For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation.
>{!NOTE]}  
>!NOTE]
>For important details about the setup for the steps outlined in this article, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
 
![figure 1](../images/mdt-08-fig01.png)

22
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
ms.date: 03/20/2018
ms.date: 04/03/2018
---
# Frequently asked questions and troubleshooting Windows Analytics
@ -33,6 +33,8 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Disable Upgrade Readiness](#disable-upgrade-readiness)
[Exporting large data sets](#exporting-large-data-sets)
### Devices not showing up
@ -179,6 +181,24 @@ If you want to stop using Upgrade Readiness and stop sending diagnostic data dat
3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*.
4. **Optional step:** You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection".
### Exporting large data sets
Azure Log Analytics is optimized for advanced analytics of large data sets and can efficiently generate summaries and analytics for them. The query language is not optimized (or intended) for returning large raw data sets and has built-in limits to protect against overuse. There are times when it might be necessary to get more data than this, but that should be done sparingly since this is not the intended way to use Azure Log Analytics. The following code snippet shows how to retrieve data from UAApp one “page” at a time:
```
let snapshot = toscalar(UAApp | summarize max(TimeGenerated));
let pageSize = 100000;
let pageNumber = 0;
UAApp
| where TimeGenerated == snapshot and IsRollup==true and RollupLevel=="Granular" and Importance == "Low install count"
| order by AppName, AppVendor, AppVersion desc
| serialize
| where row_number(0) >= (pageSize * pageNumber)
| take pageSize
```
## Other common questions

2
windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 03/30/2018
ms.date: 04/03/2018
ms.localizationpriority: high
---

4
windows/deployment/windows-10-deployment-scenarios.md
View File

@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.sitesec: library
ms.date: 03/16/2018
ms.date: 04/03/2018
author: greg-lindsay
---
@ -23,7 +23,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
- Traditional deployment methods use tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.<br>&nbsp;
<table border="1">
<table border="0">
<tr><td align="center" style="width:16%; border:1;" bgcolor='#a0e4fa'><b>Category</b></td>
<td align="center" style="width:16%; border:1;" bgcolor='#a0e4fa'><b>Scenario</b></td>
<td align="center" style="width:16%; border:1;" bgcolor='#a0e4fa'><b>Description</b></td>

2
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -20,7 +20,7 @@ Prefer video? See
[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
in the Deep Dive into Windows Defender Credential Guard video series.
For Windows Defender Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
## Hardware and software requirements

2
windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
View File

@ -152,7 +152,7 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
> **Note**&nbsp;&nbsp;Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
3. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
3. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule?view=win10-ps) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
` Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User `

2
windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
View File

@ -110,7 +110,7 @@ For example:
### Enable the managed installer option in WDAC policy
In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy.
This can be done by using the [Set-RuleOption cmdlet](https://technet.microsoft.com/itpro/powershell/windows/configci/set-ruleoption).
This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps).
An example of the managed installer option being set in policy is shown below.
```code

2
windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
View File

@ -42,7 +42,7 @@ If you plan to use an internal CA to sign catalog files or WDAC policies, see th
WDAC policies include *policy rules*, which control options such as audit mode or whether UMCI is enabled in a WDAC policy. You can modify these options in a new or existing WDAC policy. (For information about *file rules*, which specify the level at which applications will be identified and trusted, see the next section, [Windows Defender Application Control file rule levels](#windows-defender-application-control-file-rule-levels).)
To modify the policy rule options of an existing WDAC policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
To modify the policy rule options of an existing WDAC policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:

19
windows/security/threat-protection/device-guard/device-guard-deployment-guide.md
View File

@ -20,25 +20,6 @@ With thousands of new malicious files created every day, using traditional metho
Windows Defender Device Guard also uses virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, the ability to run malicious executable code is much less likely.
This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:
- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
- [Requirements and deployment planning guidelines for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md)
- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
- [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
- [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md)
- [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
## Related topics

18
windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
View File

@ -811,7 +811,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the WDAC policy to a binary format:
3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the WDAC policy to a binary format:
` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
@ -955,11 +955,11 @@ To merge two WDAC policies, complete the following steps in an elevated Windows
> [!Note]
> The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new WDAC policy:
2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy?view=win10-ps) to merge two policies and create a new WDAC policy:
` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
3. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the merged WDAC policy to binary format:
3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the merged WDAC policy to binary format:
` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin `
@ -987,7 +987,7 @@ Every WDAC policy is created with audit mode enabled. After you have successfull
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
To ensure that these options are enabled in a policy, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect.
To ensure that these options are enabled in a policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect.
` Set-RuleOption -FilePath $InitialCIPolicy -Option 9`
@ -997,14 +997,14 @@ Every WDAC policy is created with audit mode enabled. After you have successfull
` copy $InitialCIPolicy $EnforcedCIPolicy`
4. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to delete the audit mode rule option:
4. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to delete the audit mode rule option:
` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
> [!Note]
> To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy.
5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new WDAC policy to binary format:
5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the new WDAC policy to binary format:
` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
@ -1052,7 +1052,7 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` cd $env:USERPROFILE\Desktop `
5. Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add an update signer certificate to the WDAC policy:
5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule?view=win10-ps) to add an update signer certificate to the WDAC policy:
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
@ -1060,11 +1060,11 @@ If you do not have a code signing certificate, see the [Optional: Create a code
> *&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see the [Disable signed Windows Defender Application Control policies within Windows](#disable-signed-windows-defender-application-control-policies-within-windows) section.
6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option:
6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to remove the unsigned policy rule option:
` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
7. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the policy to binary format:
7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the policy to binary format:
` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`

2
windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
View File

@ -29,7 +29,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the Account lockout threshold value to 0.
It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.
### Location

8
windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 11/20/2017
author: andreabichsel
ms.author: v-anbic
ms.date: 04/04/2018
---
# Configure and validate network connections for Windows Defender Antivirus
@ -77,7 +77,7 @@ Microsoft Update Service (MU)
Signature and product updates
</td>
<td>
*.updates.microsoft.com
*.update.microsoft.com
</td>
</tr>
<tr style="vertical-align:top">

8
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 11/09/2017
author: andreabichsel
ms.author: v-anbic
ms.date: 04/04/2018
---
@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s
State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md)
:-|:-|:-:|:-:|:-:|:-:|:-:
Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]]
Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]