diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index b610ebb83c..2da74c3dca 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -29,628 +29,130 @@ Microsoft Edge works with the following Group Policy settings to help you manage
Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\
## Allow a shared books folder
->*Supported versions: Windows 10, version 1803*
->*Default setting: None*
-
-You can configure Microsoft Edge to store books from the Books Library to a default, shared folder for Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads book files automatically to a common, shared folder, and prevents users from removing the book from the library. For this policy to work properly, users must be signed in with a school or work account.
-
-If you disable or don’t configure this policy, Microsoft Edge does not use a shared folder but downloads book files to a per-user folder for each user.
-
-
-
-**MDM settings in Microsoft Intune**
-| | |
-|---|---|
-|MDM name |Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |
-|Supported devices |Desktop |
-|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks |
-|Data type |Integer |
-|Allowed values |
If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. | |
-|Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.
-For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | |
+|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.
If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. | | +|Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.
For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | --- @@ -18,7 +17,7 @@ For each search engine added you must specify a link to the OpenSearch XML file | **Set default search engine** | **Allow search engine customization** | **Configure additional search engines** | **Outcome** | | --- | --- | --- | --- | -| Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. | +| Not configured (default) | Disabled | Disabled or not configured (default) | Default search engine specified in App settings. Users cannot make changes. | | Not configured (default) | Enabled or not configured (default) | Disabled or not configured (default) | Default search engine specified in App settings. Users can make changes to the default search engine at any time. | | Disabled | Disabled | Disabled or not configured (default) | Users cannot add, remove, or change any of the search engines, but they can set a default search engine. | | Disabled | Enabled or not configured (default) | Disabled or not configured (default) | Users can add new search engines or change the default search engine, in Settings. | @@ -26,7 +25,7 @@ For each search engine added you must specify a link to the OpenSearch XML file | Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. | --- - + ### ADMX info and settings 
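Review bot: The first hunk deletes the body of the "Allow a shared books folder" section (supported versions, description and the MDM table) but keeps the `## Allow a shared books folder` heading, and no replacement `[!INCLUDE ...]` line is visible in the hunk; confirm that an include for that section was added, as the other policy sections on this page use, otherwise the heading is left empty. In the "Configure additional search engines" table, the added row `+|Disabled or not configured` continues with `**(default)**` on the following line and the Enabled row's cell text also spans two lines; if the source really splits these rows, they will not render as table rows, because a markdown table cell cannot contain a raw line break, so keep each row on one line or use `<br>` inside the cell. The hunk header for this file (`@@ -29,628 +29,130 @@`) shows several hundred lines moving into include files in one go; a separate commit for the mechanical move would make the remaining wording changes reviewable.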
diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index c18e8f645f..6fd8442c77 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -5,6 +5,7 @@ [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] + ### Allowed values |Group Policy |MDM |Registry |Description | @@ -15,13 +16,18 @@ |Enabled |3 |3 |Hide the home button. | --- +>[!TIP] +>If you want to make changes to this policy:
**_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.
**_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.
+**Version 1810:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.
### Allowed values
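Review bot: The `[!TIP]` added to configure-home-button-include.md ends with "If you want to make changes to this policy:" and nothing follows the colon in the hunk; the rest of the tip appears to be missing, so either complete it or drop the admonition. In the following hunk the context line "**_For single-app public browsing_**: If you do not configure the Configure kiosk reset after idle timeout policy ..." appears twice in a row; if that duplication exists in the source file, remove the repeat while this area is being touched. The new "**Version 1810:**" label also does not follow the "Windows 10, version 1803" form used elsewhere in these includes (see the removed shared-books-folder text above); check the version number and use the same form.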
diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md
index ef3c1b0884..2c1d1c206a 100644
--- a/browsers/edge/includes/do-not-sync-browser-settings-include.md
+++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md
@@ -44,7 +44,7 @@ To verify if syncing is turned on or off:
- **GP ADMX file name:** SettingSync.admx
#### MDM settings
-- **MDM name:** Experience/[Experience/DoNotSyncBrowserSetting](../new-policies.md#donotsyncbrowsersetting)
+- **MDM name:** [Experience/DoNotSyncBrowserSetting](../available-policies.md#do-not-sync-browser-settings)
- **Supported devices:** Desktop
- **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSetting
- **Data type:** Integer
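Review bot: The corrected MDM name now links to the policy's own section in available-policies.md, whereas the shared-books-folder include removed in the first file linked the MDM name to the Policy CSP reference (policy-csp-browser); pick one convention for the MDM name link across the includes. The value `Experience/DoNotSyncBrowserSetting` matches the `./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSetting` URI on the next line, so the name itself looks right.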
diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
index f8d5229e4c..155f41be40 100644
--- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
+++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
@@ -9,7 +9,7 @@
|Group Policy |Description |
|---|---|
|Disabled or not configured
**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. |
-|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following the OneNote Web Clipper and Office Online extension prevents users from turning it off:
_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | +|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following the OneNote Web Clipper and Office Online extension prevents users from turning it off:
_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_
After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune. Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the Allow Developer Tools policy, then this policy does not prevent users from debugging and altering the logic on an extension. | --- ### ADMX info and settings diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index 6ed0f7f204..82e428f83c 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -16,7 +16,7 @@ --- ### Configuration combinations -| **Keep favorites in sync between IE and Microsoft Edge** | **Provision Favorites** | **Outcome** | +| **Keep favorites in sync between IE and Microsoft Edge** | **Provision Favorites** | **Results** | | --- | --- | --- | | Disabled or not configured (default) | Disabled or not configured (default) | **Turned off/not syncing**. Microsoft Edge prevents users from syncing their favorites. | | Enabled (turned on/syncing) | Disabled or not configured (default) | **Turned on/syncing**. Syncs favorites between Internet Explorer and Microsoft Edge. | diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index 4f1d34a791..95b6739e0f 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -25,7 +25,7 @@ | Enabled | Enabled or not configured (default) | Disabled or not configured (default) | Set the default search engine and allow users to add search engines or make changes. | --- - + ### ADMX info and settings 
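Review bot: The replaced `|Enabled |` row in prevent-turning-off-required-extensions-include.md is re-added with the same wording, so the sentence "adding the following the OneNote Web Clipper and Office Online extension prevents users from turning it off" keeps its grammar problem; since the line is being touched, suggest "adding the following OneNote Web Clipper and Office Online extensions prevents users from turning them off". If the `-`/`+` pair differs only in whitespace, say so in the commit message. In the provision-favorites hunk the column header changes from **Outcome** to **Results**, but the equivalent configuration-combinations table in set-default-search-engine-include.md, also touched in this patch, keeps **Outcome**; use the same header in both.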
diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index 8e2bd06c1d..0083883f9a 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -33,7 +33,8 @@ ### Related policies -[Allow web content on New Tab page](../new-policies.md#allowwebcontentonnewtabpage): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] +[Allow web content on New Tab page](../available-policies.md#allow-web-content-on-new-tab-page): [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] +
@@ -36,14 +37,14 @@ We are also deprecating the **Configure Favorites** group policy because no MDM
| [Allow printing](#allow-printing) | New | AllowPrinting | New |
| [Allow Saving History](#allow-saving-history) | New | AllowSavingHistory | New |
| [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | AllowSideloadingOfExtensions | New |
-| Allow web content on new tab page | -- | [AllowWebContentOnNewTabPage](#allowwebcontentonnewtabpage) | New |
+| [Allow web content on new tab page](available-policies.md#allow-web-content-on-new-tab-page) | -- | [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | New |
| [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics) | New | ConfigureTelemetryForMicrosoft365Analytics | New |
| [Configure Favorites Bar](#configure-favorites-bar) | New | ConfigureFavoritesBar | New |
| [Configure Home Button](#configure-home-button) | New | ConfigureHomeButton | New |
| [Configure kiosk mode](#configure-kiosk-mode) | New | ConfigureKioskMode | New |
| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | ConfigureKioskResetAfterIdleTimeout | New |
| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | ConfigureOpenMicrosoftEdgeWith | New |
-| Do not sync browser settings | -- | [Experience/DoNotSyncBrowserSetting](#donotsyncbrowsersetting) | New |
+| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | Experience/DoNotSyncBrowserSetting | New |
| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | PreventCertErrorOverrides | New |
| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | PreventUsersFromTurningOnBrowserSyncing | New |
| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | PreventTurningOffRequiredExtensions | New |
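Review bot: The "Do not sync browser settings" row drops the link on `Experience/DoNotSyncBrowserSetting` in the MDM column, while the "Allow web content on new tab page" row just above links `AllowWebContentOnNewTabPage` to its Policy CSP reference; link the DoNotSyncBrowserSetting entry to its Policy CSP page as well, or leave both unlinked, so the column is consistent. The unchanged row "Prevent users from turning on browser syncing" uses the anchor `#preventusersfromturningonbrowsersyncing`, unlike the hyphenated anchors of the neighbouring rows; worth checking that this anchor resolves while the table is being edited.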
@@ -74,8 +75,6 @@ We are also deprecating the **Configure Favorites** group policy because no MDM
## Allow sideloading of Extensions
[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)]
-## AllowWebContentOnNewTabPage
-[!INCLUDE [allow-web-content-new-tab-page-include](includes/allow-web-content-new-tab-page-include.md)]
## Configure collection of browsing data for Microsoft 365 Analytics
[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)]
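Review bot: Removing the `## AllowWebContentOnNewTabPage` section is consistent with the table row above now pointing at available-policies.md, but any remaining links to `#allowwebcontentonnewtabpage` on this page or in the includes will break; the set-new-tab-url-include.md hunk fixes one such link, so a search for the old anchor before merging is advisable.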
@@ -95,9 +94,6 @@ We are also deprecating the **Configure Favorites** group policy because no MDM
## Configure Open Microsoft Edge With
[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)]
-## DoNotSyncBrowserSetting
-[!INCLUDE [do-not-sync-browser-settings-include](includes/do-not-sync-browser-settings-include.md)]
-
## Prevent certificate error overrides
[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)]
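Review bot: Same check for the removed `## DoNotSyncBrowserSetting` section: the do-not-sync-browser-settings-include.md hunk redirects its own link to available-policies.md, but confirm that no other `#donotsyncbrowsersetting` anchors remain and that available-policies.md still includes do-not-sync-browser-settings-include.md, so the content is not orphaned by this removal.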
diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
index 872ac26597..e5fd1dde74 100644
--- a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
@@ -1 +1 @@
-Microsoft Edge automatically updates the configuration data for the Books Library. Disabling this policy prevents Microsoft Edge from updating the configuration data.
\ No newline at end of file
+Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
\ No newline at end of file
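Review bot: The added sentence "If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file." is hard to parse: it is not clear who sends what, or what "feedback about the amount of data" means; reword it to state plainly what is delivered (for example that the configuration data arrives as a JSON file) or drop it. The hunk also changes "Books Library" to "Books library", while the shared-books-folder text in available-policies.md uses "Books Library"; use one capitalisation.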
diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
index 2dd965592f..a35c4d0f31 100644
--- a/browsers/edge/shortdesc/configure-cookies-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
@@ -1 +1 @@
-By default, Microsoft Edge allows all cookies from all websites. With this policy, however, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
\ No newline at end of file
+Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
\ No newline at end of file
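Review bot: Both the old and the new wording say "you can configure Microsoft to block only 3rd-party cookies"; the product name is incomplete and should read "configure Microsoft Edge to block". Prefer "third-party cookies" to "3rd-party cookies" while the line is being rewritten.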
diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
index 8d666ec8c2..80383e4f0a 100644
--- a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
@@ -1 +1 @@
-Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
\ No newline at end of file
+Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
\ No newline at end of file
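Review bot: The removed and added lines of configure-enterprise-mode-site-list-shortdesc.md read identically, so this is presumably a whitespace or line-ending change only; if so, either drop it from the PR or mention it in the commit message. Since the line is touched anyway, "ignores the Enterprise Mode and the Enterprise Mode Site List XML file" reads better as "ignores Enterprise Mode and the Enterprise Mode Site List XML file".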
diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
index 6e44abbe67..d61df8e460 100644
--- a/browsers/edge/shortdesc/configure-favorites-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
@@ -1,2 +1 @@
-Being deprecated in RS5 >> You can configure a list of URLs and create a set of folders to appear in Microsoft Edge’s Favorites list. When you enable this policy, users cannot customize the Favorites list, such as adding folders for organizing, and adding or removing any of the favorites configured. By default, this policy is disabled or not configured allowing users to customize the Favorites list.
-
+Use the **[Provision Favorites](../available-policies.md#provision-favorites)** in place of Configure Favorites.
\ No newline at end of file
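Review bot: The new shortdesc "Use the **[Provision Favorites](...)** in place of Configure Favorites." is missing a noun after the link; suggest "Use the **Provision Favorites** policy in place of Configure Favorites." The removed text carried the statement that the policy is being deprecated in RS5; the new-policies table elsewhere in this patch mentions the deprecation, but readers of the policy page itself will not see it, so keep a deprecation sentence in this shortdesc.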
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index 6831294b38..b75768d432 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -31,7 +31,7 @@ On Windows 10 for desktop editions, the customized Start works by:
- No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
>[!NOTE]
->Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
+>To use the layout modification XML to configure Start with roaming user profiles, see [Deploying Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
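Review bot: This change turns the NOTE from "not supported with roaming user profiles" into a pointer on how to do it, so it no longer says whether the combination is supported; state that explicitly (for example "Layout modification XML is supported with roaming user profiles; to configure it, see ...") rather than leaving only the link, and make sure the linked step 7 of Deploying Roaming User Profiles actually covers the Start layout scenario.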
diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
index 7dd4fdef4f..0a2c9c16eb 100644
--- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md
+++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md
@@ -17,7 +17,7 @@ ms.date: 07/19/2018
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello for Business ](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
+Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md).
## Applies to
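Review bot: The link text here, and the value descriptions in the next hunk, are renamed from "Windows Hello for Business" to "Windows Hello", but the settings group (`WindowsHelloForBusiness`), the file name and the page heading still say Windows Hello for Business; if the rename is intentional (it matches the linked blog post title), add a sentence noting that the setting lives under WindowsHelloForBusiness so readers do not wonder whether the two names refer to the same thing.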
@@ -29,5 +29,5 @@ Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for
Select the desired value:
-- `0`: security keys for Windows Hello for Business are disabled.
-- `1`: security keys for Windows Hello for Business are enabled on [Shared PCs](wcd-sharedpc.md).
+- `0`: security keys for Windows Hello are disabled.
+- `1`: security keys for Windows Hello are enabled on [Shared PCs](wcd-sharedpc.md).
diff --git a/windows/deployment/update/images/app-reliability.png b/windows/deployment/update/images/app-reliability.png
new file mode 100644
index 0000000000..47ecf49431
Binary files /dev/null and b/windows/deployment/update/images/app-reliability.png differ
diff --git a/windows/deployment/update/images/device-reliability-crash-count.png b/windows/deployment/update/images/device-reliability-crash-count.png
new file mode 100644
index 0000000000..7dd0a2d660
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-crash-count.png differ
diff --git a/windows/deployment/update/images/device-reliability-device-count.png b/windows/deployment/update/images/device-reliability-device-count.png
new file mode 100644
index 0000000000..ba937d49e9
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-device-count.png differ
diff --git a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png
new file mode 100644
index 0000000000..323e0e3878
Binary files /dev/null and b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png differ
diff --git a/windows/deployment/update/images/event_1001.png b/windows/deployment/update/images/event_1001.png
new file mode 100644
index 0000000000..e4f4604c2b
Binary files /dev/null and b/windows/deployment/update/images/event_1001.png differ
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 3bf18afce3..d17beb7903 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
-ms.date: 07/11/2018
+ms.date: 07/20/2018
ms.localizationpriority: high
---
@@ -20,10 +20,13 @@ This topic compiles the most common issues encountered with configuring and usin
If you've followed the steps in the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic and are still encountering problems, you might find the solution here.
-[Devices not showing up](#devices-not-showing-up)
+[Devices not appearing in Upgrade Readiness](#devices-not-appearing-in-upgrade-readiness)
-[Device Health crash data not appearing](#device-health-crash-data-not-appearing)
+[Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability)
+[Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability)
+
+[Apps not appearing in Device Health App Reliability](#apps-not-appearing-in-device-health-app-reliability)
[Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb)
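Review bot: The new link "[Device crashes not appearing in Device Health Device Reliability]" is added directly under the "Devices not appearing in Device Health Device Reliability" link with no blank line between them, while every other entry in this list is separated by a blank line; in markdown those two adjacent lines merge into one paragraph, so insert a blank line after the first link, as was done before the App Reliability link.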
@@ -36,7 +39,7 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win
[Exporting large data sets](#exporting-large-data-sets)
-### Devices not showing up
+### Devices not appearing in Upgrade Readiness
In Log Analytics, go to **Settings > Connected sources > Windows telemetry** and verify that you are subscribed to the Windows Analytics solutions you intend to use.
@@ -58,77 +61,96 @@ If you want to check a large number of devices, you should run the latest script
If you think the issue might be related to a network proxy, check "Enable data sharing" section of the [Enrolling devices in Windows Analytics](windows-analytics-get-started.md) topic. Also see [Understanding connectivity scenarios and the deployment script](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog.
-If you have deployed images that have not been generalized, then many of them might have the same ID and so analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps:
+If you have deployed images that have not been generalized, then many of them might have the same ID and so Windows Analytics will see them as one device. If you suspect this is the issue, then you can reset the IDs on the non-generalized devices by performing these steps:
1. Net stop diagtrack
2. Reg delete hklm\software\microsoft\sqmclient /v MachineId /f
3. Net start diagtrack
+#### Devices not appearing in Device Health Device Reliability
-### Device Health crash data not appearing
+[](images/device-reliability-device-count.png)
-#### Is WER disabled?
-If Windows Error Reporting (WER) is disabled or redirected on your Windows devices, then reliability information cannot be shown in Device Health.
+If you have devices that appear in other solutions, but not Device Health, follow these steps to investigate the issue:
+1. Confirm that the devices are running Windows10.
+2. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
+3. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
+4. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
+5. Wait 48 hours for activity to appear in the reports.
+6. If you need additional troubleshooting, contact Microsoft Support.
-Check these registry settings in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting**:
-- Verify that the value "Disabled" (REG_DWORD), if set, is 0.
-- Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
-- Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
+### Device crashes not appearing in Device Health Device Reliability
-If you need further information on Windows Error Reporting (WER) settings, see WER Settings.
+[](images/device-reliability-crash-count.png)
+
+If you know that devices are experiencing stop error crashes that do not seem to be reflected in the count of devices with crashes, follow these steps to investigate the issue:
+
+1. Verify that devices are reporting data properly by following the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) section of this topic.
+2. Trigger a known crash on a test device by using a tool such as [NotMyFault](https://docs.microsoft.com/sysinternals/downloads/notmyfault) from Windows Sysinternals.
+3. Verify that Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set):
+
+ - Verify that the value "Disabled" (REG_DWORD), if set, is 0.
+ - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
+ - Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
+
+4. Verify that WER can reach all diagnostic endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md)--if WER can only reach some of the endpoints, it could be included in the device count while not reporting crashes.
+5. Check that crash reports successfully complete the round trip with Event 1001 and that BucketID is not blank. A typical such event looks like this:
+
+ [](images/event_1001.png)
+
+ You can use the following Windows PowerShell snippet to summarize recent occurences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however).
+
+ ```powershell
+ $limitToMostRecentNEvents = 20
+ Get-WinEvent -FilterHashTable @{ProviderName="Windows Error Reporting"; ID=1001} |
+ ?{ $_.Properties[2].Value -match "crash|blue" } |
+ % { [pscustomobject]@{
+ TimeCreated=$_.TimeCreated
+ WEREvent=$_.Properties[2].Value
+ BucketId=$_.Properties[0].Value
+ ContextHint = $(
+ if($_.Properties[2].Value -eq "bluescreen"){"kernel"}
+ else{ $_.Properties[5].Value }
+ )
+ }} | Select-Object -First $limitToMostRecentNEvents
+ ```
+ The output should look something like this:
+ [](images/device-reliability-event1001-PSoutput.png)
+
+6. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events.
+7. Wait 48 hours for activity to appear in the reports.
+8. If you need additional troubleshooting, contact Microsoft Support.
#### Endpoint connectivity
Devices must be able to reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md).
-If you are using proxy server authentication, it is worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER uploads error reports in the machine context. Both user (typically authenticated) and machine (typically anonymous) contexts require access through proxy servers to the diagnostic endpoints. In Windows 10, version 1703, and later WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
-
-Therefore, it's important to ensure that both machine and user accounts have access to the endpoints using authentication (or to whitelist the endpoints so that outbound proxy authentication is not required). For suggested methods, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication).
-
-To test access as a given user, you can run this Windows PowerShell cmdlet *while logged on as that user*:
+If you are using proxy server authentication, it's worth taking extra care to check the configuration. Prior to Windows 10, version 1703, WER only uploads error reports in the machine context, so whitelisting endpoints to allow non-authenticated access was typically used. In Windows 10, version 1703 and later versions, WER will attempt to use the context of the user that is logged on for proxy authentication such that only the user account requires proxy access.
-```powershell
-$endPoints = @(
- 'watson.telemetry.microsoft.com'
- 'oca.telemetry.microsoft.com'
- 'v10.events.data.microsoft.com'
- )
+For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md#configuring-endpoint-access-with-proxy-server-authentication).
-$endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
+### Apps not appearing in Device Health App Reliability
-```
+[](images/app-reliability.png)
-If this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
+If apps that you know are crashing do not appear in App Reliability, follow these steps to investigate the issue:
-To test access in the machine context (requires administrative rights), run the above as SYSTEM using PSexec or Task Scheduler, as in this example:
+1. Double-check the steps in the [Devices not appearing in Device Health Device Reliability](#devices-not-appearing-in-device-health-device-reliability) and [Device crashes not appearing in Device Health Device Reliability](#device-crashes-not-appearing-in-device-health-device-reliability) sections of this topic.
+2. Confirm that an in-scope application has crashed on an enrolled device. Keep the following points in mind:
+ - Not all user-mode crashes are included in App Reliability, which tracks only apps that have a GUI, have been used interactively by a user, and are not part of the operating system.
+ - Enrolling more devices helps to ensure that there are enough naturally occurring app crashes.
+ - You can also use test apps which are designed to crash on demand.
-```powershell
+3. Verify that *per-user* Windows Error Reporting (WER) is not disabled or redirected by confirming the registry settings in **HKCU\SOFTWARE\Microsoft\Windows\Windows Error Reporting** (or **HKCU\Software\Policies\Microsoft\Windows\DataCollection**, which will take precedence if set):
-[scriptblock]$accessTest = {
- $endPoints = @(
- 'watson.telemetry.microsoft.com'
- 'oca.telemetry.microsoft.com'
- 'v10.events.data.microsoft.com'
- )
+ - Verify that the value "Disabled" (REG_DWORD), if set, is 0.
+ - Verify that the value "DontSendAdditionalData" (REG_DWORD), if set, is 0.
+ - Verify that the value "CorporateWERServer" (REG_SZ) is not configured.
+4. Check that some other installed device, app, or crash monitoring solution is not intercepting crash events.
+5. Wait 48 hours for activity to appear in the reports.
+6. If you need additional troubleshooting, contact Microsoft Support.
- $endPoints | %{ Test-NetConnection -ComputerName $_ -Port 443 -ErrorAction Continue } | Select-Object -Property ComputerName,TcpTestSucceeded
-}
-
-$scriptFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints.ps1"
-$outputFileFullPath = Join-Path $env:ProgramData "TestAccessToMicrosoftEndpoints_Output.txt"
-$accessTest.ToString() > $scriptFullPath
-$null > $outputFileFullPath
-$taskAction = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-ExecutionPolicy Bypass -Command `"&{$scriptFullPath > $outputFileFullPath}`""
-$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Addseconds(10)
-$task = Register-ScheduledTask -User 'NT AUTHORITY\SYSTEM' -TaskName 'MicrosoftTelemetryAccessTest' -Trigger $taskTrigger -Action $taskAction -Force
-Start-Sleep -Seconds 120
-Unregister-ScheduledTask -TaskName $task.TaskName -Confirm:$false
-Get-Content $outputFileFullPath
-
-```
-
-As in the other example, if this is successful, `TcpTestSucceeded` should return `True` for each of the endpoints.
### Upgrade Readiness shows many "Computers with outdated KB"
If you see a large number of devices reported as shown in this screenshot of the Upgrade Readiness tile:
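Review bot: the new `[](images/app-reliability.png)` line under the "Apps not appearing in Device Health App Reliability" heading is a Markdown link with empty text, not an image, so it renders as nothing; it should be `![App Reliability report](images/app-reliability.png)` with alt text. Separately, this hunk removes the entire connectivity self-check (the `Test-NetConnection` loop over the three endpoints and its SYSTEM scheduled-task wrapper) and replaces it with only a link to the enrollment topic; unless that topic carries the same test, readers lose the one way the section gave them to verify user- and machine-context access, so consider keeping the `Test-NetConnection` snippet here. Also, the rewritten proxy paragraph now says that before version 1703 WER "only uploads error reports in the machine context", whereas the removed text said both user and machine contexts need endpoint access; confirm which statement is correct before merging.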
diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md
index a783fc5d09..610f176f33 100644
--- a/windows/deployment/update/windows-analytics-get-started.md
+++ b/windows/deployment/update/windows-analytics-get-started.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: deploy
author: jaimeo
ms.author: jaimeo
-ms.date: 03/08/2018
+ms.date: 07/18/2018
ms.localizationpriority: medium
---
@@ -52,6 +52,9 @@ To enable data sharing, configure your proxy sever to whitelist the following en
| `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. |
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. |
+| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health for device tickets. |
+| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. |
+| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. **Note:** In this context login.live.com is *not* used for access to Microsoft Account consumer services. The endpoint is used only as part of the WIndows Error Reporting protocol to enhance the integrity of error reports. |
>[!NOTE]
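Review bot: the `**Note:**` stating that `login.live.com` is not used for Microsoft Account consumer services is attached to the `https://www.msftconnecttest.com` row, but it describes the `https://login.live.com` row two lines above; move it into that row's description (or into the `>[!NOTE]` block that follows the table) so it sits next to the endpoint it explains. Also fix the typo "WIndows Error Reporting" in the same cell.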
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index c845e7e6aa..636404ef31 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -15,7 +15,7 @@
### [Prepare your organization for BitLocker: Planning and policies](bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md)
### [BitLocker basic deployment](bitlocker\bitlocker-basic-deployment.md)
### [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker\bitlocker-how-to-deploy-on-windows-server.md)
-### [BitLocker: Management recommendations for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
+### [BitLocker: Management for enterprises](bitlocker\bitlocker-management-for-enterprises.md)
### [BitLocker: How to enable Network Unlock](bitlocker\bitlocker-how-to-enable-network-unlock.md)
### [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md)
### [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index e32e8560b9..9721dffec5 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -11,82 +11,41 @@ author: brianlic-msft
ms.date: 07/18/2018
---
-# BitLocker Management Recommendations for Enterprises
+# BitLocker Management for Enterprises
-This topic explains recommendations for managing BitLocker, both on-premises using older hardware and cloud-based management of modern devices.
+The ideal for BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
-## Forward-looking recommendations for managing BitLocker
+Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
-The ideal for modern BitLocker management is to eliminate the need for IT admins to set management policies using tools or other mechanisms by having Windows perform tasks that it is more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, Secure Boot, and other hardware improvements, for example, has helped to alleviate the support burden on the helpdesk, and we are seeing a consequent decrease in support call volumes, yielding improved user satisfaction.
-
-Therefore, we recommend that you upgrade your hardware so that your devices comply with Modern Standby or [Hardware Security Test Interface (HSTI)](https://msdn.microsoft.com/library/windows/hardware/mt712332.aspx) specifications to take advantage of their automated features, for example, when using Azure Active Directory (Azure AD).
-
-Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for:
-
- - [Domain-joined computers](#dom_join)
-
- - [Devices joined to Azure Active Directory (Azure AD)](#azure_ad)
-
- - [Workplace-joined PCs and Phones](#work_join)
-
- - [Servers](#servers)
-
- - [Scripts](#powershell)
-
-
-
-## BitLocker management at a glance
-
-| | PC – Old Hardware | PC – New* Hardware |[Servers](#servers)/[VMs](#VMs) | Phone
-|---|---|----|---|---|
-|On-premises Domain-joined |[MBAM](#MBAM25)| [MBAM](#MBAM25) | [Scripts](#powershell) |N/A|
-|Cloud-managed|[MDM](#MDM) |Auto-encryption|[Scripts](#powershell)|[MDM](#MDM)/EAS|
-
-
-*PC hardware that supports Modern Standby or HSTI
-
-
-
-
-
-## Recommendations for domain-joined computers
-
-Windows continues to be the focus for new features and improvements for built-in encryption management, for example, automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. For more information, see [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption).
+## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
-For older client computers with BitLocker that are domain joined on-premises, use Microsoft BitLocker Administration and Management[1]. Using MBAM provides the following functionality:
+Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. When moving to cloud-based management, following these steps could be helpful:
-- Encrypts device with BitLocker using MBAM
-- Stores BitLocker Recovery keys in MBAM Server
-- Provides Recovery key access to end-user, helpdesk and advanced helpdesk
-- Provides Reporting on Compliance and Recovery key access audit
+1. Disable MBAM management and leave MBAM as only a database backup for the recovery key.
+2. Join the computers to Azure Active Directory (Azure AD).
+3. Use `Manage-bde -protectors -aadbackup` to backup the recovery key to Azure AD.
-
-[1]The latest MBAM version is [MBAM 2.5](https://technet.microsoft.com/windows/hh826072.aspx) with Service Pack 1 (SP1).
+BitLocker recovery keys can be managed from Azure AD thereafter. The MBAM database does not need to be migrated.
-
+Enterprises that choose to continue managing BitLocker on-premises after MBAM support ends can use the [BitLocker WMI provider class](https://msdn.microsoft.com/library/windows/desktop/aa376483) to create a custom management solution.
-
-## Recommendations for devices joined to Azure Active Directory
+## Managing devices joined to Azure Active Directory
-
-
-Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) (CSP), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure Active Directory (Azure AD) are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
-
-## Workplace-joined PCs and phones
+## Managing workplace-joined PCs and phones
-For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, and similarly for Azure AD domain join.
+For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
-
-## Recommendations for servers
+## Managing servers
Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
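Review bot: step 3 of the new migration list, `Manage-bde -protectors -aadbackup`, is not a complete command: `manage-bde -protectors` operates on a volume, so the drive letter is required, and `-id` selects the protector to back up, as in `manage-bde -protectors -aadbackup C: -id {KeyProtectorId}` (the ID is listed by `manage-bde -protectors -get C:`). This hunk also drops the "BitLocker management at a glance" table and the explicit recommendation to move to Modern Standby/HSTI hardware without an equivalent in the new text, while the retained intro still promises "BitLocker recommendations for different types of computers"; confirm the table removal is intentional or restore a short summary. Minor: the heading "Managing domain-joined computers and moving to cloud" should read "moving to the cloud".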
@@ -98,8 +57,6 @@ If you are installing a server manually, such as a stand-alone server, then choo
For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
-
-
## PowerShell examples
For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
@@ -136,8 +93,6 @@ PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
-
-
## Related Articles
[BitLocker: FAQs](bitlocker-frequently-asked-questions.md)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
index c53a13b919..12275ec64d 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 05/21/2018
+ms.date: 07/19/2018
---
# Deploy, manage, and report on Windows Defender Antivirus
@@ -41,7 +41,7 @@ You'll also see additional links for:
Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
-Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][]
+Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management)
Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
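Review bot: the third column of the replaced Intune row is meant to list a reporting option, but the new link "Use the Intune console to manage devices" points at a device-management page; either link a monitoring or reporting page or state that reporting is not covered. Likewise, "Add endpoint protection settings in Intune" under "Deployment options" describes configuration rather than deploying protection to endpoints. Also, the removed row used reference-style links (`[Deploy the Microsoft Intune client to endpoints][]`, `[custom Intune policy][]`, `[manage tasks][]`, `[Monitor endpoint protection in the Microsoft Intune administration console][]`); their link definitions at the bottom of the file become orphaned unless they are removed in the same change.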
diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
index 4dfdd0e9f8..b2b7a4640f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 04/30/2018
+ms.date: 07/19/2018
---
# Specify the cloud-delivered protection level
@@ -30,6 +30,7 @@ ms.date: 04/30/2018
- Group Policy
- System Center Configuration Manager (current branch)
+- Intune
You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
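Review bot: `- Intune` is added to the applicability list, but the sentence immediately below still says the cloud-protection level can be specified "with Group Policy and System Center Configuration Manager"; update it to mention Intune as well so the list and the prose agree.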
@@ -59,7 +60,25 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi
1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+**Use Intune to specify the level of cloud-delivered protection:**
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **All services > Intune**.
+3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
+4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
+5. On the **File Blocking Level** switch, select one of the following:
+
+ 1. **High** to provide a strong level of detection
+ 2. **High +** to apply additional protection measures
+ 3. **Zero tolerance** to block all unknown executables
+
+ > [!WARNING]
+ > While unlikely, setting this switch to **High** might cause some legitimate files to be detected. The **High +** setting might impact client performance. We recommend you set this to the default level (**Not configured**).
+
+8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+
+For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles)
+
## Related topics
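Review bot: the new Intune procedure numbers its steps 1 through 5 and then jumps to `8.` for the final "Click **OK**" step; renumber it `6.` so the rendered list is continuous. The three options under step 5 are alternatives, so a bulleted sub-list reads more naturally than `1.`/`2.`/`3.`. The warning's last sentence recommends keeping the switch at the default (**Not configured**), which contradicts the step's instruction to "select one of the following"; say when an admin should move off the default, and mention the **Zero tolerance** level in the warning since it is the most likely to block legitimate files.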
diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
index df26ab7ae1..403cf6a2e3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
-ms.date: 08/26/2017
+ms.date: 07/19/2018
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
@@ -22,7 +22,7 @@ In some cases, the protection will be labeled as Endpoint Protection, although t
See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
-For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/en-us/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure).
## Related topics