diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md index b71c991d7c..90429edde2 100644 --- a/education/windows/take-a-test-multiple-pcs.md +++ b/education/windows/take-a-test-multiple-pcs.md 
@@ -154,23 +154,26 @@ To set up a test account through Windows Configuration Designer, follow these st 4. Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. -### Set up a test account in Group Policy -To set up a test account using Group Policy, first create a Powershell script that configures the test account and assessment URL, and then create a scheduled task to run the script. +### Set up a tester account in Group Policy +To set up a tester account using Group Policy, first create a Powershell script that configures the tester account and assessment URL, and then create a scheduled task to run the script. #### Create a PowerShell script -This sample PowerShell script configures the test account and the assessment URL. Edit the sample to: +This sample PowerShell script configures the tester account and the assessment URL. Edit the sample to: - Use your assessment URL for **$obj.LaunchURI** -- Use your test account for **$obj.TesterAccount** -- Use your test account for **-UserName** +- Use your tester account for **$obj.TesterAccount** +- Use your tester account for **-UserName** - ``` - $obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; - $obj.LaunchURI='http://www.foo.com'; - $obj.TesterAccount='TestAccount'; - $obj.put() - Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount - ``` +>[!NOTE] +>The account that you specify for the tester account must already exist on the device. 
+ +``` +$obj = get-wmiobject -namespace root/cimv2/mdm/dmmap -class MDM_SecureAssessment -filter "InstanceID='SecureAssessment' AND ParentID='./Vendor/MSFT'"; +$obj.LaunchURI='http://www.foo.com'; +$obj.TesterAccount='TestAccount'; +$obj.put() +Set-AssignedAccess -AppUserModelId Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App -UserName TestAccount +``` #### Create a scheduled task in Group Policy 1. Open the Group Policy Management Console. diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index b6515bbde1..5ee9f992a3 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md 
@@ -131,53 +131,58 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a ## Provisioned Windows apps -Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. +Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809. + +``` +> Get-AppxProvisionedPackage -Online | Select-Object DisplayName, PackageName +``` + +| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? | +|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire 
Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | | | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.Windows.Photos | [Microsoft 
Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | +| 
Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | -| Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? | -|---------------------------------|----------------------------------------|:------:|:------:|:------:|:---------------------------:| -| 3D Builder | Microsoft.3DBuilder | x | | | Yes | -| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | -| App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App | -| Calculator | Microsoft.WindowsCalculator | x | x | x | No | -| Camera | Microsoft.WindowsCamera | x | x | x | No | -| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes | -| Get Help | Microsoft.GetHelp | | x | x | No | -| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes | -| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | -| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | -| Groove | Microsoft.ZuneMusic | x | x | x | No | -| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No | -| Maps | Microsoft.WindowsMaps | x | x | x | No | -| Messaging | Microsoft.Messaging | x | x | x | No | -| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | x | x | x | No | -| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | -| OneNote | Microsoft.Office.OneNote | x | x | x | Yes | -| Paid Wi-FI | Microsoft.OneConnect | x | x | x | Yes | -| Paint 3D | Microsoft.MSPaint | x | x | x | No | -| People | Microsoft.People | x | x | x | No | -| Photos | Microsoft.Windows.Photos | x | x | x | No | -| Print 3D | Microsoft.Print3D | | x | x | No | -| Solitaire | Microsoft.Microsoft SolitaireCollection| x | x | x | Yes | -| Sticky Notes | 
Microsoft.MicrosoftStickyNotes | x | x | x | No | -| Store | Microsoft.WindowsStore | x | x | x | No | -| Sway | Microsoft.Office.Sway | * | x | x | Yes | -| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No | -| Wallet | Microsoft.Wallet | x | x | x | No | -| Weather | Microsoft.BingWeather | x | x | x | Yes | -| Xbox | Microsoft.XboxApp | x | x | x | No | -| | Microsoft.OneConnect | x | x | x | No | -| | Microsoft.DesktopAppInstaller | | | x | No | -| | Microsoft.StorePurchaseApp | x | x | x | No | -| | Microsoft.WebMediaExtensions | | | x | No | -| | Microsoft.Xbox.TCUI | | x | x | No | -| | Microsoft.XboxGameOverlay | x | x | x | No | -| | Microsoft.XboxGamingOverlay | | | x | No | -| | Microsoft.XboxIdentityProvider | x | x | x | No | -| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | --- - >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. - - ---- +--- \ No newline at end of file diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index c4e31dc19c..1500f26da8 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -8,42 +8,19 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: mikeblodge ms.topic: article -ms.date: 09/21/2018 +ms.date: 10/16/2018 --- # Repackage existing win32 applications to the MSIX format -The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). +The MSIX Packaging Tool is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store. > Prerequisites: -- Participation in the Windows Insider Program +- Participate in the Windows Insider Program or update to Windows 10 October 2018 Update (version 1809) - Minimum Windows 10 build 17701 - Admin privileges on your PC account -- A valid MSA alias (to access the app from the Store) - -## What's new -v1.2018.915.0 -- Updated UI to improve clarity and experience -- Ability to generate a template file for use with a command line -- Ability to add/remove entry points -- Ability to sign your package from package editor -- File extension handling - -v1.2018.821.0 -- Command Line Support -- Ability to use existing local virtual machines for packaging environment. -- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues. -- Minor updates to the UI for added clarity. - -v1.2018.807.0 -- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. -- Fixed an issue where signing with password protected certificates would fail in the tool. 
-- Fixed an issue where the tool was crashing when editing an existing MSIX package. -- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. -- Minor UI tweaks to add clarity. -- Minor updates to the logs to add clarity. - +- A valid Micorsoft account (MSA) alias to access the app from the Store ## Installing the MSIX Packaging Tool @@ -51,7 +28,7 @@ v1.2018.807.0 2. Open the product description page. 3. Click the install icon to begin installation. -This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview: +Here is what you can expect to be able to do with this tool: - Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. - Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. @@ -99,7 +76,8 @@ Requirements: AllowTelemetry="true" ApplyAllPrepareComputerFixes="true" GenerateCommandLineFile="true" - AllowPromptForPassword="false" > + AllowPromptForPassword="false" + EnforceMicrosoftStoreVersioningRequirements="false"> 
@@ -200,6 +178,7 @@ Here is the complete list of parameters that you can use in the Conversion templ |Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. | |Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. | |Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. | +|Settings:: EnforceMicrosoftStoreVersioningRequirements|[optional] Instructs the tool to enforce the package versioning scheme required for deployment from Microsoft Store and Microsoft Store for Business.| |ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. | |ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. | |ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. | 
@@ -250,8 +229,7 @@ Open Feedback Hub. Alternatively, launch the tool and select the **Settings** ge - Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. ## Known issues -1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. -2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. -3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. - - +- MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. 
+- Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. +- Setting **EnforceMicrosoftStoreVersioningRequirements=true**, when using the command line interface, will throw an error, even if the vesrion is set correctly. To work around this issue, use **EnforceMicrosoftStoreVersioningRequirements=false** in the conversion template file. +- Adding files to MSIX packages in package editor does not add the file to the folder that the user right-clicks. To work around this issue, ensure that the file being added is in the correct classic app location. For example if you want to add a file in the VFS\ProgramFilesx86\MyApp folder, copy the file locally to your C:\Program Files (86)\MyApp location first, then in the package editor right-click **Package files**, and then click **Add file**. Browse to the newly copied file, then click **Save**. \ No newline at end of file diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 64ded7b00e..f3c9fd3fc3 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md 
@@ -2,18 +2,18 @@ title: ClientCertificateInstall CSP description: ClientCertificateInstall CSP ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 -ms.author: maricia +ms.author: pashort ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque -ms.date: 11/03/2017 +author: shortpatti +ms.date: 10/16/2018 --- # ClientCertificateInstall CSP -The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. +The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 7ac31a3a1f..d6ca23c105 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -96,4 +96,4 @@ You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom- ## Have a suggestion for UE-V? -Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).
For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). +For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index ded250b312..6ea42e8bc1 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -21,7 +21,7 @@ This topic provides a brief overview of Microsoft 365 and describes how to use a [Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). -For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: +For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: - Windows Autopilot - In-place upgrade diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index ae2fc715ad..47764a02e8 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md 
@@ -45,3 +45,5 @@ Typically, the improvements are reliability, security, and performance improveme * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Search to install latest available (Servicing stack update for Windows 10)[https://support.microsoft.com/en-us/search?query=servicing%20stack%20update%20Windows%2010]. + diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index a55901c0ac..3f71393153 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -19,7 +19,7 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on. -For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation. +For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf). ## Background 
@@ -75,12 +75,14 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do - Turn on Intel Virtualization Technology. - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows 10. -4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. +4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. + +For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ## Frequently asked questions ### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. +In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? 
No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 76837097e0..3bbbacf2d9 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -504,7 +504,7 @@ ####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) ####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) ###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) -####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) +####### [Event 4782 S: The password hash of an account was accessed.](auditing/event-4782.md) ####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) ###### [Audit Security Group Management](auditing/audit-security-group-management.md) ####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 01d32dee4a..2118e8090b 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md 
@@ -30,13 +30,13 @@ This subcategory allows you to audit next events: | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** -- [4782](event-4782.md)(S): The password hash an account was accessed. +- [4782](event-4782.md)(S): The password hash of an account was accessed. - [4793](event-4793.md)(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index b41a078e08..7139478b3a 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -1,6 +1,6 @@ --- -title: 4782(S) The password hash an account was accessed. (Windows 10) -description: Describes security event 4782(S) The password hash an account was accessed. +title: 4782(S) The password hash of an account was accessed. (Windows 10) +description: Describes security event 4782(S) The password hash of an account was accessed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy @@ -10,7 +10,7 @@ author: Mir0sh ms.date: 04/19/2017 --- -# 4782(S): The password hash an account was accessed. +# 4782(S): The password hash of an account was accessed. **Applies to** - Windows 10 @@ -108,7 +108,7 @@ Typically **“Subject\\Security ID”** is the SYSTEM account. ## Security Monitoring Recommendations -For 4782(S): The password hash an account was accessed. +For 4782(S): The password hash of an account was accessed. - Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change. diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index e5fa21a032..43e37f1269 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md 
@@ -55,11 +55,12 @@ The attack surface reduction set of capabilities provide the first line of defen **[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) - **[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index ce1112d198..31e68f0df4 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -17,6 +17,8 @@ Supply chain attacks are an emerging kind of threat that target software develop ## How supply chain attacks work +[!video https://www.youtube.com/embed/uXm2XNSavwo] + Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes. Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app. diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index d1ce22572e..702c045b4f 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
@@ -24,7 +24,7 @@ Application Guard uses both network isolation and application-specific settings. These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. >[!NOTE] ->You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. +>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. |Policy name|Supported versions|Description| @@ -38,10 +38,13 @@ These settings, located at **Computer Configuration\Administrative Templates\Win |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
| +|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**Note**
If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
  1. Open a command-line program and navigate to Windows/System32.
  2. Type `wdagtool.exe cleanup`.
    The container environment is reset, retaining only the employee-generated data.
  3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
    The container environment is reset, including discarding all employee-generated data.
| |Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803

(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.

**Note**
This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.

**Important**
Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Windows Defender Application Guard to use Root Certificate Authorities from users's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Multiple certificates can be specified by using a common to separate.

**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.

.| +|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.

**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png new file mode 100644 index 0000000000..3c1b046b93 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png new file mode 100644 index 0000000000..78552bf6db Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png new file mode 100644 index 0000000000..08cb4d5676 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png differ 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png new file mode 100644 index 0000000000..9e58d99ead Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index b05ad26647..e7f9fe2f97 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 10/19/2017 +ms.date: 10/16/2018 --- # Application Guard testing scenarios @@ -66,9 +66,9 @@ Before you can use Application Guard in enterprise mode, you must install Window ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) -4. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting. +4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting. -5. Click **Enabled**. +5. Click **Enabled** and click **OK**. ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) 
@@ -104,10 +104,11 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterpise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 -**To change the copy and paste options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. +#### Copy and paste options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. + +2. Click **Enabled** and click **OK**. ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) @@ -129,10 +130,11 @@ You have the option to change each of these settings to work with your enterpris 5. Click **OK**. -**To change the print options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. +#### Print options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. + +2. Click **Enabled** and click **OK**. ![Group Policy editor Print options](images/appguard-gp-print.png) 
@@ -140,10 +142,11 @@ You have the option to change each of these settings to work with your enterpris 4. Click **OK**. -**To change the data persistence options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. +#### Data persistence options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) @@ -164,10 +167,11 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterpise edition, version 1803 - Windows 10 Professional edition, version 1803 -**To change the download options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting. +#### Download options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. ![Group Policy editor Download options](images/appguard-gp-download.png) 
@@ -177,16 +181,57 @@ You have the option to change each of these settings to work with your enterpris 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. -**To change hardware acceleration options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting. +#### Hardware acceleration options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) -3. Contact Microsoft for further information to fully enable this setting. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. +4. Assess the visual experience and battery performance. -5. Assess the visual experience and battery performance. +**Applies to:** +- Windows 10 Enterpise edition, version 1809 +- Windows 10 Professional edition, version 1809 + +#### File trust options + +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting. + +2. Click **Enabled**, set **Options** to 2, and click **OK**. + + ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + +3. 
Log out and back on to your device, opening Microsoft Edge in Application Guard again. + +4. Open a file in Edge, such an Office 365 file. + +5. Check to see that an antivirus scan completed before the file was opened. + +#### Camera and microphone options + +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. + + ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png) + +3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + +4. Open an application with video or audio capability in Edge. + +5. Check that the camera and microphone work as expected. + +#### Root certificate sharing options + +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting. + +2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. + + ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png) + +3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index b296cc0cdf..287a4e1617 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md 
@@ -103,7 +103,7 @@ Several new features and management options have been added to Windows Defender - [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. - [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. - [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. - [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times.
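Review bot: In windows/security/threat-protection/index.md (hunk @@ -55,11 +55,12), the three added list entries use root-relative links (/windows/security/threat-protection/windows-defender-antivirus/...) while the Machine learning and Automated sandbox service entries in the same list keep file-relative links. Pick one style for the whole list. "URL Protection" is also capitalized differently from "Behavior monitoring" and "Cloud-based protection". The hunk appears to drop the blank line between the last list item and the **Endpoint protection and response** heading; if so, restore it so the heading is not rendered as a continuation of the list.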
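Review bot: In configure-wd-app-guard.md (hunk @@ -38,10 +38,13), the new Root Certificate Authorities row reads "by using a common to separate", which should be "a comma", and the cell ends with a stray "." on its own line before the closing pipe. The policy name in that row says "from users's device", while test-scenarios-wd-app-guard.md in this same patch calls the setting "from the user's device"; use the exact Group Policy string in both places. The rewritten download row still says "Users are not able to saved downloaded files". The "Block enterprise websites to load non-enterprise content in IE and Edge" row loses its Windows 10 Pro, 1803 line while the neighbouring rows gain "or higher"; confirm that dropping Pro support from that row is intended rather than an editing slip.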
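Review bot: In test-scenarios-wd-app-guard.md (hunks @@ -104,10 +104,11, @@ -129,10 +130,11 and @@ -140,10 +142,11), step 2 now reads "Click **Enabled** and click **OK**", but each of these procedures goes on to choose options and already ends with its own "Click **OK**" step (visible as "5. Click **OK**." and "4. Click **OK**." in the context lines). Clicking OK at step 2 closes the policy dialog before the options are set, so keep step 2 as "Click **Enabled**" where a later OK step exists. The "Applies to" context in these hunks still lists "Windows 10 Professional edition, version 1803" without "or higher" and spells "Enterpise", which no longer matches the table updated in configure-wd-app-guard.md.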
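Review bot: In test-scenarios-wd-app-guard.md (hunk @@ -177,16 +181,57), the File trust step "set **Options** to 2" does not say what value 2 selects. Step 5 expects an antivirus scan before the file opens, so name the option and list the other values so an admin knows which trust behaviour they are enabling. The three new screenshots all reuse the alt text "Group Policy editor Download options"; give the file trust, camera and microphone, and root certificate images their own alt text. The Root certificate sharing procedure stops at signing back in and has no step that verifies the shared certificate is actually trusted inside the container, unlike the other new sections. Smaller items in the added lines: "Enterpise" in the new Applies to list, and "such an Office 365 file" should be "such as an Office 365 file".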