diff --git a/devices/surface-hub/images/sccm-additional.png b/devices/surface-hub/images/configmgr-additional.png similarity index 100% rename from devices/surface-hub/images/sccm-additional.png rename to devices/surface-hub/images/configmgr-additional.png diff --git a/devices/surface-hub/images/sccm-create.png b/devices/surface-hub/images/configmgr-create.png similarity index 100% rename from devices/surface-hub/images/sccm-create.png rename to devices/surface-hub/images/configmgr-create.png diff --git a/devices/surface-hub/images/sccm-oma-uri.png b/devices/surface-hub/images/configmgr-oma-uri.png similarity index 100% rename from devices/surface-hub/images/sccm-oma-uri.png rename to devices/surface-hub/images/configmgr-oma-uri.png diff --git a/devices/surface-hub/images/sccm-platform.png b/devices/surface-hub/images/configmgr-platform.png similarity index 100% rename from devices/surface-hub/images/sccm-platform.png rename to devices/surface-hub/images/configmgr-platform.png diff --git a/devices/surface-hub/images/sccm-team.png b/devices/surface-hub/images/configmgr-team.png similarity index 100% rename from devices/surface-hub/images/sccm-team.png rename to devices/surface-hub/images/configmgr-team.png diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index b3a74fc47d..5394d7c761 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md 
@@ -18,7 +18,7 @@ ms.localizationpriority: medium Surface Hub and other Windows 10 devices allow IT administrators to manage settings and policies using a mobile device management (MDM) provider. A built-in management component communicates with the management server, so there is no need to install additional clients on the device. For more information, see [Windows 10 mobile device management](https://msdn.microsoft.com/library/windows/hardware/dn914769.aspx). -Surface Hub has been validated with Microsoft’s first-party MDM providers: +Surface Hub has been validated with Microsoft's first-party MDM providers: - Microsoft Intune standalone - On-premises MDM with Microsoft Endpoint Configuration Manager @@ -65,25 +65,25 @@ For more information, see [SurfaceHub configuration service provider](https://ms | Maintenance hours | MaintenanceHoursSimple/Hours/StartTime
MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes | | Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes | | Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes | -| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -97,12 +97,12 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |--------------------|------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -110,15 +110,15 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-----------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Allow Windows Defender SmartScreen | Keep this enabled to turn on Windows Defender SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Prevent ignoring Windows Defender SmartScreen warnings for websites | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Prevent ignoring Windows Defender SmartScreen warnings for files | For extra security, use to stop users from ignoring Windows Defender SmartScreen warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -126,13 +126,13 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Defer feature updates | See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Configure device to use WSUS | Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -140,7 +140,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-------------------|----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | | Defender status | Use to initiate a Defender scan, force a Security intelligence update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | Yes | Yes | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -150,8 +150,8 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes | No | Yes | -| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | +| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -180,7 +180,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -188,7 +188,7 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |-------------------|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -196,12 +196,12 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | |----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|-------------------------------------------------|-----------------------------| -| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Configure Start menu | Use to configure which apps are displayed on the Start menu. For more information, see [Configure Surface Hub Start menu](surface-hub-start-menu.md) | [Policy CSP: Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Yes
[Use a custom policy.](#example-manage-surface-hub-settings-with-microsoft-intune) | Yes.
[Use a custom setting.](#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings -You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager. +You need to use a setting's OMA URI to create a custom policy in Intune, or a custom setting in Microsoft Endpoint Configuration Manager. **To generate the OMA URI for any setting in the CSP documentation** 1. In the CSP documentation, identify the root node of the CSP. Generally, this looks like `./Vendor/MSFT/`
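Review bot: the replacement fragments in the Configure Start menu row (`#example-manage-surface-hub-settings-with-microsoft-intune` and `#example-manage-surface-hub-settings-with-microsoft-endpoint-configuration-manager`) are derived from the full text of the two `## Example: ...` headings, so the links break without any build error the next time either heading is reworded, which is what a product rename like this one tends to do. The same fragments are repeated in the reboot, QoS and proxy rows of the earlier hunks. Consider giving the two headings short explicit anchors and pointing the table links at those.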
@@ -217,15 +217,13 @@ The data type is also stated in the CSP documentation. The most common data type - bool (Boolean) - ## Example: Manage Surface Hub settings with Microsoft Intune You can use Microsoft Intune to manage Surface Hub settings. For custom settings, follow the instructions in [How to configure custom device settings in Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-configure). For **Platform**, select **Windows 10 and later**, and in **Profile type**, select **Device restrictions (Windows 10 Team)**. - -## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager +## Example: Manage Surface Hub settings with Microsoft Endpoint Configuration Manager Configuration Manager supports managing modern devices that do not require the Configuration Manager client to manage them, including Surface Hub. If you already use Configuration Manager to manage other devices in your organization, you can continue to use the Configuration Manager console as your single location for managing Surface Hubs. > [!NOTE] 
@@ -238,26 +236,26 @@ Configuration Manager supports managing modern devices that do not require the C 3. On the **General** page of the Create Configuration Item Wizard, specify a name and optional description for the configuration item. 4. Under **Settings for devices managed without the Configuration Manager client**, select **Windows 8.1 and Windows 10**, and then click **Next**. - ![example of UI](images/sccm-create.png) + ![example of UI](images/configmgr-create.png) 5. On the **Supported Platforms** page, expand **Windows 10** and select **All Windows 10 Team and higher**. Unselect the other Windows platforms, and then click **Next**. - ![select platform](images/sccm-platform.png) + ![select platform](images/configmgr-platform.png) 7. On the **Device Settings** page, under **Device settings groups**, select **Windows 10 Team**. 8. On the **Windows 10 Team** page, configure the settings you require. - ![Windows 10 Team](images/sccm-team.png) + ![Windows 10 Team](images/configmgr-team.png) 9. You'll need to create custom settings to manage settings that are not available in the Windows 10 Team page. On the **Device Settings** page, select the check box **Configure additional settings that are not in the default setting groups**. - ![additional settings](images/sccm-additional.png) + ![additional settings](images/configmgr-additional.png) 10. On the **Additional Settings** page, click **Add**. 11. In the **Browse Settings** dialog, click **Create Setting**. 12. In the **Create Setting** dialog, under the **General** tab, specify a name and optional description for the custom setting. 13. Under **Setting type**, select **OMA URI**. 14. Complete the form to create a new setting, and then click **OK**. - ![OMA URI setting](images/sccm-oma-uri.png) + ![OMA URI setting](images/configmgr-oma-uri.png) 15. On the **Browse Settings** dialog, under **Available settings**, select the new setting you created, and then click **Select**. 16. 
On the **Create Rule** dialog, complete the form to specify a rule for the setting, and then click **OK**. 17. Repeat steps 9 to 15 for each custom setting you want to add to the configuration item. diff --git a/windows/configuration/images/sccm-asset.PNG b/windows/configuration/images/configmgr-asset.PNG similarity index 100% rename from windows/configuration/images/sccm-asset.PNG rename to windows/configuration/images/configmgr-asset.PNG diff --git a/windows/configuration/images/sccm-assets.PNG b/windows/configuration/images/configmgr-assets.PNG similarity index 100% rename from windows/configuration/images/sccm-assets.PNG rename to windows/configuration/images/configmgr-assets.PNG diff --git a/windows/configuration/images/sccm-client.PNG b/windows/configuration/images/configmgr-client.PNG similarity index 100% rename from windows/configuration/images/sccm-client.PNG rename to windows/configuration/images/configmgr-client.PNG diff --git a/windows/configuration/images/sccm-collection.PNG b/windows/configuration/images/configmgr-collection.PNG similarity index 100% rename from windows/configuration/images/sccm-collection.PNG rename to windows/configuration/images/configmgr-collection.PNG diff --git a/windows/configuration/images/sccm-install-os.PNG b/windows/configuration/images/configmgr-install-os.PNG similarity index 100% rename from windows/configuration/images/sccm-install-os.PNG rename to windows/configuration/images/configmgr-install-os.PNG diff --git a/windows/configuration/images/sccm-post-refresh.PNG b/windows/configuration/images/configmgr-post-refresh.PNG similarity index 100% rename from windows/configuration/images/sccm-post-refresh.PNG rename to windows/configuration/images/configmgr-post-refresh.PNG diff --git a/windows/configuration/images/sccm-pxe.PNG b/windows/configuration/images/configmgr-pxe.PNG similarity index 100% rename from windows/configuration/images/sccm-pxe.PNG rename to windows/configuration/images/configmgr-pxe.PNG 
diff --git a/windows/configuration/images/sccm-site.PNG b/windows/configuration/images/configmgr-site.PNG similarity index 100% rename from windows/configuration/images/sccm-site.PNG rename to windows/configuration/images/configmgr-site.PNG diff --git a/windows/configuration/images/sccm-software-cntr.PNG b/windows/configuration/images/configmgr-software-cntr.PNG similarity index 100% rename from windows/configuration/images/sccm-software-cntr.PNG rename to windows/configuration/images/configmgr-software-cntr.PNG diff --git a/windows/deployment/images/sccm-asset.PNG b/windows/deployment/images/configmgr-asset.png similarity index 100% rename from windows/deployment/images/sccm-asset.PNG rename to windows/deployment/images/configmgr-asset.png diff --git a/windows/deployment/images/sccm-assets.PNG b/windows/deployment/images/configmgr-assets.png similarity index 100% rename from windows/deployment/images/sccm-assets.PNG rename to windows/deployment/images/configmgr-assets.png diff --git a/windows/deployment/images/sccm-client.PNG b/windows/deployment/images/configmgr-client.PNG similarity index 100% rename from windows/deployment/images/sccm-client.PNG rename to windows/deployment/images/configmgr-client.PNG diff --git a/windows/deployment/images/sccm-collection.PNG b/windows/deployment/images/configmgr-collection.PNG similarity index 100% rename from windows/deployment/images/sccm-collection.PNG rename to windows/deployment/images/configmgr-collection.PNG diff --git a/windows/deployment/images/sccm-install-os.PNG b/windows/deployment/images/configmgr-install-os.PNG similarity index 100% rename from windows/deployment/images/sccm-install-os.PNG rename to windows/deployment/images/configmgr-install-os.PNG diff --git a/windows/deployment/images/sccm-post-refresh.PNG b/windows/deployment/images/configmgr-post-refresh.PNG similarity index 100% rename from windows/deployment/images/sccm-post-refresh.PNG rename to windows/deployment/images/configmgr-post-refresh.PNG 
diff --git a/windows/deployment/images/sccm-pxe.PNG b/windows/deployment/images/configmgr-pxe.PNG similarity index 100% rename from windows/deployment/images/sccm-pxe.PNG rename to windows/deployment/images/configmgr-pxe.PNG diff --git a/windows/deployment/images/sccm-site.PNG b/windows/deployment/images/configmgr-site.PNG similarity index 100% rename from windows/deployment/images/sccm-site.PNG rename to windows/deployment/images/configmgr-site.PNG diff --git a/windows/deployment/images/sccm-software-cntr.PNG b/windows/deployment/images/configmgr-software-cntr.PNG similarity index 100% rename from windows/deployment/images/sccm-software-cntr.PNG rename to windows/deployment/images/configmgr-software-cntr.PNG diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 944908ad16..4f273824cb 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md 
@@ -108,11 +108,11 @@ Topics and procedures in this guide are summarized in the following table. An es 5. Type the following commands at an elevated Windows PowerShell prompt on SRV1: ``` - New-NetFirewallRule -DisplayName “SQL Server” -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow - New-NetFirewallRule -DisplayName “SQL Admin Connection” -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Database Management” -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow - New-NetFirewallRule -DisplayName “SQL Service Broker” -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow - New-NetFirewallRule -DisplayName “SQL Debugger/RPC” -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow + New-NetFirewallRule -DisplayName "SQL Server" -Direction Inbound –Protocol TCP –LocalPort 1433 -Action allow + New-NetFirewallRule -DisplayName "SQL Admin Connection" -Direction Inbound –Protocol TCP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName "SQL Database Management" -Direction Inbound –Protocol UDP –LocalPort 1434 -Action allow + New-NetFirewallRule -DisplayName "SQL Service Broker" -Direction Inbound –Protocol TCP –LocalPort 4022 -Action allow + New-NetFirewallRule -DisplayName "SQL Debugger/RPC" -Direction Inbound –Protocol TCP –LocalPort 135 -Action allow ``` 7. Download and install the latest [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) on SRV1 using the default installation settings. The current version is the ADK for Windows 10, version 1703. Installation might require several minutes to acquire all components. 
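Review bot: the five `New-NetFirewallRule` lines still carry a typographic en dash in `–Protocol` and `–LocalPort`; only the curly quotes around the `-DisplayName` values were normalized. Replace them with ASCII hyphens (`-Protocol TCP -LocalPort 1433`) so every parameter on the line uses the same character and the commands survive copy and paste into a shell or editor that does not treat U+2013 as a parameter prefix. Because these rules allow inbound 1433, 1434, 4022 and 135 with no source restriction, a sentence stating that they are intended for the PoC lab would also help readers who reuse the block elsewhere.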
@@ -123,7 +123,7 @@ Topics and procedures in this guide are summarized in the following table. An es ``` $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 0 + Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 Stop-Process -Name Explorer ``` @@ -207,7 +207,7 @@ Topics and procedures in this guide are summarized in the following table. An es 19. If desired, re-enable IE Enhanced Security Configuration at this time on SRV1: ``` - Set-ItemProperty -Path $AdminKey -Name “IsInstalled” -Value 1 + Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1 Stop-Process -Name Explorer ``` @@ -326,7 +326,7 @@ WDSUTIL /Set-Server /AnswerClients:None See the following example: - Config Mgr PXE + Config Mgr PXE 5. Click **OK**. 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present: 
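Review bot: in the step 19 block of this file (hunk -207,7), `Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 1` depends on `$AdminKey` still being set from the block in hunk -123,7, and the hunk offsets show the two blocks sit far apart in the procedure. If the reader has opened a new PowerShell window by step 19, `$AdminKey` is empty and the command fails instead of re-enabling IE Enhanced Security Configuration. Repeat the `$AdminKey = ...` assignment line at the top of the step 19 block.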
@@ -387,7 +387,7 @@ WDSUTIL /Set-Server /AnswerClients:None In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. 
@@ -847,7 +847,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 6. When a popup dialog box asks if you want to run full discovery, click **Yes**. 7. In the Assets and Compliance workspace, click **Devices** and verify that the computer account names for SRV1 and PC1 are displayed. See the following example (GREGLIN-PC1 is the computer account name of PC1 in this example): - ![assets](images/sccm-assets.png) + ![assets](images/configmgr-assets.png) >If you do not see the computer account for PC1, try clicking the **Refresh** button in the upper right corner of the console. @@ -900,7 +900,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example: - ![site](images/sccm-site.png) + ![site](images/configmgr-site.png) If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated. 
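Review bot: `![site](images/configmgr-site.png)` references a lowercase `.png`, but the rename entry for this image earlier in the patch creates `windows/deployment/images/configmgr-site.PNG`, so the link resolves only where paths are case-insensitive. Only `configmgr-asset.png` and `configmgr-assets.png` were renamed to a lowercase extension; the client, collection, install-os, post-refresh and software-cntr images keep `.PNG` while the Markdown references in the following hunks use `.png`. Rename the remaining images to lowercase `.png` in this change, or match the case in the references.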
@@ -908,7 +908,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example: - ![client](images/sccm-client.png) + ![client](images/configmgr-client.png) >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**. @@ -970,7 +970,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example: - ![collection](images/sccm-collection.png) + ![collection](images/configmgr-collection.png) ### Create a device collection for PC1 @@ -1018,7 +1018,7 @@ In the Configuration Manager console, in the Software Library workspace under Op 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example: - ![software](images/sccm-software-cntr.png) + ![software](images/configmgr-software-cntr.png) >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available. 
@@ -1056,17 +1056,17 @@ In the Configuration Manager console, in the Software Library workspace under Op 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**. 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example: - ![installOS](images/sccm-install-os.png) + ![installOS](images/configmgr-install-os.png) The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example: - ![asset](images/sccm-asset.png) + ![asset](images/configmgr-asset.png) You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**. When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system. - ![post-refresh](images/sccm-post-refresh.png) + ![post-refresh](images/configmgr-post-refresh.png) diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index c3c19ee400..6d79db4dc3 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md 
@@ -38,7 +38,7 @@ ## [Encrypted Hard Drive](encrypted-hard-drive.md) -## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) +## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) @@ -47,8 +47,8 @@ ##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) -### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) -#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) +### [Create a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\overview-create-wip-policy-configmgr.md) +#### [Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager](windows-information-protection\create-wip-policy-using-configmgr.md) #### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) #### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) ### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md) 
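Review bot: the two rewritten TOC entries in the -47,8 hunk keep backslash separators (`windows-information-protection\overview-create-wip-policy-configmgr.md`), which is not a portable path separator in Markdown links. Since both lines are being edited anyway, switch them to forward slashes. Also confirm that `overview-create-wip-policy-sccm.md` is renamed in this same patch so that the new `overview-create-wip-policy-configmgr.md` target exists.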
diff --git a/windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg b/windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg similarity index 100% rename from windows/security/information-protection/bitlocker/images/sccm-imageconfig.jpg rename to windows/security/information-protection/bitlocker/images/configmgr-imageconfig.jpg diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 2f83a67ca2..18236c1ddf 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -111,7 +111,7 @@ list volume If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). -![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/sccm-imageconfig.jpg) +![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg) #### Step 2: Verify the status of WinRE @@ -171,7 +171,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes You receive an error message that resembles the following: -> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable ‘SecureBoot’ could not be read. A required privilege is not held by the client. +> **Error:** BitLocker cannot use Secure Boot for integrity because the UEFI variable 'SecureBoot' could not be read. A required privilege is not held by the client. ### Cause 
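Review bot: in the -171,7 hunk the quote normalization changes text inside a quoted error message (`the UEFI variable 'SecureBoot' could not be read`). That line documents what the product displays, so confirm that straight quotes match the message as it actually appears; if the original curly quotes were verbatim, leave this line out of the cleanup so readers who search on the error text still find the page.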
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index d2a77a72e2..2bcfcf6622 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md 
@@ -23,12 +23,12 @@ ms.reviewer: - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. +If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >[!IMPORTANT] ->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

If your DRA certificate has expired, you won't be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. ## Manually create an EFS DRA certificate 
@@ -47,16 +47,16 @@ The recovery process included in this topic only works for desktop devices. WIP >[!Important] >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md). +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as [Microsoft Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md). > [!NOTE] > This certificate can be used in Intune for policies both _with_ device enrollment (MDM) and _without_ device enrollment (MAM). ## Verify your data recovery certificate is correctly set up on a WIP client computer -1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. +1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it's encrypted by WIP. -2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. +2. Open an app on your protected app list, and then create and save a file so that it's encrypted by WIP. 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: 
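Review bot: steps 1 and 2 under "Verify your data recovery certificate is correctly set up on a WIP client computer" say the same thing twice: step 1 already gives "open an app on your allowed app list, and then create and save a file" as its example, and step 2 repeats it with "protected app list". Both lines are touched here, so drop step 2, or fold it into step 1 using one term for the app list, and renumber the command step that follows.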
@@ -89,7 +89,7 @@ It's possible that you might revoke data from an unenrolled device only to later Robocopy "%localappdata%\Microsoft\EDP\Recovery" "new_location" * /EFSRAW - Where "*new_location*" is in a different directory. This can be on the employee’s device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent. + Where "*new_location*" is in a different directory. This can be on the employee's device or on a shared folder on a computer that runs Windows 8 or Windows Server 2012 or newer and can be accessed while you're logged in as a data recovery agent. To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**. 
@@ -109,12 +109,12 @@ It's possible that you might revoke data from an unenrolled device only to later 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + The Windows Credential service automatically recovers the employee's previously revoked keys from the `Recovery\Input` location. ## Auto-recovery of encryption keys Starting with Windows 10, version 1709, WIP includes a data recovery feature that lets your employees auto-recover access to work files if the encryption key is lost and the files are no longer accessible. This typically happens if an employee reimages the operating system partition, removing the WIP key info, or if a device is reported as lost and you mistakenly target the wrong device for unenrollment. -To help make sure employees can always access files, WIP creates an auto-recovery key that’s backed up to their Azure Active Directory (Azure AD) identity. +To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity. The employee experience is based on sign in with an Azure AD work account. The employee can either: @@ -147,7 +147,7 @@ After signing in, the necessary WIP key info is automatically downloaded and emp - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md) -- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) +- [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md similarity index 78% rename from windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md rename to windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 9d1178639c..a5baa19809 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -25,10 +25,10 @@ ms.date: 01/09/2020 - Windows 10 Mobile, version 1607 and later - Microsoft Endpoint Configuration Manager -Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy -After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. +After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. >[!TIP] > Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues. 
@@ -37,16 +37,16 @@ After you’ve installed and set up Configuration Manager for your organization, 1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. - ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png) + ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png) 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Microsoft Endpoint Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 
@@ -56,25 +56,25 @@ The **Create Configuration Item Wizard** starts. 5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. - ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png) + ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png) 6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. - ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png) + ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png) The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. ## Add app rules to your policy -During the policy-creation process in Microsoft Endpoint Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >[!IMPORTANT] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. 
On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ### Add a store app rule to your policy -For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. +For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list. **To add a store app** @@ -82,13 +82,13 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** The **Add app rule** box appears. - ![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png) + ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. + Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 4. Pick **Store App** from the **Rule template** drop-down list. 
@@ -122,7 +122,7 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. > [!IMPORTANT] - > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

+ > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`.

For example:

> ```json > { > "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -150,7 +150,7 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. > [!IMPORTANT] - > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + > The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as "CN=" followed by the `windowsPhoneLegacyId`. > For example:

> ```json > { @@ -159,20 +159,20 @@ If you don't know the publisher or product name, you can find them for both desk > ``` ### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. +For this example, we're going to add Internet Explorer, a desktop app, to the **App Rules** list. **To add a desktop app to your policy** 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. - ![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png) + ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. + Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 4. Pick **Desktop App** from the **Rule template** drop-down list. @@ -186,7 +186,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the Manages - All fields left as “*” + All fields left as "*" All files signed by any publisher. (Not recommended.) 
@@ -215,7 +215,7 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the -If you’re unsure about what to include for the publisher, you can run this PowerShell command: +If you're unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 Get-AppLockerFileInformation -Path "" @@ -232,7 +232,7 @@ Path Publisher Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. ### Add an AppLocker policy file -For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. +For this example, we're going to add an AppLocker XML file to the **App Rules** list. You'll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). @@ -257,7 +257,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 
@@ -277,7 +277,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + The policy is saved and you'll see a message that says 1 rule was exported from the policy. **Example XML file**
This is the XML file that AppLocker creates for Microsoft Photos. @@ -299,7 +299,7 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using Microsoft Endpoint Configuration Manager. +12. After you've created your XML file, you need to import it by using Configuration Manager. **To import your Applocker policy file app rule using Configuration Manager** @@ -307,13 +307,13 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* The **Add app rule** box appears. - ![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png) + ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png) -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. + Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 4. Pick the **AppLocker policy file** from the **Rule template** drop-down list. 
@@ -332,13 +332,13 @@ If you're running into compatibility issues where your app is incompatible with The **Add app rule** box appears. -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. +2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. -4. Fill out the rest of the app rule info, based on the type of rule you’re adding: +4. Fill out the rest of the app rule info, based on the type of rule you're adding: - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. 
@@ -360,13 +360,13 @@ We recommend that you start with **Silent** or **Override** while verifying with |-----|------------| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.| -![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png) +![Create Configuration Item wizard, choose your WIP-protection level](images/wip-configmgr-appmgmt.png) ## Define your enterprise-managed identity domains -Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. +Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. 
@@ -374,16 +374,16 @@ You can specify multiple domains owned by your enterprise by separating them wit - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png) + ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png) ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. -There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). >[!IMPORTANT] >Every WIP policy should include policy that defines your enterprise network locations.
->Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations. **To define where your protected apps can find and send enterprise data on you network** @@ -393,7 +393,7 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png) + ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png) @@ -404,7 +404,7 @@ There are no default locations included with WIP, you must add each of your netw - + @@ -414,12 +414,12 @@ There are no default locations included with WIP, you must add each of your netw - + -
+
@@ -442,7 +442,7 @@ There are no default locations included with WIP, you must add each of your netw 4. Decide if you want to Windows to look for additional network settings and if you want to show the WIP icon on your corporate files while in File Explorer. - ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png) + ![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-configmgr-optsettings.png) - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. 
@@ -452,16 +452,16 @@ There are no default locations included with WIP, you must add each of your netw 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png) + ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png) - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). 
## Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. +After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings. -![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png) +![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png) **To set your optional settings** 1. Choose to set any or all of the optional settings: 
@@ -478,13 +478,13 @@ After you've decided where your protected apps can access enterprise data on you - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke local encryption keys during the unenrollment process.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions. - - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don’t specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. 
+ - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. 2. After you pick all of the settings you want to include, click **Summary**. @@ -494,12 +494,12 @@ After you've finished configuring your policy, you can review all of your info o **To view the Summary screen** - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. - ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png) + ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png) A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. ## Deploy the WIP policy -After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: +After you've created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics: - [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224) - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708225) 
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index 47d4db6ed7..684b78d8e2 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -82,7 +82,7 @@ When you create a sensitivity label, you can specify that the label be added to ![Sensitivity labels](images/sensitivity-label-auto-label.png) -A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver’s license numbers, and so on. +A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver's license numbers, and so on. You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. ### Protection 
@@ -110,7 +110,7 @@ You can see sensitive information types in Microsoft 365 compliance under **Clas - Auto labelling requires Windows 10, version 1903 - Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy - [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center -- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-sccm.md) +- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [Microsoft Endpoint Configuration Manager](overview-create-wip-policy-configmgr.md) diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-add-network-domain.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-add-network-domain.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addapplockerfile.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addapplockerfile.png 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adddesktopapp.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adddesktopapp.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-additionalsettings.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-additionalsettings.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-addpolicy.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-addpolicy.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-adduniversalapp.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-adduniversalapp.png 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-appmgmt.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-appmgmt.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-corp-identity.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-corp-identity.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-devicesettings.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-devicesettings.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-dra.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-dra.png 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-generalscreen.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-network-domain.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-network-domain.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-optsettings.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-optsettings.png diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-summaryscreen.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-summaryscreen.png 
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png similarity index 100% rename from windows/security/information-protection/windows-information-protection/images/wip-sccm-supportedplat.png rename to windows/security/information-protection/windows-information-protection/images/wip-configmgr-supportedplat.png diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md similarity index 88% rename from windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md rename to windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index fc7e101613..a1e662c65e 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md 
@@ -28,6 +28,6 @@ Microsoft Endpoint Configuration Manager helps you create and deploy your enterp ## In this section |Topic |Description | |------|------------| -|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-sccm.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 0ef906a2b3..961744bbf6 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -56,7 +56,7 @@ You can try any of the processes included in these scenarios, but you should foc 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-confirm.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-device-collection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-create-policy.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-criteria.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-device-collections.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-direct-membership.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-limiting-collection.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-membership-rules.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-policy-name.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-query-rule.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/images/sccm-simple-value.png rename to windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 3b7f738894..3a1e55ca42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md 
@@ -73,39 +73,39 @@ below to onboard systems with Configuration Manager. 1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-device-collections.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-device-collections.png) 2. Right Click **Device Collection** and select **Create Device Collection**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-device-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-device-collection.png) 3. Provide a **Name** and **Limiting Collection**, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-limiting-collection.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-limiting-collection.png) 4. Select **Add Rule** and choose **Query Rule**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-query-rule.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-query-rule.png) 5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-direct-membership.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-direct-membership.png) 6. Select **Criteria** and then choose the star icon. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-criteria.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-criteria.png) 7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is equal to** and value **10240** and click on **OK**. 
- ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-simple-value.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-simple-value.png) 8. Select **Next** and **Close**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-membership-rules.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-membership-rules.png) 9. Select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-confirm.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-confirm.png) After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. @@ -123,7 +123,7 @@ Manager and deploy that policy to Windows 10 devices. ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-onboarding-wizard.png) -3. Select **Download package**. +3. Select **Download package**. ![Image of Microsoft Defender ATP onboarding wizard](images/mdatp-download-package.png) @@ -132,11 +132,11 @@ Manager and deploy that policy to Windows 10 devices. 6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-create-policy.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-create-policy.png) 7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - ![Image of Microsoft Endpoint Configuration Manager wizard](images/sccm-policy-name.png) + ![Image of Microsoft Endpoint Configuration Manager wizard](images/configmgr-policy-name.png) 8. Click **Browse**.
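Review bot: In the WIP policy hunk at -478, the **No** option under "Revoke local encryption keys during the unenrollment process" never states its consequence. The parent bullet says revocation is what removes access to encrypted corporate data, so with **No** the user keeps that access after the device is unenrolled. Say that explicitly and fold the MDM-migration case into the same sentence, rather than leaving "For example, if you're migrating between Mobile Device Management (MDM) solutions." as a fragment.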
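Review bot: In how-wip-works-with-labels.md at -110, the prerequisites list still reads "Windows Defender ATP" in its link text, while onboarding.md in this same change uses "Microsoft Defender ATP" throughout. Since this commit is a naming pass and this hunk already touches the list, align the product name here as well.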
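Review bot: In overview-create-wip-policy-configmgr.md at -28, the first table row now links to create-wip-policy-using-configmgr.md, but the rename of that target is not among the file headers shown in this part of the diff. Confirm the target file is renamed in the same commit so the link resolves. The next row, unchanged here, reads "using a Encrypting File System"; it should be "an Encrypting File System".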
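Review bot: In onboarding.md at -73, step 7 sets the operator to **is equal to** with the value **10240**, which matches only devices whose build number is exactly 10240, yet the sentence after step 9 says the collection holds all the Windows 10 endpoints in the environment. Devices on any other build fall outside the collection, so a policy targeted at it would miss them. Change either the operator or the closing claim. Step 5 also refers to the **Direct Membership Wizard** immediately after step 4 selects **Query Rule**, which is worth reconciling while these lines are open.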
Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

Enterprise Network Domain Names (Required)
Proxy servers proxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Internal proxy servers contoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.

This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Enterprise IPv4 Range (Required) Starting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Create work documents in enterprise-allowed apps. For desktop:

For mobile:
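Review bot: In the Enterprise Cloud Resources row, the rule that you must include the "," delimiter just before the "|" when you don't use proxy servers disagrees with the "Without proxy" example, contoso.sharepoint.com|contoso.visualstudio.com, which has no comma. Make the example and the rule agree. The Proxy servers row also says that using this server type indicates the cloud resources are enterprise resources, while the Internal proxy servers row says Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. One of the two descriptions needs correcting, because it determines which traffic is treated as enterprise.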

    @@ -113,7 +113,7 @@ You can try any of the processes included in these scenarios, but you should foc
    1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
      Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
    2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
    3. -
    4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

      Note
      Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
    5. +
    6. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

      Note
      Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.

      A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
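Review bot: In the Note under the copy-and-paste step, "like File Explorer (when running in the user's context), should have access" has a comma separating the subject from its verb. Drop it while this line is being touched, and write "WordPad" for "Wordpad" in the paragraph that follows.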