Merge remote-tracking branch 'refs/remotes/origin/master' into rs1

# Conflicts:
#	.gitignore
#	windows/deploy/change-history-for-deploy-windows-10.md
#	windows/plan/TOC.md
This commit is contained in:
LizRoss
2016-07-26 10:12:23 -07:00
252 changed files with 3015 additions and 7036 deletions

@ -1,5 +1,15 @@
# [Deploy Windows 10](index.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md)
### [Upgrade Analytics architecture](upgrade-analytics-architecture.md)
### [Upgrade Analytics requirements](upgrade-analytics-requirements.md)
### [Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
### [Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
### [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
#### [Prepare your environment](upgrade-analytics-prepare-your-environment.md)
#### [Resolve application and driver issues](upgrade-analytics-resolve-issues.md)
#### [Deploy Windows](upgrade-analytics-deploy-windows.md)
### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)

Binary file not shown.

@ -16,6 +16,7 @@ Learn about deploying Windows 10 for IT professionals.
|Topic |Description |
|------|------------|
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. |
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. |

@ -0,0 +1,57 @@
---
title: Manage Windows upgrades with Upgrade Analytics (Windows 10)
description: Provides an overview of the process of managing Windows upgrades with Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Manage Windows upgrades with Upgrade Analytics
Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
With the release of Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsofts experience upgrading millions of devices to Windows 10.
With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
- Detailed computer and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues, with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools, including System Center Configuration Manager
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
[Upgrade Analytics architecture](upgrade-analytics-architecture.md)
[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
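
Review bot: The last heading in this file, `##**Related topics**`, has no space after the hashes, so renderers that follow CommonMark will show it as literal text rather than a heading; suggest `## Related topics`, dropping the bold. In the **Important** paragraph the third telemetry link uses `http://go.microsoft.com/fwlink/?LinkID=822965` while the two links above it use https, and since this paragraph is where readers are sent to learn what data leaves their computers, an https link would be more consistent. "Microsofts experience" in the third paragraph is missing its apostrophe.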

@ -0,0 +1,33 @@
---
title: Troubleshoot Upgrade Analytics (Windows 10)
description: Provides troubleshooting information for Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Troubleshoot Upgrade Analytics
If youre having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error.
If you still dont see data in Upgrade Analytics, follow these steps:
1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
2. Edit the script as described in [Run the Upgrade Analytics deployment script](upgrade-analytics-get-started.md#run-the-upgrade-analytics-deployment-script).
3. Check that isVerboseLogging is set to $true.
4. Run the script again. Log files will be saved to the directory specified in the script.
5. Open a support case with Microsoft Support through your regular channel and provide this information.
## Disable Upgrade Analytics
If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps:
1. Unsubscribe from the Upgrade Analytics solution in the OMS portal.
2. Disable the Customer Experience Improvement Program on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to Security.
3. Delete the CommercialDataOptin key in *HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection*
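
Review bot: Step 3 under "Disable Upgrade Analytics" removes only CommercialDataOptin, but the get-started topic added in this same commit says the deployment script sets the commercial ID key, CommercialDataOptIn and RequestAllAppraiserVersions, so the procedure as written leaves two of those values on the computer and spells the third with different casing. Suggest listing every value the script writes, with one spelling, so that an administrator who follows these steps can confirm nothing the script configured remains. The registry path is in italics with doubled backslashes; code formatting with single backslashes would make it safe to copy. In the first paragraph, UA_dateTime_machineName.txt would also read better in code formatting.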

@ -0,0 +1,34 @@
---
title: Upgrade Analytics architecture (Windows 10)
description: Describes Upgrade Analytics architecture.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics architecture
Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Analytics components work together in a typical installation.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image1.png" width="624" height="401" />
-->
![Upgrade Analytics architecture](images/upgrade-analytics-architecture.png)
After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Analytics, telemetry data is analyzed by the Upgrade Analytics Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Analytics solution (5) to plan and manage Windows upgrades.
For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
##**Related topics**
[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
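
Review bot: The HTML comment after the first paragraph ("PRESERVING ORIGINAL IMAGE CODING JUST IN CASE" around `<img src="media/image1.png" width="624" height="401" />`) should be dropped before merge; version control already preserves the old markup, and the comment ships in the published source pointing at a media/ path that the new `images/upgrade-analytics-architecture.png` reference replaces. The same comment pattern appears in the deploy and prepare-your-environment topics in this commit. The three telemetry links after "see:" have no list markers, unlike the same links in the overview topic, and `##**Related topics**` needs a space after the hashes.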

@ -0,0 +1,26 @@
---
title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10)
description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics - Get a list of computers that are upgrade ready
All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as youve resolved issues and decided which applications and drivers are ready to upgrade, youve been building a list of computers that are upgrade ready.
The blades in the **Deploy** section are:
## Deploy eligible computers
Computers grouped by deployment decision are listed.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image9.png" width="195" height="316" />
-->
![Deploy eligible computers](images/upgrade-analytics-deploy-eligible.png)
Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers.
>**Important**<br> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
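
Review bot: The front-matter title says "upgrade-ready" while the H1 and the first paragraph say "upgrade ready"; pick one form, since the other topics in this commit use the hyphenated one. "The blades in the **Deploy** section are:" introduces a list, but only one blade ("Deploy eligible computers") follows, so either reword it to the singular or drop the sentence. The commented-out `<img src="media/image9.png" ...>` block can go for the same reason as in the architecture topic.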

@ -0,0 +1,161 @@
---
title: Get started with Upgrade Analytics (Windows 10)
description: Explains how to get started with Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Get started with Upgrade Analytics
Use Upgrade Analytics to plan and manage your upgrade project end to end. After youve established communications between user computers and Microsoft, Upgrade Analytics collects computer, application, and driver data for analysis. We use this data to identify compatibility issues that can block your upgrade and suggest fixes that are known to Microsoft.
For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](http://go.microsoft.com/fwlink/?LinkID=822965)
This topic explains how to obtain and set up Upgrade Analytics components. If you havent done so already, see [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements) for information about requirements for using Upgrade Analytics.
To configure Upgrade Analytics, youll need to:
- Add the Upgrade Analytics solution to a workspace in the Operations Management Suite portal
- Establish communications and enable data sharing between your organization and Microsoft
Each task is explained in detail in the following sections.
## Add Upgrade Analytics to Operations Management Suite
Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
If you are already using OMS, youll find Upgrade Analytics in the Solutions Gallery. Select the **Upgrade Analytics** tile in the gallery and then click **Add** on the solution's details page. Upgrade Analytics is now visible in your workspace.
If you are not using OMS:
1. Go to the [Upgrade Analytics website](http://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organizations Azure administrator.
> If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
1. To add the Upgrade Analytics solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Analytics** tile in the gallery and then select **Add** on the solutions details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Analytics.
2. Click the **Upgrade Analytics** tile to configure the solution. The **Settings Dashboard** opens.
## Enable data sharing between your organization and Upgrade Analytics
After youve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, complete the following tasks to establish communication and enable data sharing between user computers, Microsoft secure data centers, and Upgrade Analytics.
## Generate your commercial ID key
Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers.
1. On the Settings Dashboard, navigate to the **Windows telemetry** panel.
![upgrade-analytics-telemetry](images/upgrade-analytics-telemetry.png)
2. On the Windows telemetry panel, copy and save your commercial ID key. Youll need to insert this key into the Upgrade Analytics deployment script later so it can be deployed to user computers.
>**Important**<br> Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, youll need to deploy the new commercial ID key to user computers again.
## Subscribe to Upgrade Analytics
For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Analytics.
1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Analytics solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic.
1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Analytics tile now displays summary data. Click the tile to open Upgrade Analytics.
## Whitelist select endpoints
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
Note: The compatibility update KB runs under the computers system account and does not support user authenticated proxies.
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com/collect/v1` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
| `https://settings-win.data.microsoft.com/settings` | Enables the compatibility update KB to send data to Microsoft. |
| `http://go.microsoft.com/fwlink/?LinkID=544713`<br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
| `https://vortex.data.microsoft.com/health/keepalive` <br>`https://settings.data.microsoft.com/qos` <br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | These endpoints are used to validate that user computers are sharing data with Microsoft. |
## Deploy the compatibility update and related KBs
The compatibility update KB scans your computers and enables application usage tracking. If you dont already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
| **Operating System** | **KBs** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2976978><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed. <br>For more information about this KB, see <https://support.microsoft.com/kb/2952664><br>[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)<br>Provides updated configuration and definitions for compatibility diagnostics performed on the system.<br>For more information about this KB, see <https://support.microsoft.com/kb/3150513><br>NOTE: KB2976978 must be installed before you can download and install KB3150513. |
IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
### Automate data collection
To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
- Schedule the Upgrade Analytics deployment script to automatically run so that you dont have to manually initiate an inventory scan each time the compatibility update KBs are updated. Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you wont see the changes in Upgrade Analytics until you run the script again.
- Schedule monthly user computer scans to view monthly active computer and usage information.
## Run the Upgrade Analytics deployment script
To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the Upgrade Analytics deployment script, developed by Microsoft.
The Upgrade Analytics deployment script does the following:
1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys.
2. Verifies that user computers can send data to Microsoft.
3. Checks whether the computer has a pending restart.  
4. Verifies that the latest version of KB package 10.0.x is installed (requires 10.0.14348 or subsequent releases).
5. If enabled, turns on verbose mode for troubleshooting.
6. Initiates the collection of the telemetry data that Microsoft needs to assess your organizations upgrade readiness.
7. If enabled, displays the scripts progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
To run the Upgrade Analytics deployment script:
1. Download the [Upgrade Analytics deployment script](http://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. The files in the Diagnostics folder are necessary only if you plan to run the script in troubleshooting mode.
2. Edit the following parameters in RunConfig.bat:
1. Provide a storage location for log information. Example: %SystemDrive%\\UADiagnostics
2. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory.
3. Input your commercial ID key.
4. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
> *logMode = 0 log to console only*
>
> *logMode = 1 log to file and console*
>
> *logMode = 2 log to file only*
3. For troubleshooting, set isVerboseLogging to $true to generate log information that can help with diagnosing issues. By default, isVerboseLogging is set to $false. Ensure the Diagnostics folder is installed in the same directory as the script to use this mode.
4. Notify users if they need to restart their computers. By default, this is set to off.
5. After you finish editing the parameters in RunConfig.bat, run the script as an administrator.
## Seeing data from computers in Upgrade Analytics
After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
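
Review bot: In the KB table, the Windows 7 SP1 row ends with "NOTE: KB2976978 must be installed before you can download and install KB3150513", but the compatibility update listed for that row is KB2952664; KB2976978 is the Windows 8.1 update, so the note looks copied from the row above and should name KB2952664. The numbered lists also restart: under "If you are not using OMS" the steps after the blockquote begin again at 1, both steps under "Subscribe to Upgrade Analytics" are numbered 1, and under "Edit the following parameters in RunConfig.bat" the sub-steps 1 to 4 are followed by a step 3, so the nesting is lost. Indenting the blockquote and the sub-steps under their parent step would keep the sequence intact. In "What the script does", step 1 joins three registry values with plus signs; a short list with each name in code formatting would match how the troubleshooting topic refers to them.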

@ -0,0 +1,116 @@
---
title: Upgrade Analytics - Prepare your environment (Windows 10)
description: Describes how to prepare your environment so that you can use Upgrade Analytics to manage Windows upgrades.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics - Prepare your environment
This section of the Upgrade Analytics workflow reports your computer and application inventory and lists computers that you can use in a pilot with no known issues or with fixable driver issues. Additionally, you can determine the priority level of applications to indicate which applications the team should focus on to get them upgrade ready.
The blades in the **Prepare your environment** section are:
## Upgrade overview
Displays the total count of computers sharing data with Microsoft and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
Check this blade for data refresh status, including the date and time of the most recent data update and whether user changes are reflected. If a user change is pending when changing the upgrade assessment or importance level of an application or driver, **Data refresh pending** is displayed in orange. User changes are processed once every 24 hours and read **Up to date** in green when there are no pending changes.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image3.png" width="214" height="345" />
-->
![Upgrade overview](images/upgrade-analytics-overview.png)
Select **Total computers** for a list of computers and details about them, including:
- Computer ID and computer name
- Computer manufacturer
- Computer model
- Operating system version and build
- Count of system requirement, application, and driver issues per computer
- Upgrade assessment based on analysis of computer telemetry data
- Upgrade decision status
Select **Total applications** for a list of applications discovered on user computers and details about them, including:
- Application vendor
- Application version
- Count of computers the application is installed on
- Count of computers that opened the application at least once in the past 30 days
- Percentage of computers in your total computer inventory that opened the application in the past 30 days
- Issues detected, if any
- Upgrade assessment based on analysis of application data
- Roll up level
## Run a pilot
Computers with no known issues and computers with fixable driver issues are listed, grouped by upgrade assessment. We recommend that you use these computers to test the impact of upgrading.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image4.png" width="203" height="326" />
-->
![Run a pilot](images/upgrade-analytics-pilot.png)
Before you start your pilot project, be sure to review upgrade assessment and guidance details, explained in more detail in the table below.
| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance |
|-----------------------|------------------------------------------------|----------|-----------------|---------------|
| No known issues | No | None | Computers will upgrade seamlessly.<br> | OK to use as-is in pilot. |
| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver wont migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. |
| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver wont migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update. <br><br>If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading. <br> <br> |
Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file.
>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time.
See [Plan for Windows 10 deployment](http://technet.microsoft.com/itpro/windows/plan/index) for more information about ways to deploy Windows in your organization. Read about [how Microsoft IT deployed Windows as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade) for best practices using the in-place upgrade method.
## Prioritize applications
Applications are listed, grouped by importance level. Prioritizing your applications allows you to identify the ones that you will focus on preparing for upgrade.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image5.png" width="213" height="345" />
-->
![Prioritize applications](images/upgrade-analytics-prioritize.png)
Select **Assign importance** to change an applications importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
To change an applications importance level:
1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level. Select **Table** to view the list in a table.
2. Select **User changes** to enable user input.
3. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
4. Click **Save** when finished.
Importance levels include:
| Importance level | When to use it | Recommendation |
|--------------------|------------------|------------------|
| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]<br><br>Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.<br> | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. <br><br> |
| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you change the importance level.<br><br>These applications are also marked as **Not reviewed** in the **UpgradeDecision** column. <br> | Once youve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. |
| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organizations functioning, mark it **Business critical**. <br><br> | You may also want to change the applications status to **Review in progress** in the **UpgradeDecision** column to let other team members know that youre working on getting this business critical application upgrade-ready. Once youve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**. <br> |
| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organizations functioning, mark it **Important**. | You may also want to change the applications status to **Review in progress** in the **UpgradeDecision** column to let other team members know that youre working on getting this important application upgrade-ready. Once youve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**. <br> |
| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organizations functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**. <br> | Set the applications importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing.<br><br>You may also want to change the applications status to **Not reviewed** or **Ready to upgrade** in the **UpgradeDecision** column. <br> |
| Review in progress | Once youve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.<br> | As you learn more about the applications importance to your organizations functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.<br><br>Until youve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**. <br> |
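Review bot: the 5,000-row export note under "Export computers" is written as `>**Important**>`, and the stray second `>` will render literally instead of forming a callout; use the `>**Important**<br>` form that the requirements topic uses. Apostrophes are also missing throughout the steps and the importance table ("an applications importance level", "youve", "organizations functioning"), which looks like a lost curly-quote character. The commented-out `<img src="media/image5.png" ...>` block kept "just in case" can be dropped now that the markdown image is in place.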

View File

@ -0,0 +1,5 @@
---
title: Upgrade Analytics release notes (Windows 10)
description: Provides tips and limitations about Upgrade Analytics.
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements
---
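Review bot: this stub is titled and described as release notes ("Provides tips and limitations about Upgrade Analytics"), but `redirect_url` sends readers to the top of the requirements topic, where that material sits further down under "Important information about this release". Point the redirect at that section's anchor, or drop the release-notes entry from the TOC, so readers do not land on an unrelated introduction.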

View File

@ -0,0 +1,88 @@
---
title: Upgrade Analytics requirements (Windows 10)
description: Provides requirements for Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics requirements
This article introduces concepts and steps needed to get up and running with Upgrade Analytics. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Analytics.
## Supported upgrade paths
To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Analytics performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Analytics cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
<!--With Windows 10, edition 1607, the compatibility update KB is installed automatically.-->
If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
Note: Upgrade Analytics is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Analytics insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements.
## Operations Management Suite
Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
If youre already using OMS, youll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solutions details page. Upgrade Analytics is now visible in your workspace.
If you are not using OMS, go to \[link to new Upgrade Analytics Web page on Microsoft.com\] and select **Upgrade Analytics Service** to kick off the OMS onboarding process. During the onboarding process, youll create an OMS workspace and add the Upgrade Analytics solution to it.
Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
## Telemetry and data sharing
After youve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, youll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics.
See \[link to Steve Mays PDF doc when its published\] for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, youll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
`https://v10.vortex-win.data.microsoft.com/collect/v1`
`https://settings-win.data.microsoft.com/settings`
`https://vortex.data.microsoft.com/health/keepalive`
`https://settings.data.microsoft.com/qos`
`http://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
>**Note** The compatibility update KB runs under the computers system account and does not support user authentication in this release.
**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. Youll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as youll need it later.
**Subscribe your OMS workspace to Upgrade Analytics.** For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, youll need to subscribe your OMS workspace to Upgrade Analytics.
**Enable telemetry and connect data sources.** To allow Upgrade Analytics to collect system, application, and driver data and assess your organizations upgrade readiness, communication must be established between Upgrade Analytics and user computers. Youll need to connect Upgrade Analytics to your data sources and enable telemetry to establish communication.
**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you dont already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
>**Important**<br> The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
**Configure and deploy Upgrade Analytics deployment script.** Configure and deploy the Upgrade Analytics deployment script to user computers to finish setting up.
## Important information about this release
Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
**Upgrade Analytics does not support on-premise Windows deployments.** Upgrade Analytics is built as a cloud service, which allows Upgrade Analytics to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premise.
**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Analytics solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. Were adding support for additional regions and well update this information when new international regions are supported.
### Tips
- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items.
- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby).
## Get started
See [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Analytics and getting started on your Windows upgrade project.
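Review bot: two authoring placeholders are still in the text, `\[link to new Upgrade Analytics Web page on Microsoft.com\]` in the Operations Management Suite section and `\[link to Steve Mays PDF doc when its published\]` under "Telemetry and data sharing"; both need real links before this ships, and the second is the only pointer to what data is collected from user computers. In the endpoint list that security groups are asked to allow, one entry is plain `http://` (the `go.microsoft.com/fwlink` URL) and one is on `trafficmanager.net` rather than a microsoft.com host, so a short line stating what each endpoint is used for would make that approval easier to grant. "Upgrade Anatlyics" under "Important information about this release" is a typo.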

View File

@ -0,0 +1,122 @@
---
title: Upgrade Analytics - Resolve application and driver issues (Windows 10)
description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Analytics.
ms.prod: w10
author: MaggiePucciEvans
---
# Upgrade Analytics - Resolve application and driver issues
This section of the Upgrade Analytics workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
You can change an applications upgrade decision and a drivers upgrade decision from the blades in this section. To change an applications or a drivers importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
Upgrade decisions include:
| Upgrade decision | When to use it | Guidance |
|--------------------|-------------------|-------------|
| Not reviewed | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress.** <br><br> <br> | Some applications are automatically assigned upgrade decisions based on information known to Microsoft. <br><br>All drivers are marked not reviewed by default.<br><br> |
| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.<br><br>Until youve determined that applications and drivers will migrate successfully or youve resolved blocking issues, leave the upgrade decision status as **Review in progress**. <br><br> | Once youve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**. <br> |
| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once youve resolved all blocking issues and youre confident that they will upgrade successfully, or if youve decided to upgrade them as-is. | Applications with no known issues or with low installation rates are marked **Ready to upgrade** by default.<br><br>Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. <br><br>All drivers are marked **Not reviewed** by default. <br> |
| Wont upgrade | By default, no applications or drivers are marked **Wont upgrade** because only you can make that determination. <br><br>Use **Wont upgrade** for computers you dont want to upgrade. <br> | If, during your investigation into an application or driver, you determine that they should not be upgraded, mark them **Wont upgrade**. <br><br> |
The blades in the **Resolve issues** section are:
## Review applications with known issues
Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image6.png" width="192" height="321" />
-->
![Review applications with known issues](images/upgrade-analytics-apps-known-issues.png)
To change an application's upgrade decision:
1. Select **Decide upgrade readiness** to view applications with issues.
2. In the table view, sort on **UpgradeAssessment** to group applications into **Attention needed** and **Fix available**.
3. Select **User changes** to change the upgrade decision for each application.
4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
5. Click **Save** when finished.
IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
|--------------------|-----------------------------------|-----------|-----------------|------------|
| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system. <br> | No action is required for the upgrade to proceed. |
| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade. <br><br>The application may work on the new operating system.<br> | Remove the application before upgrading, and reinstall and test on new operating system. |
| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.<br> |
| Attention needed | No | Does not work with new OS, but wont block upgrade | The application is not compatible with the new operating system, but wont block the upgrade. | No action is required for the upgrade to proceed, however, youll have to install a compatible version of the application on the new operating system.<br> |
| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading. <br><br>A compatible version of the application may be available.<br> |
| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.<br> | Test the applications behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.<br> |
| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. |
For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft.
| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
|--------------------|-----------------------------------|----------|-----------------|-------------|
| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and wont migrate. A compatible version of the application is available. | Update the application before upgrading. |
| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.<br> | No action is required for the upgrade to proceed. Reinstall application on the new operating system. |
| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but wont migrate. | Remove the application before upgrading and reinstall on the new operating system.<br> |
| Fix available | Yes | Disk encryption blocking upgrade | The applications encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.<br> |
## Review applications with no known issues
Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image7.png" width="197" height="336" />
-->
![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png)
Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates.
To change an application's upgrade decision:
1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table.
2. Select **User changes** to change the upgrade decision for each application.
3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
4. Click **Save** when finished.
## Review drivers with known issues
Drivers that wont migrate to the new operating system are listed, grouped by availability.
<!-- PRESERVING ORIGINAL IMAGE CODING JUST IN CASE
<img src="media/image8.png" width="197" height="316" />
-->
![Review drivers with known issues](images/upgrade-analytics-drivers-known.png)
Availability categories are explained in the table below.
| Driver availability | Action required before or after upgrade? | What it means | Guidance |
|-----------------------|------------------------------------------|----------------|--------------|
| Available in-box | No, for awareness only | The currently installed version of an application or driver wont migrate to the new operating system; however, a compatible version is installed with the new operating system.<br> | No action is required for the upgrade to proceed. |
| Import from Windows Update | Yes | The currently installed version of a driver wont migrate to the new operating system; however, a compatible version is available from Windows Update.<br> | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading. <br> |
| Available in-box and from Windows Update | Yes | The currently installed version of a driver wont migrate to the new operating system. <br><br>Although a new driver is installed during upgrade, a newer version is available from Windows Update. <br> | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading. <br> |
| Check with vendor | Yes | The driver wont migrate to the new operating system and we are unable to locate a compatible version. <br> | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. |
To change a drivers upgrade decision:
1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table.
2. Select **User changes** to enable user input.
3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list.
4. Click **Save** when finished.
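Review bot: the introduction says "To change an applications or a drivers importance level, select **User changes**" and then tells the reader to pick from the **Select upgrade decision** list, so importance level and upgrade decision are conflated; this topic should say "upgrade decision" there. Related copy-paste slips: the Not reviewed row repeats the Review in progress text in its "When to use it" cell, step 1 under "Review applications with no known issues" says "to view applications with issues", "The blades in the **Resolve issues** section are:" is followed by headings rather than a list, and "then then select" appears in two step lists. `IMORTANT:` is misspelled and should use the `>**Important**` callout form used elsewhere in this change.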

View File

@ -0,0 +1,26 @@
---
title: Use Upgrade Analytics to manage Windows upgrades (Windows 10)
description: Describes how to use Upgrade Analytics to manage Windows upgrades.
ms.prod: w10
author: MaggiePucciEvans
---
# Use Upgrade Analytics to manage Windows upgrades
This topic explains how to use the Upgrade Analytics solution to plan, manage, and deploy Windows upgrades.
Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organizations upgrade readiness.
You and your IT team can use the Upgrade Analytics workflow to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. You can then export the list of upgrade-ready computers and start deploying Windows with confidence, knowing that youve addressed potential blocking issues.
Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
The Upgrade Analytics workflow gives you compatibility and usage information about computers, applications, and drivers and walks you through these high-level tasks. Each task is described in more detail in the topics that follow.
1. [Preparing your environment](upgrade-analytics-prepare-your-environment.md)
2. [Resolving application and driver issues](upgrade-analytics-resolve-issues.md)
3. [Identifying computers that are upgrade ready](upgrade-analytics-deploy-windows.md)
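Review bot: the three task links use labels that do not match the topics they open. "Identifying computers that are upgrade ready" points at `upgrade-analytics-deploy-windows.md`, which the TOC lists as "Deploy Windows", and the other two use gerunds where the TOC has "Prepare your environment" and "Resolve application and driver issues"; align the link text with the topic titles. "Information is refreshed daily" followed by changes being "reflected 24 hours after you make them" also leaves it unclear whether 24 hours is an upper bound or a fixed delay.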

View File

@ -1,6 +1,6 @@
---
title: Windows 10 upgrade paths (Windows 10)
description: You can upgrade to Windows 10 from a previous version of Windows, providing the upgrade path is supported.
description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -31,7 +31,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td>Windows 10 Home</td>
<td>Windows 10 Pro</td>
<td>Windows 10 Pro for Education</td>
<td>Windows 10 Education</td>
<td>Windows 10 Enterprise</td>
<td>Windows 10 Mobile</td>
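Review bot: every body row has to lose the cell in the same column position as the header cell dropped here (`-31,7 +31,6`, presumably `Windows 10 Pro for Education`), and the hunks that follow cannot confirm that, because the dropped cells are all identical empty `<td></td>` lines. Render the table and compare each row's cell count against the header before merging.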
@ -45,7 +44,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -55,7 +53,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -65,7 +62,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -76,7 +72,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -86,7 +81,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -94,7 +88,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -108,7 +101,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -119,7 +111,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -129,7 +120,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -137,7 +127,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -148,7 +137,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -161,7 +149,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8</td>
@ -171,7 +158,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="10" nowrap="nowrap">Windows 8.1</td>
@ -181,7 +167,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -191,7 +176,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -202,7 +186,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -212,7 +195,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -222,7 +204,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -230,7 +211,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -241,7 +221,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -254,7 +233,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8.1</td>
@ -262,7 +240,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -274,7 +251,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -285,7 +261,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -293,7 +268,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Education</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td></td>
@ -303,7 +277,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
@ -315,7 +288,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
@ -325,7 +297,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
<td></td>
<td></td>
<td>D</td>
<td></td>
</tr>
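Review bot: in the rows that carry a `D` marker, this one and the Education row in the `-293,7` hunk, the position of the removed empty `<td></td>` decides which edition column the `D` ends up under; a cell removed on the wrong side of the `D` leaves the downgrade marker under the wrong edition. Check these rows in the rendered table against the legend ("D = Edition downgrade").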

View File

@ -22,7 +22,9 @@
##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
#### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
#### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md)
#### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md)
## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
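Review bot: The new entry "Mandatory tasks and settings required to turn on Windows Information Protection (WIP)" uses the WIP name while every sibling entry in this block, including the other new one, still says "enterprise data protection (EDP)". A reader of the TOC sees two names for what is presented as one feature with nothing tying them together. Either keep EDP here until the whole section is renamed, or add the old name in the title so the entry is findable under both.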
@ -682,9 +684,12 @@
#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using System Security Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
###### [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
####### [Configure endpoints using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
###### [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
##### [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
##### [Additional configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
##### [Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
#### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
#### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
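Review bot: Two problems in the new endpoint entries. The link text "Configure endpoints using System Security Configuration Manager" names a product that does not exist; the target file is configure-endpoints-sccm-... and its own title is "Configure endpoints using System Center Configuration Manager", so the TOC text should match. The Microsoft Intune entry is written with seven `#` characters, one level deeper than Markdown's six heading levels, so it may not render as a nested entry; consider dropping it (it only links to an anchor inside the MDM topic) or restructuring so it fits at level six.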

@ -1,47 +0,0 @@
---
title: Additional Windows Defender ATP configuration settings
description: Use the Group Policy Console to configure settings that enable sample sharing from your endpoints. These settings are used in the deep analysis feature.
keywords: configuration settings, Windows Defender ATP configuration settings, Windows Defender Advanced Threat Protection configuration settings, group policy Management Editor, computer configuration, policies, administrative templates,
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: security
ms.sitesec: library
author: mjcaparas
---
# Additional Windows Defender ATP configuration settings
**Applies to**
- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
## Configure sample collection settings with Group Policy
1. On your GP management machine, copy the following files from the
configuration package:
a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
4. Click **Policies**, then **Administrative templates**.
5. Click **Windows components** and then **Windows Advanced Threat Protection**.
6. Choose to enable or disable sample sharing from your endpoints.
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
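Review bot: Deleting this topic removes the page behind additional-configuration-windows-defender-advanced-threat-protection.md, and its sample-collection steps reappear under "Additional Windows Defender ATP configuration settings" in the new Group Policy topic. Please confirm that every remaining link to the old file name has been repointed to configure-endpoints-gp-windows-defender-advanced-threat-protection.md, or that a redirect is in place, so existing bookmarks and cross-references do not break.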

@ -16,7 +16,7 @@ author: mjcaparas
- Windows 10 Insider Preview Build 14332 or later
- Azure Active Directory
- Office 365
<!--Office 365-->
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
@ -34,6 +34,13 @@ Users with read only access can log in, view all alerts, and related information
They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role.
<!--
Your administrator can assign roles using the Office 365 portal, or in the Azure classic portal, or by using the AAD module for Windows PowerShell.
For more information, see [Assigning admin roles in Office 365](https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US) and [Assigning administrator roles in Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/).
For more information, see [Assigning admin roles in Office 365](https://support.office.com/en-us/article/Assigning-admin-roles-in-Office-365-eac4d046-1afd-4f1a-85fc-8219c79e1504?ui=en-US&rs=en-US&ad=US) and [Assigning administrator roles in Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-assign-admin-roles/).-->
Use the following cmdlets to perform the security role assignment:
- Full access:<br>```Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader@Contoso.onmicrosoft.com”```
- Read only access:<br>```Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"```
For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/en-us/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
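Review bot: The two cmdlet bullets have their labels swapped. "Full access" is shown with `-RoleName "Security Reader"` and "Read only access" with `-RoleName "Security Administrator"`, which contradicts the sentence just above that read only access means the "Security Reader" role. As written, an admin following the "Read only access" line grants Security Administrator, which is the wrong direction for a least-privilege assignment. Swap the labels (or the role names and sample addresses). In the same bullet, the address in the first command is wrapped in curly quotes (“reader@Contoso.onmicrosoft.com”) while the second uses straight quotes; use straight quotes in both so the command can be pasted safely. The "For more information, see [Assigning admin roles in Office 365]..." sentence also appears twice inside the HTML comment.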

@ -23,8 +23,10 @@ The topics in this library have been updated for Windows 10, version 1607 (also
|New or changed topic | Description |
|----------------------|-------------|
|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |New |
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New |
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New |
|[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New |
|[Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (multiple topics) | Updated |
|[Device Guard deployment guide](device-guard-deployment-guide.md) (multiple topics) | Updated |
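Review bot: The row for create-edp-policy-using-sccm.md appears twice in this hunk, as the first table row and again after the Intune row; unless one of them is a removed line, the change history lists the same topic twice and one copy should go. The WIP row is titled "Mandatory settings for Windows Information Protection (WIP)" here but "Mandatory tasks and settings required to turn on Windows Information Protection (WIP)" in the TOC for the same mandatory-settings-for-wip.md file; use one title in both places.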

@ -0,0 +1,111 @@
---
title: Configure Windows Defender ATP endpoints using Group Policy
description: Use Group Policy to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using group policy, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, group policy
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using Group Policy
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
> **Note**&nbsp;&nbsp;To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
### Onboard endpoints
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
9. Click **OK** and close any open GPMC windows.
## Additional Windows Defender ATP configuration settings
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
### Configure sample collection settings
1. On your GP management machine, copy the following files from the
configuration package:
a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
2. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), right-click the GPO you want to configure and click **Edit**.
3. In the **Group Policy Management Editor**, go to **Computer configuration**.
4. Click **Policies**, then **Administrative templates**.
5. Click **Windows components** and then **Windows Advanced Threat Protection**.
6. Choose to enable or disable sample sharing from your endpoints.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click Edit.
4. In the **Group Policy Management Editor**, go to **Computer configuration,** then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check-box.
8. Go to the **Actions** tab and click **New...**. Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd* file.
9. Click **OK** and close any open GPMC windows.
## Monitor endpoint configuration
With Group Policy there isnt an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor endpoints using the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines view**.
3. Verify that endpoints are appearing.
> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
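Review bot: Steps 6 to 8 of both the onboarding and offboarding procedures have the Immediate task run a .cmd file from a network share as the local SYSTEM account with highest privileges, but step 2 only says "a shared, read-only location that can be accessed by the endpoints". Please state who the share is read-only for: write access should be limited to the administrators who publish the package, and endpoints should have read access only, because whoever can modify that script decides what runs as SYSTEM on every endpoint in the GPO's scope. Smaller points: "### Onboard endpoints" sits directly under the H1 with no H2 above it, and "## Monitor endpoints using the portal" reads as a subsection of "## Monitor endpoint configuration" but is at the same level; "isnt" and "packages expiry date" are missing apostrophes; "click Edit" in offboarding step 3 is not bold, unlike onboarding step 3; and the Machines view note mentions "the time it takes before the user logs on" although the task is configured with "Run whether user is logged on or not".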

@ -0,0 +1,92 @@
---
title: Configure Windows Defender ATP endpoints using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using Mobile Device Management tools
**Applies to:**
- Windows 10 Insider Preview Build 14379 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
## Configure endpoints using Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
### Onboard and monitor endpoints
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Mobile Device Management/Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1 <br> Default value: 1 | Windows Defender ATP Sample sharing is enabled
> **Note**&nbsp;&nbsp;The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
### Offboard and monitor endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
- Offboarding
- Health Status for offboarded machines
- Configuration for offboarded machines
Policy | OMA-URI | Type | Value | Description
:---|:---|:---|:---|:---
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP
> **Note**&nbsp;&nbsp;The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
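Review bot: The offboarding section lists "Configuration for offboarded machines" as one of its three policy sub-categories, but the offboarding table has rows only for Offboarding and Health Status, so either add the missing row or drop the bullet. The sentence "For more information on using Windows Defender ATP CSP see, ..." is repeated verbatim before and after the "## Configure endpoints using Microsoft Intune" heading; keep one. In both tables the continuation rows start with a bare `|` to leave the Policy cell empty while the other rows have no leading pipe; in renderers that treat a leading pipe as optional, the OMA-URI in those rows shifts into the Policy column, so give every row the same leading-pipe style. "Mobile Device Management /Microsoft Intune" in offboarding step 1b has a stray space compared with onboarding step 1b, and "packages expiry date" is missing its apostrophe.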

@ -0,0 +1,94 @@
---
title: Configure Windows Defender ATP endpoints using System Center Configuration Manager
description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using System Center Configuration Manager
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
<span id="sccm1606"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
<span id="sccm1602"/>
## Configure endpoints using System Center Configuration Manager (current branch) version 1602 or earlier versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in System Center Configuration Manager (current branch), version 1602 or earlier, including: System Center 2012 R2 Configuration Manager and System Center 2012 Configuration Manager.
### Onboard endpoints
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **System Center Configuration Manager (current branch) version 1602 or earlier**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
### Monitor endpoint configuration
Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
**To confirm the configuration package has been correctly deployed:**
1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
2. Click **Overview** and then **Deployments**.
3. Click on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
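Review bot: "Monitor endpoint configuration" says monitoring with SCCM consists of two parts, but only the first ("To confirm the configuration package has been correctly deployed") gets a procedure; the second part, checking that endpoints are compliant with the Windows Defender ATP service, has no steps or link. Add the procedure or point to the troubleshooting topic for it. Also: `<span id="sccm1606"/>` and `<span id="sccm1602"/>` use self-closing syntax on a non-void element, which HTML parsers read as an unclosed span, so write `<span id="sccm1606"></span>`; "Configuration Managers existing functionality" is missing an apostrophe; in "**Failed statuses**" the bold should cover only the status name; and step 4 of each procedure has a lone sub-step "a." that reads better as part of the step itself.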

@ -0,0 +1,70 @@
---
title: Configure Windows Defender ATP endpoints using a local script
description: Use a local script to deploy the configuration package on endpoints so that they are onboarded to the service.
keywords: configure endpoints using a local script, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Configure endpoints using a local script
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Local Script**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd*
5. Press the **Enter** key or click **OK**.
See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
## Offboard endpoints using a local script
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> **Note**&nbsp;&nbsp;Onboarding and offboarding policies must not be deployed on the same endpoint at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
5. Press the **Enter** key or click **OK**.
## Related topics
- [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
- [Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
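Review bot: In the offboarding procedure, step 1b tells the reader to select **Group Policy** under **Endpoint offboarding**, but this topic is about the local script, so it looks like it was copied from the Group Policy topic; please confirm which package type is intended and name it here. Step 2 also says to extract to "a shared, read-only location that can be accessed by the endpoints" while step 4 assumes the file was copied to the Desktop, so pick one location and use it in both steps. In step 4, say that YYYY-MM-DD has to be replaced with the date in the downloaded file name, since the paragraph above states that expired packages are rejected. Minor: "packages expiry date" is missing its apostrophe.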

View File

@ -24,140 +24,14 @@ Endpoints in your organization must be configured so that the Windows Defender A
Windows Defender ATP supports the following deployment tools and methods:
- Group Policy
- System Center Configuration Manager (current branch) version 1606
- System Center 2012 Configuration manager or later versions
- Mobile Device Management
- Microsoft Intune
- System Center Configuration Manager
- Mobile Device Management (including Microsoft Intune)
- Local script
## Configure endpoints with Group Policy
> **Note**&nbsp;&nbsp;To use GP updates to deploy the package, you must be on Windows Server 2008 R2 or later.
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Group Policy**, click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate task**.
6. In the **Task** window that opens, go to the **General** tab. Choose the local SYSTEM user account under **Security options**.
7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
9. Click **OK** and close any open GPMC windows.
For additional settings, see the [Additional configuration settings section](additional-configuration-windows-defender-advanced-threat-protection.md).
## Configure endpoints with System Center Configuration Manager (current branch) version 1606
System Center Configuration Manager (current branch) version 1606, currently in technical preview, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see the [Support for Windows Defender Advanced Threat Protection service](https://technet.microsoft.com/en-us/library/mt706220.aspx#BKMK_ATP) section.
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
## Configure endpoints with System Center 2012 Configuration Manager or later versions
You can use System Center Configuration Managers existing functionality to create a policy to configure your endpoints. This is supported in System Center 2012 Configuration Manager or later versions, including: System Center 2012 R2 Configuration Manager, System Center Configuration Manager and System Center Configuration Manager (current branch), version 1602 or earlier.
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **System Center Configuration Manager**, click **Download package**, and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682112.aspx#BKMK_Import) topic.
4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682178.aspx) topic.
a. Choose a predefined device collection to deploy the package to.
## Configure endpoints with Mobile Device Management tools
You can use mobile device management (MDM) solutions to configure endpoints. Windows Defender ATP supports MDMs by providing OMA-URIs to create policies to manage endpoints.
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
## Configure endpoints with Microsoft Intune
For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723297(v=vs.85).aspx).
> **Note**&nbsp;&nbsp; If you intend to use this deployment tool, ensure that you are on Windows 10 Insider Preview Build 14379 or later. This deployment method is only available from that build or later.
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Microsoft Intune**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATP.onboarding*.
3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
These policies are categorized into two groups:
- Onboarding - Use the onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to:
- Onboarding
- Health Status for onboarded machines
- Configuration for onboarded machines
- Offboarding - Use the offboarding policies to remove configuration settings on endpoints. These policies can be sub-categorized to:
- Offboarding
- Health Status for offboarded machines
- Configuration for offboarded machines
> **Warning**&nbsp;&nbsp;These two groups must not be deployed on the same machine at same time, otherwise this will cause unpredictable collisions.
Policy | OMA-URI | Type | Description | Value
:---|:---|:---|:---|:---
Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Onboarding | Copy content from onboarding MDM file
Health Status for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is running | TRUE
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Onboarded to Windows Defender ATP | 1
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Onboarded to Organization ID | Use OrgID from onboarding file
Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | Windows Defender ATP Sample sharing is enabled | 0 or 1 <br> Default value: 1
Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Offboarding | Copy content from offboarding MDM file
Health Status for offboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | Windows Defender ATP service is not running | FALSE
| ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | Offboarded from Windows Defender ATP | 0
> **Note**&nbsp;&nbsp;Policies **Health Status for onboarded machines** and **Health Status for offboarded machines** use read-only properties and can't be remediated.
## Configure endpoints individually with a local script
You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network.
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
a. Click **Endpoint Management** on the **Navigation pane**.
b. Select **Local Script**, click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the endpoint you want to onboard (for example, the Desktop). You should have a file called *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the endpoint and run the script:
a. Click **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
![Window Start menu pointing to Run as administrator](images/run-as-admin.png)
4. Type the location of the script file. If you copied the file to the desktop, type: *`%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd`*
5. Press the **Enter** key or click **OK**.
See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for details on how you can manually validate that the endpoint is compliant and correctly reports telemetry.
## Related topics
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
## In this section
Topic | Description
:---|:---
[Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) | Use Group Policy to deploy the configuration package on endpoints.
[Configure endpoints using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) | You can use either use System Center Configuration Manager (current branch) version 1606 or System Center Configuration Manager(current branch) version 1602 or earlier to deploy the configuration package on endpoints.
[Configure endpoints using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) | Use Mobile Device Managment tools or Microsoft Intune to deploy the configuration package on endpoints.
[Configure endpoints using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md) | Learn how to use the local script to deploy the configuration package on endpoints.
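Review bot: The new "In this section" table has wording errors in two rows: the Configuration Manager row reads "You can use either use System Center Configuration Manager ..." and is missing a space in "Configuration Manager(current branch)", and the MDM row misspells "Managment". The same Configuration Manager row still names versions 1606 and 1602 while the shortened tools list above it now says only "System Center Configuration Manager", so decide whether version detail belongs on this landing page or only in the child topic. The "must not be deployed on the same machine at same time" warning leaves this page with the Intune section; please check that the MDM child topic carries it, as the local script topic does.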

View File

@ -179,8 +179,5 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
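Review bot: The context sentence above the trimmed Related topics list, "If the any of the verification steps indicate a fail", has a stray "the" and reads awkwardly; since this file is being edited anyway, change it to "If any of the verification steps fail". If the commented-out service onboarding link survives this change, delete it rather than carrying it as an HTML comment.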

View File

@ -0,0 +1,109 @@
---
title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10)
description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
---
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
If you dont already have an EFS DRA certificate, youll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, well use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>**Important**<br>
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).<p>If your DRA certificate has expired, you wont be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate**
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
2. Run this command:
`cipher /r:<EFSRA>`
Where *&lt;EFSRA&gt;* is the name of the .cer and .pfx files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
>**Important**<br>
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location.
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
>**Note**<br>
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic.
**To verify your data recovery certificate is correctly set up on an WIP client computer**
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so its encrypted by WIP.
2. Open an app on your protected app list, and then create and save a file so that its encrypted by WIP.
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
`cipher /c <filename>`
Where *&lt;filename&gt;* is the name of the file you created in Step 1.
4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
**To recover your data using the EFS DRA certificate in a test environment**
1. Copy your WIP-encrypted file to a location where you have admin access.
2. Install the EFSDRA.pfx file, using its password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
`cipher /d <encryptedfile.extension>`
Where *&lt;encryptedfile.extension&gt;* is the name of your encrypted file. For example, corporatedata.docx.
**To quickly recover WIP-protected desktop data after unenrollment**<br>
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
>**Important**<br>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device.
1. Have your employee sign in to the unenrolled device, open a command prompt, and type:
`Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW`
Where *&lt;”new_location”&gt;* is in a different directory. This can be on the employees device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent.
2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing:
`cipher.exe /D <“new_location”>`
3. Have your employee sign in to the unenrolled device, and type:
`Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”`
4. Ask the employee to lock and unlock the device.
The Windows Credential service automatically recovers the employees previously revoked keys from the `Recovery\Input` location.
## Related topics
- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx)
- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx)
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA)
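Review bot: The commands under "To quickly recover WIP-protected desktop data after unenrollment" use typographic quotes, for example `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW`, and the placeholder mixes opening and closing marks (`<“new_location”>` in step 1, `<”new_location”>` in step 3); a reader who pastes these into a command prompt will not get quoted paths, so use straight quotes and one placeholder form throughout. In the creation steps the command is `cipher /r:<EFSRA>` while the surrounding text and output files are named EFSDRA, so align the placeholder. In the verification procedure, steps 1 and 2 both tell the reader to open an app and save a WIP-encrypted file, and step 3 then refers to "the file you created in Step 1"; merge the two steps. The Important note says recovery must only happen after the employee has re-enrolled, yet steps 1 and 3 say "sign in to the unenrolled device", which reads as a contradiction. Since step 1 copies the Recovery folder to a second location, it would also help to say who may access that location and that it should be cleared after step 3. Minor: the keywords list repeats "WIP", and "an WIP client computer" should be "a WIP client computer".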

View File

@ -422,7 +422,7 @@ There are no default locations included with EDP, you must add each of your netw
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png)
![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png)
After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
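Review bot: Step 5 requires a DRA certificate upload but gives the reader no pointer on how to obtain one, and the only visible change in this hunk is the repeated image line, which looks like a whitespace or indentation change. This commit adds the topic "Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate", so link to it from this step. If you touch the paragraph below, "unencrypt" would read better as "decrypt".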

View File

@ -15,14 +15,14 @@ author: eross-msft
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
- System Center Configuration Manager Technical Preview version 1605 or later
- System Center Configuration Manager (version 1605 Tech Preview or later)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
>**Important**<br>
If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using Configuration Manager Technical Preview version 1605 or later. Editing an EDP policy created in version 1511 or 1602 is not supported in the Technical Preview version 1605 or later. There is no migration path between EDP policies across these versions.
If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions.
## Add an EDP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
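Review bot: In the reworded Important note, "is not supported in version 1605 Tech Preview" drops the "or later" that the replaced sentence had and that the preceding sentence in the same note still uses ("version 1605 Tech Preview or later"). As written it suggests editing older policies might be supported in releases after 1605; restore "or later" if the restriction still applies.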
@ -64,14 +64,14 @@ During the policy-creation process in System Center Configuration Manager, you c
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
>**Important**<br>
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App Rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
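Review bot: The label is changed to **App rules** in the Important note and in step 1, but the unchanged sentence between them still says "to the **App Rules** list", and the same old casing remains in the context lines of the later hunks in this file ("a desktop app, to the **App Rules** list"). Update every occurrence in the file so the text matches the UI label consistently.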
@ -153,7 +153,7 @@ If you don't know the publisher or product name, you can find them for both desk
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
@ -293,7 +293,7 @@ For this example, were going to add an AppLocker XML file to the **App Rules*
12. After youve created your XML file, you need to import it by using System Center Configuration Manager.
**To import your Applocker policy file app rule using 1System Center Configuration Manager**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
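Review bot: The procedure heading just above the changed step reads "using 1System Center Configuration Manager", with a stray "1", and spells "Applocker" where the rest of the file uses "AppLocker". Both are in context lines, but they sit directly above the line this hunk edits and are worth fixing in the same pass.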
@ -318,7 +318,7 @@ If you're running into compatibility issues where your app is incompatible with
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App Rules** area, click **Add**.
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
@ -409,12 +409,12 @@ There are no default locations included with EDP, you must add each of your netw
<td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<p>This list shouldnt include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range (Required, if not using IPv6)</td>
<td>Enterprise IPv4 Range (Required)</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range (Required, if not using IPv4)</td>
<td>Enterprise IPv6 Range</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
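Review bot: Changing the row labels to "Enterprise IPv4 Range (Required)" and plain "Enterprise IPv6 Range" removes the earlier either-or wording, so an IPv6-only network is now told an IPv4 range is mandatory, and nothing says whether the IPv6 range is optional. If that is the intended behaviour, label the IPv6 row "(Optional)" and say in the IPv4 description what to enter when the intranet has no IPv4 range. Since these ranges define the corporate network boundary, the examples should also be unambiguous: the IPv6 **Custom URI** example starts with a single address, `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`, rather than a start-end range like the IPv4 example.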
@ -440,7 +440,7 @@ There are no default locations included with EDP, you must add each of your netw
- **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png)
After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.

View File

@ -45,7 +45,7 @@ See the [View and organize the Windows Defender Advanced Threat Protection Alert
The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to its label).
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
@ -54,7 +54,7 @@ Click the name of the machine to see details about that machine. See the [Invest
You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
## Status
The **Status** tile informs you if the service is active and running and the specific number of machines (endpoints) reporting to Windows Defender ATP.
The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.
![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png)
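Review bot: The Status tile description now says it shows "the unique number of machines (endpoints) reporting over the past 30 days", but the image alt text on the next line still describes "the total number of machines reporting to the service". Update the alt text to match; "the number of unique machines" would also read more naturally than "the unique number of machines".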
@ -66,7 +66,7 @@ The **Machines reporting** tile shows a bar graph that represents the number of
## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
Active malware is defined as threats that are actively executing at the time of detection.
Active malware is defined as threats that were actively executing at the time of detection.
Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days.

View File

@ -242,9 +242,6 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender ATP](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
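Review bot: in this Related topics list, make sure the three removed entries include the link to monitor-onboarding-windows-defender-advanced-threat-protection.md, because this commit deletes the "Monitor Windows Defender ATP onboarding" topic and a surviving link would be dead. The commented-out service-onboarding link at the top of the list points at a topic that also appears to be deleted in this commit ("Windows Defender ATP service onboarding"), so the comment can be removed as well.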

View File

@ -23,6 +23,7 @@ This section includes info about the enlightened Microsoft apps, including how t
## In this section
|Topic |Description |
|------|------------|
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. |
|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
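Review bot: the added first row uses the new name, Windows Information Protection (WIP), while the two rows below it still title their topics "enterprise data protection (EDP)", so the table now mixes both names. The new row does say "formerly known as", but either rename the remaining link text in the same change or note that the other topics will follow, so readers do not take WIP and EDP for two separate features.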

Binary file not shown.

View File

@ -27,11 +27,11 @@ The following table lists security threats and describes the corresponding Devic
| Security threat in the enterprise | How a Device Guard feature helps protect against the threat |
| --------------------------------- | ----------------------------------------------------------- |
| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:&nbsp;&nbsp;You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.<br><br>**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. |
| **Exposure to new malware**, for which the "signature" is not yet known | **Code integrity policies**:&nbsp;&nbsp;You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than trying to stay ahead of attackers by maintaining a constantly-updated list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.<br>Only code that is verified by Code Integrity, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.<br><br>**Specialized hardware required?** No security-related hardware features are required, although code integrity policies are strengthened by such features, as described in the last three rows of this table. |
| **Exposure to unsigned code** (most malware is unsigned) | **Code integrity policies, plus catalog files as needed**:&nbsp;&nbsp;Because most malware is unsigned, using a code integrity policy (which in most cases requires signed code) can immediately help protect against a large number of threats. However, many organizations use unsigned line-of-business (LOB) applications, for which the process of signing might be difficult. This has changed in Windows 10, because you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by code integrity policies in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.<br><br>**Specialized hardware required?** No security-related hardware features are required for creating and using code integrity policies and catalogs. However, code integrity policies and catalogs are strengthened by the hardware features, as described in later rows of this table. |
| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:&nbsp;&nbsp;This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based security (VBS)**:&nbsp;&nbsp;This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.<br>With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.<br><br>**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:&nbsp;&nbsp;With this type of VBS protection, when the DMA-based attack makes a memory request, input/output memory management units (IOMMUs) will evaluate the request and deny access.<br><br>**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. |
| **Exposure to boot kits** or to other forms of malware that runs early in the boot process, or in kernel after startup | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:&nbsp;&nbsp; Secure Boot and related methods protect the boot process and firmware from tampering.<br><br>**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:&nbsp;&nbsp; Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Device Guard security.<br><br>**Specialized hardware required?** With UEFI Secure Boot, the requirements are firmware requirements. For more information, see [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). |
In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md).
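Review bot: in the rewritten boot kits row, the new sentence "UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA)" states the lockdown as a given, although the row's own "Specialized hardware required?" text says these are firmware requirements that have to be met. Reword it to say that these UEFI settings must be protected against change for the guarantee to hold, and point to the requirements topic already linked in the row. In the VBS row, "R/W/X permissions" should be spelled out once (read, write, execute) for readers who are not kernel developers.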

View File

@ -121,7 +121,7 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
5. Change the organizational unit through the Group Policy. See [Configure with Group Policy](additional-configuration-windows-defender-advanced-threat-protection.md#configure-with-group-policy).
5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
> **Note**&nbsp;&nbsp;If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
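Review bot: the replacement link in step 5 drops the "#configure-with-group-policy" fragment and points at the top of configure-endpoints-gp-windows-defender-advanced-threat-protection.md; confirm that topic actually covers the sample collection setting and, if it has a section for it, link to that section's anchor. Step 5's "Change the organizational unit through the Group Policy" is also hard to follow next to the AllowSampleCollection registry values, so name the policy setting the reader is expected to change.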

View File

@ -106,7 +106,6 @@ Use the search bar to look for specific alerts or files associated with the mach
You can also filter by:
- Signed or unsigned files
- Detections mode: displays Windows ATP Alerts and detections
- Behaviors mode: displays "detections" and selected events of interest
- Verbose mode: displays "behaviors" (including "detections"), and all reported events
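Review bot: the mode bullets in this filter list define each other (Verbose mode is described through "behaviors", Behaviors mode through "detections"), so whichever bullet this hunk removes, check that the surviving descriptions do not refer to a mode that is no longer listed. If the Detections mode bullet stays, "Windows ATP Alerts" should use the product name used elsewhere in these topics, Windows Defender ATP.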

View File

@ -0,0 +1,32 @@
---
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise.
keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
---
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
>**Important**<br>
All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise.
|Task |Description |
|------------------------------------|--------------------------|
|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.|
|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.|
|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. |
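Review bot: in the new task table, the "Specify your Enterprise IPv4 or IPv6 Ranges" row sends readers to the **Define your enterprise-managed corporate identity** section, the same section the corporate identity row cites, while the neighbouring Enterprise Network Domain Names row cites **Choose where apps can access enterprise data**; this looks like a copy-paste slip, and the IP range row should probably cite the network section too. Smaller points in the same table: "the level of protection level" repeats a word, and the cited section names still say EDP ("Manage the EDP protection level...", "...DRA certificate for EDP") in a topic that otherwise uses WIP, so confirm they match the current headings in the policy creation topics.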

View File

@ -98,7 +98,7 @@ Although the Microsoft account was designed to serve consumers, you might find s
- **Integrated social media services**:
Contact information and status for your users friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as SkyDrive, Facebook, and Flickr.
Contact information and status for your users friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr.
### Managing the Microsoft account in the domain
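Review bot: the corrected sentence under "Integrated social media services" still reads "your users friends and associates", which is missing the possessive apostrophe ("your users' friends and associates"); fix it in the same edit as the SkyDrive to OneDrive rename. While the product list is being updated, check whether "Hotmail" is still the name you want next to "Outlook".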

View File

@ -1,66 +0,0 @@
---
title: Monitor Windows Defender ATP onboarding
description: Monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
keywords: monitor onboarding, monitor Windows Defender ATP onboarding, monitor Windows Defender Advanced Threat Protection onboarding
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Monitor Windows Defender Advanced Threat Protection onboarding
**Applies to:**
- Windows 10 Insider Preview Build 14322 or later
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can monitor the onboarding of the Windows Defender ATP service to ensure your endpoints are correctly configured and are sending telemetry reports.
You might need to monitor the onboarding if the package did not configure the registry correctly, or the reporting client did not start or execute correctly.
Monitoring can be done directly on the portal, or by using System Center Configuration Manager (SCCM).
## Monitor with the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
2. Click **Machines view**.
3. Verify that endpoints are appearing.
> **Note**&nbsp;&nbsp;It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Monitor with System Center Configuration Manager
Monitoring with SCCM consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the endpoints in your network.
2. Checking that the endpoints are compliant with the Windows Defender ATP service (this ensures the endpoint can complete the onboarding process and can continue to report data to the service).
**To confirm the configuration package has been correctly deployed:**
1. In the SCCM console, click **Monitoring** at the bottom of the navigation pane.
2. Click **Overview** and then **Deployments**.
3. Click on the deployment with the package name.
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (endpoints with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the endpoints. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) topic for more information.
![SCCM showing successful deployment with no errors](images/sccm-deployment.png)
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
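Review bot: this deleted topic is where the portal check lives (Machines view, with the note that endpoints can take several days to appear) along with the SCCM deployment status check; confirm both are covered in a topic that remains, for example the troubleshooting topic it links to, before removing the file. Also confirm every inbound link is removed or redirected: within this commit, the Related topics list and the "In this section" table of the onboarding topic both carried links to it.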

View File

@ -21,21 +21,9 @@ author: iaanw
You need to onboard to Windows Defender ATP before you can use the service.
<!--There are two stages to onboarding:
1. Set up user access in AAD and use a wizard to create a dedicated
cloud instance for your network (known as “service onboarding”).
2. Add endpoints to the service with System Center Configuration Manager, scheduled GP updates, or manual
registry changes.-->
<!--[Service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md) | Learn about managing user access to the Windows Defender ATP portal by assigning users to the Windows Defender ATP service application in Azure Active Directory (AAD).-->
## In this section
Topic | Description
:---|:---
[Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to configure endpoints for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure endpoints in your enterprise.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md) | Learn how to configure settings for sample sharing used in the deep analysis feature.
[Monitor onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md) | Learn how you can monitor the onboarding to ensure your endpoints are correctly configured and are sending telemetry reports.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
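Review bot: if the "[Additional configuration settings] (additional-configuration-windows-defender-advanced-threat-protection.md)" row is one of the lines that stays in this table, the space between "]" and "(" stops it rendering as a link. The "Monitor onboarding" row has to be among the removed lines, since its target topic is deleted in this commit, and the commented-out service onboarding blocks above the table can be deleted outright rather than kept as comments.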

View File

@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager Technical Preview versi
|------|------------|
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
 
 
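Review bot: the added table row for the EFS DRA certificate topic has a stray "]" after the link target ("(create-and-verify-an-efs-dra-certificate.md)] |"), which will render as a literal bracket in the first column; remove it. In the same row's description, "using a Encrypting File System" should be "using an Encrypting File System".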

View File

@ -17,7 +17,7 @@ This article describes the following:
- [Hardware, firmware, and software requirements for Device Guard](#hardware-firmware-and-software-requirements-for-device-guard)
- [Device Guard requirements for baseline protections](#device-guard-requirements-for-baseline-protections)
- [Device Guard requirements for additional protections](#device-guard-requirements-for-additional-protections)
- [Device Guard requirements for improved security](#device-guard-requirements-for-improved-security)
- [Device Guard deployment in different scenarios: types of devices](#device-guard-deployment-in-different-scenarios-types-of-devices)
- [Reviewing your applications: application signing and catalog files](#reviewing-your-applications-application-signing-and-catalog-files)
- [Code integrity policy formats and signing](#code-integrity-policy-formats-and-signing)
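Review bot: renaming the list entry and heading to "Device Guard requirements for improved security" changes the generated anchor from #device-guard-requirements-for-additional-protections to #device-guard-requirements-for-improved-security, so any other topic that deep-links to the old anchor will silently land at the top of the page. Search the library for the old fragment and update those links in this commit.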
@ -32,11 +32,13 @@ For example, hardware that includes CPU virtualization extensions and SLAT will
You can deploy Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features.
The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features.
<!-- POTENTIAL FUTURE ADDITION--PUT RIGHT AFTER PREVIOUS SENTENCE: The tables describe baseline protections, plus additional protections associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. -->
<!-- POTENTIAL FUTURE ADDITION--PUT RIGHT AFTER PREVIOUS SENTENCE: The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. -->
> **Note**&nbsp;&nbsp;For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
> **Notes**
> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
## Device Guard requirements for baseline protections
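Review bot: the first bullet of the new Notes block expands UEFI as "Universal Extensible Firmware Interface"; the acronym stands for Unified Extensible Firmware Interface, and the same expansion appears in the threats table of the introduction topic this bullet links to. Separately, the two versions of "The following tables provide more information..." appear to differ only in trailing whitespace; drop that change from the commit if it is unintentional.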
@ -51,17 +53,15 @@ The following tables provide more information about the hardware, firmware, and
<!-- When additional tables are added, change "The following table lists" to "The following tables list" in the Important just below. -->
> **Important**&nbsp;&nbsp;The preceding table lists requirements for baseline protections. The following table lists requirements for additional protections. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support additional protections.
> **Important**&nbsp;&nbsp;The preceding table lists requirements for baseline protections. The following table lists requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
## Device Guard requirements for additional protections
## Device Guard requirements for improved security
The following tables describes additional hardware and firmware requirements, and the additional protections that are available when those requirements are met. We strongly recommend the following additional protections, which help you maximize the benefits that Device Guard can provide.
to take advantage of all the security options Device Guard can provide.
The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
### 2015 Additional Qualification Requirements for Device Guard (Windows 10, version 1507 and Windows 10, version 1511)
|Additional Protections - requirement | Description |
| Protections for Improved Security - requirement | Description |
|---------------------------------------------|----------------------------------------------------|
| Firmware: **Securing Boot Configuration and Management** | **Requirements**:<br>- BIOS password or stronger authentication must be supported.<br>- In the BIOS configuration, BIOS authentication must be set.<br>- There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>- In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.<br><br>**Security benefits**:<br>- BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>- Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
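Review bot: the rewritten intro sentence keeps the agreement error "The following tables describes"; with one table shown under this heading and the Important note above saying "The following table lists", make it "The following table describes". The rename is also incomplete: the column header now reads "Protections for Improved Security" but the subheading directly above it is still "2015 Additional Qualification Requirements for Device Guard", so decide whether "Additional" there is an official program name or should follow the new wording.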

View File

@ -1,121 +0,0 @@
---
title: Windows Defender ATP service onboarding
description: Assign users to the Windows Defender ATP service application in Azure Active Directory to grant access to the portal.
keywords: service onboarding, Windows Defender Advanced Threat Protection service onboarding, manage users,
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
---
# Windows Defender ATP service onboarding
**Applies to:**
- Windows 10 Insider Preview Build 14332 or later
- Azure Active Directory
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You have to assign users to the Windows Defender ATP Service application in Azure Active Directory (AAD) before they can access the portal.
**Manage user access to the Windows Defender ATP portal**:
1. When you first go to the [Windows Defender ATP portal](https://securitycenter.windows.com/) and your directory does not
have users assigned to the Windows ATP Service application, you will
be directed to open the [Microsoft Azure Dashboard](https://portal.azure.com) to manage user access.
> **Note**&nbsp;&nbsp;In AAD, a directory is essentially a tenant. See the [Azure AD documentation](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx) for more information on how tenants work with AAD.
2. Ensure you have logged in to Microsoft Azure with an account that
has permissions to assign users to an application in AAD. You might
need to sign out of Microsoft Azure and then sign back in again if
you used a different account to sign in to the Windows Defender ATP
portal:
a. On the top menu, click the signed-in users name.
b. Click **Sign out**.
![Azure sign out](images/azure-signout.png)
c. Go the [Microsoft Azure Dashboard](https://portal.azure.com) again where you will be asked to sign in.
d. Sign in with the correct user name and password for an account that has permissions to assign users in AAD.
3. On the **Microsoft Azure Dashboard**, click **Browse** in the navigation pane and then click **Active Directory** to open the [Azure Management Portal](https://manage.windowsazure.com/).
![Azure Active Directory menu](images/azure-browse.png)
4. You might need to open the **Directory** section of the [Azure Management Portal](https://manage.windowsazure.com/) so you can access your directory. There are two ways you can do this:
a. Click the arrow icon above the list of directories to see the full list of directories in the main area of the portal.
![Azure organization menu](images/azure-org-directory.png)
b. Scroll down in the navigation pane and click **Active Directory**.
![Azure active directory](images/azure-active-directory.png)
5. Click the directory that contains the Windows Defender ATP application. In the following example, the directory is
called **Contoso**.
![Azure active directory list](images/azure-active-directory-list.png)
> **Note**&nbsp;&nbsp;You can also access your directory by going straight to the [Azure Management Portal](https://manage.windowsazure.com/), clicking Active Directory and then finding your directory in the list.
6. Click **Applications** from the top menu bar.
![Example organization in Azure Active Directory](images/contoso.png)
7. Click the **Windows ATP Service** application. The dashboard for the application is shown.
![Example selected organization in Azure Active Directory](images/contoso-application.png)
> **Note**&nbsp;&nbsp;The application might have a slightly different name than the one shown here. It might be called **Windows Defender ATP Service**.
8. Click **Users** from the top menu bar. A list of users that are in the directory is displayed.
![Example windows atp service users](images/windows-atp-service.png)
![Example user assignment to the windows atp service](images/assign-users.png)
> **Note**&nbsp;&nbsp;If you do not normally work with AAD, you might not see any users in the directory, or we might have created a test tenant specifically for a single users account. See the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section for instructions on adding users to a directory.
9. Select the user you want manage.
10. Click **Assign**.
11. Confirm that you want to enable access for the user from the notification bar. If you click **Yes**, the user is given access to the Windows Defender ATP portal. One or more progress bars will appear that indicates the user is being assigned a role, and you will see confirmation messages. You dont need to do anything with the messages, they will go away after a short period of time.
![Confirmation page to enable access to users](images/confirm-user-access.png)
12. To remove the user's access, click **Remove**.
13. Select the **Disable access to this app for the selected users** checkbox, and then click **Complete** ![Complete icon](images/check-icon.png). One or more progress bars will appear, followed by confirmation messages. The messages will disappear after a short period.
![Remove menu](images/remove-menu.png)
14. To remove the access for all users, click **Manage access**. If you click **Complete** ![Complete icon](images/check-icon.png), you will not see the Windows ATP Service in the list of applications in your directory.
> **Note**&nbsp;&nbsp;If you want to give access to users again, see the Manage access for all users in Azure Active Directory topic in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
15. You can continue assigning roles for other users in your organization now, or you can return to the Windows Defender ATP portal to complete the service onboarding wizard.
> **Note**&nbsp;&nbsp;You need to assign roles for every user in your organization that requires access to the Windows Defender ATP portal. You can assign roles at any time by going to the Azure Management Portal, clicking **Active Directory**, and then finding your directory in the list and following the steps above.
When you have finished assigning roles, return to the [Windows Defender ATP portal](https://securitycenter.windows.com) and refresh the
page.
Follow the steps in the onboarding wizard to complete the onboarding process.
At the end of the wizard, you can download the Group Policy configuration package which you will use to configure endpoints on your network. You can also download the package from the **Endpoint Management** menu on the portal after you have completed the onboarding wizard.
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
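Review bot: step 14 gives the effect of removing access for all users ("you will not see the Windows ATP Service in the list of applications in your directory") only after it has told the reader to click **Manage access** and **Complete**. This is the step that takes portal access away from everyone, so state the consequence before the click. Steps 12 to 14 would also be better split out of the assignment procedure into their own short removal procedure. Smaller wording fixes in the same hunk: "Go the [Microsoft Azure Dashboard]" in step 2c and "Select the user you want manage" in step 9 are each missing "to".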

View File

@ -74,7 +74,7 @@ Event ID | Error Type | Resolution steps
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer].(event-error-codes-windows-defender-advanced-threat-protection.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
<br>
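Review bot: in the Event ID 10 row the registry path is given as `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat`, while the Event ID 35 row in the same table uses `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`. Please confirm whether the row 10 key name is missing "Protection", because an administrator checking permissions needs the exact key. The same row says "the script was ran", which should be "was run". The Event ID 35 row says "You can manually test it and check if it's there" without naming what to look for; a short pointer to the value under the Status key would make that step actionable.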
@ -436,8 +436,6 @@ Log in to the application in the Azure Management Portal again:
-->
## Related topics
<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
- [Additional Windows Defender ATP configuration settings](additional-configuration-windows-defender-advanced-threat-protection.md)
- [Monitor the Windows Defender ATP onboarding](monitor-onboarding-windows-defender-advanced-threat-protection.md)
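Review bot: the Related topics list still carries a commented-out entry, `<!--- [Windows Defender ATP service onboarding](service-onboarding-windows-defender-advanced-threat-protection.md)-->`, above the live links. If that topic is published, restore the link; if it is not, delete the line rather than keeping a dead reference in the source.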

View File

@ -51,6 +51,13 @@ A VPN profile configured with LockDown secures the device to only allow network
- Only one VPN LockDown profile is allowed on a device.
> **Note:**  For inbox VPN, Lockdown VPN is only available for the Internet Key Exchange version 2 (IKEv2) tunnel type.
 
## Learn about VPN and the Conditional Access Framework in Azure Active Directory
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/14/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/15/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3/)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
## Learn more
[VPNv2 configuration service provider (CSP) reference](http://go.microsoft.com/fwlink/p/?LinkId=617588)
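Review bot: the new "## Learn about VPN and the Conditional Access Framework in Azure Active Directory" heading sits directly above "## Learn more", so the topic now ends with two consecutive link-only sections. Either fold the four blog links under "Learn more" or give the new section one sentence saying how Conditional Access relates to the VPN profiles described above. In the surrounding context the feature is spelled "LockDown" in the bullet and "Lockdown" in the note, and the CSP reference link still uses `http://` while the added links use `https://`.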

View File

@ -634,7 +634,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interact
## Secure the Windows desktop
Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows applications are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the applications risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows apps are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the applications risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
The sections that follow describe Windows 10 improvements to application security in more detail.
**Microsoft Edge and Internet Explorer 11**
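Review bot: the terminology is only partly updated in this paragraph. The changed sentence now says "Universal Windows apps", but the same paragraph still uses "applications" three more times ("all applications that enter the Windows Store ecosystem", "typical applications", "other applications"). Pick one term for the paragraph so the comparison between Universal Windows apps and other software stays readable.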

View File

@ -51,7 +51,7 @@
#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
#### [Distribute offline apps](distribute-offline-apps.md)
### [Manage apps](manage-apps-windows-store-for-business-overview.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-managemement-windows-store-for-business.md)
#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
#### [Manage access to private store](manage-access-to-private-store.md)
#### [Manage private store settings](manage-private-store-settings.md)
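Review bot: the link text on the changed TOC line still reads "App inventory managemement for Windows Store for Business". Only the target was corrected to `app-inventory-management-windows-store-for-business.md`, so the misspelling remains visible in the rendered table of contents. Fix the title text on the same line.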

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Acquire apps in Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
localizationpriority: high
---
# Add unsigned app to code integrity policy

View File

@ -2,6 +2,7 @@
title: App inventory management for Windows Store for Business (Windows 10)
description: You can manage all apps that you've acquired on your Inventory page.
ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
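Review bot: the redirect stub keeps `ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2`, and the correctly named file added later in this commit declares the same value, so two files in the tree now share one asset ID. If the ID is expected to be unique per topic, drop it from the stub. The `redirect_url` is an absolute technet.microsoft.com address, so the redirect only works once the renamed topic is published at that path; worth confirming before the old body is removed.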
@ -9,224 +10,3 @@ ms.pagetype: store
author: TrudyHa
---
# App inventory management for Windows Store for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
You can manage all apps that you've acquired on your **Inventory** page.
The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
![Image shows Inventory page in Windows Store for Business with status status options for an app.](images/wsfb-inventoryaddprivatestore.png)
Store for Business shows this info for each app in your inventory:
- Name
- Access to actions for the app
- Last modified date
- Supported devices
- Private store status
### Find apps in your inventory
There are a couple of ways to find specific apps, or groups of apps in your inventory.
**Search** - Use the Search box to search for an app.
**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes:
- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model).
- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory.
- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps.
- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store.
### Manage apps in your inventory
Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Action</th>
<th align="left">Online-licensed app</th>
<th align="left">Offline-licensed app</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Assign to employees</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Add to private store</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Remove from private store</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>View license details</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>View product details</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
</tr>
<tr class="even">
<td align="left"><p>Download for offline use</p></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
</tr>
</tbody>
</table>
 
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
### Distribute apps
For online-licensed apps, there are a couple of ways to distribute apps from your inventory:
- Assign apps to people in your organization.
- Add apps to your private store, and let people in your organization install the app.
If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
**To make an app in inventory available in your private store**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
2. Click the private store tab.
3. Click the app you want to install, and then click **Install**.
Another way to distribute apps is by assigning them to people in your organization.
If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
**To remove an app from the private store**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
The app will still be in your inventory, but your employees will not have access to the app from your private store.
**To assign an app to an employee**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
### Manage app licenses
For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization.
**To view license details**
1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845)
2. Click **Manage**, and then choose **Inventory**.
3. Click the ellipses for an app, and then choose **View license details**.
![Image showing Inventory page in Windows Store for Business.](images/wsfb-inventory-viewlicense.png)
You'll see the names of people in your organization who have installed the app and are using one of the licenses.
![Image showing assigned licenses for an app.](images/wsfb-licensedetails.png)
On **Assigned licenses**, you can do several things:
- Assign the app to other people in your organization.
- Reclaim app licenses.
- View app details.
- Add the app to your private store, if it is not in the private store.
You can assign the app to more people in your organization, or reclaim licenses.
**To assign an app to more people**
- Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**.
![Image showing Assign to people dialog for assigning app licenses to people in your organization.](images/wsfb-licenseassign.png)
Store for Business updates the list of assigned licenses.
**To reclaim licenses**
- Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
![Image showing Assign to people dialog for reclaiming app licenses from people in your organization.](images/wsfb-licensereclaim.png)
Store for Business updates the list of assigned licenses.
### <a href="" id="download-offline-licensed-apps"></a>Download offline-licensed app
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
You can download offline-licensed apps from your inventory. You'll need to download these items:
- App metadata
- App package
- App license
- App framework
For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model).
For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
 
 

View File

@ -0,0 +1,223 @@
---
title: App inventory management for Windows Store for Business (Windows 10)
description: You can manage all apps that you've acquired on your Inventory page.
ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
---
# App inventory management for Windows Store for Business
**Applies to**
- Windows 10
- Windows 10 Mobile
You can manage all apps that you've acquired on your **Inventory** page.
The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
![Image shows Inventory page in Windows Store for Business with status status options for an app.](images/wsfb-inventoryaddprivatestore.png)
Store for Business shows this info for each app in your inventory:
- Name
- Access to actions for the app
- Last modified date
- Supported devices
- Private store status
### Find apps in your inventory
There are a couple of ways to find specific apps, or groups of apps in your inventory.
**Search** - Use the Search box to search for an app.
**Refine** - Use **Refine** to scope your list of apps by one or more of these app attributes:
- **License** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model).
- **Platforms** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory.
- **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps.
- **Private store** - **In private store**, or **Not in private store**, depending on whether or not you've added the app to your private store.
### Manage apps in your inventory
Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Action</th>
<th align="left">Online-licensed app</th>
<th align="left">Offline-licensed app</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Assign to employees</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>Add to private store</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>Remove from private store</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="even">
<td align="left"><p>View license details</p></td>
<td align="left"><p>X</p></td>
<td align="left"></td>
</tr>
<tr class="odd">
<td align="left"><p>View product details</p></td>
<td align="left"><p>X</p></td>
<td align="left"><p>X</p></td>
</tr>
<tr class="even">
<td align="left"><p>Download for offline use</p></td>
<td align="left"></td>
<td align="left"><p>X</p></td>
</tr>
</tbody>
</table>
 
The actions in the table are how you distribute apps, and manage app licenses. We'll cover those in the next sections. Working with offline-licensed apps has different steps. For more information on distributing offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
### Distribute apps
For online-licensed apps, there are a couple of ways to distribute apps from your inventory:
- Assign apps to people in your organization.
- Add apps to your private store, and let people in your organization install the app.
If you use a management tool that supports Store for Business, you can distribute apps with your management tool. Once it is configured to work with Store for Business, your managment tool will have access to all apps in your inventory. For more information, see [Distribute apps with a management tool](distribute-apps-with-management-tool.md).
Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
**To make an app in inventory available in your private store**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
2. Click the private store tab.
3. Click the app you want to install, and then click **Install**.
Another way to distribute apps is by assigning them to people in your organization.
If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
**To remove an app from the private store**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
The app will still be in your inventory, but your employees will not have access to the app from your private store.
**To assign an app to an employee**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
### Manage app licenses
For each app in your inventory, you can view and manage license details. This give you another way to assign apps to people in your organization. It also allows you to reclaim app licenses after they've been assigned to people, or claimed by people in your organization.
**To view license details**
1. Sign in to [Store for Business](http://go.microsoft.com/fwlink/p/?LinkId=691845)
2. Click **Manage**, and then choose **Inventory**.
3. Click the ellipses for an app, and then choose **View license details**.
![Image showing Inventory page in Windows Store for Business.](images/wsfb-inventory-viewlicense.png)
You'll see the names of people in your organization who have installed the app and are using one of the licenses.
![Image showing assigned licenses for an app.](images/wsfb-licensedetails.png)
On **Assigned licenses**, you can do several things:
- Assign the app to other people in your organization.
- Reclaim app licenses.
- View app details.
- Add the app to your private store, if it is not in the private store.
You can assign the app to more people in your organization, or reclaim licenses.
**To assign an app to more people**
- Click **Assign to people**, type the email address for the employee that you're assigning the app to, and click **Assign**.
![Image showing Assign to people dialog for assigning app licenses to people in your organization.](images/wsfb-licenseassign.png)
Store for Business updates the list of assigned licenses.
**To reclaim licenses**
- Choose the person you want to reclaim the license from, click **Reclaim licenses**, and then click **Reclaim licenses**.
![Image showing Assign to people dialog for reclaiming app licenses from people in your organization.](images/wsfb-licensereclaim.png)
Store for Business updates the list of assigned licenses.
### <a href="" id="download-offline-licensed-apps"></a>Download offline-licensed app
Offline licensing is a new feature in Windows 10 and allows apps to be deployed to devices that are not connected to the Internet. This means organizations can deploy apps when users or devices do not have connectivity to the Store.
You can download offline-licensed apps from your inventory. You'll need to download these items:
- App metadata
- App package
- App license
- App framework
For more information about online and offline licenses, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model).
For more information about downloading offline-licensed apps, see [Download offline apps](distribute-offline-apps.md).
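Review bot: the sign-in links in the procedures of this new file point at `http://businessstore.microsoft.com`, and "To view license details" uses a different target again, `http://go.microsoft.com/fwlink/p/?LinkId=691845`. A link that leads to a sign-in page should use `https://`, and all procedures should use the same target. The file was also copied with the old text's defects intact: "status status options" in the first image alt text, "managment tool" under Distribute apps, "This give you" under Manage app licenses, a missing period after step 1 of "To view license details", and "click **Reclaim licenses**, and then click **Reclaim licenses**", which should say which of the two is the confirmation in the dialog. The rename is a good moment to fix these.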

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Apps in Windows Store for Business
@ -50,7 +51,7 @@ Apps that you acquire from the Store for Business only work on Windows 10-based
Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/en-us/windows/uwp/publish/organizational-licensing).
Some apps which are available to consumers in the Windows Store might not be available to organizations in the Windows Store for Business. App developers can opt-out their apps, and they also need to meet eligibility requirements for Windows Store for Business. For more information, read this info on [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
**Note**<br>
We are still setting up the catalog of apps for Windows Store for Business. If you are searching for an app and it isnt available, please check again in a couple of days.
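Review bot: In the sentence whose link is being updated, "opt-out their apps" uses the hyphenated noun as a verb, and "they also need to meet eligibility requirements" leaves it unclear whether "they" means the developers or the apps. Since the line is being touched anyway, reword it, for example "App developers can opt their apps out, and apps must also meet eligibility requirements for Windows Store for Business" if the apps are what is meant.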

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Assign apps to employees

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Configure an MDM provider

View File

@ -1,6 +1,6 @@
---
title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
---
# Configure Windows 10 devices to stop data flow to Microsoft
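Review bot: The `/en-us/` cleanup applied to `redirect_url` is incomplete across the commit. The telemetry article text in this same commit still links to this exact target as `https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services`, its Privacy Statement link uses `https://privacy.microsoft.com/en-us/privacystatement`, and its FAQ links use `windows.microsoft.com/en-us/...`. Either strip the locale segment everywhere in one pass or note why those links keep it.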

View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: brianlic-msft
---
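Review bot: `localizationpriority: high` is inserted before `author:` in this front matter, but after `author:` in the Store for Business files changed in the same commit. The order has no effect on parsing, but keeping one position makes the metadata easier to scan and to change in bulk.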
@ -17,34 +18,118 @@ author: brianlic-msft
- Windows 10 Mobile
- Windows Server 2016 Technical Preview
Use this article to make informed decisions about how you can configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to keep Windows devices secure, and to help Microsoft improve the quality of Windows and Microsoft services.
At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating systems development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
>**Note:**  This article does not apply to System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager because those components use a different telemetry service than Windows and Windows Server.
To frame a discussion about telemetry, it is important to understand Microsofts privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows telemetry system in the following ways:
It describes the types of telemetry we gather and the ways you can manage its telemetry. This article also lists some examples of how telemetry can provide you with valuable insights into your enterprise deployments, and how Microsoft uses the data to quickly identify and address issues affecting its customers.
- **Control.** We offer customers control of the telemetry they share with us by providing easy-to-use management tools.
- **Transparency.** We provide information about the telemetry that Windows and Windows Server collects so our customers can make informed decisions.
- **Security.** We encrypt telemetry in transit from your device and protect that data at our secure data centers.
- **Strong legal protections.** We respect customers local privacy laws and fight for legal protection of their privacy as a fundamental human right.
- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows telemetry system. Customer content inadvertently collected is kept confidential and not used for user targeting.
- **Benefits to you.** We collect Windows telemetry to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all of our customers.
We understand that the privacy and security of our customers information is important and we have taken a thoughtful and comprehensive approach to customer privacy and the protection of their data with Windows 10, Windows Server 2016 Technical Preview, and System Center 2016.
This article applies to Windows and Windows Server telemetry only. Other Microsoft or third-party apps, such as System Center Configuration Manager, System Center Endpoint Protection, or System Center Data Protection Manager, might send data to their cloud services in ways that are inconsistent with this guide. Their publishers are responsible for notifying users of their privacy policies, telemetry controls, and so on. This article describes the types of telemetry we may gather, the ways you might manage it in your organization, and some examples of how telemetry can provide you with valuable insights into your enterprise deployments. Microsoft uses the data to quickly identify and address issues affecting its customers.
Use this article to make informed decisions about how you might configure telemetry in your organization. Telemetry is a term that means different things to different people and organizations. For the purpose of this article, we discuss telemetry as system data that is uploaded by the Connected User Experience and Telemetry component. The telemetry data is used to help keep Windows devices secure by identifying malware trends and other threats and to help Microsoft improve the quality of Windows and Microsoft services.
## Overview
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC) on Windows Server, and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using Settings &gt; Privacy, Group Policy, or MDM.
Microsoft is committed to improving customer experiences in a mobile-first and cloud-first world, and it all starts with our customers. Telemetry is one critical way Microsoft is using data to improve our products and services. Telemetry gives every enterprise customer a voice that helps us shape future versions of Windows, Windows Server and System Center, allowing us to respond quickly to your feedback and providing new features and improved quality to our customers.
Our goal is to leverage the aggregated data to drive changes in the product and ecosystem to improve our customer experiences. We are also partnering with enterprises to provide added value from the telemetry information shared by their devices. Some examples include identifying outdated patches and downloading the latest antimalware signatures to help keep their devices secure, identifying application compatibility issues prior to upgrades, and gaining insights into driver reliability issues affecting other customers.
In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
## Understanding Windows telemetry
Windows as a Service is a fundamental change in how Microsoft plans, builds, and delivers the operating system. Historically, we released a major Windows version every few years. The effort required to deploy large and infrequent Windows versions was substantial. That effort included updating the infrastructure to support the upgrade. Windows as a Service accelerates the cadence to provide rich updates more frequently, and these updates require substantially less effort to roll out than earlier versions of Windows. Since it provides more value to organizations in a shorter timeframe, delivering Windows as a Service is a top priority for us.
The release cadence of Windows may be fast, so feedback is critical to its success. We rely on telemetry at each stage of the process to inform our decisions and prioritize our efforts.
### What is Windows telemetry?
Windows telemetry is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways:
- Keep Windows up to date
- Keep Windows secure, reliable, and performant
- Improve Windows through the aggregate analysis of the use of Windows
- Personalize Windows engagement surfaces
Here are some specific examples of Windows telemetry data:
- Type of hardware being used
- Applications installed and usage details
- Reliability information on device drivers
### What is NOT telemetry?
Telemetry can sometimes be confused with functional data. Some Windows components and apps connect to Microsoft services directly, but the data they exchange is not telemetry. For example, exchanging a users location for local weather or news is not an example of telemetry—it is functional data that the app or service requires to satisfy the users request.
There are subtle differences between telemetry and functional data. Windows collects and sends telemetry in the background automatically. You can control how much information is gathered by setting the telemetry level. Microsoft tries to avoid collecting personal information wherever possible (for example, if a crash dump is collected and a document was in memory at the time of the crash). On the other hand, functional data can contain personal information. However, a user action, such as requesting news or asking Cortana a question, usually triggers collection and transmission of functional data.
If youre an IT pro that wants to manage Windows functional data sent from your organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services).
The following are specific examples of functional data:
- Current location for weather
- Bing searches
- Wallpaper and desktop settings synced across multiple devices
### Telemetry gives users a voice
Windows and Windows Server telemetry gives every user a voice in the operating systems development and ongoing improvement. It helps us understand how Windows 10 and Windows Server 2016 behaves in the real world, focus on user priorities, and make informed decisions that benefit them. For our enterprise customers, representation in the dataset on which we will make future design decisions is a real benefit. The following sections offer real examples of these benefits.
### Drive higher app and driver quality
Our ability to collect telemetry that drives improvements to Windows and Windows Server helps raise the bar for app and device driver quality. Telemetry helps us to quickly identify and fix critical reliability and security issues with apps and device drivers on given configurations. For example, we can identify an app that hangs on devices using a specific version of a video driver, allowing us to work with the app and device driver vendor to quickly fix the issue. The result is less downtime and reduced costs and increased productivity associated with troubleshooting these issues.
A real-world example of how Windows telemetry helps us quickly identify and fix issues is a particular version of a video driver that was crashing on some devices running Windows 10, causing the device to reboot. We detected the problem in our telemetry, and immediately contacted the third-party developer who builds the video driver. Working with the developer, we provided an updated driver to Windows Insiders within 24 hours. Based on telemetry from the Windows Insiders devices, we were able to validate the new version of the video driver, and rolled it out to the broad public as an update the next day. Telemetry helped us find, fix, and resolve this problem in just 48 hours, providing a better user experience and reducing costly support calls.
### Improve end-user productivity
Windows telemetry also helps Microsoft better understand how customers use (or do not use) the operating systems features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers experiences. Examples are:
- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect peoples expectations when they turn on their device for the first time.
- **Cortana.** We use telemetry to monitor the scalability of our cloud service, improving search performance.
- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later telemetry showed significantly higher usage of this feature.
**These examples show how the use of telemetry data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.**
<!--
### Insights into your own organization
Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called Windows 10 Upgrade Analytics, will be available in Summer 2016.
#### Windows 10 Upgrade Analytics
Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis.
With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
- Detailed computer, driver, and application inventory
- Powerful computer level search and drill-downs
- Guidance and insights into application and driver compatibility issues with suggested fixes
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
-->
## How is telemetry data handled by Microsoft?
### Data collection
Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology to gather and store telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
Windows 10 and Windows Server 2016 Technical Preview includes the Connected User Experience and Telemetry component, which uses Event Tracing for Windows (ETW) tracelogging technology that gathers and stores telemetry events and data. The operating system and some Microsoft management solutions, such as System Center, use the same logging technology.
1. Operating system features and some management applications are instrumented to publish events and data. Examples of management applications include Virtual Machine Manager (VMM), Server Manager, and Storage Spaces.
2. Events are gathered using public operating system event logging and tracing APIs.
3. You can configure the telemetry level by using an MDM policy, Group Policy, or registry settings.
4. The Connected User Experience and Telemetry component transmits telemetry data over HTTPS to Microsoft and uses certificate pinning.
4. The Connected User Experience and Telemetry component transmits the telemetry data.
Info collected at the Enhanced and Full levels of telemetry is typically gathered at a fractional sampling rate, which can be as low as 1% of devices reporting data at those levels.
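Review bot: Step 4 of the data collection list appears in two wordings in this hunk, one stating that telemetry is transmitted "over HTTPS to Microsoft and uses certificate pinning" and one saying only that the component "transmits the telemetry data". If the shorter wording is the one that stays, the numbered list no longer tells the reader how the data is protected in transit, so keep the HTTPS and certificate pinning clause or point to the section that covers transmission. Two smaller points: in "What is NOT telemetry?" the parenthetical "(for example, if a crash dump is collected and a document was in memory at the time of the crash)" is attached to "tries to avoid collecting personal information wherever possible" and reads as an example of avoidance rather than of inadvertent collection, and the commented-out "Insights into your own organization" block carries a dated claim ("will be available in Summer 2016") that is better removed than left in the source.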
@ -56,21 +141,21 @@ All telemetry data is encrypted using SSL and uses certificate pinning during tr
The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
The Connected User Experience and Telemetry component connects to the Microsoft Data Management service at v10.vortex-win.data.microsoft.com.
The following table defines the endpoints for telemetry services:
The Connected User Experience and Telemetry component also connects to settings-win.data.microsoft.com to download configuration information.
[Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) connects to watson.telemetry.microsoft.com.
[Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) connects to oca.telemetry.microsoft.com.
| Service | Endpoint |
| - | - |
| Connected User Experience and Telemetry component | v10.vortex-win.data.microsoft.com<br />settings-win.data.microsoft.com |
| [Windows Error Reporting](http://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com |
| [Online Crash Analysis](http://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com |
### Data use and access
Data gathered from telemetry is used by Microsoft teams primarily to improve our customer experiences, and for security, health, quality, and performance analysis. The principle of least privileged guides access to telemetry data. Only Microsoft personnel with a valid business need are permitted access to the telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the Privacy Statement. We do share business reports with OEMs and third party partners that include aggregated, anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
The principle of least privileged access guides access to telemetry data. Microsoft does not share personal data of our customers with third parties, except at the customers discretion or for the limited purposes described in the [Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). Microsoft may share business reports with OEMs and third party partners that include aggregated and anonymized telemetry information. Data-sharing decisions are made by an internal team including privacy, legal, and data management.
### Retention
Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Store purchase history.
Microsoft believes in and practices information minimization. We strive to gather only the info we need, and store it for as long as its needed to provide a service or for analysis. Much of the info about how Windows and apps are functioning is deleted within 30 days. Other info may be retained longer, such as error reporting data or Windows Store purchase history.
## Telemetry levels
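Review bot: The endpoint table puts v10.vortex-win.data.microsoft.com and settings-win.data.microsoft.com in one cell without saying what each is for, whereas the prose sentences in this hunk distinguish them: the first is the Microsoft Data Management service, the second is used "to download configuration information". Administrators who write proxy or firewall rules from this table need that distinction, so give each endpoint its own row or add a purpose column. In the "Data use and access" paragraph, "principle of least privileged access" should read "principle of least privilege".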
@ -81,19 +166,19 @@ The telemetry data is categorized into four levels:
- **Security**. Information thats required to help keep Windows, Windows Server, and System Center secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.
- **Basic**. Basic device info, including: quality-related data, app compat, app usage data, and data from the **Security** level.
- **Basic**. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the **Security** level.
- **Enhanced**. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the **Basic** and the **Security** levels.
- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
The levels are cumulative and are illustrated in the following diagram. These levels apply to all editions of Windows Server 2016 Technical Preview.
The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016 Technical Preview.
![breakdown of telemetry levels and types of administrative controls](images/priv-telemetry-levels.png)
### Security level
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests secure with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and IoT Core editions.
The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions.
> **Note:**  If your organization relies on Windows Update for updates, you shouldnt use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.
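Review bot: "Windos IoT Core" in the reworded Security level sentence is a typo for "Windows IoT Core". The same sentence says "Windows Server 2016" while the line above it in this hunk says "Windows Server 2016 Technical Preview"; use one name throughout. The "Also," added to "these levels apply to all editions" adds nothing and can go.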
@ -103,7 +188,7 @@ Windows Server Update Services (WSUS) and System Center Configuration Manager fu
The data gathered at this level includes:
- **Connected User Experience and Telemetry component settings**. If data has been gathered and is queued to be sent, the Connected User Experience and Telemetry component downloads its settings file from Microsofts servers. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Connected User Experience and Telemetry component settings**. If general telemetry data has been gathered and is queued, it is sent to Microsoft. Along with this telemetry, the Connected User Experience and Telemetry component may download a configuration settings file from Microsofts servers. This file is used to configure the Connected User Experience and Telemetry component itself. The data gathered by the client for this request includes OS information, device id (used to identify what specific device is requesting settings) and device class (for example, whether the device is server or desktop).
- **Malicious Software Removal Tool (MSRT)** The MSRT infection report contains information, including device info and IP address.
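Review bot: The reworded "Connected User Experience and Telemetry component settings" bullet says "If general telemetry data has been gathered and is queued, it is sent to Microsoft". It sits in the list of data gathered at the Security level, so it can be read as general telemetry leaving the device at that level. State what "general telemetry" covers here, or limit the sentence to the settings request the bullet is about. Also, "device id" should be "device ID", and the MSRT bullet is missing the period after its bold label that the bullet above it has.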
@ -126,11 +211,11 @@ No user content, such as user files or communications, is gathered at the **Secu
### Basic level
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The Basic level gathers a limited set of data thats critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent.
The data gathered at this level includes:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem, including:
- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview in the ecosystem. Examples include:
- Device attributes, such as camera resolution and display type
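Review bot: Dropping "instances" from the "Basic device data" bullet leaves "native and virtualized Windows Server 2016 Technical Preview in the ecosystem" without a noun. Restore it: "native and virtualized Windows Server 2016 Technical Preview instances in the ecosystem. Examples include:".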
@ -156,7 +241,7 @@ The data gathered at this level includes:
- **General app data and app data for Internet Explorer add-ons**. Includes a list of apps that are installed on a native or virtualized instance of the OS and whether these apps function correctly after an upgrade. This app data includes the app name, publisher, version, and basic details about which files have been blocked from usage.
- **App usage data**. Includes how an app is used, including how long an app is used for, when the app has focus, and when the app is started
- **App usage data**. Includes how an app is used, including how long an app is used, when the app has focus, and when the app is started
- **Internet Explorer add-ons**. Includes a list of Internet Explorer add-ons that are installed on a device and whether these apps will work after an upgrade.
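Review bot: The "App usage data" bullet is edited but still ends without a period ("when the app is started"), unlike the bullets around it. Add it in this pass.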
@ -166,13 +251,13 @@ The data gathered at this level includes:
- **Driver data**. Includes specific driver usage thats meant to help figure out whether apps and devices will function after upgrading to a new version of the operating system. This can help to determine blocking issues and then help Microsoft and our partners apply fixes and improvements.
- **Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
- **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses.
### Enhanced level
The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements.
This is the default level, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues.
The data gathered at this level includes:
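Review bot: The sentence on the default level now names only Windows 10 Enterprise and Windows 10 Education, which leaves the default for other Windows 10 editions unstated. The Windows Server default is given only later in the article ("The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**"). Since the same sentence goes on to mention Windows Server and System Center, say here what the default is for each, or link to where it is stated.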
@ -202,6 +287,15 @@ However, before more data is gathered, Microsofts privacy governance team, in
- All crash dump types, including heap dumps and full dumps.
## Enterprise management
Sharing telemetry data with Microsoft provides many benefits to enterprises, so we do not recommend turning it off. For most enterprise customers, simply adjusting the telemetry level and managing specific components is the best option.
Customers can set the telemetry level in both the user interface and with existing management tools. Users can change the telemetry level in the **Diagnostic and usage data** setting. In the Settings app, it is in **Privacy\Feedback & diagnostics**. They can choose between Basic, Enhanced, and Full. The Security level is not available.
IT pros can use various methods, including Group Policy and Mobile Device Management (MDM), to choose a telemetry level. If youre using Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016, the Security telemetry level is available when managing the policy. Setting the telemetry level through policy overrides users choices. The remainder of this section describes how to do that.
### Manage your telemetry settings
We do not recommend that you turn off telemetry in your organization as valuable functionality may be impacted, but we recognize that in some scenarios this may be required. Use the steps in this section to do so for Windows, Windows Server, and System Center.
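Review bot: The new "Enterprise management" text says the Security level is available on Windows 10 Enterprise, Windows 10 Education and Windows Server 2016, but the "Security level" section of this article also lists Windows 10 Mobile Enterprise and IoT Core. Align the two lists so administrators of those editions are not misled. The section also opens with "we do not recommend turning it off" and is followed immediately by "We do not recommend that you turn off telemetry" under "Manage your telemetry settings"; one statement of the recommendation is enough.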
@ -210,7 +304,7 @@ We do not recommend that you turn off telemetry in your organization as valuable
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced.**
The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**.
### Configure the operating system telemetry level
@ -218,14 +312,13 @@ You can configure your operating system telemetry settings using the management
Use the appropriate value in the table below when you configure the management policy.
| Value | Level | Data gathered |
|-------|----------|---------------------------------------------------------------------------------------------------------------------------|
| **0** | Security | Security data only. |
| **1** | Basic | Security data, and basic system and quality data. |
| **2** | Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. |
| **3** | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. |
| Level | Data gathered | Value |
| - | - | - |
| Security | Security data only. | **0** |
| Basic | Security data, and basic system and quality data. | **1** |
| Enhanced | Security data, basic system and quality data, and enhanced insights and advanced reliability data. | **2** |
| Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** |
 
### Use Group Policy to set the telemetry level
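Review bot: The **0** (Security) row of the reordered table carries no edition caveat, although the section intro ties the Security level to Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016. Suggest repeating that restriction in the row or in a line under the table, since this is the table readers copy the value from. Moving **Value** to the last column also puts the number an administrator actually enters furthest from the eye; consider keeping it first, as the lead sentence says "Use the appropriate value in the table below".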
@ -277,19 +370,32 @@ There are a few more settings that you can turn off that may send telemetry info
>**Note:**  Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user's device. If we determine that sensitive information has been inadvertently received, we delete the information.
 
## Additional resources
## Examples of how Microsoft uses the telemetry data
FAQs
- [Cortana, Search, and privacy](http://windows.microsoft.com/en-us/windows-10/cortana-privacy-faq)
- [Windows 10 feedback, diagnostics, and privacy](http://windows.microsoft.com/en-us/windows-10/feedback-diagnostics-privacy-faq)
- [Windows 10 camera and privacy](http://windows.microsoft.com/en-us/windows-10/camera-privacy-faq)
- [Windows 10 location service and privacy](http://windows.microsoft.com/en-us/windows-10/location-service-privacy)
- [Microsoft Edge and privacy](http://windows.microsoft.com/en-us/windows-10/edge-privacy-faq)
- [Windows 10 speech, inking, typing, and privacy](http://windows.microsoft.com/en-us/windows-10/speech-inking-typing-privacy-faq)
- [Windows Hello and privacy](http://windows.microsoft.com/en-us/windows-10/windows-hello-privacy-faq)
- [Wi-Fi Sense](http://windows.microsoft.com/en-us/windows-10/wi-fi-sense-faq)
- [Windows Update Delivery Optimization](http://windows.microsoft.com/en-us/windows-10/windows-update-delivery-optimization-faq)
### Drive higher application and driver quality in the ecosystem
Blogs
Telemetry plays an important role in quickly identifying and fixing critical reliability and security issues in our customers deployments and configurations. Insights into the telemetry data we gather helps us to quickly identify crashes or hangs associated with a certain application or driver on a given configuration, like a particular storage type (for example, SCSI) or a memory size. For System Center, job usages and statuses can also help us enhance the job workload and the communication between System Center and its managed products. Microsofts ability to get this data from customers and drive improvements into the ecosystem helps raise the bar for the quality of System Center, Windows Server applications, Windows apps, and drivers. Real-time data about Windows installations reduces downtime and the cost associated with troubleshooting unreliable drivers or unstable applications.
- [Privacy and Windows 10](https://blogs.windows.com/windowsexperience/2015/09/28/privacy-and-windows-10)
### Reduce your total cost of ownership and downtime
Privacy Statement
Telemetry provides a view of which features and services customers use most. For example, the telemetry data provides us with a heat map of the most commonly deployed Windows Server roles, most used Windows features, and which ones are used the least. This helps us make informed decisions on where we should invest our engineering resources to build a leaner operating system. For System Center, understanding the customer environment for management and monitoring will help drive the support compatibilities matrix, such as host and guest OS. This can help you use existing hardware to meet your business needs and reduce your total cost of ownership, as well as reducing downtime associated with security updates.
- [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement)
### Build features that address our customers needs
TechNet
Telemetry also helps us better understand how customers deploy components, use features, and use services to achieve their business goals. Getting insights from that information helps us prioritize our engineering investments in areas that can directly affect our customers experiences and workloads. Some examples include customer usage of containers, storage, and networking configurations associated with Windows Server roles like Clustering and Web. Another example could be to find out when is CPU hyper-threading turned off and the resulting impact. We use the insights to drive improvements and intelligence into some of our management and monitoring solutions, to help customers diagnose quality issues, and save money by making fewer help calls to Microsoft.
- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/en-us/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
Web Pages
- [Privacy at Microsoft](http://privacy.microsoft.com)
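Review bot: Two sentences in the "Examples of how Microsoft uses the telemetry data" text need a grammar pass: "Insights into the telemetry data we gather helps us" should be "help us", and "find out when is CPU hyper-threading turned off" should read "find out when CPU hyper-threading is turned off". Under "Reduce your total cost of ownership and downtime", the closing clause about "reducing downtime associated with security updates" is not connected to anything earlier in that paragraph; either explain the link or drop the clause.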

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
localizationpriority: high
---
# Device Guard signing

View File

@ -1,4 +1,4 @@
---
title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft
redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
---

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Distribute apps to your employees from the Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Distribute apps with a management tool

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Distribute offline apps

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Find and acquire apps

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Manage apps in Windows Store for Business

View File

@ -6,6 +6,7 @@ keywords: privacy, manage connections to Microsoft
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
author: brianlic-msft
---
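Review bot: `localizationpriority: high` is placed before `author:` in this file's front matter, while the other files in this commit add it after `author:`. Key order does not change the metadata, but keeping the same position everywhere makes later bulk edits and diffs easier to read.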

View File

@ -50,14 +50,15 @@ Set up and manage Cortana by using the following Group Policy and mobile device
|Group policy |MDM policy |Description |
|-------------|-----------|------------|
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.<p>**Note**<br>Employees can still perform searches even with Cortana turned off. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
|None |System/AllowLocation |Specifies whether to allow app access to the Location service. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.<p>**Note**<br>This setting only applies to Windows 10 Mobile. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
|User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). |
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.<p>**Note**<br>This setting only applies to Windows 10 for desktop devices. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.<p>**In Windows 10, version 1511**<br>Cortana wont work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled). |
|None |System/AllowLocation |Specifies whether to allow app access to the Location service.<p>**In Windows 10, version 1511**<br>Cortana wont work if this setting is turned off (disabled).<p>**In Windows 10, version 1607 and later**<br>Cortana still works if this setting is turned off (disabled). |
|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.<p>Use this setting if you only want to support Azure AD in your organization. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.<p>**Note**<br>This setting only applies to Windows 10 Mobile. |
|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.<p>**In Windows 10 Pro edition**<br>This setting cant be managed.<p>**In Windows 10 Enterprise edition**<br>Cortana won't work if this setting is turned off (disabled). |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.<p>**Important**<br>Cortana wont work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. |
**More info:**
- For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
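Review bot: The rewritten row for "Allow input personalization" (Privacy/AllowInputPersonalization) now describes the setting only as controlling voice commands with Cortana, and no longer says that it governs collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. That collection scope is what an administrator needs in order to make a privacy decision, so suggest keeping it alongside the new version 1511 and 1607 behaviour notes. Separately, the Group Policy path in the AboveLock row ends in "AllowCortanaAboveLock", which reads like the MDM policy name rather than a Group Policy display name such as "Allow Cortana"; please confirm the actual setting name.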

View File

@ -1,70 +1,10 @@
---
title: Manage inventory in Windows Store for Business (Windows 10)
description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/app-inventory-management-windows-store-for-business
redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
---
# Manage inventory in Window Store for Business
When you acquire apps from the Windows Store for Business, we add them to the inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
## Distribute apps
You can assign apps to people, or you can make apps available in your private store. Once an app is in your private store, people in your org can install the app on their devices. For more information, see [Distribute apps using your private store](distribute-apps-from-your-private-store.md).
**To make an app in inventory available in your private store**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Click **Refine**, and then choose **Online**. Store for Business will update the list of apps on the **Inventory** page.
4. From an app in **Inventory**, click the ellipses under **Action**, and then choose **Add to private store**.
The value under Private store for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**
1. Sign in to your computer with your Azure Active Directory (AD) credentials, and start the Windows Store app.
2. Click the private store tab.
3. Click the app you want to install, and then click **Install**.
Another way to distribute apps is by assigning them to people in your organization.
**To assign an app to an employee**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
Employees will receive an email with a link that will install the app on their device. Click the link to start the Windows Store app, and then click **Install**. Also, in the Windows Store app, they can find the app under **My Library**.
## Manage licenses
For apps in inventory, when you assign an app to an employee, a license for the app is assigned to them. You can manage these licenses, either by assigning them, or reclaiming them so you can assign them to another employee. You can also remove an app from the private store.
**To assign licenses**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **View license details**.
4. Click **Assign to people**, type the name you are assigning the license to, and then click **Assign**.
Store for Business assigns a license to the person, and adds them to the list of assigned licenses.
**To reclaim licenses**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **View license details**.
4. Click the name of the person you are reclaiming the license from, and then click **Reclaim licenses**.
Store for Business reclaims the license, and updates the number of avialable licenses. After you reclaim a license, you can assign a license to another employee.
**To remove an app from the private store**
If you decide that you don't want an app available for employees to install on their own, you can remove it from your private store.
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then choose **Inventory**.
3. Find an app, click the ellipses under **Action**, and then choose **Remove from private store**, and then click **Remove**.
The app will still be in your inventory, but your employees will not have access to the app from your private store.
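Review bot: The new `redirect_url` value ends in "app-inventory-managemement-windows-store-for-business", with "managemement" where the previous value had "app-inventory-management-windows-store-for-business". Because this change also removes the page body, a misspelled target would leave readers with a broken redirect and no content; please confirm the target file name and correct the spelling if it is a typo.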

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Manage app orders in Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Manage private store settings

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Manage settings for the Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Manage user accounts in Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Prerequisites for Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Roles and permissions in Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
author: TrudyHa
localizationpriority: high
---
# Sign code integrity policy with Device Guard signing

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Sign up and get started

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Sign up for Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Troubleshoot Windows Store for Business

View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Update Windows Store for Business account settings

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Windows Store for Business

View File

@ -7,6 +7,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Working with line-of-business apps
@ -80,7 +81,7 @@ After an app is published and available in the Store, ISVs publish an updated ve
5. Click **Save** to save your changes and start the app submission process.
For more information, see [Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615) and [Distributing LOB apps to enterprises](http://go.microsoft.com/fwlink/p/?LinkId=627543).<br>
**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/en-us/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
**Note** In order to get the LOB app, the organization must be located in a [supported market](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview#supported-markets), and you must not have excluded that market when submitting your app.
### <a href="" id="add-lob-app-to-inventory"></a>Add app to inventory (admin)
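Review bot: The unchanged line just above the edited note still has a space inside the link target, "[Organizational licensing options]( http://go.microsoft.com/fwlink/p/?LinkId=708615)", which some Markdown renderers will not treat as a link. Since this hunk is already normalizing the URL on the adjacent line, suggest removing the leading space in the same change.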

View File

@ -1,48 +1,5 @@
---
title: ACT Community Ratings and Process (Windows 10)
description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members.
ms.assetid: be6c8c71-785b-4adf-a375-64ca7d24e26c
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library
ms.pagetype: appcompat
author: TrudyHa
---
# ACT Community Ratings and Process
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members.
When you access the Microsoft Compatibility Exchange as a registered ACT Community member, you can upload your compatibility data to the community and download issues from other ACT Community members. For information about how compatibility ratings are entered, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
ACT takes your information and combines it with all of the information provided by the other ACT Community users and shows the average rating as a color gradient from one to five bars.
![act community](images/dep-win8-e-act-communityexample.gif)
## Process for Synchronizing Compatibility Ratings
The following diagram shows the process for synchronizing compatibility ratings with the ACT Community.
You have the option to exclude applications from being shared with the Microsoft Compatibility Exchange. However, you will not get compatibility ratings from the ACT Community for any application that you exclude. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
![act community workflow](images/dep-win8-l-act-communityworkflowdiagram.jpg)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---

View File

@ -1,85 +1,5 @@
---
title: ACT Database Configuration (Windows 10)
description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data.
ms.assetid: 032bbfe0-86fa-48ff-b638-b9d6a908c45e
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# ACT Database Configuration
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data. If you do not use Microsoft SQL Server, you can download and install Microsoft SQL Server Express. For information about creating Microsoft SQL Server databases, see [Administering the Database Engine](http://go.microsoft.com/fwlink/p/?LinkId=64169).
## ACT Database Creation
You can create the ACT database by using one of the following methods:
- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to create a new database.
-or-
- Run the CreateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\CreateDB.sql.
### ACT Database Permissions
You must assign the following database roles to the following accounts.
- To the user and local service accounts that will run the ACT Log Processing Service (LPS), assign the db\_datareader, db\_datawriter, and db\_owner database roles.
- To the user account that will run Application Compatibility Manager (ACM), assign the db\_datareader and db\_datawriter database roles.
Alternatively, grant the following explicit permissions to each user that will run the ACT LPS or ACM.
- SELECT
- INSERT
- UPDATE
- DELETE
- EXECUTE
### ACT Database Recommendations
We also recommend that you make the following changes to the database as part of your deployment planning:
- **Create a larger database, including a larger log filesize setting, and then set the growth increments appropriately**. If you create a database with the default setting for data storage, the data portion of the database will have an initial size of 1 megabyte (MB), and a growth increment of 1 MB. If you create a database with the default setting for log file storage, the log file portion of the database will have an initial size of 1 MB and a growth increment of 10 percent. We recommend that you maintain a data-to-log file ratio of 5:1 or 4:1. For example, if your data portion is 5 gigabytes (GB), your log file portion should be 1 GB.
- **Change the recovery model of your database**. The default recovery model is **Full**, but we recommend that you change the recovery model to **Simple** to improve performance and reduce disk space requirements.
- **Store the data portion and log file portion of your ACT database on separate hard drives**. Unless otherwise specified by your SQL Administrator, the default is for the data and log files to be stored on the same hard drive. We recommend separating the data from the log files to reduce disk I/O contention.
## Related topics
[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
[ACT Deployment Options](act-deployment-options.md)
[ACT Database Migration](act-database-migration.md)
[ACT LPS Share Permissions](act-lps-share-permissions.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
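Review bot: This stub redirects the ACT Database Configuration topic to "manage-windows-upgrades-with-upgrade-analytics", the same target used for the other ACT topics in this commit, and the removed body held the only statement of the database roles and explicit permissions required for the ACT LPS and ACM accounts. Nothing visible in the change says where that guidance is archived. If ACT databases are still in use by readers, suggest linking an archived copy from the redirect target or the change history so the permission guidance remains findable.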

View File

@ -1,68 +1,5 @@
---
title: ACT Database Migration (Windows 10)
description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released.
ms.assetid: b13369b4-1fb7-4889-b0b8-6d0ab61aac3d
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# ACT Database Migration
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The schema for an ACT database can change when ACT is updated or when a new version of ACT is released. If the schema for an ACT database does not match the current schema, you can migrate the compatibility data to a new database. You can then use the current version of ACT to open the new database.
To create the new database, you must have database-creation permissions on the instance of SQL Server.
## Migrating Compatibility Data from an ACT Database
You can migrate compatibility data from an ACT database to a new database by using one of the following methods:
- Run Application Compatibility Manager (ACM), and then use the ACT Configuration Wizard to open the database. The wizard guides you through migrating the compatibility data to a new database.
- Run the MigrateDB.sql file, located at %SYSTEMDRIVE%\\ProgramData\\Microsoft\\Application Compatibility Toolkit\\MigrateDB.sql.. The following table shows the location of the MigrateDB.sql file.
## Database Migration from ACT 5.6
When you migrate compatibility data from an ACT 5.6 database to a new database, the following information is excluded from the migration:
- Issues that were reported by ACT 5.6 data-collection packages (DCPs).
- Solutions that correspond to issues reported by ACT 5.6 DCPs.
- Lists of file names that ACT 5.6 associated with each application.
You cannot migrate any compatibility data from ACT databases that were created on a version of ACT before ACT 5.6.
## Related topics
[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
[ACT Deployment Options](act-deployment-options.md)
[ACT Database Configuration](act-database-configuration.md)
[ACT LPS Share Permissions](act-lps-share-permissions.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---

View File

@ -1,61 +1,5 @@
---
title: ACT Deployment Options (Windows 10)
description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.
ms.assetid: 90d56dd8-8d57-44e8-bf7a-29aabede45ba
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# ACT Deployment Options
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.
The following diagram shows supported deployment options for an ACT installation. The options listed first are the most highly recommended.
![act supported topologies](images/dep-win8-l-act-supportedtopologies.jpg)
## Collecting Data Across Domains
If you plan to deploy inventory-collector packages to computers running Windows XP, where some of the computers are on a different domain than the ACT LPS share, do one of the following:
- Set up a separate ACT LPS share on each domain and configure the inventory-collector package to upload log files to the ACT LPS share on the same domain.
- Set up a single ACT LPS share on one computer. On the computer that hosts the share, use Group Policy to allow connections from anonymous users.
These steps are not necessary if the computers where you deploy inventory-collector packages are running Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows 10.
If you choose to have distributed logging with a subsequent step of moving log files to your central share, move the files to the central share before processing the files. You can move the files manually or use a technology like Distributed File-System Replication (DFSR).
## Related topics
[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
[ACT Database Configuration](act-database-configuration.md)
[ACT Database Migration](act-database-migration.md)
[ACT LPS Share Permissions](act-lps-share-permissions.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---

View File

@ -1,118 +1,5 @@
---
title: ACT Glossary (Windows 10)
description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).
ms.assetid: 984d1cce-c1ac-4aa8-839a-a23e15da6f32
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# ACT Glossary
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Term</th>
<th align="left">Definition</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>ACT Community</p></td>
<td align="left"><p>An online environment that enables ACT users to share issues and solution data with other registered ACT users.</p></td>
</tr>
<tr class="even">
<td align="left"><p>ACT Log Processing Service (LPS)</p></td>
<td align="left"><p>The service that processes the log files uploaded from your client computers, adding the information to your ACT database.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>AppHelp message</p></td>
<td align="left"><p>A type of compatibility fix. An AppHelp message is designed to appear when a user starts an application that has compatibility issues. The message can prevent the application from starting, or simply provide information about compatibility issues in the application.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Application Compatibility Manager (ACM)</p></td>
<td align="left"><p>The user interface that enables you to view reports generated from the ACT database. This is also where you create data-collection packages.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Compatibility Administrator</p></td>
<td align="left"><p>A tool that enables you to create and deploy compatibility fixes, compatibility modes, and AppHelp messages, to resolve your compatibility issues.</p></td>
</tr>
<tr class="even">
<td align="left"><p>compatibility fix</p></td>
<td align="left"><p>A small piece of code that intercepts API calls from applications, transforming them so that Windows will provide the same product support for the application as previous versions of the operating system. Previously known as a &quot;shim&quot;.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>compatibility mode</p></td>
<td align="left"><p>Group of compatibility fixes found to resolve many common application compatibility issues.</p></td>
</tr>
<tr class="even">
<td align="left"><p>compatibility solution</p></td>
<td align="left"><p>The solution to a known compatibility issue, as entered by the user, Microsoft, or a vendor.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>data-collection package</p></td>
<td align="left"><p>A Windows installer (.msi) file created by Application Compatibility Manager (ACM) for deploying to each of your client computers. Data-collection packages include inventory collection packages and runtime analysis packages.</p></td>
</tr>
<tr class="even">
<td align="left"><p>deployment</p></td>
<td align="left"><p>The process of distributing and installing a software program throughout an entire organization. A deployment is not the same as a pilot, which is where you provide the software application to a smaller group of users to identify and evaluate problems that might occur during the actual deployment.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>independent software vendor (ISV)</p></td>
<td align="left"><p>An individual or an organization that independently creates computer software.</p></td>
</tr>
<tr class="even">
<td align="left"><p>inventory-collector package</p></td>
<td align="left"><p>A package that examines each of your organization's computers to identify the installed applications and system information. You can view the results on the Analyze screen in ACM.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Compatibility Exchange</p></td>
<td align="left"><p>A web service that transfers compatibility information between Microsoft and the ACT database.</p></td>
</tr>
<tr class="even">
<td align="left"><p>runtime-analysis package</p></td>
<td align="left"><p>A data-collection package that you deploy to computers in a test environment for compatibility testing. The runtime-analysis package includes tools for monitoring applications for compatibility issues and submitting compatibility feedback.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>session 0</p></td>
<td align="left"><p>The session that is used for all of the system services. Previously, users could run in Session 0 without issues; however, this was changed in Windows Vista so that all users are now required to run in Session 1 or later.</p></td>
</tr>
<tr class="even">
<td align="left"><p>shim</p></td>
<td align="left"><p>See Other Term: compatibility fix</p></td>
</tr>
<tr class="odd">
<td align="left"><p>User Account Control (UAC)</p></td>
<td align="left"><p>A security feature that helps prevent unauthorized changes to a computer, by asking the user for permission or administrator credentials before performing actions that could potentially affect the computer's operation or that change settings that affect multiple users.</p></td>
</tr>
</tbody>
</table>
 
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
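
Review bot: Removing the whole glossary table also drops the definitions of "compatibility fix" / "shim", "compatibility mode", "AppHelp message" and "User Account Control (UAC)", which are not ACT-only terms. This same commit keeps the Standard User Analyzer and Compatibility Administrator guides, and their descriptions still refer to compatibility fixes and UAC. Consider moving those entries into the retained guides, or keeping a trimmed glossary, instead of redirecting the page to the Upgrade Analytics overview. The retained `description:` line also still promises "The following table", which the stub no longer contains.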

View File

@ -1,76 +1,5 @@
---
title: ACT LPS Share Permissions (Windows 10)
description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.
ms.assetid: 51f6ddf7-f424-4abe-a0e0-71fe616f9e84
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# ACT LPS Share Permissions
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level.
## Share-Level Permissions
The **Everyone** group must have **Change** and **Read** permissions to the ACT LPS share.
**To set the share-level permissions**
1. Browse to the ACT LPS share, right-click the folder, and select **Properties**.
2. Click the **Sharing** tab, share the folder, and then click **Permissions**.
3. Add the **Everyone** group if it is not already listed, and then select the **Change** and **Read** check boxes in the **Allow** column.
## Folder-Level Permissions (NTFS Only)
The **Everyone** group must have **Write** access to the ACT LPS share.
The ACT Log Processing Service account must have **List Folder Contents**, **Read**, and **Write** permissions.
- If the ACT Log Processing Service account is **Local System Account**, apply the permissions to the *&lt;domain&gt;*\\*&lt;computer&gt;*$ account.
- If the ACT Log Processing Service is a user account, apply the permissions to the specific user.
**To set the folder-level permissions**
1. In Windows Explorer, right-click the folder for the ACT LPS share, and then click **Properties**.
2. Click the **Security** tab, add the account that runs the ACT Log Processing Service, and then select the **List Folder Contents**, **Read**, and **Write** check boxes in the **Allow** column.
3. Add the **Everyone** group if it is not already listed, and then select the **Write** check box in the **Allow** column.
## Related topics
[ACT Tools, Packages, and Services](act-tools-packages-and-services.md)
[ACT Deployment Options](act-deployment-options.md)
[ACT Database Configuration](act-database-configuration.md)
[ACT Database Migration](act-database-migration.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
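
Review bot: The removed body documents that the ACT LPS share grants the **Everyone** group Change and Read at the share level and Write at the NTFS level, and the stub replaces that with a bare redirect, so an admin retiring ACT gets no reminder that a share writable by Everyone may still exist on the log-processing host. Suggest adding a short decommissioning note to the content this page now redirects to (or to the change history) telling readers to remove the LPS share, or at least the Everyone write grant, once log collection has stopped.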

View File

@ -1,80 +1,5 @@
---
title: OperatingSystem - Application Report (Windows 10)
description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
ms.assetid: 9721485b-6092-4974-8cfe-c84472237a57
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# &lt;OperatingSystem&gt; - Application Report
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
The **&lt;OperatingSystem&gt; - Application Report** screen shows the following information for the applications from which you have collected data:
- The application name, application vendor, and application version.
- Your organizations compatibility rating for the application.
- Compatibility ratings from users in your organization who are using a runtime analysis package to test the application.
- Whether the information for the application is included in the synchronization process with the Microsoft Compatibility Exchange.
- Compatibility information for the application from the application vendor.
- Compatibility ratings from the ACT Community, if you are a member of the ACT Community. To join the ACT Community, see [Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md).
- The count of active issues for the application.
- The count of computers in your organization on which the application is installed.
**To open the &lt;OperatingSystem&gt; - Application Report screen**
1. In ACM, on the **Quick Reports** pane, click **Analyze**.
2. In the **Quick Reports** pane, under an operating system heading, click **Applications**.
## <a href="" id="using-the--operatingsystem----application-report-screen"></a>Using the &lt;OperatingSystem&gt; - Application Report Screen
On the **&lt;OperatingSystem&gt; - Application Report** screen, you can perform the following actions:
- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
- Choose whether to synchronize data for each application with the Microsoft Compatibility Exchange. For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md).
- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
- Select your compatibility rating for an application. For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).
- Select your deployment status for an application. For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).
- Assign categories and subcategories to an application. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
- Specify the importance of an application to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
- Double-click an application name to view the associated dialog box. For more information, see [&lt;Application&gt; Dialog Box](application-dialog-box.md).
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---

View File

@ -1,62 +1,5 @@
---
title: OperatingSystem - Computer Report (Windows 10)
ms.assetid: ed0a56fc-9f2a-4df0-8cef-3a09d6616de8
description:
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# &lt;OperatingSystem&gt; - Computer Report
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The **&lt;OperatingSystem&gt; - Computer Report** screen shows the following information for each computer in your organization:
- The computer name, domain, and operating system.
- The count of applications and devices installed on the computer.
- The count of installed applications and devices that have issues.
**To open the &lt;OperatingSystem&gt; - Computer Report screen**
1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**.
2. In the **Quick Reports** pane, under an operating system heading, click **Computers**.
## <a href="" id="using-the--operatingsystem----computer-report-screen"></a>Using the &lt;OperatingSystem&gt; - Computer Report Screen
On the **&lt;OperatingSystem&gt; - Computer Report** screen, you can perform the following actions:
- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
- Assign categories and subcategories to a computer. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
- Specify the importance of a computer to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
- Double-click a computer name to view its associated dialog box. For more information, see [&lt;Computer&gt; Dialog Box](computer-dialog-box.md).
 
 
description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
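
Review bot: The `description:` added just above `redirect_url` ("This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.") is the Application Report page's description and describes content this stub no longer has, since the page now only redirects to Upgrade Analytics. Either leave the description out, or replace it with one line saying the topic has moved.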

View File

@ -1,64 +1,5 @@
---
title: OperatingSystem - Device Report (Windows 10)
ms.assetid: 8b5a936f-a92e-46a7-ac44-6edace262355
description:
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# &lt;OperatingSystem&gt; - Device Report
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The **&lt;OperatingSystem&gt; - Device Report** screen shows the following information for each device installed in your organization:
- The model and manufacturer of the device.
- The class of device, as reported by the device.
- An evaluation from the device manufacturer of whether the device works on a 32-bit operating system or a 64-bit operating system.
- The count of computers on which the device is installed.
**To open the &lt;OperatingSystem&gt; - Device Report screen**
1. In Application Compatibility Manager (ACM), on the **Quick Reports** pane, click **Analyze**.
2. In the **Quick Reports** pane, under an operating system heading, click **Devices**.
## <a href="" id="using-the--operatingsystem----device-report-screen"></a>Using the &lt;OperatingSystem&gt; - Device Report Screen
On the **&lt;OperatingSystem&gt; - Device Report** screen, you can:
- Export the report data to a spreadsheet, or import a report. For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).
- Synchronize your compatibility issues by using the Microsoft Compatibility Exchange. For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).
- Filter the report by using the query builder. For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).
- Assign categories and subcategories to a device. For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).
- Specify the importance of a device to your organization. For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).
- Double-click a device name to view its associated dialog box. For more information, see [&lt;Device&gt; Dialog Box](device-dialog-box.md).
 
 
description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
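
Review bot: The `description:` added before `redirect_url` in this Device Report stub is the generic ACM compatibility-reports sentence, not a description of this page, and the page body it would describe is deleted in the same hunk. Drop it or replace it with a one-line statement that the topic now redirects to Upgrade Analytics, so search snippets do not advertise content that is gone.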

View File

@ -1,62 +1,8 @@
---
title: ACT Product and Documentation Resources (Windows 10)
description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).
ms.assetid: c7954b5a-164d-4548-af58-cd3a1de5cc43
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
# ACT Product and Documentation Resources
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).
## Information Related to the Application Compatibility Toolkit
- [Microsoft SQL Server](http://go.microsoft.com/fwlink/p/?LinkId=184584). Use Microsoft SQL Server to take full advantage of ACT features. Visit the SQL Server home page for product information, technical resources, and support.
- [Microsoft SQL Server Express Edition](http://go.microsoft.com/fwlink/p/?LinkId=690325). If you are not already running SQL Server, download a free version of SQL Server Express and its management tools.
- [Microsoft System Center Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=690326). Visit the System Center Configuration Manager home page for product information, technical resources, and support.
- [Microsoft Application Verifier](http://go.microsoft.com/fwlink/p/?LinkId=52529). Application Verifier is required by the Standard User Analyzer tool.
## Information About Application Compatibility
- [Application Compatibility home page](http://go.microsoft.com/fwlink/p/?LinkId=184586). Go here for general application compatibility information, including videos, key resources, advice, and technical guidance.
- [Windows Developer Center home page](http://go.microsoft.com/fwlink/p/?LinkId=184587). Find information about the Windows SDK, including how to develop your application, how to get help with compatibility issues, and other development-related content.
## Information About Windows Deployment
- [Microsoft Deployment Toolkit](http://go.microsoft.com/fwlink/p/?LinkId=618117). Download the latest version of the Microsoft Deployment Toolkit (MDT) to assist with image creation and automated installation, reduce deployment time, standardize desktop and server images, limit service disruptions, reduce post-deployment help desk costs, and improve security and ongoing configuration management.
- [Windows website](http://go.microsoft.com/fwlink/p/?LinkId=731). Visit the Windows home page for product information, technical resources, and support.
## Related topics
[Troubleshooting ACT](troubleshooting-act.md)
[Using ACT](using-act.md)
[Software Requirements for ACT](software-requirements-for-act.md)
 
 

View File

@ -1,65 +1,5 @@
---
title: Settings Dialog Box - Preferences Tab (Windows 10)
description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.
ms.assetid: deae2100-4110-4d72-b5ee-7c167f80bfa4
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# Settings Dialog Box - Preferences Tab
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**.
In the **Settings** dialog box, on the **Preferences** tab, use the following controls to join or leave the ACT Community, send ACT usage data to Microsoft, or be notified when there are updates available for ACT.
<a href="" id="yes--i-want-to-join-the-act-community"></a>**Yes, I want to join the ACT Community**
If this check box is selected, you are a member of the ACT Community and can share application compatibility data with other ACT users.
If this check box is cleared, you still receive compatibility data from the Microsoft compatibility database, but not from other ACT users.
For more information about the ACT Community, see [ACT Community Ratings and Process](act-community-ratings-and-process.md).
<a href="" id="send-act-usage-data-to-microsoft"></a>**Send ACT usage data to Microsoft**
If this check box is selected, the following ACT usage data is sent to Microsoft:
- The version of SQL Server being used by the ACT database.
- The count of 32-bit or 64-bit computers in your organization.
- The count of computers running a Windows operating system.
- The operating systems you intend to deploy into your organization.
- The count of computers to which you deployed data-collection packages.
If this check box is cleared, your ACT usage data is not sent to Microsoft.
<a href="" id="notify-me-when-a-newer-version-of-act-is-available--recommended-"></a>**Notify me when a newer version of ACT is available (recommended)**
If this check box is selected, ACM notifies you when an update is available for ACT.
## Related topics
[Settings Dialog Box - Settings Tab](act-settings-dialog-box-settings-tab.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---

View File

@ -1,66 +1,5 @@
---
title: Settings Dialog Box - Settings Tab (Windows 10)
description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings.
ms.assetid: aeec1647-cf91-4f8b-9f6d-dbf4b898d901
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# Settings Dialog Box - Settings Tab
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
To display the **Settings** dialog box, in Application Compatibility Manager (ACM), on the **Tools** menu, click **Settings**.
In the **Settings** dialog box, on the **Settings** tab, use the following controls to modify the settings for your ACT database and ACT Log Processing Service.
<a href="" id="sql-server"></a>**SQL Server**
Lists the database server name for the SQL Server database server that contains your ACT database.
Click **Browse** to search for available database servers. A **Select Server** dialog box appears from which you can select the database server that contains your ACT database.
<a href="" id="database"></a>**Database**
Lists the database name of your ACT database.
<a href="" id="change"></a>**Change**
Opens the user interface where you can create, open, or migrate an ACT database.
<a href="" id="this-computer-is-configured-as-a-log-processing-service"></a>**This computer is configured as a Log Processing Service**
If selected, indicates that this computer is used for the ACT Log Processing Service. Clear this check box to use a different computer to process the logs.
If there is no designated ACT Log Processing Service, log processing defaults to the local computer.
<a href="" id="log-processing-service-account"></a>**Log Processing Service Account**
Specifies the account information, including the account type and account credentials, to be used to start the ACT Log Processing Service.
The account must have read and write access to the ACT database. For information about setting up database permissions for the ACT Log Processing Service, see [Troubleshooting ACT Database Issues](troubleshooting-act-database-issues.md).
<a href="" id="log-share"></a>**Log Share**
Specifies the absolute path to the ACT Log Processing Service share where log files are processed. Click **Browse** to search for a location. The **Share as** box automatically updates to show the directory name.
For information about ensuring that all computers can access the share, see [Troubleshooting the ACT Log Processing Service](troubleshooting-the-act-log-processing-service.md).
## Related topics
[Settings Dialog Box - Preferences Tab](act-settings-dialog-box-preferences-tab.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---

View File

@ -13,77 +13,37 @@ author: TrudyHa
**Applies to**
- Windows 10, version 1607
We've replaced the majority of functionality included in the Application Compatibility Toolkit (ACT) with Upgrade Analytics, a solution in the Microsoft Operations Management Suite. Upgrade Analytics gives enterprises the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released.
Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsofts experience upgrading millions of devices to Windows 10.
With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
Use Upgrade Analytics to get:
- A visual workflow that guides you from pilot to production
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
- Detailed computer and application inventory
The Microsoft® Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.
- Powerful computer level search and drill-downs
By using ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before you deploy a version of Windows to your organization.
- Guidance and insights into application and driver compatibility issues, with suggested fixes
ACT is available in the [Windows Assessment and Deployment Kit (ADK) for Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=526740).
- Data driven application rationalization tools
- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
- Data export to commonly used software deployment tools, including System Center Configuration Manager
The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. For more information about Upgrade Analytics, see [Manage Windows upgrades with Upgrade Analytics](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics)
At the same time, we've kept the Standard User Analyzer tool, which helps you test your apps and to monitor API calls for potential compatibility issues, and the Compatiblility Administrator, which helps you to resolve potential compatibility issues.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Welcome to ACT](welcome-to-act.md)</p></td>
<td align="left"><p>The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system. With ACT, you can obtain compatibility information from Microsoft and software vendors, identify compatibility issues within your own organization, and share compatibility ratings with other ACT users. The tools in ACT help you analyze and mitigate compatibility issues before deploying a version of Windows to your organization.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Configuring ACT](configuring-act.md)</p></td>
<td align="left"><p>This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Using ACT](using-act.md)</p></td>
<td align="left"><p>This section describes how to use the Application Compatibility Toolkit (ACT) in your organization.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Troubleshooting ACT](troubleshooting-act.md)</p></td>
<td align="left"><p>This section provides troubleshooting information for the Application Compatibility Toolkit (ACT).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[ACT User Interface Reference](act-user-interface-reference.md)</p></td>
<td align="left"><p>This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[ACT Product and Documentation Resources](act-product-and-documentation-resources.md)</p></td>
<td align="left"><p>The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[ACT Glossary](act-glossary.md)</p></td>
<td align="left"><p>The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)</p></td>
<td align="left"><p>You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.</p></td>
</tr>
</tbody>
</table>
 
 
 
|Topic |Description |
|------|------------|
|[Standard User Analyzer (SUA) User's Guide](sua-users-guide.md) |The Standard User Analyzer (SUA) helps you test your applications and monitor API calls to detect compatibility issues related to the User Account Control (UAC) feature in Windows. |
|[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) |The Compatibility Administrator tool helps you resolve potential application-compatibility issues before deploying a new version of Windows to your organization. |
|[Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) |You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions. |
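
Review bot: The added sentence "With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis" does not say which telemetry setting is required or point to a description of what is collected, which is the first thing a security or privacy reviewer will ask before enabling it across a fleet. Link that sentence to wherever the requirements and the collected data are documented. Also in the added text: "Microsofts experience" is missing its apostrophe, "Compatiblility Administrator" is misspelled, and the sentence ending in the Upgrade Analytics link has no closing period.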

View File

@ -1,233 +1,5 @@
---
title: Toolbar Icons in ACM (Windows 10)
description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).
ms.assetid: 44872da1-c7ad-41b9-8323-d3c3f49b2706
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# Toolbar Icons in ACM
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM).
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left"><strong>Icon</strong></th>
<th align="left"><strong>Description</strong></th>
<th align="left"><strong>Location</strong></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-home.gif" alt="ACT home icon" /></td>
<td align="left"><p>Opens the <strong>Application Compatibility Manager Overview</strong> screen.</p></td>
<td align="left"><ul>
<li><p><strong>Collect</strong> toolbar</p></li>
<li><p><strong>Analyze</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-createnewdcp.gif" alt="ACT Create new DCP" /></td>
<td align="left"><p>Opens the <strong>New Data Collection Package</strong> dialog box.</p>
<p>For more information, see [Creating a Runtime-Analysis Package](creating-a-runtime-analysis-package.md).</p></td>
<td align="left"><ul>
<li><p><strong>Collect</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-exportdcp.gif" alt="ACT export DCP" /></td>
<td align="left"><p>Exports your data-collection package settings.</p>
<p>For more information, see [Exporting a Data-Collection Package](exporting-a-data-collection-package.md).</p></td>
<td align="left"><ul>
<li><p><strong>Collect</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-delete.gif" alt="ACT delete icon" /></td>
<td align="left"><p>Deletes a data-collection package that has not yet run on your client computers.</p>
<p>For more information, see [Deleting a Data-Collection Package](deleting-a-data-collection-package.md).</p></td>
<td align="left"><ul>
<li><p><strong>Collect</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-open.gif" alt="ACT open icon" /></td>
<td align="left"><p>Imports an existing compatibility report.</p>
<p>For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-savereport.gif" alt="ACT save report" /></td>
<td align="left"><p>Saves a compatibility report, including your preferences and settings.</p>
<p>For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-exportreportdata.gif" alt="ACT export report data" /></td>
<td align="left"><p>Exports your report data to a Microsoft® Excel® spreadsheet (.xls) file.</p>
<p>For more information, see [Saving, Opening, and Exporting Reports](saving-opening-and-exporting-reports.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-sendandreceive.gif" alt="ACT send and receive" /></td>
<td align="left"><p>Synchronizes your compatibility data with the Microsoft Compatibility Exchange.</p>
<p>For more information, see [Sending and Receiving Compatibility Data](sending-and-receiving-compatibility-data.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-filterdata.gif" alt="ACT filter data" /></td>
<td align="left"><p>Turns the query builder on or off.</p>
<p>For more information, see [Filtering Your Compatibility Data](filtering-your-compatibility-data.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-riskassessment.gif" alt="ACT Risk Assessment" /></td>
<td align="left"><p>Opens the <strong>Set Assessment</strong> dialog box.</p>
<p>For more information, see [Selecting Your Compatibility Rating](selecting-your-compatibility-rating.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-deploymentstatus.gif" alt="ACT deployment status" /></td>
<td align="left"><p>Opens the <strong>Set Deployment Status</strong> dialog box.</p>
<p>For more information, see [Selecting Your Deployment Status](selecting-your-deployment-status.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-categorize.gif" alt="ACT categorize icon" /></td>
<td align="left"><p>Opens the <strong>Assign Categories</strong> dialog box.</p>
<p>For more information, see [Categorizing Your Compatibility Data](categorizing-your-compatibility-data.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-prioritize.gif" alt="ACT prioritize icon" /></td>
<td align="left"><p>Opens the <strong>Assign Priorities</strong> dialog box.</p>
<p>For more information, see [Prioritizing Your Compatibility Data](prioritizing-your-compatibility-data.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-sendandreceiveicon.gif" alt="ACT send and receive icon" /></td>
<td align="left"><p>Opens the <strong>Send and Receive Status</strong> dialog box.</p>
<p>For more information, see [Selecting the Send and Receive Status for an Application](selecting-the-send-and-receive-status-for-an-application.md).</p></td>
<td align="left"><ul>
<li><p><strong>Analyze</strong> toolbar</p></li>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-addissue.gif" alt="ACT Add issue icon" /></td>
<td align="left"><p>Opens the <strong>Add Issue</strong> dialog box.</p>
<p>For more information, see [Adding or Editing an Issue](adding-or-editing-an-issue.md).</p></td>
<td align="left"><ul>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-addsolution.gif" alt="ACT add solution" /></td>
<td align="left"><p>Opens the <strong>Add Solution</strong> dialog box.</p>
<p>For more information, see [Adding or Editing a Solution](adding-or-editing-a-solution.md).</p></td>
<td align="left"><ul>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-save.gif" alt="ACT Save icon" /></td>
<td align="left"><p>Saves a compatibility issue.</p></td>
<td align="left"><ul>
<li><p><strong>Add Issue</strong> dialog box</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-reactivate-resolved-issue.gif" alt="ACT Reactivate resolved issue icon" /></td>
<td align="left"><p>Reactivates a resolved compatibility issue.</p>
<p>For more information, see [Resolving an Issue](resolving-an-issue.md).</p></td>
<td align="left"><ul>
<li><p><strong>Add Issue</strong> dialog box</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-refresh.gif" alt="ACT refresh icon" /></td>
<td align="left"><p>Refreshes the screen. If you are using the query builder, updates the screen with the query results.</p></td>
<td align="left"><ul>
<li><p><strong>Collect</strong> toolbar</p></li>
<li><p><strong>Analyze</strong> toolbar</p></li>
<li><p><strong>Data Collection Package - Status</strong> toolbar</p></li>
<li><p><strong>Report Details</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><img src="images/dep-win8-e-act-moveupanddown.gif" alt="ACT move up and down icons" /></td>
<td align="left"><p>Enables you to scroll up and down the screen or dialog box information, showing the related details.</p>
<p>This button may not be available for all issues or information.</p></td>
<td align="left"><ul>
<li><p><strong>Report Details</strong> toolbar</p></li>
<li><p><strong>Add Issue</strong> dialog box</p></li>
<li><p><strong>New Data Collection Package</strong> dialog box</p></li>
<li><p><strong>Data Collection Package - Status</strong> toolbar</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><img src="images/dep-win8-e-act-help.gif" alt="ACT help icon" /></td>
<td align="left"><p>Opens the online Help system.</p></td>
<td align="left"><ul>
<li><p>All screens</p></li>
</ul></td>
</tr>
</tbody>
</table>
 
## Related topics
[Ratings Icons in ACM](ratings-icons-in-acm.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
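Review bot: The `description:` value near the top of this hunk still reads "The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM)", but the table it describes is gone and the file now ends in `redirect_url:`. Assuming `title:` and `description:` are the lines retained in the five-line stub, drop the description or reword it to say the topic has moved. The redirect lands on the general Upgrade Analytics page, which is not an ACM toolbar reference, so check that `ratings-icons-in-acm.md` (listed under Related topics here) and any TOC entry no longer link to this file. Also check that the `images/dep-win8-e-act-*.gif` files referenced only by the removed table are cleaned up in the same change.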

View File

@ -1,60 +1,5 @@
---
title: ACT Tools, Packages, and Services (Windows 10)
description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK.
ms.assetid: f5a16548-7d7b-4be9-835e-c06158dd0b89
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: appcompat
ms.sitesec: library
author: TrudyHa
---
# ACT Tools, Packages, and Services
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
The Application Compatibility Toolkit is included with the Windows ADK. [Download the Windows ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740)
ACT includes the following:
- **Application Compatibility Manager (ACM):** A tool that you can use to create your data-collection packages and analyze the collected inventory and compatibility data.
- **Inventory-collector package:** A data-collection package that can be deployed to computers to gather inventory data that will be uploaded to the ACT database.
- **Runtime-analysis package:** A data-collection package that can be deployed to computers in a test environment for compatibility testing on the new operating system.
- **ACT Log Processing Service (LPS):** A service that is used to process the ACT log files uploaded from the computers where your data-collection packages have been installed. The service adds the information to your ACT database.
- **ACT LPS share:** A file share that is accessed by the ACT LPS, to store the log files that will be processed and added to the ACT database.
- **ACT database:** A Microsoft® SQL Server database that stores the collected inventory and compatibility data. You can use ACM to view the information stored in the ACT database.
- **Microsoft Compatibility Exchange:** A web service that propagates application-compatibility issues.
## Related topics
[ACT Deployment Options](act-deployment-options.md)
[ACT Database Configuration](act-database-configuration.md)
[ACT Database Migration](act-database-migration.md)
[ACT LPS Share Permissions](act-lps-share-permissions.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
---
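Review bot: The `redirect_url:` at the end of this hunk is the same general Upgrade Analytics landing page used for the toolbar-icons topic, yet the removed list was where this file defined the ACT Log Processing Service, the ACT LPS share and the ACT database, and the removed Related topics linked to `act-lps-share-permissions.md`. Anyone still operating an ACT deployment loses the pointer to the share-permission guidance. Confirm that the four Related topics files (`act-deployment-options.md`, `act-database-configuration.md`, `act-database-migration.md`, `act-lps-share-permissions.md`) are either redirected or kept deliberately, so no links dangle. If `description:` is one of the lines retained in the stub, its "Download the Windows ADK." text no longer matches a redirect and should be updated.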

Some files were not shown because too many files have changed in this diff