diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 65193cad8d..3b66180dfe 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: high -ms.date: 09/13/2017 #Previsou release date +ms.date: 4/5/2018 #Previsou release date 09/13/2017 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge @@ -34,8 +34,9 @@ Microsoft Edge works with these Group Policy settings (`Computer Configuration\A ## Allow Address bar drop-down list suggestions >*Supporteded versions: Windows 10, version 1703 or later* +The Address bar drop-down list, when enabled, allows the Address bar drop-down functionality in Microsoft Edge. By default, this policy is enabled. If disabled, you do not see the address bar drop-down functionality and disables the user-defined policy "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this policy takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) policy. -This policy settings specifies whether to allow the address bar drop-down functionality in Microsoft Edge. By default, this setting is enabled. We recommend that you disable this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. If disabled, you do not see the address bar drop-down functionality and also disables the user-defined settting "Show search and site suggestions as I type." Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the [Configure search suggestions in Address bar](https://review.docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies?branch=pashort_edge-backlog_vsts15846461#configure-search-suggestions-in-address-bar) or [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) setting. +If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend that you disable this policy. **Microsoft Intune to manage your MDM settings** | | | @@ -44,31 +45,30 @@ This policy settings specifies whether to allow the address bar drop-down functi |Supported devices |Desktop | |URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Allow Adobe Flash >*Supporteded version: Windows 10* - -This policy setting specifies whether Adobe Flash can run in Microsoft Edge. By default, this setting is enabled or not configured, which allows you to use Adobe Flash. +Adobe Flash is integrated with Microsoft Edge and is updated via Windows Update. By default, this policy is enabled or not configured allowing you to use Adobe Flash Player in Microsoft Edge. **Microsoft Intune to manage your MDM settings** | | | |---|---| |MDM name |[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | |Supported devices |Desktop | -|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill | +|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Allow clearing browsing data on exit >*Supporteded versions: Windows 10, version 1703* +Your browsing data is the information that Microsoft Edge remembers and stores as you browse websites. Browsing data includes information you entered into forms, passwords, and the websites you visited. By default, this policy is disabled or not configured, the browsing data is not cleared when exiting. When this policy is disabled or not configured, you can turn on and configure the Clear browsing data option under Settings. -This policy setting specifies whether to clear browsing data on exiting Microsoft Edge. By default, this setting is disabled or not configured, which means you can turn on and configure Clear browsing data option under Settings. If enabled, browsing history on exit is turned on. -**Microsoft Intune to manage your MDM settings** +**Microsoft Intune to manage your MDM settings** | | | |---|---| |MDM name |[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | @@ -80,7 +80,7 @@ This policy setting specifies whether to clear browsing data on exiting Microsof ## Allow configuration updates for the Books Library >*Supporteded versions: Windows 10* -This policy setting specifies whether Microsoft Edge can automatically update the configuration data for the Books Library. By default, this setting is enabled, which means Microsoft Edge retrieves configuration data for the Books Library. If disabled, Microsoft Edge does not retrieve configuration data. +Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data. **Microsoft Intune to manage your MDM settings** | | | @@ -95,7 +95,7 @@ This policy setting specifies whether Microsoft Edge can automatically update th ## Allow Cortana >*Supported versions: Windows 10, version 1607 or later* -This policy setting specifies whether Cortana is allowed on the device. By default, this setting is enabled (allowed), which allows you to use Cortana on your devices. If disabled (not allowed), Cortana is not available for use, but you can use search to find items on your device. +Cortana is integrated with Microsoft Edge, and when enabled, Cortana allows you use the voice assistant on your device. If disabled, Cortana is not available for use, but you can search to find items on your device. **Microsoft Intune to manage your MDM settings** | | | @@ -103,14 +103,14 @@ This policy setting specifies whether Cortana is allowed on the device. By defau |MDM name |[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | |Supported devices |Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowCortana | -|Location |Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana | +|Location |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortana | |Data type | Integer | |Allowed values | | ## Allow Developer Tools >*Supporteded versions: Windows 10, version 1511 or later* -This policy setting specifies whether you can use the F12 Developer Tools on Microsoft Edge. By default, this setting is enabled making the F12 Developer Tools availabe to use. If disabled, the F12 Developer Tools are not available. +F12 developer tools is a suite of tools to help you build and debug your webpage. By default, this policy is enabled making the F12 Developer Tools availabe to use. **Microsoft Intune to manage your MDM settings** | | | @@ -119,12 +119,12 @@ This policy setting specifies whether you can use the F12 Developer Tools on Mic |Supported devices |Desktop | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Allow extended telemetry for the Books tab >*Supporteded versions: Windows 10* -This policy setting allows you to specify how much data to send to Microsoft about the books you are reading from the Books tab in Microsoft Edge. By default, this setting is disabled or not configured, which means Microsoft Edge only sends basic diagnostic data, depending on your device configuration. If enabled, Microsoft Edge sends additional diagnostic data in addition to the basic diagnostic data, from the Books tab. +If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft. **Microsoft Intune to manage your MDM settings** | | | @@ -133,12 +133,12 @@ This policy setting allows you to specify how much data to send to Microsoft abo |Supported devices |Desktop
Mobile | |URI full path | ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Allow Extensions >*Supporteded versions: Windows 10, version 1607 or later* -This policy setting specifies whether you can use Edge Extensions. By default, this setting is enabled allowing you to use extensions. If disabled, you cannot use extensions. +If you enable this policy, you can personalize and add new features to Microsoft Edge with extensions. By default, this policy is enabled. If you want to prevent others from installing unwanted extensions, disable this policy. **Microsoft Intune to manage your MDM settings** | | | @@ -147,12 +147,12 @@ This policy setting specifies whether you can use Edge Extensions. By default, |Supported devices |Desktop | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowExtensions | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Allow InPrivate browsing >*Supporteded versions: Windows 10, version 1511 or later* -This policy setting specifies whether InPrivate browsing is allowed on corporate networks. By default, this setting is enabled allowing you to use InPrivate website browsing. If disabled, you cannot use InPrivate website browsing. +InPrivate browsing, when enabled, prevents your browsing data is not saved on your device. Microsoft Edge deletes temporary data from your device after all your InPrivate tabs are closed. **Microsoft Intune to manage your MDM settings** | | | @@ -161,12 +161,13 @@ This policy setting specifies whether InPrivate browsing is allowed on corporate |Supported devices |Desktop
Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Allow Microsoft Compatibility List >*Supporteded versions: Windows 10, version 1703 or later* -This policy setting specifies whether to use the Microsoft compatibility list in Microsoft Edge. The list helps websites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and used during browser navigation. The list can be viewed by visiting "about:compat". By default, this setting is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used. +Microsoft Edge uses the compatibility list that helps websites with known compatibility issues display properly. When enabled, Microsoft Edge checks the list to determine if the website has compatibility issues during browser navigation. By default, this policy is enabled allowing periodic downloads and installation of updates. Visiting any site on the Microsoft compatibility list prompts the employee to use Internet Explorer 11, where the site renders as though it is in whatever version of IE is necessary for it to appear properly. If disabled, the compatibility list is not used. + **Microsoft Intune to manage your MDM settings** | | | @@ -175,7 +176,7 @@ This policy setting specifies whether to use the Microsoft compatibility list in |Supported devices |Desktop
Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList | |Data type | Integer | -|Allowed values | | +|Allowed values | | ## Allow search engine customization >*Supported versions: Windows 10, version 1703 or later* @@ -273,6 +274,7 @@ This policy setting specifies whether Do Not Track requests to websites is allow |Data type | Integer | |Allowed values | | + + ## Configure Password Manager >*Supported versions: Windows 10* @@ -498,9 +508,15 @@ This policy setting specifies whether you can add, import, sort, or edit the Fav >[!Important] >Don't enable both this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops you from syncing their favorites between Internet Explorer and Microsoft Edge. - + +**Microsoft Intune to manage your MDM settings** +| | | +|---|---| +|MDM name |[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | +|Supported devices |Desktop
Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites | +|Data type | Integer | +|Allowed values | | ## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start >*Supported versions: Windows 10, version 1703 or later* diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 238158def7..dfed286bc9 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -25,17 +25,7 @@ Surface Hub has been validated with Microsoft’s first-party MDM providers: You can also manage Surface Hubs using any third-party MDM provider that can communicate with Windows 10 using the MDM protocol. ## Enroll a Surface Hub into MDM -You can enroll your Surface Hubs using bulk or manual enrollment. - -> [!NOTE] -> You can join your Surface Hub to Azure Active Directory (Azure AD) to manage admin groups on the device. However, Surface Hub does not currently support automatic enrollment to Microsoft Intune through Azure AD join. If your organization automatically enrolls Azure AD-joined devices into Intune, you must disable this policy for Surface Hub before joining the device to Azure AD. -> -> **To enable automatic enrollment for Microsoft Intune** -> 1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory. -> 2. Click the **Applications** tab, then click **Microsoft Intune**. -> 3. Under **Manage devices for these users**, click **Groups**. -> 4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. **Do not include accounts that are used to enroll Surface Hubs into Intune.** -> 5. Click the checkmark button, then click **Save**. +You can enroll your Surface Hubs using bulk, manual, or automatic enrollment. ### Bulk enrollment **To configure bulk enrollment** @@ -51,6 +41,20 @@ You can enroll your Surface Hubs using bulk or manual enrollment. 4. Under **Device management**, select **+ Device management**. 5. Follow the instructions in the dialog to connect to your MDM provider. +### Automatic enrollment via Azure Active Directory join + +Surface Hub now supports the ability to automatically enroll in Intune by joining the device to Azure Active Directory. + +**To enable automatic enrollment for Microsoft Intune** +1. In the [Azure classic portal](https://manage.windowsazure.com/), navigate to the **Active Directory** node and select your directory. +2. Click the **Applications** tab, then click **Microsoft Intune**. +3. Under **Manage devices for these users**, click **Groups**. +4. Click **Select Groups**, then select the groups of users you want to automatically enroll into Intune. +5. Click the checkmark button, then click **Save**. + +For more information, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment). + + ## Manage Surface Hub settings with MDM You can use MDM to manage some [Surface Hub CSP settings](#supported-surface-hub-csp-settings), and some [Windows 10 settings](#supported-windows-10-settings). Depending on the MDM provider that you use, you may set these settings using a built-in user interface, or by deploying custom SyncML. Microsoft Intune and System Center Configuration Manager provide built-in experiences to help create policy templates for Surface Hub. Refer to documentation from your MDM provider to learn how to create and deploy SyncML. diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index c4c3cbd233..8164b32aca 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -9,7 +9,7 @@ ms.pagetype: edu ms.localizationpriority: high author: CelesteDG ms.author: celested -ms.date: 03/12/2018 +ms.date: 04/04/2018 --- # Technical reference for the Set up School PCs app @@ -290,7 +290,8 @@ The Set up School PCs app produces a specialized provisioning package that makes

Accounts: Block Microsoft accounts

**Note** Microsoft accounts can still be used in apps.

Enabled

Interactive logon: Do not display last user name

Enabled

-

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

+

Interactive logon: Sign-in last interactive user automatically after a system-initiated restart

Disabled

+

User Account Control: Behavior of the elevation prompt for standard users

Auto deny

diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md index 79fac92aba..b5cd982105 100644 --- a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md +++ b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md @@ -286,6 +286,10 @@ The following table lists the installation prerequisites for the MBAM Administra +

ASP.NET MVC 4.0

+

[ASP.NET MVC 4 download](https://go.microsoft.com/fwlink/?LinkId=392271)

+ +

Service Principal Name (SPN)

The web applications require an SPN for the virtual host name under the domain account that you use for the web application pools.

If your administrative rights permit you to create SPNs in Active Directory Domain Services, MBAM creates the SPN for you. See [Setspn](http://technet.microsoft.com/library/cc731241.aspx) for information about the rights required to create SPNs.

diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index 6554f182c6..583d9b17cd 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 04/03/2018 +ms.date: 04/06/2018 --- # Policy CSP - KioskBrowser @@ -14,7 +14,8 @@ ms.date: 04/03/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -These policies only apply to kiosk browser. +These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user’s browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/en-us/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). +
@@ -85,7 +86,7 @@ These policies only apply to kiosk browser. Added in Windows 10, version 1803. List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -132,7 +133,7 @@ Added in Windows 10, version 1803. List of exceptions to the blocked website URL Added in Windows 10, version 1803. List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -179,7 +180,7 @@ Added in Windows 10, version 1803. List of blocked website URLs (with wildcard s Added in Windows 10, version 1803. Configures the default URL kiosk browsers to navigate on launch and restart. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -226,7 +227,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -273,7 +274,7 @@ Added in Windows 10, version 1803. Enable/disable kiosk browser's home button. Added in Windows 10, version 1803. Enable/disable kiosk browser's navigation buttons (forward/back). > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. @@ -322,7 +323,7 @@ Added in Windows 10, version 1803. Amount of time in minutes the session is idle The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. > [!Note] -> This policy only applies to kiosk browser. +> This policy only applies to the Kiosk Browser app in Microsoft Store. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 94f70ce62d..81fe4b5d61 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -230,6 +230,7 @@ ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) +### [Determine the source of Windows updates](update/windows-update-sources.md) ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) #### [Introduction to the Windows Insider Program for Business](update/WIP4Biz-intro.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index a9805be280..0cd39373d7 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -1,16 +1,16 @@ --- -title: Update Windows 10 in the enterprise (Windows 10) +title: Update Windows 10 in enterprise deployments (Windows 10) description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows 10. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: Jaimeo ms.localizationpriority: high -ms.author: daniha -ms.date: 11/17/2017 +ms.author: jaimeo +ms.date: 04/06/2018 --- -# Update Windows 10 in the enterprise +# Update Windows 10 in enterprise deployments **Applies to** diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md new file mode 100644 index 0000000000..2fd8f9c79a --- /dev/null +++ b/windows/deployment/update/windows-update-sources.md @@ -0,0 +1,37 @@ +--- +title: Determine the source of Windows updates +description: Determine the source that Windows Update service is currently using. +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: high +ms.author: jaimeo +ms.date: 04/05/2018 +--- + +# Determine the source of Windows updates + +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:  + +1. Start Windows PowerShell as an administrator +2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. +3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table: + +| Output | Interpretation | +|-----------------------------------------------------|-----------------------------------| +| - Name: **Microsoft Update**
-OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)| +|- Name: **DCat Flighting Prod**
- OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.
- Indicates that the client will not receive or is not configured to receive these updates. | +| - Name: **Windows Store (DCat Prod)**
- OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: **Windows Server Update Service**
- OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS.| +|- Name: **Windows Update**
- OffersWindowsUpdates: **True** |- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.| + + + +See also: + +[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760) + +[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) + +[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md index 2d66a5c847..3cdfa39794 100644 --- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md @@ -799,7 +799,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications: - ` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt ` + ` New-CIPolicy -Level FilePublisher -FilePath $InitialCIPolicy –UserPEs -FallBack Hash 3> CIPolicyLog.txt ` > [!Note] @@ -841,7 +841,7 @@ When WDAC policies are run in audit mode, it allows administrators to discover a > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] @@ -889,7 +889,7 @@ Use the following procedure after you have been running a computer with a WDAC p 3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. - ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` + ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3 -FallBack Hash > CIPolicylog.txt` > [!Note] > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.