deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into maricia-11920594

Browse Source
This commit is contained in:
Maricia Alforque 2017-06-16 14:47:21 -07:00
commit 2f68821e9d
77 changed files with 2115 additions and 176 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
browsers/edge/docfx.json
View File

@ -19,7 +19,8 @@
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
"ms.topic": "article",
"ms.author": "lizross"
"ms.author": "lizross",
"ms.date": "04/05/2017"
},
"externalReference": [
],

3
browsers/internet-explorer/docfx.json
View File

@ -20,7 +20,8 @@
"ms.author": "lizross",
"author": "eross-msft",
"ms.technology": "internet-explorer",
"ms.topic": "article"
"ms.topic": "article",
"ms.date": "04/05/2017"
},
"externalReference": [
],

3
devices/hololens/docfx.json
View File

@ -33,7 +33,8 @@
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "jdecker"
"ms.author": "jdecker",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [

3
devices/surface-hub/docfx.json
View File

@ -22,7 +22,8 @@
"ms.mktglfcycl": "manage",
"author": "jdeckerms",
"ms.sitesec": "library",
"ms.author": "jdecker"
"ms.author": "jdecker",
"ms.date": "05/23/2017"
},
"externalReference": [
],

3
devices/surface/docfx.json
View File

@ -19,7 +19,8 @@
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "jdecker"
"ms.author": "jdecker",
"ms.date": "05/09/2017"
},
"externalReference": [
],

3
education/docfx.json
View File

@ -19,7 +19,8 @@
"ms.author": "celested",
"audience": "windows-education",
"ms.topic": "article",
"breadcrumb_path": "/education/breadcrumb/toc.json"
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017"
},
"externalReference": [
],

137
education/get-started/get-started-with-microsoft-education.md
View File

@ -1,7 +1,7 @@
---
title: Deploy and manage a full cloud IT solution with Microsoft Education
description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices.
keywords: education, Microsoft Education, Microsoft Education system, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Azure AD, Set up School PCs
keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -27,6 +27,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl
- **Office 365 for Education** provides online apps for work from anywhere and desktop apps for advanced functionality, built for working together and available across devices, and it's free for schools, teachers, and students
- **School Data Sync** to help automate the process for importing and integrating School Information System (SIS) data that you can use with Office 365
- **OneNote Class Notebook** to organize course content, create and deliver interactive lessons to some or all students, collaborate and provide private feedback to individual students, and connect with major LMS and SIS partners for assignment workflow
- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff
- **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
- **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
@ -43,6 +44,7 @@ Go to the <a href="https://www.microsoft.com/en-us/education" target="_blank">Mi
In this walkthrough, we'll show you the basics on how to:
- Acquire an Office 365 for Education tenant, if you don't already have one
- Import school, student, teacher, and class data using School Data Sync (SDS)
- Deploy Microsoft Teams to enable groups and teams in your school to communicate and collaborate
- Manage apps and settings deployment with Intune for Education
- Acquire additional apps in Microsoft Store for Education
- Use the Set up School PCs app to quickly set up and provision your Windows 10 education devices
@ -52,7 +54,7 @@ This diagram shows a high-level view of what we cover in this walkthrough. The n
**Figure 1** - Microsoft Education IT administrator workflow
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft-education-get-started-workflow.png)
![Deploy and manage a full cloud IT solution using Microsoft Education](images/microsoft_education_it_getstarted_workflow.png)
## Prerequisites
Complete these tasks before you start the walkthrough:
@ -116,7 +118,7 @@ Already have an Office 365 for Education verified tenant? Just sign in with your
![Intune for Education trial sign in page](images/i4e_trialsigninpage.png)
3. Enter your Office 365 global admin credentials to apply the Intune for Education trial to your tenant.
4. Skip ahead and follow the instructions in the walkthrough beginning with [3. Configure Microsoft Store for Education](#3-configure-microsoft-store-for-education).
4. Skip ahead and follow the instructions in the walkthrough beginning with [4. Configure Microsoft Store for Education](#4-configure-microsoft-store-for-education).
## 1. Set up a new Office 365 for Education tenant
@ -131,7 +133,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
![Create an Office 365 account](images/o365_createaccount.png)
3. Save your sign-in info so you can use it to sign into <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the sign-in page). Click **You're ready to go...**
3. Save your sign-in info so you can use it to sign in to <a href="https://portal.office.com" target="_blank">https://portal.office.com</a> (the sign-in page). Click **You're ready to go...**
4. In the **Verify eligibility for Microsoft Office 365 for Education** screen:
1. Add your domain name and follow the steps to confirm ownership of the domain.
2. Choose your DNS hosting provider to see step-by-step instructions on how to confirm that you own the domain.
@ -140,7 +142,7 @@ Don't have an Office 365 for Education verified tenant or just starting out? Fol
You may need to fill in other information to provide that you qualify for an education tenant. Provide and submit the info to Microsoft to continue verification for your tenant.
As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [6.3 Complete Office 365 for Education setup](#63-complete-office-365-education-setup) for info.
As part of setting up a basic cloud infrastructure, you don't need to complete the rest of the Office 365 for Education setup so we will skip the rest of setup for now and start importing school data. You can pick up where you left off with Office 365 for Education setup once you've completed the rest of the steps in the walkthrough. See [7.3 Complete Office 365 for Education setup](#73-complete-office-365-education-setup) for info.
## 2. Use School Data Sync to import student data
@ -240,7 +242,7 @@ The Classroom application is retired, but you will need to assign the Classroom
3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license.
6. In the **License Options** section, check the box to enable the Classroom Preview license for all synced students and teachers within the sync profile.
7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education.
8. Click **Next**.
@ -295,35 +297,68 @@ The Classroom application is retired, but you will need to assign the Classroom
That's it for importing sample school data using SDS.
## 3. Configure Microsoft Store for Education
## 3. Enable Microsoft Teams for your school
Microsoft Teams is a digital hub that brings conversations, content, and apps together in one place. Because it's built on Office 365, schools benefit from integration with their familiar Office apps and services. Your institution can use Microsoft Teams to create collaborative classrooms, connect in professional learning communities, and communicate with school staff all from a single experience in Office 365 for Education.
To get started, IT administrators need to use the Office 365 Admin Center to enable Microsoft Teams for your school.
**Enable Microsoft Teams for your school**
1. Sign in to <a href="https://portal.office.com" target="_blank">Office 365</a> with your work or school account.
2. Click **Admin** to go to the Office 365 admin center.
3. Go to **Settings > Services & add-ins**.
4. On the **Services & add-ins** page, select **Microsoft Teams**.
**Figure 14** - Select Microsoft Teams from the list of services & add-ins
![Enable Microsoft Teams for your school](images/o365_settings_services_msteams.png)
5. On the Microsoft Teams settings screen, select the license that you want to configure, **Student** or **Faculty and Staff**.
**Figure 15** - Select the license that you want to configure
![Select the Microsoft Teams license that you want to configure](images/o365_msteams_settings.png)
6. After you select the license type, set the toggle to turn on Microsoft Teams for your organization.
**Figure 16** - Turn on Microsoft Teams for your organization
![Turn on Microsoft Teams for your organization](images/o365_msteams_turnon.png)
7. Click **Save**.
You can find more info about how to control which users in your school can use Microsoft Teams, turn off group creation, configure tenant-level settings, and more by reading the *Guide for IT admins** getting started guide in the <a href="https://aka.ms/MeetTeamsEdu" target="_blank">Meet Microsoft Teams</a> page.
## 4. Configure Microsoft Store for Education
You'll need to configure Microsoft Store for Education to accept the services agreement and make sure your Microsoft Store account is associated with Intune for Education.
**Associate your Microsoft Store account with Intune for Education**
1. Sign into <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
1. Sign in to <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
2. Accept the Microsoft Store for Business and Education Services Agreement.
This will take you to the Microsoft Store for Education portal.
**Figure 14** - Microsoft Store for Education portal
**Figure 17** - Microsoft Store for Education portal
![Microsoft Store for Education portal](images/msfe_store_portal.png)
3. In the Microsoft Store portal, click **Manage** to go to the Microsoft Store **Overview** page.
4. Find the **Overview** page, find the **Store settings** tile and click **Management tools**.
**Figure 15** - Select management tools from the list of Store settings options
**Figure 18** - Select management tools from the list of Store settings options
![Select management tools from list of Store settings options](images/msfe_storesettings_select_managementtools.png)
4. In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune for Education ready for use with Microsoft Store for Education.
**Figure 16** - Activate Intune for Education as the management tool
**Figure 19** - Activate Intune for Education as the management tool
![Activate Intune for Education as the management tool](images/msfe_managementtools_activateintune.png)
Your Microsoft Store for Education account is now linked to Intune for Education so let's set that up next.
## 4. Use Intune for Education to manage groups, apps, and settings
## 5. Use Intune for Education to manage groups, apps, and settings
Intune for Education is a streamlined device management solution for educational institutions that can be used to quickly set up and manage Windows 10 devices for your school. It provides a new streamlined UI with the enterprise readiness and resiliency of the Intune service. You can learn more about Intune for Education by reading the <a href="https://docs.microsoft.com/intune-education" target="_blank">Intune for Education documentation</a>.
### Example - Set up Intune for Education, buy apps from the Store, and install the apps
@ -351,20 +386,20 @@ Intune for Education provides an **Express configuration** option so you can get
1. Log into the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>. You will see the Intune for Education dashboard once you're logged in.
**Figure 17** - Intune for Education dashboard
**Figure 20** - Intune for Education dashboard
![Intune for Education dashboard](images/i4e_portal.png)
2. On the dashboard, click **Launch Express Configuration**, or select the **Express configuration** option on the menu on the left.
3. In the **Welcome to Intune for Education** screen, click **Get started**.
**Figure 18** - Click Get started to set up Intune for Education
**Figure 21** - Click Get started to set up Intune for Education
![Click Get Started to configure groups, apps, and settings](images/i4e_expressconfiguration_welcome.png)
4. In the **Get school information (optional)** screen, it should indicate that SDS is already configured. Click **Next**.
**Figure 19** - SDS is configured
**Figure 22** - SDS is configured
![SDS is already configured](images/i4e_expressconfiguration_sdsconfigured.png)
@ -377,7 +412,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> At the top of the screen, did you notice the **Choose group** button change to a green check mark? This means we are done with that step. If you change your mind or need to make changes, simply click on the button to go back to that step. Try it!
>
> **Figure 20** - Click on the buttons to go back to that step
> **Figure 23** - Click on the buttons to go back to that step
>
> ![Click on the buttons to back to that step](images/i4e_expressconfiguration_choosebuttontogoback.png)
@ -390,7 +425,7 @@ Intune for Education provides an **Express configuration** option so you can get
> [!TIP]
> Web apps are pushed as links in the Windows Start menu under **All apps**. If you want apps to appear in Microsoft Edge browser tabs, use the **Homepages** setting for Microsoft Edge through **Express configuration** or **Manage Users and Devices**.
**Figure 21** - Choose the apps that you want to install for the group
**Figure 24** - Choose the apps that you want to install for the group
![Choose apps to install for the group](images/i4e_expressconfiguration_chooseapps_selected_cropped.png)
@ -400,7 +435,7 @@ Intune for Education provides an **Express configuration** option so you can get
8. In the **Choose settings** screen, we will set the settings to apply to the group. Click the reverse caret (downward-facing arrow) to expand the settings group and get more information about each setting in that settings group.
**Figure 22** - Expand the settings group to get more details
**Figure 25** - Expand the settings group to get more details
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png)
@ -408,20 +443,20 @@ Intune for Education provides an **Express configuration** option so you can get
- In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**.
**Figure 23** - Set some additional settings
**Figure 26** - Set some additional settings
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png)
10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
**Figure 24** - Review the group, apps, and settings you configured
**Figure 27** - Review the group, apps, and settings you configured
![Review the group, apps, and settings you configured](images/i4e_expressconfiguration_review.png)
11. Click **Save** to end express configuration.
12. You will see the **You're done!** screen which lets you choose one of two options.
**Figure 25** - All done with Intune for Education express configuration
**Figure 28** - All done with Intune for Education express configuration
![Done with Intune for Education express configuration](images/i4e_expressconfiguration_alldone.png)
@ -438,13 +473,13 @@ Intune for Education provides an **Express configuration** option so you can get
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click **Apps** from the menu on the left.
**Figure 26** - Click on **Apps** to see the list of apps for your tenant
**Figure 29** - Click on **Apps** to see the list of apps for your tenant
![Click Apps to see the list of apps for your tenant](images/i4e_dashboard_clickapps.png)
2. In the **Store apps** section, click **+ New app**. This will take you to the Microsoft Store for Education portal and you will already be signed in.
**Figure 27** - Select the option to add a new Store app
**Figure 30** - Select the option to add a new Store app
![Select the option to add a new Store app](images/i4e_apps_newstoreapp_selected.png)
@ -463,7 +498,7 @@ Intune for Education provides an **Express configuration** option so you can get
For example, if you bought Duolingo and Khan Academy, they will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
**Figure 28** - Apps inventory in Microsoft Store for Education
**Figure 31** - Apps inventory in Microsoft Store for Education
![Apps inventory in Store for Business](images/msfe_manageapps_inventory_grouped.png)
@ -478,40 +513,40 @@ Now that you've bought the apps, use Intune for Education to specify the group t
1. In the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>, click the **Groups** option from the menu on the left.
**Figure 29** - Groups page in Intune for Education
**Figure 32** - Groups page in Intune for Education
![Groups page in Intune for Education](images/i4e_groupspage.png)
2. In the **Groups** page, select **All Users** from the list of groups on the left, and then click **Users** in the taskbar at the top of the **All Users** page.
**Figure 30** - List of all users in the tenant
**Figure 33** - List of all users in the tenant
![List of all users in the tenant](images/i4e_groups_allusers_users_steps.png)
3. In the taskbar at the top, select **Apps** and then click **Edit apps** to see a list of available apps.
**Figure 31** - Edit apps to assign them to users
**Figure 34** - Edit apps to assign them to users
![Edit apps to assign them to users](images/i4e_groups_allusers_appspage_editapps.png)
4. Select the apps to deploy to the group. A blue checkmark will appear next to the apps you select.
**Figure 32** - Select the apps to deploy to the group
**Figure 35** - Select the apps to deploy to the group
![Select the apps to deploy to the group](images/i4e_groups_allusers_selectappstodeploy.png)
5. Once you're done, click **Save** at the bottom of the page to deploy the selected apps to the group.
6. You'll be notified that app assignments are being updated. The updated **All Users** groups page now include the apps you selected.
**Figure 33** - Updated list of assigned apps
**Figure 36** - Updated list of assigned apps
![Updated list of assigned apps](images/i4e_groups_allusers_updatedappslist.png)
You're now done assigning apps to all users in your tenant. It's time to set up your Windows 10 device(s) and check that your cloud infrastructure is correctly set up and your apps are being pushed to your devices from the cloud.
## 5. Set up Windows 10 devices
## 6. Set up Windows 10 devices
### 5.1 Set up devices using Set up School PCs or Windows OOBE
### 6.1 Set up devices using Set up School PCs or Windows OOBE
We recommend using the latest build of Windows 10, version 1703 on your education devices. To set up new Windows 10 devices and enroll them to your education tenant, choose from one of these options:
- **Option 1: [Use the Set up School PCs app](#usesetupschoolpcs)** - You can use the app to create a setup file that you can use to quickly set up one or more Windows 10 devices.
- **Option 2: [Go through Windows OOBE and join the device to Azure AD](#usewindowsoobandjoinaad)** - You can go through a typical Windows 10 device setup or first-run experience to configure your device.
@ -551,13 +586,13 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
1. If you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired or Ethernet connection.
2. Go through the Windows device setup experience. On a new or reset device, this starts with the **Let's start with region. Is this right?** screen.
**Figure 34** - Let's start with region
**Figure 37** - Let's start with region
![Let's start with region](images/win10_letsstartwithregion.png)
3. Continue with setup. In the **How would you like to set up?** screen, select **Set up for an organization**.
**Figure 35** - Select setup for an organization
**Figure 38** - Select setup for an organization
![Select setup for an organization](images/win10_setupforanorg.png)
@ -566,7 +601,7 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
6. Click **Accept** to go through the rest of device setup.
### 5.2 Verify correct device setup
### 6.2 Verify correct device setup
Verify that the device is set up correctly and boots without any issues.
**Verify that the device was set up correctly**
@ -576,11 +611,11 @@ Verify that the device is set up correctly and boots without any issues.
> [!NOTE]
> It may take some time before some apps are pushed down to your device from Intune for Education. Check again later if you don't see some of the apps you provisioned for the user.
**Figure 36** - Sample list of apps for a user
**Figure 39** - Sample list of apps for a user
![Apps list contains the apps provisioned for the user](images/win10_start_checkapps.png)
### 5.3 Verify the device is Azure AD joined
### 6.3 Verify the device is Azure AD joined
Let's now verify that the device is joined to your organization's Azure AD and shows up as being managed in Microsoft Intune for Education.
**Verify if the device is joined to Azure AD**
@ -588,7 +623,7 @@ Let's now verify that the device is joined to your organization's Azure AD and s
2. Select **Groups** and select **All Devices**.
3. In the **All Devices** page, see the list of devices and verify that the device you're signed into appears on the list.
**Figure 37** - List of all managed devices
**Figure 40** - List of all managed devices
![Verify that the device is managed in Intune for Education](images/i4e_groups_alldevices_listofaadjdevices.png)
@ -596,23 +631,23 @@ Let's now verify that the device is joined to your organization's Azure AD and s
5. Select **Accounts > Access work or school**.
6. In the **Access work or school** page, confirm that the device is connected to the organization's Azure AD.
**Figure 38** - Confirm that the Windows 10 device is joined to Azure AD
**Figure 41** - Confirm that the Windows 10 device is joined to Azure AD
![Confirm that the Windows 10 device is joined to Azure AD](images/win10_confirmaadj.png)
**That's it! You're done!** You've completed basic cloud setup, deployment, and management using Microsoft Education. You can continue follow the rest of the walkthrough to finish setup and complete other tasks.
## 6. Finish setup and other tasks
## 7. Finish setup and other tasks
### 6.1 Update group settings in Intune for Education
### 7.1 Update group settings in Intune for Education
If you need to make changes or updates to any of the apps or settings for the group(s), follow these steps.
1. Log in to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>.
2. Click **Groups** and then choose **Settings** in the taskbar at the top of the page.
3. You will see the same settings groups that you saw in express setup for Intune for Education as well as other settings categories such as **Windows Defender settings**, **Device sharing**, **Edition upgrade**, and so on.
**Figure 39** - See the list of available settings in Intune for Education
**Figure 42** - See the list of available settings in Intune for Education
![See the list of available settings in Intune for Education](images/i4e_groups_settingslist_full.png)
@ -622,7 +657,7 @@ If you need to make changes or updates to any of the apps or settings for the gr
5. Click **Save** or **Discard changes**.
### 6.2 Configure Azure settings
### 7.2 Configure Azure settings
After completing the basic setup for your cloud infrastructure and confirming that it is up and running, it's time to prepare for additional devices to be added and enable capabilities for the user to use.
#### Enable many devices to be added by a single person
@ -634,7 +669,7 @@ Follow the steps in this section to enable a single person to add many devices t
2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>.
3. Select **Azure Active Directory > Users and groups > Device settings**.
**Figure 40** - Device settings in the new Azure portal
**Figure 43** - Device settings in the new Azure portal
![Configure device settings in the new Azure portal](images/azure_newportal_usersandgroups_devicesettings.png)
@ -651,22 +686,22 @@ Follow the steps in this section to ensure that settings for the each user follo
3. Select **Azure Active Directory > Users and groups > Device settings**.
4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
**Figure 41** - Enable settings to roam with users
**Figure 44** - Enable settings to roam with users
![Enable settings to roam with users](images/azure_usersandgroups_devicesettings_ers.png)
5. Click **Save** to update device settings.
### 6.3 Complete Office 365 for Education setup
### 7.3 Complete Office 365 for Education setup
Now that your basic cloud infrastructure is up and running, it's time to complete the rest of the Office 365 for Education setup. You can find detailed information about completing Office 365 setup, services and applications, troubleshooting, and more by reading the <a href="https://support.office.com/en-US/Article/set-up-Office-365-for-business-6a3a29a0-e616-4713-99d1-15eda62d04fa#ID0EAAAABAAA=Education" target="_blank">Office 365 admin documentation</a>.
### 6.4 Add more users
### 7.4 Add more users
After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more users and you want the same policies to apply to these users. You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Intune for Education.
See <a href="https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc" target="_blank">Add users to Office 365</a> to learn more. Once you're done adding new users, go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a> and verify that the same users were added to the Intune for Education groups as well.
### 6.5 Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [5. Set up Windows 10 devices](#5-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
### 7.5 Connect other devices to your cloud infrastructure
Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [6. Set up Windows 10 devices](#6-set-up-windows-10-devices). For other devices, such as those personally-owned by teachers who need to connect to the school network to access work or school resources (BYOD), you can follow the steps in this section to get these devices connected.
> [!NOTE]
> These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
@ -679,7 +714,7 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
For example, if a teacher connects their personal device to the school network, they'll see the following screen after typing in their account information.
**Figure 42** - Device is now managed by Intune for Education
**Figure 45** - Device is now managed by Intune for Education
![Device is managed by Intune for Education](images/byob_aad_enrollment_intune.png)
@ -689,11 +724,11 @@ Adding a new device to your cloud-based tenant is easy. For new devices, you can
5. After the user's credentails are validated, the window will refresh and will now include an entry that shows the device is now connected to the organization's MDM. This means the device is now enrolled in Intune for Education MDM and the account should have access to the organization's resources.
**Figure 43** - Device is connected to organization's MDM
**Figure 46** - Device is connected to organization's MDM
![Device is connected to organization's MDM](images/win10_connectedtoorgmdm.png)
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [5.3 Verify the device is Azure AD joined](#53-verify-the-device-is-azure-ad-joined).
6. You can confirm that the new device and user are showing up as Intune for Education-managed by going to the Intune for Education management portal and following the steps in [6.3 Verify the device is Azure AD joined](#63-verify-the-device-is-azure-ad-joined).
It may take several minutes before the new device shows up so check again later.

BIN
education/get-started/images/microsoft_education_it_getstarted_workflow.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 454 KiB

BIN
education/get-started/images/o365_msteams_settings.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
education/get-started/images/o365_msteams_turnon.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
education/get-started/images/o365_settings_services_msteams.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

1
education/windows/change-history-edu.md
View File

@ -1,6 +1,7 @@
---
title: Change history for Windows 10 for Education (Windows 10)
description: New and changed topics in Windows 10 for Education
keywords: Windows 10 education documentation, change history
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library

2
education/windows/chromebook-migration-guide.md
View File

@ -2,7 +2,7 @@
title: Chromebook migration guide (Windows 10)
description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment.
ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA
keywords: migrate, automate, device
keywords: migrate, automate, device, Chromebook migration
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/configure-windows-for-education.md
View File

@ -1,7 +1,7 @@
---
title: Windows 10 configuration recommendations for education customers
description: Provides guidance on ways to configure the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school", "education", "configurations"]
keywords: Windows 10 deployment, recommendations, privacy settings, school, education, configurations
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high

2
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -1,7 +1,7 @@
---
title: Deploy Windows 10 in a school district (Windows 10)
description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices.
keywords: configure, tools, device, school
keywords: configure, tools, device, school district, deploy Windows 10
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu

2
education/windows/deploy-windows-10-in-a-school.md
View File

@ -1,7 +1,7 @@
---
title: Deploy Windows 10 in a school (Windows 10)
description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy.
keywords: configure, tools, device, school
keywords: configure, tools, device, school, deploy Windows 10
ms.prod: w10
ms.mktglfcycl: plan
ms.pagetype: edu

2
education/windows/edu-deployment-recommendations.md
View File

@ -1,7 +1,7 @@
---
title: Deployment recommendations for school IT administrators
description: Provides guidance on ways to customize the OS privacy settings, as well as some of the apps, for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
keywords: ["Windows 10 deployment", "recommendations", "privacy settings", "school"]
keywords: Windows 10 deployment, recommendations, privacy settings, school
ms.mktglfcycl: plan
ms.sitesec: library
localizationpriority: high

2
education/windows/education-scenarios-store-for-business.md
View File

@ -1,7 +1,7 @@
---
title: Education scenarios Microsoft Store for Education
description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools.
keywords: ["school", "store for business"]
keywords: school, Microsoft Store for Education, Microsoft education store
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/get-minecraft-for-education.md
View File

@ -1,7 +1,7 @@
---
title: Get Minecraft Education Edition
description: Learn how to get and distribute Minecraft Education Edition.
keywords: school, minecraft
keywords: school, Minecraft, education edition
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

BIN
education/windows/images/suspc_createpackage_recommendedapps_office061217.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 130 KiB

2
education/windows/school-get-minecraft.md
View File

@ -1,7 +1,7 @@
---
title: For IT administrators get Minecraft Education Edition
description: Learn how IT admins can get and distribute Minecraft in their schools.
keywords: ["school"]
keywords: Minecraft, Education Edition, IT admins, acquire
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/set-up-students-pcs-to-join-domain.md
View File

@ -1,7 +1,7 @@
---
title: Set up student PCs to join domain
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: school
keywords: school, student PC setup, Windows Configuration Designer
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/set-up-students-pcs-with-apps.md
View File

@ -1,7 +1,7 @@
---
title: Provision student PCs with apps
description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory.
keywords: ["shared cart", "shared PC", "school"]
keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-app-technical.md
View File

@ -1,7 +1,7 @@
---
title: Take a Test app technical reference
description: The policies and settings applied by the Take a Test app.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, policies
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-multiple-pcs.md
View File

@ -1,7 +1,7 @@
---
title: Set up Take a Test on multiple PCs
description: Learn how to set up and use the Take a Test app on multiple PCs.
keywords: ["take a test", "test taking", "school"]
keywords: take a test, test taking, school, set up on multiple PCs
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-a-test-single-pc.md
View File

@ -1,7 +1,7 @@
---
title: Set up Take a Test on a single PC
description: Learn how to set up and use the Take a Test app on a single PC.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, set up on single PC
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/take-tests-in-windows-10.md
View File

@ -1,7 +1,7 @@
---
title: Take tests in Windows 10
description: Learn how to set up and use the Take a Test app.
keywords: take a test, test taking, school
keywords: take a test, test taking, school, how to, use Take a Test
ms.prod: w10
ms.mktglfcycl: plan
ms.sitesec: library

2
education/windows/teacher-get-minecraft.md
View File

@ -1,7 +1,7 @@
---
title: For teachers get Minecraft Education Edition
description: Learn how teachers can get and distribute Minecraft.
keywords: ["school", "minecraft"]
keywords: school, Minecraft, Education Edition, educators, teachers, acquire, distribute
ms.prod: W10
ms.mktglfcycl: plan
ms.sitesec: library

12
education/windows/use-set-up-school-pcs-app.md
View File

@ -1,7 +1,7 @@
---
title: Use Set up School PCs app
description: Learn how the Set up School PCs app works and how to use it.
keywords: shared cart, shared PC, school, set up school pcs
keywords: shared cart, shared PC, school, Set up School PCs, overview, how to use
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -145,7 +145,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png)
5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page:
5. To assign a name to the student PCs, in the **Name these devices** page:
1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
> [!NOTE]
@ -191,13 +191,17 @@ The **Set up School PCs** app guides you through the configuration choices for t
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include Minecraft: Education Edition and several STEM and Makerspace apps.
8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include the following:
* **Office 365 for Windows 10 S (Education Preview)** - Your student PCs must be running Windows 10 S to install this app. If you try to install this app on other editions of Windows, setup will fail.
* **Minecraft: Education Edition** - Free trial
* Popular **STEM and Makerspace apps**
1. Select the apps that you would like to provision and then click **Next** when you're done.
2. Click **Skip** if you don't want to provision any apps.
**Figure 6** - Select from a set of recommended Microsoft Store apps
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps.png)
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps_office061217.png)
The set of recommended Microsoft Store for Education apps may vary from what we show here.

3
mdop/docfx.json
View File

@ -20,7 +20,8 @@
"ms.technology": "mdop",
"ms.sitesec": "library",
"ms.topic": "article",
"ms.author": "jamiet"
"ms.author": "jamiet",
"ms.date": "04/05/2017"
},
"externalReference": [
],

1
store-for-business/TOC.md
View File

@ -27,4 +27,5 @@
### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-windows-store-for-business-account-settings.md)
### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md)
## [Troubleshoot Microsoft Store for Business](troubleshoot-windows-store-for-business.md)
## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)

3
store-for-business/docfx.json
View File

@ -35,7 +35,8 @@
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"ms.author": "trudyha",
"ms.technology": "windows",
"ms.topic": "article"
"ms.topic": "article",
"ms.date": "05/09/2017"
},
"fileMetadata": {},
"template": [],

1
store-for-business/education/TOC.md
View File

@ -32,4 +32,5 @@
### [Update Microsoft Store for Business and Microsoft Store for Education account settings](/microsoft-store/update-windows-store-for-business-account-settings?toc=/microsoft-store/education/toc.json)
### [Manage user accounts in Microsoft Store for Business and Education](/microsoft-store/manage-users-and-groups-windows-store-for-business?toc=/microsoft-store/education/toc.json)
## [Troubleshoot Microsoft Store for Business](/microsoft-store/troubleshoot-windows-store-for-business?toc=/microsoft-store/education/toc.json)
## [Notifications in Microsoft Store for Business and Education](/microsoft-store/notifications-microsoft-store-business?toc=/microsoft-store/education/toc.json)

33
store-for-business/notifications-microsoft-store-business.md Normal file
View File

@ -0,0 +1,33 @@
---
title: Notifications in Microsoft Store for Business and Education (Windows 10)
description: Notifications alert you to issues or outages with Micrososft Store for Business and Education.
keywords: notifications, alerts
ms.assetid:
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
localizationpriority: high
---
# Notifications in Microsoft Store for Business and Education
**Applies to**
- Windows 10
- Windows 10 Mobile
Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store.
## Notifications for admins
| Store area | Notification message | Customer impact |
| ---------- | -------------------- | --------------- |
| General | Were on it. Something happened on our end with the Store. Waiting a bit might help. | You might be unable to sign in. There might be an intermittent Azure AD outage. |
| Manage | Were on it. Something happened on our end with management for apps and software. Were working to fix the problem. | You might be unable to manage inventory, including viewing inventory, distributing apps, assigning licenses, or viewing and managing order history. |
| Shop | Were on it. Something happened on our end with purchasing. Were working to fix the problem. | Shop might not be available. You might not be able to purchase new, or additional licenses. |
| Private store | Were on it. Something happened on our end with your organizations private store. People in your organization cant download apps right now. Were working to fix the problem. | People in your organization might not be able to view the private store, or get apps. |
| Acquistion and licensing | Were on it. People in your org might not be able to install or use certain apps. Were working to fix the problem. | People in your org might not be able to claim a license from your private store. |
| Partner | Were on it. Something happened on our end with Find a Partner. Were working to fix the problem. | You might not be able to search for a partner. |

6
store-for-business/windows-store-for-business-overview.md
View File

@ -472,7 +472,7 @@ Microsoft Store for Business and Education is currently available in these marke
<li>United Kingdom</li>
<li>United States</li>
<li>Uruguay</li>
<li>Viet Nam</li>
<li>Vietnam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
@ -488,7 +488,11 @@ Customers in these markets can use Microsoft Store for Business and Education to
### Support for free apps and Minecraft: Education Edition
Customers in these markets can use Microsoft Store for Business and Education to acquire free apps and Minecraft: Education Edition:
- Albania
- Bosnia
- Brazil
- Georgia
- Korea
- Taiwan
- Ukraine

5
windows/access-protection/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "justinha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

5
windows/application-management/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "elizapo",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

2
windows/client-management/TOC.md
View File

@ -9,5 +9,5 @@
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile device management protocol](mdm/index.md)
## [Mobile device management for solution providers](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)

8
windows/client-management/change-history-for-client-management.md
View File

@ -8,12 +8,20 @@ ms.sitesec: library
ms.pagetype: security
localizationpriority: high
author: jdeckerMS
ms.author: jdecker
ms.date: 06/13/2017
---
# Change history for Client management
This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
## June 2017
| New or changed topic | Description |
| --- | --- |
| [Create mandatory user profiles](mandatory-user-profile.md) | Added Windows 10, version 1703, to profile extension table |
## April 2017
| New or changed topic | Description |
|----------------------|-------------|

5
windows/client-management/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "dongill",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

1
windows/client-management/index.md
View File

@ -28,4 +28,5 @@ Learn about the administrative tools, tasks and best practices for managing Wind
|[Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)| Instructions for resetting a Windows 10 Mobile device using either *factory* or *'wipe and persist'* reset options|
|[Deploy Windows 10 Mobile](windows-10-mobile-and-mdm.md)| Considerations and instructions for deploying Windows 10 Mobile|
|[Windows libraries](windows-libraries.md)| Considerations and instructions for managing Windows 10 libraries such as My Documents, My Pictures, and My Music.|
|[Mobile device management for solution providers](mdm/index.md) | Procedural and reference documentation for solution providers providing mobile device management (MDM) for Windows 10 devices. |
|[Change history for Client management](change-history-for-client-management.md) | This topic lists new and updated topics in the Client management documentation for Windows 10 and Windows 10 Mobile. |

4
windows/client-management/mandatory-user-profile.md
View File

@ -6,6 +6,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.date: 06/13/2017
---
# Create mandatory user profiles
@ -38,7 +40,7 @@ The name of the folder in which you store the mandatory profile must use the cor
| Windows 8 | Windows Server 2012 | v3 |
| Windows 8.1 | Windows Server 2012 R2 | v4 |
| Windows 10, versions 1507 and 1511 | N/A | v5 |
| Windows 10, version 1607 (also known as the Anniversary Update) | Windows Server 2016 | v6 |
| Windows 10, version 1607 (Anniversary Update) and version 1703 (Creators Update) | Windows Server 2016 | v6 |
For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198).

BIN
windows/client-management/mdm/images/provisioning-csp-watp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 20 KiB

52
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -642,6 +642,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>SmartScreen/EnableAppInstallControl</li>
<li>SmartScreen/EnableSmartScreenInShell</li>
<li>SmartScreen/PreventOverrideForFilesInShell</li>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Start/HideAppList</li>
<li>Start/HideChangeAccountSettings</li>
<li>Start/HideFrequentlyUsedApps</li>
@ -663,6 +673,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>TextInput/AllowKeyboardTextSuggestions</li>
<li>TimeLanguageSettings/AllowSet24HourClock</li>
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
@ -1201,6 +1212,41 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<td style="vertical-align:top">[TPMPolicy CSP](tpmpolicy-csp.md)</td>
<td style="vertical-align:top">New CSP added in Windows 10, version 1703.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top">
<p>Added the following new policies for Windows 10, version 1703:</p>
<ul>
<li>Start/AllowPinnedFolderDocuments</li>
<li>Start/AllowPinnedFolderDownloads</li>
<li>Start/AllowPinnedFolderFileExplorer</li>
<li>Start/AllowPinnedFolderHomeGroup</li>
<li>Start/AllowPinnedFolderMusic</li>
<li>Start/AllowPinnedFolderNetwork</li>
<li>Start/AllowPinnedFolderPersonalFolder </li>
<li>Start/AllowPinnedFolderPictures</li>
<li>Start/AllowPinnedFolderSettings</li>
<li>Start/AllowPinnedFolderVideos</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
</ul>
<p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Power/DisplayOffTimeoutOnBattery</li>
<li>Power/DisplayOffTimeoutPluggedIn</li>
<li>Power/HibernateTimeoutOnBattery</li>
<li>Power/HibernateTimeoutPluggedIn</li>
<li>Power/StandbyTimeoutOnBattery</li>
<li>Power/StandbyTimeoutPluggedIn</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)</td>
<td style="vertical-align:top">Updated the CSP in Windows 10, version 1709. Added the following settings:
<ul>
<li>DeviceTagging/Group</li>
<li>DeviceTagging/Criticality</li>
</ul>
</td></tr>
</tbody>
</table>
@ -1276,7 +1322,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top"><p>Added new CSP in the next major update to Windows 10.</p>
<td style="vertical-align:top"><p>Added new CSP in Windows 10, version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">MDM support for Windows 10 S</td>
@ -1790,7 +1836,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[CM_CellularEntries CSP](cm-cellularentries-csp.md)</td>
<td style="vertical-align:top"><p>To PurposeGroups setting, added the following values for the next major update of Windows 10:</p>
<td style="vertical-align:top"><p>To PurposeGroups setting, added the following values Windows 10, version 1709:</p>
<ul>
<li>Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB </li>
<li>Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364</li>
@ -1798,7 +1844,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[CellularSettings CSP](cellularsettings-csp.md)<p>[CM_CellularEntries CSP](cm-cellularentries-csp.md)</p><p>[EnterpriseAPN CSP](enterpriseapn-csp.md)</p></td>
<td style="vertical-align:top"><p>In the next major update of Windows 10, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.</p>
<td style="vertical-align:top"><p>In the Windows 10, version 1709, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">Updated the DDF topics.</td>

730
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1976,6 +1976,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="browser-allowaddressbardropdown"></a>**Browser/AllowAddressBarDropdown**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. 
@ -2361,6 +2384,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="browser-allowmicrosoftcompatibilitylist"></a>**Browser/AllowMicrosoftCompatibilityList**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
@ -2469,6 +2515,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--StartPolicy-->
<a href="" id="browser-allowsearchenginecustomization"></a>**Browser/AllowSearchEngineCustomization**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine. 
 
@ -2569,6 +2638,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--StartPolicy-->
<a href="" id="browser-clearbrowsingdataonexit"></a>**Browser/ClearBrowsingDataOnExit**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
@ -2590,6 +2682,29 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--StartPolicy-->
<a href="" id="browser-configureadditionalsearchengines"></a>**Browser/ConfigureAdditionalSearchEngines**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices. 
 
@ -2613,6 +2728,29 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--StartPolicy-->
<a href="" id="browser-disablelockdownofstartpages"></a>**Browser/DisableLockdownOfStartPages**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect. 
 
@ -2822,6 +2960,29 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--StartPolicy-->
<a href="" id="browser-preventfirstrunpage"></a>**Browser/PreventFirstRunPage**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
@ -2837,6 +2998,29 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--StartPolicy-->
<a href="" id="browser-preventlivetiledatacollection"></a>**Browser/PreventLiveTileDataCollection**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
@ -3008,6 +3192,29 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--StartPolicy-->
<a href="" id="browser-setdefaultsearchengine"></a>**Browser/SetDefaultSearchEngine**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
@ -7230,6 +7437,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -7465,6 +7695,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlightonactioncenter"></a>**Experience/AllowWindowsSpotlightOnActionCenter**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -7483,6 +7736,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlightwindowswelcomeexperience"></a>**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -11343,6 +11619,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="messaging-allowmms"></a>**Messaging/AllowMMS**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -11395,6 +11694,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="messaging-allowrcs"></a>**Messaging/AllowRCS**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -11742,6 +12064,100 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-displayofftimeoutonbattery"></a>**Power/DisplayOffTimeoutOnBattery**
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off the display (on battery)*
- GP name: *VideoPowerDownTimeOutDC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-displayofftimeoutpluggedin"></a>**Power/DisplayOffTimeoutPluggedIn**
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the display from turning off. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Turn off the display (plugged in)*
- GP name: *VideoPowerDownTimeOutAC_2*
- GP path: *System/Power Management/Video and Display Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-hibernatetimeoutonbattery"></a>**Power/HibernateTimeoutOnBattery**
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system hibernate timeout (on battery)*
- GP name: *DCHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-hibernatetimeoutpluggedin"></a>**Power/HibernateTimeoutPluggedIn**
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system hibernate timeout (plugged in)*
- GP name: *ACHibernateTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-requirepasswordwhencomputerwakesonbattery"></a>**Power/RequirePasswordWhenComputerWakesOnBattery**
@ -11782,6 +12198,53 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-standbytimeoutonbattery"></a>**Power/StandbyTimeoutOnBattery**
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system sleep timeout (on battery)*
- GP name: *DCStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="power-standbytimeoutpluggedin"></a>**Power/StandbyTimeoutPluggedIn**
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
<p style="margin-left: 20px">If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep.
<p style="margin-left: 20px">If you disable or do not configure this policy setting, users control this setting.
<p style="margin-left: 20px">If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" (DeviceLock/PreventLockScreenSlideShow) policy setting can be used to disable the slide show feature.
<!--EndDescription-->
<!--StartADMX-->
ADMX Info:
- GP english name: *Specify the system sleep timeout (plugged in)*
- GP name: *ACStandbyTimeOut_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--EndADMX-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**
@ -14952,7 +15415,7 @@ ADMX Info:
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB.
<p style="margin-left: 20px">Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
<p style="margin-left: 20px">Enable this policy if computers in your environment have extremely limited hard drive space.
@ -18282,6 +18745,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="timelanguagesettings-allowset24hourclock"></a>**TimeLanguageSettings/AllowSet24HourClock**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting.
@ -18337,6 +18823,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -18390,6 +18899,41 @@ ADMX Info:
<p style="margin-left: 20px">The default value is 8 (8 AM).
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
<a href="" id="update-autorestartdeadlineperiodindays"></a>**Update/AutoRestartDeadlinePeriodInDays**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy defines the deadline in days after which a reboot for updates will become mandatory.
<p style="margin-left: 20px">Supported values are 2-30 days.
<p style="margin-left: 20px">The default value is 7 days.
<!--EndDescription-->
<!--EndPolicy-->
<!--StartPolicy-->
@ -18578,6 +19122,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -18594,6 +19161,29 @@ ADMX Info:
<!--StartPolicy-->
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -18903,6 +19493,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--StartPolicy-->
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -18919,6 +19532,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--StartPolicy-->
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -18935,6 +19571,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--StartPolicy-->
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -19407,6 +20066,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--StartPolicy-->
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -19423,6 +20105,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--StartPolicy-->
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -19532,6 +20237,29 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<!--StartPolicy-->
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
<!--StartSKU-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>MobileEnterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/checkmark.png" alt="check mark"/><sup>2</sup></td>
<td><img src="images/crossmark.png" alt="cross mark"/></td>
<td><img src="images/CheckMark.png" alt="check mark"/><sup>2</sup></td>
</tr>
</table>
<!--EndSKU-->
<!--StartDescription-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise

50
windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
View File

@ -91,6 +91,28 @@ The following list describes the characteristics and parameters.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<a href="" id="devicetagging"></a>**DeviceTagging**
<p style="margin-left: 20px">Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
<p style="margin-left: 20px">Supported operations is Get.
<a href="" id="group"></a>**DeviceTagging/Group**
<p style="margin-left: 20px">Added in Windows 10, version 1709. Device group identifiers.
<p style="margin-left: 20px">The data type is a string.
<p style="margin-left: 20px">Supported operations are Get and Replace.
<a href="" id="criticality"></a>**DeviceTagging/Criticality**
<p style="margin-left: 20px">Added in Windows 10, version 1709. Asset criticality value. Supported values:
- 0 - Normal
- 1 - Critical
<p style="margin-left: 20px">The data type is an integer.
<p style="margin-left: 20px">Supported operations are Get and Replace.
## Examples
@ -98,7 +120,7 @@ The following list describes the characteristics and parameters.
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>11</CmdID>
<CmdID>111</CmdID>
<Item>
<Target>
<LocURI>
@ -117,7 +139,7 @@ The following list describes the characteristics and parameters.
</Target>
</Item>
</Get>
<Get>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
@ -127,7 +149,7 @@ The following list describes the characteristics and parameters.
</Target>
</Item>
</Get>
<Get>
<Get>
<CmdID>3</CmdID>
<Item>
<Target>
@ -137,7 +159,7 @@ The following list describes the characteristics and parameters.
</Target>
</Item>
</Get>
<Get>
<Get>
<CmdID>4</CmdID>
<Item>
<Target>
@ -167,6 +189,26 @@ The following list describes the characteristics and parameters.
</Target>
</Item>
</Get>
<Get>
<CmdID>11</CmdID>
<Item>
<Target>
<LocURI>
./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group
</LocURI>
</Target>
</Item>
</Get>
<Get>
<CmdID>12</CmdID>
<Item>
<Target>
<LocURI>
./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Criticality
</LocURI>
</Target>
</Item>
</Get>
<Get>
<CmdID>99</CmdID>
<Item>

71
windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
View File

@ -45,7 +45,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/WindowsAdvancedThreatProtection</MIME>
<MIME>com.microsoft/1.2/MDM/WindowsAdvancedThreatProtection</MIME>
</DFType>
</DFProperties>
<Node>
@ -267,6 +267,75 @@ The XML below is the current version for this CSP.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DeviceTagging</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Represents Windows Defender Advanced Threat Protection configuration for managing role base access and device tagging</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Device Tagging</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Group</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Device group identifiers</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Device Group Identifier</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Criticality</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>Asset criticality value. 0 - Normal, 1 - Critical.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Device Criticality</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

5
windows/configuration/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "jdecker",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

6
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -8,6 +8,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: high
author: brianlic-msft
ms.author: brianlic-msft
ms.date: 06/13/2017
---
# Manage connections from Windows operating system components to Microsoft services
@ -1692,6 +1694,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
-and-
- Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
- Configure the following in **Settings**:

2
windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
View File

@ -21,7 +21,7 @@ localizationpriority: high
A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions.
- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer (Windows 10, version 1607 or later) to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only).
or

12
windows/configuration/start-layout-xml-desktop.md
View File

@ -6,6 +6,8 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
ms.date: 06/13/2017
localizationpriority: high
---
@ -52,9 +54,9 @@ The following table lists the supported elements and attributes for the LayoutMo
| RequiredStartGroupsCollection</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to contain collection of RequiredStartGroups |
| [RequiredStartGroups](#requiredstartgroups)</br></br>Parent:</br>RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout |
| [AppendGroup](#appendgroup)</br></br>Parent:</br>RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout |
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app |
| [start:Tile](#specify-start-tiles)</br></br>Parent:</br>AppendGroup | AppUserModelID</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Universal Windows app</br>- A Windows 8 or Windows 8.1 app</br></br>Note that AppUserModelID is case-sensitive. |
| start:DesktopApplicationTile</br></br>Parent:</br>AppendGroup | DesktopApplicationID</br>DesktopApplicationLinkPath</br>Size</br>Row</br>Column | Use to specify any of the following:</br>- A Windows desktop application with a known AppUserModelID</br>- An application in a known folder with a link in a legacy Start Menu folder</br>- A Windows desktop application link in a legacy Start Menu folder</br>- A Web link tile with an associated .url file that is in a legacy Start Menu folder |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile |
| start:SecondaryTile</br></br>Parent:</br>AppendGroup | AppUserModelID</br>TileID</br>Arguments</br>DisplayName</br>Square150x150LogoUri</br>ShowNameOnSquare150x150Logo</br>ShowNameOnWide310x150Logo</br>Wide310x150LogoUri</br>BackgroundColor</br>ForegroundText</br>IsSuggestedApp</br>Size</br>Row</br>Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. |
| TopMFUApps</br></br>Parent:</br>LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area |
| Tile</br></br>Parent:</br>TopMFUApps | AppUserModelID | Use with the TopMFUApps tags to specify an app with a known AppUserModelID |
| DesktopApplicationTile</br></br>Parent:</br>TopMFUApps | LinkFilePath | Use with the TopMFUApps tags to specify an app without a known AppUserModelID |
@ -144,6 +146,9 @@ You can use the **start:Tile** tag to pin any of the following apps to Start:
To specify any one of these apps, you must set the **AppUserModelID** attribute to the application user model ID that's associated with the corresponding app.
>[!IMPORTANT]
>**AppUserModelID** (AUMID) is case-sensitive.
The following example shows how to pin the Microsoft Edge Universal Windows app:
```XML
@ -181,6 +186,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap
- By using the application's application user model ID, if this is known. If the Windows desktop application doesn't have one, use the shortcut link option.
You can use the [Get-StartApps cmdlet](https://technet.microsoft.com/library/dn283402.aspx) on a PC that has the application pinned to Start to obtain the app ID.
To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app.
@ -239,7 +245,7 @@ The following table describes the other attributes that you can use with the **s
| Attribute | Required/optional | Description |
| --- | --- | --- |
| AppUserModelID | Required | Must point to Microsoft Edge. |
| AppUserModelID | Required | Must point to Microsoft Edge. Note that AppUserModelID is case-sensitive. |
| TileID | Required | Must uniquely identify your Web site tile. |
| Arguments | Required | Must contain the URL of your Web site. |
| DisplayName | Required | Must specify the text that you want users to see. |

5
windows/deployment/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "greglin",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

266
windows/device-security/device-guard/deploy-code-integrity-policies-steps.md
View File

@ -20,7 +20,208 @@ For an overview of the process described in the following procedures, see [Deplo
The process for creating a golden code integrity policy from a reference system is straightforward. This section outlines the process that is required to successfully create a code integrity policy with Windows PowerShell. First, for this example, you must initiate variables to be used during the creation process. Rather than using variables, you can simply use the full file paths in the command. Next, you create the code integrity policy by scanning the system for installed applications. When created, the policy file is converted to binary format so that Windows can consume its contents.
> **Note**&nbsp;&nbsp;Before you begin this procedure, ensure that the reference PC is clean of viruses or malware. Each piece of installed software should be validated as trustworthy before you create this policy. Also, be sure that any software that you would like to be scanned is installed on the system before you create the code integrity policy.
> [!Note]
> Before you begin this procedure, make sure that the reference PC is virus and malware-free,and that any software you want to be scanned is installed on the system before creating the code integrity policy.
### Scripting and applications
Each installed software application should be validated as trustworthy before you create a policy. We recommend that you review the reference PC for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts.
You can remove or disable such software on reference PCs used to create code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
Members of the security community<sup>\*</sup> continuously collaborate with Microsoft® to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Device Guard code integrity policies.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent Application Whitelisting policies, including Device Guard:
- bash.exe
- bginfo.exe
- cdb.exe
- csi.exe
- dnx.exe
- fsi.exe
- kd.exe
- lxssmanager.dll
- msbuild.exe<sup>[1]</sup>
- mshta.exe
- ntsd.exe
- rcsi.exe
- system.management.automation.dll
- windbg.exe
<sup>[1]</sup>If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
<sup>*</sup>Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
<br />
|Name|Twitter|
|---|---|
|Casey Smith |@subTee|
|Matt Graeber | @mattifestation|
|Matt Nelson | @enigma0x3|
|Oddvar Moe |@Oddvarmoe|
<br />
>[!Note]
>This application list is fluid and will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow additional code to run by design. These types of applications should be blocked by your Device Guard policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Device Guard bypass, you should add deny rules to your code integrity policies for that applications previous, less secure versions.
Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in in-box PowerShell modules that allowed an attacker to bypass Device Guard code integrity policies. These modules cannot be blocked by name or version, and therefore must be blocked by their corresponding hashes.
Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet:
```
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
<Rule>
<Option>Enabled:Advanced Boot Options Menu</Option>
</Rule>
<Rule>
<Option>Required:Enforce Store Applications</Option>
</Rule>
<Rule>
<Option>Enabled:UMCI</Option>
</Rule>
</Rules>
<!--EKUS-->
<EKUs />
<!--File Rules-->
<FileRules>
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion = "4.21.0.0" />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_SMA" FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion = "10.0.16215.999" />
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="DED853481A176999723413685A79B36DD0F120F9" />
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="D027E09D9D9828A87701288EFC91D240C0DEC2C3" />
<Deny ID="ID_DENY_D_3" FriendlyName="Powershell 3" Hash="46936F4F0AFE4C87D2E55595F74DDDFFC9AD94EE" />
<Deny ID="ID_DENY_D_4" FriendlyName="Powershell 4" Hash="5090F22BB9C0B168C7F5E9E800784A05AFCCBC4F" />
<Deny ID="ID_DENY_D_5" FriendlyName="Powershell 5" Hash="A920D0706FCEA648D28638E9198BCC368996B8FD" />
<Deny ID="ID_DENY_D_6" FriendlyName="Powershell 6" Hash="93E22F2BA6C8B1C09F100F9C0E3B06FAF2D1DDB6" />
<Deny ID="ID_DENY_D_7" FriendlyName="Powershell 7" Hash="943E307BE7B0B381715CA5CC0FAB7B558025BA80" />
<Deny ID="ID_DENY_D_8" FriendlyName="Powershell 8" Hash="DE6A02520E1D7325025F2761A97D36E407E8490C" />
<Deny ID="ID_DENY_D_9" FriendlyName="Powershell 9" Hash="CC968868EDC6718DA14DDDB11228A04D5D5BD9A5" />
<Deny ID="ID_DENY_D_10" FriendlyName="Powershell 10" Hash="789D0657689DB6F0900A787BEF52A449585A92B5" />
<Deny ID="ID_DENY_D_11" FriendlyName="Powershell 11" Hash="F29A958287788A6EEDE6035D49EF5CB85EEC40D214FDDE5A0C6CAA65AFC00EEC" />
<Deny ID="ID_DENY_D_12" FriendlyName="Powershell 12" Hash="84BB081141DA50B3839CD275FF34854F53AECB96CA9AEB8BCD24355C33C1E73E" />
<Deny ID="ID_DENY_D_13" FriendlyName="Powershell 13" Hash="8D396FEAEED1F0CA709B62B1F27EDC9CCEFF95E3473C923624362A042E91D787" />
<Deny ID="ID_DENY_D_14" FriendlyName="Powershell 14" Hash="7BF44433D3A606104778F64B11B92C52FC99C4BA570C50B70438275D0B587B8E" />
<Deny ID="ID_DENY_D_15" FriendlyName="Powershell 15" Hash="6B3CB996EC5129D345830C3D6D5C7C009372FFD9F08837E8B2572AB31E9648A5" />
<Deny ID="ID_DENY_D_16" FriendlyName="Powershell 16" Hash="C3A5DAB20947CA8FD092E75C25177E7BAE7884CA58710F14827144C09EA1F94B" />
<Deny ID="ID_DENY_D_17" FriendlyName="Powershell 17" Hash="BE3FFE10CDE8B62C3E8FD4D8198F272B6BD15364A33362BB07A0AFF6731DABA1" />
<Deny ID="ID_DENY_D_18" FriendlyName="Powershell 18" Hash="75288A0CF0806A68D8DA721538E64038D755BBE74B52F4B63FEE5049AE868AC0" />
<Deny ID="ID_DENY_D_19" FriendlyName="Powershell 19" Hash="F875E43E12685ECE0BA2D42D55A13798CE9F1FFDE3CAE253D2529F4304811A52" />
<Deny ID="ID_DENY_D_20" FriendlyName="Powershell 20" Hash="6D89FDD29D50C07801FB01F031CDB96E2E14288F066BD895356AE0517ABB09CE" />
<Deny ID="ID_DENY_D_21" FriendlyName="Powershell 21" Hash="326669C4A31E2049E3750BCF4287241BB8B555B3670D31A1ACA74C3AC598DF81" />
<Deny ID="ID_DENY_D_22" FriendlyName="Powershell 22" Hash="38DC1956313B160696A172074C6F5DA9852BF508F55AFB7FA079B98F2849AFB5" />
<Deny ID="ID_DENY_D_23" FriendlyName="Powershell 23" Hash="C6C073A80A8E76DC13E724B5E66FE4035A19CCA0C1AF3FABBC18E5185D1B66CB" />
<Deny ID="ID_DENY_D_24" FriendlyName="Powershell 24" Hash="9EA4BD3D8FB8F490E8099E0412F091E545AF028E3C4CAF179324B679124D1742" />
<Deny ID="ID_DENY_D_25" FriendlyName="Powershell 25" Hash="CD83C3C293EC4D24D3328C74881FA04AAF9CCF73E099631A9EB100BD0F384F58" />
<Deny ID="ID_DENY_D_26" FriendlyName="Powershell 26" Hash="74E207F539C4EAC648A5507EB158AEE9F6EA401E51808E83E73709CFA0820FDD" />
<Deny ID="ID_DENY_D_27" FriendlyName="Powershell 27" Hash="148972F670E18790D62D753E01ED8D22B351A57E45544D88ACE380FEDAF24A40" />
<Deny ID="ID_DENY_D_28" FriendlyName="Powershell 28" Hash="72E4EC687CFE357F3E681A7500B6FF009717A2E9538956908D3B52B9C865C189" />
<Deny ID="ID_DENY_D_29" FriendlyName="Powershell 29" Hash="F16E605B55774CDFFDB0EB99FAFF43A40622ED2AB1C011D1195878F4B20030BC" />
<Deny ID="ID_DENY_D_30" FriendlyName="Powershell 30" Hash="BD3139CE7553AC7003C96304F08EAEC2CDB2CC6A869D36D6F1E478DA02D3AA16" />
<Deny ID="ID_DENY_D_31" FriendlyName="Powershell 31" Hash="71FC552E66327EDAA72D72C362846BD80CB65EECFAE95C4D790C9A2330D95EE6" />
<Deny ID="ID_DENY_D_32" FriendlyName="Powershell 32" Hash="A1D1AF7675C2596D0DF977F57B54372298A56EE0F3E1FF2D974D387D7F69DD4E" />
<Deny ID="ID_DENY_D_33" FriendlyName="Powershell 33" Hash="0D905709AB1174F8E12A063F259A52DABE85CAEB8018985F5411F1CE9C6C99C3" />
<Deny ID="ID_DENY_D_34" FriendlyName="Powershell 34" Hash="939C291D4A2592209EC7664EC832670FA0AC1009F974F47489D866751F4B862F" />
</FileRules>
<!--Signers-->
<Signers />
<!--Driver Signing Scenarios-->
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Driver Signing Scenarios">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_KD" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenarios">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_DENY_BGINFO"/>
<FileRuleRef RuleID="ID_DENY_CBD"/>
<FileRuleRef RuleID="ID_DENY_KD"/>
<FileRuleRef RuleID="ID_DENY_WINDBG"/>
<FileRuleRef RuleID="ID_DENY_MSBUILD"/>
<FileRuleRef RuleID="ID_DENY_CSI"/>
<FileRuleRef RuleID="ID_DENY_DNX"/>
<FileRuleRef RuleID="ID_DENY_RCSI"/>
<FileRuleRef RuleID="ID_DENY_NTSD"/>
<FileRuleRef RuleID="ID_DENY_LXSS"/>
<FileRuleRef RuleID="ID_DENY_BASH"/>
<FileRuleRef RuleID="ID_DENY_FSI"/>
<FileRuleRef RuleID="ID_DENY_MSHTA"/>
<FileRuleRef RuleID="ID_DENY_SMA"/>
<FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" />
<FileRuleRef RuleID="ID_DENY_D_4" />
<FileRuleRef RuleID="ID_DENY_D_5" />
<FileRuleRef RuleID="ID_DENY_D_6" />
<FileRuleRef RuleID="ID_DENY_D_7" />
<FileRuleRef RuleID="ID_DENY_D_8" />
<FileRuleRef RuleID="ID_DENY_D_9" />
<FileRuleRef RuleID="ID_DENY_D_10" />
<FileRuleRef RuleID="ID_DENY_D_11" />
<FileRuleRef RuleID="ID_DENY_D_12" />
<FileRuleRef RuleID="ID_DENY_D_13" />
<FileRuleRef RuleID="ID_DENY_D_14" />
<FileRuleRef RuleID="ID_DENY_D_15" />
<FileRuleRef RuleID="ID_DENY_D_16" />
<FileRuleRef RuleID="ID_DENY_D_17" />
<FileRuleRef RuleID="ID_DENY_D_18" />
<FileRuleRef RuleID="ID_DENY_D_19" />
<FileRuleRef RuleID="ID_DENY_D_20" />
<FileRuleRef RuleID="ID_DENY_D_21" />
<FileRuleRef RuleID="ID_DENY_D_22" />
<FileRuleRef RuleID="ID_DENY_D_23" />
<FileRuleRef RuleID="ID_DENY_D_24" />
<FileRuleRef RuleID="ID_DENY_D_25" />
<FileRuleRef RuleID="ID_DENY_D_26" />
<FileRuleRef RuleID="ID_DENY_D_27" />
<FileRuleRef RuleID="ID_DENY_D_28" />
<FileRuleRef RuleID="ID_DENY_D_29" />
<FileRuleRef RuleID="ID_DENY_D_30" />
<FileRuleRef RuleID="ID_DENY_D_31" />
<FileRuleRef RuleID="ID_DENY_D_32" />
<FileRuleRef RuleID="ID_DENY_D_33" />
<FileRuleRef RuleID="ID_DENY_D_34" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
<UpdatePolicySigners />
<CiSigners />
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
<br />
To create a code integrity policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
@ -36,7 +237,7 @@ To create a code integrity policy, copy each of the following commands into an e
` New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy UserPEs 3> CIPolicyLog.txt `
> **Notes**
> [!Notes]
> - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application.
@ -52,7 +253,8 @@ To create a code integrity policy, copy each of the following commands into an e
After you complete these steps, the Device Guard binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary version as a code integrity policy or sign it for additional security.
> **Note**&nbsp;&nbsp;We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
> [!Note]
> We recommend that you keep the original .xml file of the policy for use when you need to merge the code integrity policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge code integrity policies, see [Merge code integrity policies](#merge-code-integrity-policies).
We recommend that every code integrity policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a code integrity policy, see the next section, [Audit code integrity policies](#audit-code-integrity-policies).
@ -60,7 +262,8 @@ We recommend that every code integrity policy be run in audit mode before being
When code integrity policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a code integrity policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new code integrity policy. When the new exception policy is created, you can merge it with your existing code integrity policies.
> **Note**&nbsp;&nbsp;Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
> [!Note]
> Before you begin this process, you need to create a code integrity policy binary file. If you have not already done so, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a code integrity policy and convert it to binary format.
**To audit a code integrity policy with local policy:**
@ -68,7 +271,7 @@ When code integrity policies are run in audit mode, it allows administrators to
2. On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
> **Notes**
> [!Note]
> - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a code integrity policy that allows viruses or malware to run.
@ -76,7 +279,7 @@ When code integrity policies are run in audit mode, it allows administrators to
3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Code Integrity Policy**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
> **Notes**
> [!Note]
> - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every system. You can instead copy the code integrity policies to a file share to which all computer accounts have access.
@ -124,7 +327,8 @@ Use the following procedure after you have been running a computer with a code i
` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy UserPEs 3> CIPolicylog.txt`
> **Note**&nbsp;&nbsp;When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
> [!Note]
> When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
4. Find and review the Device Guard audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
@ -134,7 +338,8 @@ Use the following procedure after you have been running a computer with a code i
You can now use this file to update the existing code integrity policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing code integrity policy, see the next section, [Merge code integrity policies](#merge-code-integrity-policies).
> **Note**&nbsp;&nbsp;You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
> [!Note]
> You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies.
## <a href="" id="plug-ins"></a>Use a code integrity policy to control specific plug-ins, add-ins, and modules
@ -166,7 +371,8 @@ New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy.
> **Note**&nbsp;&nbsp;The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
> [!Note]
> The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine.
To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session:
@ -182,7 +388,8 @@ To merge two code integrity policies, complete the following steps in an elevate
` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
> **Note**&nbsp;&nbsp;The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
> [!Note]
> The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit code integrity policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other code integrity policies, update the variables accordingly.
2. Use [Merge-CIPolicy](https://technet.microsoft.com/library/mt634485.aspx) to merge two policies and create a new code integrity policy:
@ -198,7 +405,8 @@ Now that you have created a new code integrity policy (for example, called **New
Every code integrity policy is created with audit mode enabled. After you have successfully deployed and tested a code integrity policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
> **Note**&nbsp;&nbsp;Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
> [!Note]
> Every code integrity policy should be tested in audit mode first. For information about how to audit code integrity policies, see [Audit code integrity policies](#audit-code-integrity-policies), earlier in this topic.
1. Initialize the variables that will be used:
@ -210,7 +418,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
> **Note**&nbsp;&nbsp;The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
> [!Note]
> The initial code integrity policy that this section refers to was created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are using a different code integrity policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the code integrity policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
@ -228,7 +437,8 @@ Every code integrity policy is created with audit mode enabled. After you have s
` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
> **Note**&nbsp;&nbsp;To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
> [!Note]
> To enforce a code integrity policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a code integrity policy.
5. Use [ConvertFrom-CIPolicy](https://technet.microsoft.com/library/mt733073.aspx) to convert the new code integrity policy to binary format:
@ -244,7 +454,8 @@ Signing code integrity policies by using an on-premises CA-generated certificate
Before signing code integrity policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Code integrity policy rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-policy-rules) in "Deploy code integrity policies: policy rules and file rules."
> **Note**&nbsp;&nbsp;Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers.
> [!Note]
> Signing code integrity policies is the last step in a code integrity deployment. It is much more difficult to remove a signed code integrity policy than an unsigned one. Before you deploy a signed code integrity policy to deployed client computers, be sure to test its effect on a subset of computers.
To sign a code integrity policy with SignTool.exe, you need the following components:
@ -264,7 +475,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
> **Note**&nbsp;&nbsp;This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
> [!Note]
> This example uses the code integrity policy that you created in the [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing users personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md).
@ -278,9 +490,9 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User Update`
> **Notes**&nbsp;&nbsp;*&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
> Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section.
> [!Note]
> *&lt;Path to exported .cer certificate&gt;* should be the full path to the certificate that you exported in step 3.
Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the [Disable signed code integrity policies within Windows](#disable-signed-code-integrity-policies-within-windows) section.
6. Use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) to remove the unsigned policy rule option:
@ -294,7 +506,8 @@ If you do not have a code signing certificate, see the [Optional: Create a code
` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
> **Note**&nbsp;&nbsp;The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
> [!Note]
> The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see [Deploy and manage code integrity policies with Group Policy](#deploy-and-manage-code-integrity-policies-with-group-policy).
@ -312,7 +525,8 @@ If the code integrity policy was deployed by using Group Policy, the GPO that is
Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed code integrity policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed code integrity policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
> **Note**&nbsp;&nbsp;For reference, signed code integrity policies should be replaced and removed from the following locations:
> [!Note]
> For reference, signed code integrity policies should be replaced and removed from the following locations:
- &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
@ -363,9 +577,11 @@ There may be a time when signed code integrity policies cause a boot failure. Be
Code integrity policies can easily be deployed and managed with Group Policy. A Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Device Guard hardware-based security features and code integrity policies. The following procedure walks you through how to deploy a code integrity policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> **Note**&nbsp;&nbsp;This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic.
> [!Note]
> This walkthrough requires that you have previously created a code integrity policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a code integrity policy, see [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer), earlier in this topic.
> **Note**&nbsp;&nbsp;Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
> [!Note]
> Signed code integrity policies can cause boot failures when deployed. We recommend that signed code integrity policies be thoroughly tested on each hardware platform before enterprise deployment.
To deploy and manage a code integrity policy with Group Policy:
@ -393,13 +609,15 @@ To deploy and manage a code integrity policy with Group Policy:
In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
> **Note**&nbsp;&nbsp;The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
> [!Note]
> The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the code integrity policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
![Group Policy called Deploy Code Integrity Policy](images/dg-fig26-enablecode.png)
Figure 5. Enable the code integrity policy
> **Note**&nbsp;&nbsp;You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
> [!Note]
> You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your code integrity policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the code integrity policy. For information about how to audit code integrity policies, see the [Audit code integrity policies](#audit-code-integrity-policies) section.

22
windows/device-security/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
View File

@ -25,12 +25,30 @@ This topic provides a roadmap for planning and getting started on the Device Gua
3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create:
- How standardized is the hardware?<br>This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline code integrity policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- What software does each department or role need? Should they be able to install and run other departments software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management.
- Are there departments or roles where unique, restricted software is used?<br>If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy.
- Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline code integrity policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
In day-to-day operations, your organizations security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Device Guard code integrity policies. You can also fine-tune your control by using Device Guard in combination with AppLocker, as described in [Device Guard with AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies#device-guard-with-applocker).
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass code integrity policies.
For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your code integrity policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your code integrity policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Device Guard code integrity policies. (See the Acknowledgments section of [Deploy code integrity policies: steps](https://technet.microsoft.com/itpro/windows/keep-secure/deploy-code-integrity-policies-steps)).
Depending on the context, you may want to block these applications. To see this list of applications and for use case examples, such as disabling Windows Script Host (WHS) or disabling msbuild.exe, see Deploy code integrity policies: steps.
4. **Identify LOB applications that are currently unsigned**. Although requiring signed code (through code integrity policies) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
## Getting started on the deployment process

5
windows/device-security/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "justinha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

BIN
windows/device-security/images/tpm-capabilities.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/device-security/images/tpm-remote-attestation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 110 KiB

6
windows/device-security/tpm/tpm-recommendations.md
View File

@ -100,8 +100,8 @@ The following table defines which Windows features require TPM support.
| Windows Features | Windows 10 TPM 1.2 | Windows 10 TPM 2.0 | Details |
|-------------------------|----------------------|----------------------|----------|
| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure boot. |
| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. |
| Measured Boot | Required | Required | Measured boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. |
| Bitlocker | Required | Required | TPM 1.2 or later required or a removable USB memory device such as a flash drive. Please note that TPM 2.0 requires UEFI Secure Boot in order for BitLocker to work properly. |
| Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. |
| Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. |
| Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. |
@ -120,4 +120,4 @@ Government customers and enterprise customers in regulated industries may have a
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

5
windows/hub/docfx.json
View File

@ -35,7 +35,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "brianlic",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

9
windows/threat-protection/TOC.md
View File

@ -134,9 +134,12 @@
## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
##### [Deploy your Windows Information Protection (WIP) policy](windows-information-protection\deploy-wip-policy-using-intune.md)
##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
#### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md)
##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)
#### [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)
##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)
##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md)
#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md)

11
windows/threat-protection/change-history-for-threat-protection.md
View File

@ -11,10 +11,19 @@ author: brianlic-msft
# Change history for threat protection
This topic lists new and updated topics in the [Threat protection](index.md) documentation.
## June 2017
|New or changed topic |Description |
|---------------------|------------|
[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
[Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
[Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.|
|[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.|
## March 2017
|New or changed topic |Description |
|---------------------|------------|
|[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
||[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
|[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
|[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |

5
windows/threat-protection/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "justinha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

72
windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md Normal file
View File

@ -0,0 +1,72 @@
---
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
keywords: WIP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
## Associate your WIP policy to your VPN policy by using Microsoft Intune
Follow these steps to associate your WIP policy with your organization's existing VPN policy.
**To associate your policies**
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png)
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
4. In the **Custom OMA-URI Settings** blade, click **Add**.
5. In the **Add Row** blade, type:
- **Name.** Type a name for your setting, such as *EDPModeID*.
- **Description.** Type an optional description for your setting.
- **OMA-URI.** Type _./Vendor/MSFT/VPNv2/&lt;VPNProfileName&gt;/EDPModeId_ into the box.
- **Data type.** Select **String** from the dropdown box
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
7. Click **Create** to create the policy, including your OMA_URI info.
## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
**To deploy your Custom VPN policy**
1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade.
2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

8
windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
View File

@ -1,5 +1,5 @@
---
title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10)
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune (Windows 10)
description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
keywords: WIP, Enterprise Data Protection
@ -11,11 +11,11 @@ author: eross-msft
localizationpriority: high
---
# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.

532
windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md Normal file
View File

@ -0,0 +1,532 @@
---
title: Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---
# Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
>[!Important]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) topic.
## Add a WIP policy
After youve set up Intune for your organization, you must create a WIP-specific policy.
**To add a WIP policy**
1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**.
![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png)
2. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
- **Name.** Type a name (required) for your new policy.
- **Description.** Type an optional description.
- **Platform.** Choose **Windows 10** as the supported platform for your policy.
- **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy.
![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png)
>[!Important]
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead.
3. Click **Create**.
The policy is created and appears in the table on the **App Policy** screen.
>[!NOTE]
>Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available.
### Add apps to your Allowed apps list
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app.
>[!Important]
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<br><br>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a Recommended app to your Allowed apps list
For this example, were going to add Microsoft Edge, a recommended app, to the **Allowed apps** list.
**To add a recommended app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png)
2. From the **Allowed apps** blade, click **Add apps**.
The **Add apps** blade appears, showing you all **Recommended apps**.
![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png)
3. Select each app you want to access your enterprise data, and then click **OK**.
The **Allowed apps** blade updates to show you your selected apps.
![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png)
#### Add a Store app to your Allowed apps list
For this example, were going to add Microsoft Power BI, a store app, to the **Allowed apps** list.
**To add a Store app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Store apps** from the dropdown list.
The blade changes to show boxes for you to add a publisher and app name.
4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`.
5. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
>[!NOTE]
>To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png)
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the publisher and product name values for Store apps without installing them**
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
The API runs and opens a text editor with the app details.
```json
{
"packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune.
>[!Important]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
**To find the publisher and product name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>[!Important]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<br><br>For example:<br>
<code>{<br>"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",<br>}</code>
#### Add a Desktop app to your Allowed apps list
For this example, were going to add WordPad, a desktop app, to the **Allowed apps** list.
**To add a Desktop app**
1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears.
The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Allowed apps** blade, click **Add apps**.
3. On the **Add apps** blade, click **Desktop apps** from the dropdown list.
The blade changes to show boxes for you to add the following, based on what results you want returned:
<table>
<tr>
<th>Field</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields marked as “*”</td>
<td>All files signed by any publisher. (Not recommended)</td>
</tr>
<tr>
<td>Publisher only</td>
<td>If you only fill out this field, youll get all files signed by the named publisher.<br><br>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td>Publisher and Name only</td>
<td>If you only fill out these fields, youll get all files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, and File only</td>
<td>If you only fill out these fields, youll get any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Min version only</td>
<td>If you only fill out these fields, youll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<br><br>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td>Publisher, Name, File, and Max version only</td>
<td>If you only fill out these fields, youll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td>All fields completed</td>
<td>If you fill out all fields, youll get the specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
4. After youve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list.
>[!Note]
>To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When youre done, click **OK**.
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
**To find the Publisher values for Desktop apps**
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path_of_the_exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`.
In this example, you'd get the following info:
``` json
Path Publisher
---- ---------
%PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box.
#### Import a list of apps to your Allowed apps list
For this example, were going to add an AppLocker XML file to the **Allowed apps** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create a list of Allowed apps using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png)
3. Right-click in the right-hand blade, and then click **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365.
![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png)
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png)
10. In the left blade, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Dynamics 365.
```xml
<?xml version="1.0"?>
<AppLockerPolicy Version="1">
<RuleCollection EnforcementMode="NotConfigured" Type="Appx">
<FilePublisherRule Action="Allow" UserOrGroupSid="S-1-1-0" Description="" Name="Microsoft.MicrosoftDynamicsCRMforWindows10, version 3.2.0.0 and above, from Microsoft Corporation" Id="3da34ed9-aec6-4239-88ba-0afdce252ab4">
<Conditions>
<FilePublisherCondition BinaryName="*" ProductName="Microsoft.MicrosoftDynamicsCRMforWindows10" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US">
<BinaryVersionRange HighSection="*" LowSection="3.2.0.0"/>
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
<RuleCollection EnforcementMode="NotConfigured" Type="Dll"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Exe"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Msi"/>
<RuleCollection EnforcementMode="NotConfigured" Type="Script"/>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your list of Allowed apps using Microsoft Intune**
1. From the **Allowed apps** area, click **Import apps**.
The blade changes to let you add your import file.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
2. Browse to your exported AppLocker policy file, and then click **Open**.
The file imports and the apps are added to your **Allowed app** list.
#### Add exempt apps to your policy
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list**
1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears.
The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy.
2. From the **Exempt apps** blade, click **Add apps**.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic.
3. Fill out the rest of the app info, based on the type of app youre adding:
- **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic.
- **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic.
- **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic.
- **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps.
4. Click **OK**.
### Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
**To add your protection mode**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
|Mode |Description |
|-----|------------|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|
2. Click **Save**.
### Define your enterprise-managed corporate identity
Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
**To change your corporate identity**
1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears.
The **Required settings** blade appears.
2. If the identity isnt correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>[!Important]
>Every WIP policy should include policy that defines your enterprise network locations.<br>Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
**To define where your allowed apps can find and send enterprise data on you network**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
2. Click **Add network boundary** from the Network perimeter area.
The **Add network boundary** blade appears.
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
3. Select the type of network boundary to add from the **Boundary type** box.
4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**.
<table>
<tr>
<th>Boundary type</th>
<th>Value format</th>
<th>Description</th>
</tr>
<tr>
<td>Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Network domain names</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Proxy servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Internal proxy servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<br><br>This list shouldnt include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>IPv4 ranges</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.<br><br>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>IPv6 ranges</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.<br><br>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Neutral resources</td>
<td>sts.contoso.com,sts.contoso2.com</td>
<td>Specify your authentication redirection endpoints for your company.<br><br>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<br><br>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
</table>
5. Repeat steps 1-4 to add any additional network boundaries.
6. Decide if you want to Windows to look for additional network settings:
![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
### Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
>[!Important]
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.
**To upload your DRA certificate**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
The **Advanced settings** blade appears.
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
### Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
**To set your optional settings**
1. Choose to set any or all optional settings:
![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png)
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **On (recommended).** Turns on the feature and provides the additional protection.
- **Off, or not configured.** Doesn't enable this feature.
- **Revoke encryption keys on unenroll.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if youre migrating between Mobile Device Management (MDM) solutions.
- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
- **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu.
- **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option.
- **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection.
- **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic.
- **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
### Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
Optionally, if you dont want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
## Related topics
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

18
windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
View File

@ -1,5 +1,5 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
title: Create a Windows Information Protection (WIP) with enrollment policy using the classic console for Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
ms.prod: w10
@ -10,12 +10,12 @@ author: eross-msft
localizationpriority: high
---
# Create a Windows Information Protection (WIP) policy using Microsoft Intune
# Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune
**Applies to:**
- Windows 10, version 1703
- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
@ -39,7 +39,7 @@ During the policy-creation process in Intune, you can choose the apps you want t
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!Important]
>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
@ -309,13 +309,13 @@ If you're running into compatibility issues where your app is incompatible with
### Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Allow Overrides** or **Hide Overrides**.
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Hide Overrides|WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Allow Overrides|WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.|
![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png)

18
windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
View File

@ -63,7 +63,7 @@ During the policy-creation process in System Center Configuration Manager, you c
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
@ -94,7 +94,9 @@ If you don't know the publisher or product name, you can find them for both desk
1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
>**Note**<br>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
>[!NOTE]
>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
@ -111,7 +113,8 @@ If you don't know the publisher or product name, you can find them for both desk
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
>[!IMPORTANT]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
@ -121,7 +124,8 @@ If you don't know the publisher or product name, you can find them for both desk
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>Your PC and phone must be on the same wireless network.
>[!NOTE]
>Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
@ -137,7 +141,8 @@ If you don't know the publisher or product name, you can find them for both desk
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
>[!IMPORTANT]
>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
>For example:<p>
```json
{
@ -460,6 +465,9 @@ After you've decided where your protected apps can access enterprise data on you
- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
>[!IMPORTANT]
>The **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box** option is only available for Configuration Manager versions 1610 and below.
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **Yes (recommended).** Turns on the feature and provides the additional protection.

43
windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
description: After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---
# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
**Applies to:**
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
**To deploy your WIP policy**
1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.
2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)

8
windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
View File

@ -1,5 +1,5 @@
---
title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
title: Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune (Windows 10)
description: After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
@ -11,11 +11,11 @@ author: eross-msft
localizationpriority: high
---
# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
# Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.

23
windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -1,6 +1,6 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
@ -21,7 +21,7 @@ localizationpriority: high
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
## Enlightened versus unenlightened apps
Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also referred to as WIP-unaware).
Apps can be enlightened or unenlightened:
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
@ -31,6 +31,8 @@ Apps can be enlightened (also referred to as WIP-aware) or unenlightened (also r
- Windows **Save As** experiences only allow you to save your files as enterprise.
- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
@ -42,9 +44,13 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
- Microsoft Photos
- Office 365 ProPlus apps, including Word, Excel, PowerPoint, OneNote, and Outlook
<!-- Microsoft OneDrive -->
- OneDrive app
- OneDrive sync client (OneDrive.exe, the next generation sync client)
- Microsoft Photos
- Groove Music
@ -58,6 +64,11 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Remote Desktop
## List of WIP-work only apps from Microsoft
Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
- Skype for Business
## Adding enlightened Microsoft apps to the allowed apps list
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
@ -70,12 +81,14 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](http://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.<br>We don't recommend setting up Office by using individual paths or publisher rules.|
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft OneDrive |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app|
|OneDrive Sync Client|**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app|
|OneDrive app|**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Microsoftskydrive<br>**Product Version:**Product version: 17.21.0.0 (and later)<br>**App Type:** Universal app |
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |

2
windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Override**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|

3
windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
View File

@ -21,7 +21,8 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
## In this section
|Topic |Description |
|------|------------|
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](create-wip-policy-using-intune.md) |Details about how to use the classic console for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md)|Details about how to use the Azure portal for Microsoft Intune to create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |

8
windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -76,13 +76,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode.
You dont have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- **Deciding your level of data access.** WIP lets you block overrides, allow overrides, or audit employees' data sharing actions. Blocking overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
@ -131,8 +131,8 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that wouldve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |

2
windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -24,7 +24,7 @@ We recommend that you add the following URLs to the Enterprise Cloud Resources a
## Recommended Enterprise Cloud Resources
This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization.
|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting<br>(Replace "contoso" with your domain name(s) |
|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting<br>(Replace "contoso" with your domain name(s)|
|-----------------------------|---------------------------------------------------------------------|
|Office 365 for Business |<ul><li>contoso.sharepoint.com</li><li>contoso-my.sharepoint.com</li><li>contoso-files.sharepoint.com</li><li>tasks.office.com</li><li>protection.office.com</li><li>meet.lync.com</li><li>teams.microsoft.com</li></ul> |
|Yammer |<ul><li>www.yammer.com</li><li>yammer.com</li><li>persona.yammer.com</li></ul> |

8
windows/whats-new/contribute-to-a-topic.md
View File

@ -1,6 +1,6 @@
---
title: Edit an existing topic using the Edit link
description: Instructions about how to edit an existing topic by using the Contribute link on TechNet.
description: Instructions about how to edit an existing topic by using the Edit link on TechNet.
keywords: contribute, edit a topic
ms.prod: w10
ms.mktglfcycl: explore
@ -10,13 +10,13 @@ ms.sitesec: library
# Editing existing Windows IT professional documentation
You can now make suggestions and update existing, public content with a GitHub account and a simple click of a link.
>**Note**<br>
>[!NOTE]
>At this time, only the English (en-us) content is available for editing.
**To edit a topic**
1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before contributing to any Microsoft repositories.
If you've already contributed to Microsoft repositories in the past, congratulations! You've already completed this step.
1. All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before updating or adding to any Microsoft repositories.
If you've previously contributed to topics in the Microsoft repositories, congratulations! You've already completed this step.
2. Go to the page on TechNet that you want to update, and then click **Edit**.

5
windows/whats-new/docfx.json
View File

@ -33,7 +33,10 @@
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
"ms.technology": "windows",
"ms.topic": "article",
"ms.author": "trudyha",
"ms.date": "04/05/2017"
},
"fileMetadata": {},
"template": [],

4
windows/whats-new/index.md
View File

@ -1,6 +1,6 @@
---
title: What's new in Windows 10 (Windows 10)
description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more.
description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"]
ms.prod: w10
@ -20,7 +20,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec
- [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
- [Edit an existing topic using the Contribute link](contribute-to-a-topic.md)
- [Edit an existing topic using the Edit link](contribute-to-a-topic.md)
## Learn more