diff --git a/.gitignore b/.gitignore
index 604950802e..a39f55da7b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,4 +12,4 @@ Tools/NuGet/ packages.config # User-specific files
-.vs/
\ No newline at end of file
+.vs/
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 4658a2f02b..dca5878bff 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -119,5 +119,7 @@
 "git_repository_branch_open_to_public_contributors": "master",
 "skip_source_output_uploading": false,
 "dependent_repositories": [],
- "need_generate_pdf_url_template": false
-}
\ No newline at end of file
+ "need_generate_pdf_url_template": false,
+ "need_preview_pull_request": true
+}
+
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
new file mode 100644
index 0000000000..6edf0bae08
--- /dev/null
+++ b/.openpublishing.redirection.json
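Review bot: The empty added line after `+}` in the .openpublishing.publish.config.json hunk leaves the file ending in a blank line rather than the single trailing newline the `\ No newline at end of file` fix was meant to restore; drop that last `+` line so the file ends at `}`. Separately, `"need_preview_pull_request": true` turns on preview builds for pull requests, and the context line above it shows the branch is `git_repository_branch_open_to_public_contributors`, so content from untrusted forks will now drive a build. Presumably the preview pipeline runs without access to the publishing credentials used for the real publish, but that is not visible here and should be confirmed before merging; if it cannot be, a `NOTE: preview builds run on public PRs — keep publish secrets out of the preview stage` next to the setting would at least record the assumption.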
@@ -0,0 +1,1124 @@ +{ +"redirections": [ +{ +"source_path": "windows/keep-secure/configure-windows-defender-in-windows-10.md", +"redirect_url": "/itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/enable-pua-windows-defender-for-windows-10.md", +"redirect_url": "/itpro/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/get-started-with-windows-defender-for-windows-10.md", +"redirect_url": "/itpro/windows/keep-secure/deploy-manage-report-windows-defender-antivirus", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md", +"redirect_url": "/itpro/windows/keep-secure/command-line-arguments-windows-defender-antivirus", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md", +"redirect_url": "/itpro/windows/keep-secure/troubleshoot-windows-defender-antivirus", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md", +"redirect_url": "/itpro/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/windows-defender-block-at-first-sight.md", +"redirect_url": "/itpro/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/windows-defender-in-windows-10.md", +"redirect_url": "/itpro/windows/keep-secure/windows-defender-antivirus-in-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/windows-defender-enhanced-notifications.md", +"redirect_url": "/itpro/windows/keep-secure/configure-notifications-windows-defender-antivirus", 
+"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md", +"redirect_url": "/itpro/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-7.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-7", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-quick-start.md", +"redirect_url": "/itpro/windows/update/waas-quick-start", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-overview.md", +"redirect_url": "/itpro/windows/update/waas-overview", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-servicing-strategy-windows-10-updates.md", +"redirect_url": "/itpro/windows/update/waas-servicing-strategy-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-deployment-rings-windows-10-updates.md", +"redirect_url": "/itpro/windows/update/waas-deployment-rings-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-servicing-branches-windows-10-updates.md", +"redirect_url": "/itpro/windows/update/waas-servicing-branches-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/update-compliance-monitor.md", +"redirect_url": "/itpro/windows/update/update-compliance-monitor", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/update-compliance-get-started.md", +"redirect_url": "/itpro/windows/update/update-compliance-get-started", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/update-compliance-using.md", +"redirect_url": "/itpro/windows/update/update-compliance-using", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-optimize-windows-10-updates.md", +"redirect_url": 
"/itpro/windows/update/waas-optimize-windows-10-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-delivery-optimization.md", +"redirect_url": "/itpro/windows/update/waas-delivery-optimization", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-branchcache.md", +"redirect_url": "/itpro/windows/update/waas-branchcache", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-mobile-updates.md", +"redirect_url": "/itpro/windows/update/waas-mobile-updates", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-manage-updates-wufb.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-configure-wufb.md", +"redirect_url": "/itpro/windows/update/waas-configure-wufb", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-integrate-wufb.md", +"redirect_url": "/itpro/windows/update/waas-integrate-wufb", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-wufb-group-policy.md", +"redirect_url": "/itpro/windows/update/waas-wufb-group-policy", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-wufb-intune.md", +"redirect_url": "/itpro/windows/update/waas-wufb-intune.md", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-manage-updates-wsus.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wsus", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-manage-updates-configuration-manager.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-configuration-manager", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-restart.md", +"redirect_url": "/itpro/windows/update/waas-restart", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/waas-update-windows-10.md", +"redirect_url": "/itpro/windows/update/index", 
+"redirect_document_id": false +}, +{ +"source_path": "windows/manage/configure-windows-telemetry-in-your-organization.md", +"redirect_url": "/itpro/windows/configure/configure-windows-telemetry-in-your-organization", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md", +"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/set-up-a-device-for-anyone-to-use.md", +"redirect_url": "/itpro/windows/configure/set-up-a-device-for-anyone-to-use", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md", +"redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/guidelines-for-assigned-access-app.md", +"redirect_url": "/itpro/windows/configure/guidelines-for-assigned-access-app", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/lock-down-windows-10-to-specific-apps.md", +"redirect_url": "/itpro/windows/configure/lock-down-windows-10-to-specific-apps", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md", +"redirect_url": "/itpro/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/lockdown-xml.md", +"redirect_url": "/itpro/windows/configure/lockdown-xml", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/settings-that-can-be-locked-down.md", +"redirect_url": "/itpro/windows/configure/settings-that-can-be-locked-down", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/product-ids-in-windows-10-mobile.md", +"redirect_url": 
"/itpro/windows/configure/product-ids-in-windows-10-mobile", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-tips-and-suggestions.md", +"redirect_url": "/itpro/windows/configure/manage-tips-and-suggestions", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/windows-10-start-layout-options-and-policies.md", +"redirect_url": "/itpro/windows/configure/windows-10-start-layout-options-and-policies", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/configure-windows-10-taskbar.md", +"redirect_url": "/itpro/windows/configure/configure-windows-10-taskbar", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-and-export-start-layout.md", +"redirect_url": "/itpro/windows/configure/customize-and-export-start-layout", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/start-layout-xml-desktop.md", +"redirect_url": "/itpro/windows/configure/start-layout-xml-desktop", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/start-layout-xml-mobile.md", +"redirect_url": "/itpro/windows/configure/start-layout-xml-mobile", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-windows-10-start-screens-by-using-group-policy.md", +"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-group-policy", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md", +"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md", +"redirect_url": "/itpro/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/manage/cortana-at-work-testing-scenarios.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-testing-scenarios", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-1.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-1", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-2.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-2", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-3.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-3", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-4.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-4", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-5.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-5", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-scenario-6.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-scenario-6", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-o365.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-o365", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-crm.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-crm", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-powerbi.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-powerbi", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-voice-commands.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-voice-commands", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-policy-settings.md", +"redirect_url": 
"/itpro/windows/configure/cortana-at-work-policy-settings", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-feedback.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-feedback", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/stop-employees-from-using-the-windows-store.md", +"redirect_url": "/itpro/windows/configure/stop-employees-from-using-the-windows-store", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/configure-devices-without-mdm.md", +"redirect_url": "/itpro/windows/configure/configure-devices-without-mdm", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/changes-to-start-policies-in-windows-10.md", +"redirect_url": "/itpro/windows/configure/changes-to-start-policies-in-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/how-it-pros-can-use-configuration-service-providers.md", +"redirect_url": "/itpro/windows/configure/how-it-pros-can-use-configuration-service-providers", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/lock-down-windows-10.md", +"redirect_url": "/itpro/windows/configure/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-wifi-sense-in-enterprise.md", +"redirect_url": "/itpro/windows/configure/manage-wifi-sense-in-enterprise", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-packages.md", +"redirect_url": "/itpro/windows/configure/provisioning-packages", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-how-it-works.md", +"redirect_url": "/itpro/windows/configure/provisioning-how-it-works", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-install-icd.md", +"redirect_url": "/itpro/windows/configure/provisioning-install-icd", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-create-package.md", +"redirect_url": 
"/itpro/windows/configure/provisioning-create-package", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-apply-package.md", +"redirect_url": "/itpro/windows/configure/provisioning-apply-package", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-uninstall-package.md", +"redirect_url": "/itpro/windows/configure/provisioning-uninstall-package", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provision-pcs-for-initial-deployment.md", +"redirect_url": "/itpro/windows/configure/provision-pcs-for-initial-deployment", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provision-pcs-with-apps-and-certificates.md", +"redirect_url": "/itpro/windows/configure/provision-pcs-with-apps", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-script-to-install-app.md", +"redirect_url": "/itpro/windows/configure/provisioning-script-to-install-app", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-nfc.md", +"redirect_url": "/itpro/windows/configure/provisioning-nfc", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-command-line.md", +"redirect_url": "/itpro/windows/configure/provisioning-command-line", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/provisioning-multivariant.md", +"redirect_url": "/itpro/windows/configure/provisioning-multivariant", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/create-edp-policy-using-intune.md", +"redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-intune", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/create-edp-policy-using-sccm.md", +"redirect_url": "/itpro/windows/keep-secure/create-wip-policy-using-sccm", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/create-vpn-and-edp-policy-using-intune.md", +"redirect_url": 
"/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/hello-enable-phone-signin.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md", +"redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/guidance-and-best-practices-edp.md", +"redirect_url": "/itpro/windows/keep-secure/guidance-and-best-practices-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/overview-create-edp-policy.md", +"redirect_url": "/itpro/windows/keep-secure/overview-create-wip-policy", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/protect-enterprise-data-using-edp.md", +"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/testing-scenarios-for-edp.md", +"redirect_url": "/itpro/windows/keep-secure/testing-scenarios-for-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/wip-enterprise-overview.md", +"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/enlightened-microsoft-apps-and-edp.md", +"redirect_url": "/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/update-windows-10-images-with-provisioning-packages.md", +"redirect_url": "/itpro/windows/configure/provisioning-packages", +"redirect_document_id": false +}, +{ +"source_path": "windows/deploy/upgrade-analytics-prepare-your-environment.md", +"redirect_url": "/itpro/windows/deploy/upgrade-analytics-identify-apps", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/deploy/upgrade-analytics-release-notes.md", +"redirect_url": "/itpro/windows/deploy/upgrade-analytics-requirements", +"redirect_document_id": true +}, +{ +"source_path": "windows/deploy/upgrade-analytics-review-site-discovery.md", +"redirect_url": "/itpro/windows/deploy/upgrade-analytics-additional-insights", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md", +"redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md", +"redirect_url": "https://technet.microsoft.com/library/jj635854.aspx", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md", +"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/device-guard-certification-and-compliance.md", +"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md", +"redirect_url": "/itpro/windows/keep-secure/hello-enable-phone-signin", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md", +"redirect_url": "/itpro/windows/keep-secure/device-guard-deployment-guide", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/implement-microsoft-passport-in-your-organization.md", +"redirect_url": "/itpro/windows/keep-secure/hello-manage-in-organization", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/manage-identity-verification-using-microsoft-passport.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", 
+"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/microsoft-passport-and-password-changes.md", +"redirect_url": "/itpro/windows/keep-secure/hello-and-password-changes", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/microsoft-passport-errors-during-pin-creation.md", +"redirect_url": "/itpro/windows/keep-secure/hello-errors-during-pin-creation", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/microsoft-passport-guide.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md", +"redirect_url": "/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/passport-event-300.md", +"redirect_url": "/itpro/windows/keep-secure/hello-event-300", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/prepare-people-to-use-microsoft-passport.md", +"redirect_url": "/itpro/windows/keep-secure/hello-prepare-people-to-use", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/why-a-pin-is-better-than-a-password.md", +"redirect_url": "/itpro/windows/keep-secure/hello-why-pin-is-better-than-password", +"redirect_document_id": true +}, +{ +"source_path": "windows/keep-secure/windows-hello-in-enterprise.md", +"redirect_url": "/itpro/windows/keep-secure/hello-biometrics-in-enterprise", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/app-inventory-managemement-windows-store-for-business.md", +"redirect_url": "/itpro/windows/manage/app-inventory-management-windows-store-for-business", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/application-development-for-windows-as-a-service.md", +"redirect_url": 
"https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-accessibility.md", +"redirect_url": "/itpro/windows/manage/appv-getting-started", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-accessing-the-client-management-console.md", +"redirect_url": "/itpro/windows/manage/appv-using-the-client-management-console", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md", +"redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md", +"redirect_url": "/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md", +"redirect_url": "/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md", +"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/disconnect-your-organization-from-microsoft.md", +"redirect_url": "/itpro/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/introduction-to-windows-10-servicing.md", +"redirect_url": "/itpro/windows/update/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/manage-cortana-in-enterprise.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-overview", 
+"redirect_document_id": true +}, +{ +"source_path": "windows/manage/cortana-at-work-overview.md", +"redirect_url": "/itpro/windows/configure/cortana-at-work-overview", +"redirect_document_id": false +}, +{ +"source_path": "windows/manage/manage-inventory-windows-store-for-business.md", +"redirect_url": "/itpro/windows/manage/app-inventory-managemement-windows-store-for-business", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/uev-accessibility.md", +"redirect_url": "/itpro/windows/manage/uev-for-windows", +"redirect_document_id": true +}, +{ +"source_path": "windows/manage/uev-privacy-statement.md", +"redirect_url": "/itpro/windows/manage/uev-security-considerations", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/act-community-ratings-and-process.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/act-database-configuration.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-database-migration.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-deployment-options.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-glossary.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/activating-and-closing-windows-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-lps-share-permissions.md", +"redirect_url": 
"/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-operatingsystem-application-report.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-operatingsystem-computer-report.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-operatingsystem-device-report.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-product-and-documentation-resources.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-settings-dialog-box-preferences-tab.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-settings-dialog-box-settings-tab.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-toolbar-icons-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-tools-packages-and-services.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/act-user-interface-reference.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/adding-or-editing-an-issue.md", +"redirect_url": 
"/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/adding-or-editing-a-solution.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/analyzing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/application-dialog-box.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/categorizing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/chromebook-migration-guide.md", +"redirect_url": "edu/windows/chromebook-migration-guide", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/common-compatibility-issues.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/compatibility-monitor-users-guide.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/computer-dialog-box.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/configuring-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/creating-and-editing-issues-and-solutions.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ 
+"source_path": "windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/creating-an-inventory-collector-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/creating-a-runtime-analysis-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/customizing-your-report-views.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deciding-which-applications-to-test.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deleting-a-data-collection-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deploying-an-inventory-collector-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deploying-a-runtime-analysis-package.md", +"redirect_url": 
"/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/deploy-windows-10-in-a-school.md", +"redirect_url": "/edu/windows/deploy-windows-10-in-a-school", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/example-filter-queries.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/exporting-a-data-collection-package.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/filtering-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/fixing-compatibility-issues.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/identifying-computers-for-inventory-collection.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/integration-with-management-solutions-.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/internet-explorer-web-site-report.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/labeling-data-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/log-file-locations-for-data-collection-packages.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", 
+"redirect_document_id": false +}, +{ +"source_path": "windows/plan/managing-your-data-collection-packages.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/organizational-tasks-for-each-report-type.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/organizing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/prioritizing-your-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/ratings-icons-in-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/resolving-an-issue.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/saving-opening-and-exporting-reports.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/selecting-the-send-and-receive-status-for-an-application.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/selecting-your-compatibility-rating.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/selecting-your-deployment-status.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", 
+"redirect_document_id": false +}, +{ +"source_path": "windows/plan/sending-and-receiving-compatibility-data.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/settings-for-acm.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/setup-and-deployment.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/software-requirements-for-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/software-requirements-for-rap.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/taking-inventory-of-your-organization.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/testing-compatibility-on-the-target-platform.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/troubleshooting-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/troubleshooting-act-database-issues.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/troubleshooting-the-act-configuration-wizard.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": 
"windows/plan/troubleshooting-the-act-log-processing-service.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/using-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/using-compatibility-monitor-to-send-feedback.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/viewing-your-compatibility-reports.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/websiteurl-dialog-box.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/welcome-to-act.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/whats-new-in-act-60.md", +"redirect_url": "/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/windows-10-guidance-for-education-environments.md", +"redirect_url": "/edu/windows/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/plan/windows-10-servicing-options.md", +"redirect_url": "/itpro/windows/update/waas-overview", +"redirect_document_id": false +}, +{ +"source_path": "windows/plan/windows-update-for-business.md", +"redirect_url": "/itpro/windows/update/waas-manage-updates-wufb", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/applocker.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": true +}, +{ +"source_path": 
"windows/whats-new/bitlocker.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/change-history-for-what-s-new-in-windows-10.md", +"redirect_url": "/itpro/windows/whats-new/index", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/credential-guard.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/device-guard-overview.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/device-management.md", +"redirect_url": "/itpro/windows/manage/manage-corporate-devices", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/edge-ie11-whats-new-overview.md", +"redirect_url": "/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/edp-whats-new-overview.md", +"redirect_url": "/itpro/windows/keep-secure/protect-enterprise-data-using-wip", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/lockdown-features-windows-10.md", +"redirect_url": "/itpro/windows/configure/lockdown-features-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/microsoft-passport.md", +"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/new-provisioning-packages.md", +"redirect_url": "/itpro/windows/configure/provisioning-packages", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/security-auditing.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": 
"windows/whats-new/trusted-platform-module.md", +"redirect_url": "/itpro/windows/keep-secure/trusted-platform-module-overview", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/user-account-control.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/whats-new/windows-spotlight.md", +"redirect_url": "/itpro/windows/configure/windows-spotlight", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/windows-store-for-business-overview.md", +"redirect_url": "/itpro/windows/manage/windows-store-for-business-overview", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/windows-update-for-business.md", +"redirect_url": "/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511", +"redirect_document_id": false +}, +{ +"source_path": "windows/keep-secure/windows-10-security-guide.md", +"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10", +"redirect_document_id": true +}, +{ +"source_path": "windows/whats-new/security.md", +"redirect_url": "/itpro/windows/keep-secure/overview-of-threat-mitigations-in-windows-10", +"redirect_document_id": false +} +] +} \ No newline at end of file diff --git a/1.ps1 b/1.ps1 deleted file mode 100644 index 61aa825eeb..0000000000 --- a/1.ps1 +++ /dev/null @@ -1,3 +0,0 @@ -git add . -git commit -m "changes" -git push -u origin vso-10788146 \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index fb6c3024d1..e360930f75 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible.
 1. Go to the page on TechNet that you want to update, and then click **Contribute**.
- ![GitHub Web, showing the Contribute link](images/contribute-link.png)
+ ![GitHub Web, showing the Contribute link](images/contribute-link.png)
 2. Log into (or sign up for) a GitHub account.
@@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible.
 3. Click the **Pencil** icon (in the red box) to edit the content.
- ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
+ ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
 - **If you're linked to the Microsoft organization in GitHub:** [Windows Open Publishing Guide Home](http://aka.ms/windows-op-guide)
@@ -37,7 +37,7 @@ We've tried to make editing an existing, public file as simple as possible.
 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
- ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png)
+ ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png)
 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
@@ -48,7 +48,7 @@ We've tried to make editing an existing, public file as simple as possible.
 7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. If there are no problems, you’ll see the message, **Able to merge**.
-
+ ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png)
 8. Click **Create pull request**.
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000000..a2c95fc155
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,395 @@
+Attribution 4.0 International
+
+=======================================================================
+
+Creative Commons Corporation ("Creative Commons") is not a law firm and
+does not provide legal services or legal advice. Distribution of
+Creative Commons public licenses does not create a lawyer-client or
+other relationship. Creative Commons makes its licenses and related
+information available on an "as-is" basis. Creative Commons gives no
+warranties regarding its licenses, any material licensed under their
+terms and conditions, or any related information. Creative Commons
+disclaims all liability for damages resulting from their use to the
+fullest extent possible.
+
+Using Creative Commons Public Licenses
+
+Creative Commons public licenses provide a standard set of terms and
+conditions that creators and other rights holders may use to share
+original works of authorship and other material subject to copyright
+and certain other rights specified in the public license below. The
+following considerations are for informational purposes only, are not
+exhaustive, and do not form part of our licenses.
+
+ Considerations for licensors: Our public licenses are
+ intended for use by those authorized to give the public
+ permission to use material in ways otherwise restricted by
+ copyright and certain other rights. Our licenses are
+ irrevocable. Licensors should read and understand the terms
+ and conditions of the license they choose before applying it.
+ Licensors should also secure all rights necessary before
+ applying our licenses so that the public can reuse the
+ material as expected. Licensors should clearly mark any
+ material not subject to the license. This includes other CC-
+ licensed material, or material used under an exception or
+ limitation to copyright. More considerations for licensors:
+ wiki.creativecommons.org/Considerations_for_licensors
+
+ Considerations for the public: By using one of our public
+ licenses, a licensor grants the public permission to use the
+ licensed material under specified terms and conditions. If
+ the licensor's permission is not necessary for any reason--for
+ example, because of any applicable exception or limitation to
+ copyright--then that use is not regulated by the license. Our
+ licenses grant only permissions under copyright and certain
+ other rights that a licensor has authority to grant. Use of
+ the licensed material may still be restricted for other
+ reasons, including because others have copyright or other
+ rights in the material. A licensor may make special requests,
+ such as asking that all changes be marked or described.
+ Although not required by our licenses, you are encouraged to
+ respect those requests where reasonable. More_considerations
+ for the public:
+ wiki.creativecommons.org/Considerations_for_licensees
+
+=======================================================================
+
+Creative Commons Attribution 4.0 International Public License
+
+By exercising the Licensed Rights (defined below), You accept and agree
+to be bound by the terms and conditions of this Creative Commons
+Attribution 4.0 International Public License ("Public License"). To the
+extent this Public License may be interpreted as a contract, You are
+granted the Licensed Rights in consideration of Your acceptance of
+these terms and conditions, and the Licensor grants You such rights in
+consideration of benefits the Licensor receives from making the
+Licensed Material available under these terms and conditions.
+
+
+Section 1 -- Definitions.
+
+ a. Adapted Material means material subject to Copyright and Similar
+ Rights that is derived from or based upon the Licensed Material
+ and in which the Licensed Material is translated, altered,
+ arranged, transformed, or otherwise modified in a manner requiring
+ permission under the Copyright and Similar Rights held by the
+ Licensor. For purposes of this Public License, where the Licensed
+ Material is a musical work, performance, or sound recording,
+ Adapted Material is always produced where the Licensed Material is
+ synched in timed relation with a moving image.
+
+ b. Adapter's License means the license You apply to Your Copyright
+ and Similar Rights in Your contributions to Adapted Material in
+ accordance with the terms and conditions of this Public License.
+
+ c. Copyright and Similar Rights means copyright and/or similar rights
+ closely related to copyright including, without limitation,
+ performance, broadcast, sound recording, and Sui Generis Database
+ Rights, without regard to how the rights are labeled or
+ categorized. For purposes of this Public License, the rights
+ specified in Section 2(b)(1)-(2) are not Copyright and Similar
+ Rights.
+
+ d. Effective Technological Measures means those measures that, in the
+ absence of proper authority, may not be circumvented under laws
+ fulfilling obligations under Article 11 of the WIPO Copyright
+ Treaty adopted on December 20, 1996, and/or similar international
+ agreements.
+
+ e. Exceptions and Limitations means fair use, fair dealing, and/or
+ any other exception or limitation to Copyright and Similar Rights
+ that applies to Your use of the Licensed Material.
+
+ f. Licensed Material means the artistic or literary work, database,
+ or other material to which the Licensor applied this Public
+ License.
+
+ g. Licensed Rights means the rights granted to You subject to the
+ terms and conditions of this Public License, which are limited to
+ all Copyright and Similar Rights that apply to Your use of the
+ Licensed Material and that the Licensor has authority to license.
+
+ h. Licensor means the individual(s) or entity(ies) granting rights
+ under this Public License.
+
+ i. Share means to provide material to the public by any means or
+ process that requires permission under the Licensed Rights, such
+ as reproduction, public display, public performance, distribution,
+ dissemination, communication, or importation, and to make material
+ available to the public including in ways that members of the
+ public may access the material from a place and at a time
+ individually chosen by them.
+
+ j. Sui Generis Database Rights means rights other than copyright
+ resulting from Directive 96/9/EC of the European Parliament and of
+ the Council of 11 March 1996 on the legal protection of databases,
+ as amended and/or succeeded, as well as other essentially
+ equivalent rights anywhere in the world.
+
+ k. You means the individual or entity exercising the Licensed Rights
+ under this Public License. Your has a corresponding meaning.
+
+
+Section 2 -- Scope.
+
+ a. License grant.
+
+ 1. Subject to the terms and conditions of this Public License,
+ the Licensor hereby grants You a worldwide, royalty-free,
+ non-sublicensable, non-exclusive, irrevocable license to
+ exercise the Licensed Rights in the Licensed Material to:
+
+ a. reproduce and Share the Licensed Material, in whole or
+ in part; and
+
+ b. produce, reproduce, and Share Adapted Material.
+
+ 2. Exceptions and Limitations. For the avoidance of doubt, where
+ Exceptions and Limitations apply to Your use, this Public
+ License does not apply, and You do not need to comply with
+ its terms and conditions.
+
+ 3. Term. The term of this Public License is specified in Section
+ 6(a).
+
+ 4. Media and formats; technical modifications allowed. The
+ Licensor authorizes You to exercise the Licensed Rights in
+ all media and formats whether now known or hereafter created,
+ and to make technical modifications necessary to do so. The
+ Licensor waives and/or agrees not to assert any right or
+ authority to forbid You from making technical modifications
+ necessary to exercise the Licensed Rights, including
+ technical modifications necessary to circumvent Effective
+ Technological Measures. For purposes of this Public License,
+ simply making modifications authorized by this Section 2(a)
+ (4) never produces Adapted Material.
+
+ 5. Downstream recipients.
+
+ a. Offer from the Licensor -- Licensed Material. Every
+ recipient of the Licensed Material automatically
+ receives an offer from the Licensor to exercise the
+ Licensed Rights under the terms and conditions of this
+ Public License.
+
+ b. No downstream restrictions. You may not offer or impose
+ any additional or different terms or conditions on, or
+ apply any Effective Technological Measures to, the
+ Licensed Material if doing so restricts exercise of the
+ Licensed Rights by any recipient of the Licensed
+ Material.
+
+ 6. No endorsement. Nothing in this Public License constitutes or
+ may be construed as permission to assert or imply that You
+ are, or that Your use of the Licensed Material is, connected
+ with, or sponsored, endorsed, or granted official status by,
+ the Licensor or others designated to receive attribution as
+ provided in Section 3(a)(1)(A)(i).
+
+ b. Other rights.
+
+ 1. Moral rights, such as the right of integrity, are not
+ licensed under this Public License, nor are publicity,
+ privacy, and/or other similar personality rights; however, to
+ the extent possible, the Licensor waives and/or agrees not to
+ assert any such rights held by the Licensor to the limited
+ extent necessary to allow You to exercise the Licensed
+ Rights, but not otherwise.
+
+ 2. Patent and trademark rights are not licensed under this
+ Public License.
+
+ 3. To the extent possible, the Licensor waives any right to
+ collect royalties from You for the exercise of the Licensed
+ Rights, whether directly or through a collecting society
+ under any voluntary or waivable statutory or compulsory
+ licensing scheme. In all other cases the Licensor expressly
+ reserves any right to collect such royalties.
+
+
+Section 3 -- License Conditions.
+
+Your exercise of the Licensed Rights is expressly made subject to the
+following conditions.
+
+ a. Attribution.
+
+ 1. If You Share the Licensed Material (including in modified
+ form), You must:
+
+ a. retain the following if it is supplied by the Licensor
+ with the Licensed Material:
+
+ i. identification of the creator(s) of the Licensed
+ Material and any others designated to receive
+ attribution, in any reasonable manner requested by
+ the Licensor (including by pseudonym if
+ designated);
+
+ ii. a copyright notice;
+
+ iii. a notice that refers to this Public License;
+
+ iv. a notice that refers to the disclaimer of
+ warranties;
+
+ v. a URI or hyperlink to the Licensed Material to the
+ extent reasonably practicable;
+
+ b. indicate if You modified the Licensed Material and
+ retain an indication of any previous modifications; and
+
+ c. indicate the Licensed Material is licensed under this
+ Public License, and include the text of, or the URI or
+ hyperlink to, this Public License.
+
+ 2. You may satisfy the conditions in Section 3(a)(1) in any
+ reasonable manner based on the medium, means, and context in
+ which You Share the Licensed Material. For example, it may be
+ reasonable to satisfy the conditions by providing a URI or
+ hyperlink to a resource that includes the required
+ information.
+
+ 3. If requested by the Licensor, You must remove any of the
+ information required by Section 3(a)(1)(A) to the extent
+ reasonably practicable.
+
+ 4. If You Share Adapted Material You produce, the Adapter's
+ License You apply must not prevent recipients of the Adapted
+ Material from complying with this Public License.
+
+
+Section 4 -- Sui Generis Database Rights.
+
+Where the Licensed Rights include Sui Generis Database Rights that
+apply to Your use of the Licensed Material:
+
+ a. for the avoidance of doubt, Section 2(a)(1) grants You the right
+ to extract, reuse, reproduce, and Share all or a substantial
+ portion of the contents of the database;
+
+ b. if You include all or a substantial portion of the database
+ contents in a database in which You have Sui Generis Database
+ Rights, then the database in which You have Sui Generis Database
+ Rights (but not its individual contents) is Adapted Material; and
+
+ c. You must comply with the conditions in Section 3(a) if You Share
+ all or a substantial portion of the contents of the database.
+
+For the avoidance of doubt, this Section 4 supplements and does not
+replace Your obligations under this Public License where the Licensed
+Rights include other Copyright and Similar Rights.
+
+
+Section 5 -- Disclaimer of Warranties and Limitation of Liability.
+
+ a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
+ EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
+ AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
+ ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
+ IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
+ WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
+ ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
+ KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
+ ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
+
+ b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
+ TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
+ NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
+ INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
+ COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
+ USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
+ ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
+ DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
+ IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
+
+ c. The disclaimer of warranties and limitation of liability provided
+ above shall be interpreted in a manner that, to the extent
+ possible, most closely approximates an absolute disclaimer and
+ waiver of all liability.
+
+
+Section 6 -- Term and Termination.
+
+ a. This Public License applies for the term of the Copyright and
+ Similar Rights licensed here. However, if You fail to comply with
+ this Public License, then Your rights under this Public License
+ terminate automatically.
+
+ b. Where Your right to use the Licensed Material has terminated under
+ Section 6(a), it reinstates:
+
+ 1. automatically as of the date the violation is cured, provided
+ it is cured within 30 days of Your discovery of the
+ violation; or
+
+ 2. upon express reinstatement by the Licensor.
+
+ For the avoidance of doubt, this Section 6(b) does not affect any
+ right the Licensor may have to seek remedies for Your violations
+ of this Public License.
+
+ c. For the avoidance of doubt, the Licensor may also offer the
+ Licensed Material under separate terms or conditions or stop
+ distributing the Licensed Material at any time; however, doing so
+ will not terminate this Public License.
+
+ d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
+ License.
+
+
+Section 7 -- Other Terms and Conditions.
+
+ a. The Licensor shall not be bound by any additional or different
+ terms or conditions communicated by You unless expressly agreed.
+
+ b. Any arrangements, understandings, or agreements regarding the
+ Licensed Material not stated herein are separate from and
+ independent of the terms and conditions of this Public License.
+
+
+Section 8 -- Interpretation.
+
+ a. For the avoidance of doubt, this Public License does not, and
+ shall not be interpreted to, reduce, limit, restrict, or impose
+ conditions on any use of the Licensed Material that could lawfully
+ be made without permission under this Public License.
+
+ b. To the extent possible, if any provision of this Public License is
+ deemed unenforceable, it shall be automatically reformed to the
+ minimum extent necessary to make it enforceable. If the provision
+ cannot be reformed, it shall be severed from this Public License
+ without affecting the enforceability of the remaining terms and
+ conditions.
+
+ c. No term or condition of this Public License will be waived and no
+ failure to comply consented to unless expressly agreed to by the
+ Licensor.
+
+ d. Nothing in this Public License constitutes or may be interpreted
+ as a limitation upon, or waiver of, any privileges and immunities
+ that apply to the Licensor or You, including from the legal
+ processes of any jurisdiction or authority.
+
+
+=======================================================================
+
+Creative Commons is not a party to its public
+licenses. Notwithstanding, Creative Commons may elect to apply one of
+its public licenses to material it publishes and in those instances
+will be considered the “Licensor.” The text of the Creative Commons
+public licenses is dedicated to the public domain under the CC0 Public
+Domain Dedication. Except for the limited purpose of indicating that
+material is shared under a Creative Commons public license or as
+otherwise permitted by the Creative Commons policies published at
+creativecommons.org/policies, Creative Commons does not authorize the
+use of the trademark "Creative Commons" or any other trademark or logo
+of Creative Commons without its prior written consent including,
+without limitation, in connection with any unauthorized modifications
+to any of its public licenses or any other arrangements,
+understandings, or agreements concerning use of licensed material. For
+the avoidance of doubt, this paragraph does not form part of the
+public licenses.
+
+Creative Commons may be contacted at creativecommons.org.
\ No newline at end of file
diff --git a/LICENSE-CODE b/LICENSE-CODE
new file mode 100644
index 0000000000..b17b032a43
--- /dev/null
+++ b/LICENSE-CODE
@@ -0,0 +1,17 @@
+The MIT License (MIT)
+Copyright (c) Microsoft Corporation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction,
+including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
+and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
+NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/README.md b/README.md
index 8864d2a10e..01059ee91d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,8 @@
+## Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
+
 # Windows IT professional documentation
 Welcome! This repository houses the docs that are written for IT professionals for the following products:
diff --git a/ThirdPartyNotices b/ThirdPartyNotices
new file mode 100644
index 0000000000..a0bd09d68f
--- /dev/null
+++ b/ThirdPartyNotices
@@ -0,0 +1,15 @@
+##Legal Notices
+Microsoft and any contributors grant you a license to the Microsoft documentation and other content
+in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode),
+see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the
+[LICENSE-CODE](LICENSE-CODE) file.
+
+Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation
+may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries.
+The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.
+Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.
+
+Privacy information can be found at https://privacy.microsoft.com/en-us/
+
+Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents,
+or trademarks, whether by implication, estoppel or otherwise.
\ No newline at end of file
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 680e73b52a..8c8984005a 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -5,11 +5,11 @@ author: eross-msft
 ms.prod: edge
 ms.mktglfcycl: explore
 ms.sitesec: library
-title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
+title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
 localizationpriority: high
 ---
-# Available policies for Microsoft Edge
+# Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
 **Applies to:**
@@ -20,98 +20,1015 @@ Microsoft Edge works with Group Policy and Microsoft Intune to help you manage y
 By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that's linked to a domain, and then apply all of those settings to every computer in the domain.
-> **Note**
-> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows Powershell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
+> [!NOTE]
+> For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924).
## Group Policy settings
 Microsoft Edge works with these Group Policy settings (`Computer Configuration\Administrative Templates\Windows Components\Microsoft Edge\`) to help you manage your company's web browser configurations:
-| Policy name |Supported versions |Description |Options |
-|-------------|------------|-------------|--------|
-|Allow Developer Tools |Windows 10, Version 1511 or later |This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.

If you enable or don’t configure this setting, the F12 Developer Tools are available in Microsoft Edge.

If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge. |**Enabled or not configured (default):** Shows the F12 Developer Tools on Microsoft Edge.

**Disabled:** Hides the F12 Developer Tools on Microsoft Edge. |
-|Allow InPrivate browsing |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can browse using InPrivate website browsing.

If you enable or don’t configure this setting, employees can use InPrivate website browsing.

If you disable this setting, employees can’t use InPrivate website browsing. |**Enabled or not configured (default):** Lets employees use InPrivate website browsing.

**Disabled:** Stops employees from using InPrivate website browsing. |
-|Allow web content on New Tab page |Windows 10 or later |This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.

If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.

If you disable this setting, Microsoft Edge opens a new tab with a blank page.

If you don’t configure this setting, employees can choose how new tabs appears. |**Not configured (default):** Employees see web content on New Tab page, but can change it.

**Enabled:** Employees see web content on New Tab page.

**Disabled:** Employees always see an empty new tab. |
-|Configure Autofill |Windows 10 or later |This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.

If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.

If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.

If you don’t configure this setting, employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge. |**Not configured (default):** Employees can choose to turn Autofill on or off.

**Enabled:** Employees can use Autofill to complete form fields.

**Disabled:** Employees can’t use Autofill to complete form fields. |
-|Configure cookies |Windows 10 or later|This setting lets you configure how to work with cookies.

If you enable this setting, you must also decide whether to:

If you disable or don't configure this setting, all cookies are allowed from all sites. |**Enabled:** Lets you decide how your company treats cookies.
If you use this option, you must also choose whether to:

**Disabled or not configured:** All cookies are allowed from all sites.|
-|Configure Do Not Track |Windows 10 or later |This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.

If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.

If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.

If you don’t configure this setting, employees can choose whether to send Do Not Track requests to websites asking for tracking info. |**Not configured (default):** Employees can choose to send Do Not Track headers on or off.

**Enabled:** Employees can send Do Not Track requests to websites requesting tracking info.

**Disabled:** Employees can’t send Do Not Track requests to websites requesting tracking info. |
-|Allow Extensions |Windows 10, Version 1607 or later |This policy setting lets you decide whether employees can use Edge Extensions.

If you enable or don’t configure this setting, employees can use Edge Extensions.

If you disable this setting, employees can’t use Edge Extensions. |**Enabled or not configured:** Lets employees use Edge Extensions.

**Disabled:** Stops employees from using Edge Extensions. |
-|Configure Favorites |Windows 10, Version 1511 or later |This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.

If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.

If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub. |**Enabled:** Configure the default list of Favorites for your employees. If you use this option, you must also add the URLs to the sites.

**Disabled or not configured:** Uses the Favorites list and URLs specified in the Favorites hub. |
-|Configure Home pages |Windows 10, Version 1511 or later |This policy setting lets you configure one or more Home pages. for domain-joined devices. Your employees won't be able to change this after you set it.

If you enable this setting, you can configure one or more Home pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format:
``

If you disable or don’t configure this setting, your default Home page is the webpage specified in App settings. |**Enabled:** Configure your Home pages. If you use this option, you must also include site URLs.

**Disabled or not configured (default):** Uses the Home pages and URLs specified in the App settings. |
-|Configure Password Manager |Windows 10 or later |This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.

If you enable this setting, employees can use Password Manager to save their passwords locally.

If you disable this setting, employees can’t use Password Manager to save their passwords locally.

If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally. |**Not configured:** Employees can choose whether to use Password Manager.

**Enabled (default):** Employees can use Password Manager to save passwords locally.

**Disabled:** Employees can't use Password Manager to save passwords locally. |
-|Configure Pop-up Blocker |Windows 10 or later |This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.

If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.

If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.

If you don’t configure this setting, employees can choose whether to use Pop-up Blocker. |**Enabled or not configured (default):** Turns on Pop-up Blocker, stopping pop-up windows.

**Disabled:** Turns off Pop-up Blocker, allowing pop-up windows. |
-|Configure search suggestions in Address bar |Windows 10 or later |This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.

If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.

If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.

If you don’t configure this setting, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge. |**Not configured (default):** Employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.

**Enabled:** Employees can see search suggestions in the Address bar of Microsoft Edge.

**Disabled:** Employees can’t see search suggestions in the Address bar of Microsoft Edge. |
-|Configure SmartScreen Filter |Windows 10 or later |This policy setting lets you configure whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, SmartScreen Filter is turned on.

If you enable this setting, SmartScreen Filter is turned on and employees can’t turn it off.

If you disable this setting, SmartScreen Filter is turned off and employees can’t turn it on.

If you don’t configure this setting, employees can choose whether to use SmartScreen Filter. |**Not configured (default):** Employees can choose whether to use SmartScreen Filter.

**Enabled:** Turns on SmartScreen Filter, providing warning messages to your employees about potential phishing scams and malicious software.

**Disabled:** Turns off SmartScreen Filter. |
-|Configure the Enterprise Mode Site List |Windows 10 or later| This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.

If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode.

If you disable or don’t configure this setting, Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.

**Note**
If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one.|**Enabled:** Lets you use the Enterprise Mode Site List to address common compatibility problems with legacy apps, if it’s configured.

If you use this option, you must also add the location to your site list in the `{URI}` box. When configured, any site on the list will always open in Internet Explorer 11.

**Disabled or not configured (default):** You won't be able to use the Enterprise Mode Site List.|
-|Prevent access to the about:flags page |Windows 10, Version 1607 or later|This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features.

If you enable this policy setting, employees can’t access the about:flags page.

If you disable or don’t configure this setting, employees can access the about:flags page. |**Enabled:** Stops employees from using the about:flags page.

**Disabled or not configured (default):** Lets employees use the about:flags page. |
-|Prevent bypassing SmartScreen prompts for files |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files.

If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from downloading the unverified files.

If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue the download process. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about unverified files.

**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about unverified files and lets them continue the download process. |
-|Prevent bypassing SmartScreen prompts for sites |Windows 10, Version 1511 or later |This policy setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites.

If you enable this setting, employees can’t ignore SmartScreen Filter warnings and they’re blocked from continuing to the site.

If you disable or don’t configure this setting, employees can ignore SmartScreen Filter warnings and continue to the site. |**Enabled:** Stops employees from ignoring the SmartScreen Filter warnings about potentially malicious sites.

**Disabled or not configured (default):** Lets employees ignore the SmartScreen Filter warnings about potentially malicious sites and continue to the site. |
-|Prevent using Localhost IP address for WebRTC |Windows 10, Version 1511 or later |This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off.

If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol.

If you disable or don’t configure this setting, Localhost IP addresses are shown while making calls using the WebRTC protocol. |**Enabled:** Hides the Localhost IP address during calls using the WebRTC protocol.

**Disabled or not configured (default):** Shows the Localhost IP address during phone calls using the WebRTC protocol. |
-|Send all intranet sites to Internet Explorer 11 |Windows 10 or later |This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.

If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11.

If you disable or don’t configure this setting, all websites, including intranet sites, are automatically opened using Microsoft Edge. |**Enabled:** Automatically opens all intranet sites using Internet Explorer 11.

**Disabled or not configured (default):** Automatically opens all websites, including intranet sites, using Microsoft Edge. |
-|Show message when opening sites in Internet Explorer |Windows 10, Version 1607 and later |This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.

If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.

If you disable or don’t configure this setting, the default app behavior occurs and no additional page appears. |**Enabled:** Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.

**Disabled or not configured (default):** Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. |
+### Allow Address bar drop-down list suggestions
+- **Supported versions:** Windows 10, version 1703
-## Using Microsoft Intune to manage your Mobile Data Management (MDM) settings for Microsoft Edge
+- **Description:** This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services.
+
+ - If you enable or don't configure this setting (default), employees can see the Address bar drop-down functionality in Microsoft Edge.
+
+ - If you disable this setting, employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting, "Show search and site suggestions as I type".
+
+ > [!Note]
+ > Disabling this setting turns off the Address bar drop-down functionality. Therefore, because search suggestions are shown in the drop-down, this setting takes precedence over the "Configure search suggestions in Address bar" setting.
+
+### Allow Adobe Flash
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.
+
+ - If you enable or don't configure this setting (default), employees can use Adobe Flash.
+
+ - If you disable this setting, employees can't use Adobe Flash.
+
+### Allow clearing browsing data on exit
+- **Supported versions:** Windows 10, version 1703
+
+- **Description:** This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.
+
+ - If you enable this policy setting, clearing browsing history on exit is turned on.
+
+ - If you disable or don't configure this policy setting (default), it can be turned on and configured by the employee in the Clear browsing data options area, under Settings.
+
+### Allow Developer Tools
+- **Supported versions:** Windows 10, version 1511 or later
+
+- **Description:** This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.
+ - If you enable or don’t configure this setting (default), the F12 Developer Tools are available in Microsoft Edge.
+
+ - If you disable this setting, the F12 Developer Tools aren’t available in Microsoft Edge.
+
+### Allow Extensions
+- **Supported versions:** Windows 10, version 1607 or later
+
+- **Description:** This policy setting lets you decide whether employees can use Edge Extensions.
+
+ - If you enable or don’t configure this setting, employees can use Edge Extensions.
+
+ - If you disable this setting, employees can’t use Edge Extensions.
+
+### Allow InPrivate browsing
+- **Supported versions:** Windows 10, version 1511 or later
+
+- **Description:** This policy setting lets you decide whether employees can browse using InPrivate website browsing.
+
+ - If you enable or don’t configure this setting (default), employees can use InPrivate website browsing.
+
+ - If you disable this setting, employees can’t use InPrivate website browsing.
+
+### Allow Microsoft Compatibility List
+- **Supported versions:** Windows 10, version 1607 or later
+
+- **Description:** This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default, the Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.
+
+ - If you enable or don’t configure this setting (default), Microsoft Edge periodically downloads the latest version of the list from Microsoft, applying the updates during browser navigation.
Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Explorer 11, where the site is automatically rendered as though it’s in whatever version of IE is necessary for it to appear properly.
+
+ - If you disable this setting, the Microsoft Compatibility List isn’t used during browser navigation.
+
+### Allow search engine customization
+- **Supported versions:** Windows 10, version 1703
+
+- **Description:** This policy setting lets you decide whether users can change their search engine.
+
+ >[!Important]
+ >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+ - If you enable or don't configure this policy (default), users can add new search engines and change the default used in the Address bar from within Microsoft Edge Settings.
+
+ - If you disable this setting, users can't add search engines or change the default used in the address bar.
+
+### Allow web content on New Tab page
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default, Microsoft Edge opens the New Tab page. If you use this setting, employees can’t change it.
+
+ - If you enable this setting, Microsoft Edge opens a new tab with the New Tab page.
+
+ - If you disable this setting, Microsoft Edge opens a new tab with a blank page.
+
+ - If you don’t configure this setting (default), employees can choose how new tabs appears.
+
+### Configure additional search engines
+- **Supported versions:** Windows 10, version 1703
+
+- **Description:** This policy setting lets you add up to 5 additional search engines, which can't be removed by your employees, but can be made a personal default engine. This setting doesn't set the default search engine. For that, you must use the "Set default search engine" setting.
+
+ > [!Important]
+ > This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).
+
+ - If you enable this setting, you can add up to 5 additional search engines. For each additional engine, you must also add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format:
+
+ https://www.contoso.com/opensearch.xml
+
+ For more info about creating the OpenSearch XML file, see the [Understanding OpenSearch Standards](https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic.
+
+ - If you disable this setting (default), any added search engines are removed from your employee's devices.
+
+ - If you don't configure this setting, the search engine list is set to what is specified in App settings.
+
+### Configure Autofill
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. By default, employees can choose whether to use Autofill.
+
+ - If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge.
+
+ - If you disable this setting, employees can’t use Autofill to automatically fill in forms while using Microsoft Edge.
+
+ - If you don’t configure this setting (default), employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.
+
+### Configure cookies
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This setting lets you configure how to work with cookies.
+
+ - If you enable this setting, you must also decide whether to:
+ - **Allow all cookies (default):** Allows all cookies from all websites.
+
+ - **Block all cookies:** Blocks all cookies from all websites.
+
+ - **Block only 3rd-party cookies:** Blocks only cookies from 3rd-party websites.
+
+ - If you disable or don't configure this setting, all cookies are allowed from all sites.
+
+### Configure Do Not Track
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. By default, Do Not Track requests aren’t sent, but employees can choose to turn on and send requests.
+
+ - If you enable this setting, Do Not Track requests are always sent to websites asking for tracking info.
+
+ - If you disable this setting, Do Not Track requests are never sent to websites asking for tracking info.
+
+ - If you don’t configure this setting (default), employees can choose whether to send Do Not Track requests to websites asking for tracking info.
+
+### Configure Favorites
+- **Supported versions:** Windows 10, version 1511 or later
+
+- **Description:** This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their Favorites by adding or removing items at any time.
+
+ - If you enable this setting, you can configure what default Favorites appear for your employees. If this setting is enabled, you must also provide a list of Favorites in the Options section. This list is imported after your policy is deployed.
+
+ - If you disable or don’t configure this setting, employees will see the Favorites that they set in the Favorites hub.
+
+### Configure Password Manager
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on.
+
+ - If you enable this setting (default), employees can use Password Manager to save their passwords locally.
+
+ - If you disable this setting, employees can’t use Password Manager to save their passwords locally.
+
+ - If you don’t configure this setting, employees can choose whether to use Password Manager to save their passwords locally.
+
+### Configure Pop-up Blocker
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
+
+ - If you enable this setting (default), Pop-up Blocker is turned on, stopping pop-up windows from appearing.
+
+ - If you disable this setting, Pop-up Blocker is turned off, letting pop-ups windows appear.
+
+ - If you don’t configure this setting, employees can choose whether to use Pop-up Blocker.
+
+### Configure search suggestions in Address bar
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default, employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
+
+ - If you enable this setting, employees can see search suggestions in the Address bar of Microsoft Edge.
+
+ - If you disable this setting, employees can't see search suggestions in the Address bar of Microsoft Edge.
+
+ - If you don’t configure this setting (default), employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
+
+### Configure Start pages
+- **Supported versions:** Windows 10, version 1511 or later
+
+- **Description:** This policy setting lets you configure one or more Start pages, for domain-joined devices. Your employees won't be able to change this after you set it.
+
+ - If you enable this setting, you can configure one or more Start pages. If this setting is enabled, you must also include URLs to the pages, separating multiple pages by using angle brackets in this format:
+
+
+
+ - If you disable or don’t configure this setting (default), your default Start page is the webpage specified in App settings.
+
+### Configure the Adobe Flash Click-to-Run setting
+- **Supported versions:** Windows 10, version 1703
+
+- **Description:** This policy setting lets you decide whether employees must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
+
+ >[!Important]
+ >Sites are put on the auto-allowed list based on how frequently employees load and run the content.
+
+ - If you enable or don’t configure the Adobe Flash Click-to-Run setting, an employee must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content.
+
+ - If you disable this setting, Adobe Flash content is automatically loaded and run by Microsoft Edge.
+
+### Configure the Enterprise Mode Site List
+- **Supported versions:** Windows 10 or later
+
+- **Description:** This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy apps.
+
+ - If you enable this setting, Microsoft Edge looks for the Enterprise Mode Site List XML file, which includes the sites and domains that need to be viewed using Internet Explorer 11 and Enterprise Mode. If you use this option, you must also add the location to your site list in the **{URI}** box. When configured, any site on the list will always open in Internet Explorer 11.
+
+ - If you disable or don’t configure this setting (default), Microsoft Edge won’t use the Enterprise Mode Site List XML file. In this case, employees might experience compatibility problems while using legacy apps.
+
+ >[!Note]
+ >If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

+ >If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. + +### Configure Windows Defender SmartScreen +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. + + - If you enable this setting, Windows Defender SmartScreen is turned on and employees can’t turn it off. + + - If you disable this setting, Windows Defender SmartScreen is turned off and employees can’t turn it on. + + - If you don’t configure this setting (default), employees can choose whether to use Windows Defender SmartScreen. + +### Disable lockdown of Start pages +- **Supported versions:** Windows 10, version 1703 + +- **Description:** This policy setting lets you disable the lock down of Start pages, letting employees modify the Start pages when the "Configure Start pages" setting is in effect. + + >[!Important] + >This setting only applies when you're using the “Configure Start pages" setting and can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + + - If you enable this setting, you can't lock down any Start pages that are configured using the "Configure Start pages" setting, which means that employees can modify them. + + - If you disable or don't configure this setting (default), employees can't change any Start pages configured using the "Configure Start pages" setting, thereby locking down the Start pages. 
+ +### Keep favorites in sync between Internet Explorer and Microsoft Edge +- **Supported versions:** Windows 10, version 1703 + +- **Description:** This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge, including additions, deletions, changes, and position. + + >[!Note] + >Enabling this setting stops Edge favorites from syncing between connected Windows 10 devices. + + - If you enable this setting, employees can sync their favorites between Internet Explorer and Microsoft Edge. + + - If you disable or don't configure this setting (default), employees can’t sync their favorites between Internet Explorer and Microsoft Edge. + +### Prevent access to the about:flags page +- **Supported versions:** Windows 10, version 1607 or later + +- **Description:** This policy setting lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. + + - If you enable this policy setting, employees can’t access the about:flags page. + + - If you disable or don’t configure this setting (default), employees can access the about:flags page. + +### Prevent bypassing Windows Defender SmartScreen prompts for files +- **Supported versions:** Windows 10, version 1511 or later + +- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files. + + - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from downloading the unverified files. + + - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue the download process. 
+ +### Prevent bypassing Windows Defender SmartScreen prompts for sites +- **Supported versions:** Windows 10, version 1511 or later + +- **Description:** This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites. + + - If you enable this setting, employees can’t ignore Windows Defender SmartScreen warnings and they’re blocked from continuing to the site. + + - If you disable or don’t configure this setting (default), employees can ignore Windows Defender SmartScreen warnings and continue to the site. + +### Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start +- **Supported versions:** Windows 10, version 1703 + +- **Description:** This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + + - If you enable this setting, Microsoft Edge won't gather the Live Tile metadata, providing a minimal experience when a user pins a Live Tile to the Start menu. + + - If you disable or don't configure this setting (default), Microsoft Edge gathers the Live Tile metadata, providing a fuller and more complete experience when a user pins a Live Tile to the Start menu. + +### Prevent the First Run webpage from opening on Microsoft Edge +- **Supported versions:** Windows 10, version 1703 + +- **Description:** This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the first time. + + - If you enable this setting, employees won't see the First Run page when opening Microsoft Edge for the first time. + + - If you disable or don't configure this setting (default), employees will see the First Run page when opening Microsoft Edge for the first time. 
+ +### Prevent using Localhost IP address for WebRTC +- **Supported versions:** Windows 10, version 1511 or later + +- **Description:** This policy setting lets you decide whether an employee’s Localhost IP address shows while making calls using the WebRTC protocol. By default, this setting is turned off. + + - If you enable this setting, Localhost IP addresses are hidden while making calls using the WebRTC protocol. + + - If you disable or don’t configure this setting (default), Localhost IP addresses are shown while making calls using the WebRTC protocol. + +### Send all intranet sites to Internet Explorer 11 +- **Supported versions:** Windows 10 or later + +- **Description:** This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. + + - If you enable this setting, all intranet sites are automatically opened using Internet Explorer 11. + + - If you disable or don’t configure this setting (default), all websites, including intranet sites, are automatically opened using Microsoft Edge. + +### Set default search engine +- **Supported versions:** Windows 10, version 1703 + +- **Description:** This policy setting lets you configure the default search engine for your employees. Employees can change the default search engine at any time unless you disable the "Allow search engine customization" setting, which restricts any changes. + + >[!Important] + >This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy).

+ >If you'd like your employees to use the default Microsoft Edge settings for each market, you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine, you can set the string to EDGEBING. + + - If you enable this setting, you can choose a default search engine for your employees. To choose the default engine, you must add a link to your OpenSearch XML file, including at least the short name and https: URL of the search engine, using this format: + + https://fabrikam.com/opensearch.xml + + - If you disable this setting, the policy-set default search engine is removed. If this is also the current in-use default, the engine changes to the Microsoft Edge specified engine for the market.

If you don't configure this setting, the default search engine is set to the one specified in App settings. + + - If you don't configure this setting (default), the default search engine is set to the one specified in App settings. + +### Show message when opening sites in Internet Explorer +- **Supported versions:** Windows 10, version 1607 and later + +- **Description:** This policy setting lets you decide whether employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. + + - If you enable this setting, employees see an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11. + + - If you disable or don’t configure this setting (default), the default app behavior occurs and no additional page appears. + +## Using Microsoft Intune to manage your Mobile Device Management (MDM) settings for Microsoft Edge If you manage your policies using Intune, you'll want to use these MDM policy settings. You can see the full list of available policies, on the [Policy CSP]( https://go.microsoft.com/fwlink/p/?LinkId=722885) page. -> **Note**
-> The **Supports** column uses these options: - -- **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only. - -- **Mobile.** Supports Windows 10 Mobile devices only. - -- **Both.** Supports both desktop and mobile devices. +> [!NOTE] +> **Supported Devices** uses these options: +> - **Desktop.** Supports Windows 10 Pro and Windows 10 Enterprise computers that are enrolled with Intune only. +> - **Mobile.** Supports Windows 10 Mobile devices only. +> - **Both.** Supports both desktop and mobile devices. All devices must be enrolled with Intune if you want to use the Windows Custom URI Policy. -| Policy name |Supported versions |Supported device |Details | -|-------------|-------------------|-----------------|--------| -|AllowAutofill|Windows 10 or later |Desktop |

-|AllowBrowser |Windows 10 or later |Mobile || -|AllowCookies |Windows 10 or later |Both | | -|AllowDeveloperTools |Windows 10, Version 1511 or later |Desktop | | -|AllowDoNotTrack |Windows 10 or later |Both | | -|AllowExtensions |Windows 10, Version 1607 and later |Desktop | | -|AllowInPrivate |Windows 10, Version 1511 or later |Both | | -|AllowPasswordManager |Windows 10 or later |Both | | -|AllowPopups |Windows 10 or later |Desktop | | -|AllowSearchSuggestions
inAddressBar |Windows 10 or later |Both | | -|AllowSmartScreen |Windows 10 or later |Both | | -|EnterpriseModeSiteList |Windows 10 or later |Desktop || -|Favorites |Windows 10, Version 1511 or later |Both | - +

ExcludeApp (optional)

Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

@@ -492,13 +441,8 @@ After you download the Office 2016 applications through the Office Deployment To

PACKAGEGUID (optional)

By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

-
- Note   -

Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

-
-
-   -
+>**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device. + @@ -531,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To

/packager

-

creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.

+

creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

\\server\Office2016\Customconfig.xml

@@ -552,8 +496,7 @@ After you download the Office 2016 applications through the Office Deployment To - **WorkingDir** - **Note**   - To troubleshoot any issues, see the log files in the %temp% directory (default). + **Note** To troubleshoot any issues, see the log files in the %temp% directory (default).   @@ -563,7 +506,7 @@ After you download the Office 2016 applications through the Office Deployment To 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. -## Publishing the Office package for App-V 5.0 +## Publishing the Office package for App-V Use the following information to publish an Office package. @@ -629,8 +572,6 @@ To manage your Office App-V packages, use the same operations as you would for a - [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd) -- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd) - - [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project) ### Enabling Office plug-ins by using connection groups 
@@ -641,16 +582,15 @@ Use the steps in this section to enable Office plug-ins with your Office package 1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet. -2. Sequence your plug-ins using the App-V 5.0 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins. +2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins. -3. Create an App-V 5.0 package that includes the desired plug-ins. +3. Create an App-V package that includes the desired plug-ins. 4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet. 5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created. - **Important**   - The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package. + >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.   
@@ -672,8 +612,7 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications. -**Note**   -To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. +>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.   **To disable an Office 2016 application** 
@@ -752,36 +691,17 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a 1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - **Note**   - Office App-V packages have two Version IDs: - - - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - - - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package. - + >**Note** Office App-V packages have two Version IDs: +   2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast. 3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted. 
-### Managing Office 2016 licensing upgrades - -If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2016 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade: - -**How to upgrade an Office 2016 License** - -1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package. - -2. Remove the unpublished Office 2016 Subscription Licensing App-V package. - -3. Restart the computer. - -4. Add the new Office 2016 App-V Package Volume Licensing. - -5. Publish the added Office 2016 App-V Package with Volume Licensing. - -An Office 2016 App-V Package with your chosen licensing will be successfully deployed. ### Deploying Visio 2016 and Project 2016 with Office @@ -802,7 +722,7 @@ The following table describes the requirements and options for deploying Visio 2

How do I package and publish Visio 2016 and Project 2016 with Office?

You must include Visio 2016 and Project 2016 in the same package with Office.

-

If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow [Deploying Microsoft Office 2010 by Using App-V](../appv-v5/deploying-microsoft-office-2010-by-using-app-v.md).

+

If you aren’t deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic.

How can I deploy Visio 2016 and Project 2016 to specific users?

@@ -848,17 +768,11 @@ The following table describes the requirements and options for deploying Visio 2 ## Additional resources -**Office 2016 App-V 5.0 Packages 5.0 Additional Resources** - -[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) - -[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680) - -**Office 2013 and Office 2010 App-V Packages** - [Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md) -[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) +[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) + +[Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) **Connection Groups** @@ -868,7 +782,7 @@ The following table describes the requirements and options for deploying Visio 2 **Dynamic Configuration** -[About App-V 5.0 Dynamic Configuration](about-app-v-50-dynamic-configuration.md) +[About App-V 5.1 Dynamic Configuration](about-app-v-51-dynamic-configuration.md) ## Got a suggestion for App-V? diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md index efb700aace..bd506092d0 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v51.md @@ -1,4 +1,4 @@ ---- +--- title: Deploying Microsoft Office 2016 by Using App-V description: Deploying Microsoft Office 2016 by Using App-V author: jamiejdt @@ -47,7 +47,7 @@ Use the following table to get information about supported versions of Office an -

[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-office-vers-supp-appv)

+

[Supported versions of Microsoft Office](planning-for-using-app-v-with-office.md#bkmk-office-vers-supp-appv)

-

[Planning for Using App-V with Office](planning-for-using-app-v-with-office51.md#bkmk-plan-coexisting)

+

[Planning for Using App-V with coexsiting versions of Office](planning-for-using-app-v-with-office.md#bkmk-plan-coexisting)

Considerations for installing different versions of Office on the same computer

  + ### Packaging, publishing, and deployment requirements Before you deploy Office by using App-V, review the following requirements. @@ -80,10 +81,11 @@ Before you deploy Office by using App-V, review the following requirements.

Packaging

-

You must enable [shared computer activation](http://technet.microsoft.com/library/dn782860.aspx).

-

You don’t use shared computer activation if you’re deploying a volume licensed product, such as:

- + @@ -153,10 +150,7 @@ The following table describes the recommended methods for excluding specific Off Complete the following steps to create an Office 2016 package for App-V 5.1 or later. -**Important**   -In App-V 5.1 and later, you must the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. - -  +>**Important**  In App-V 5.1 and later, you must use the Office Deployment Tool to create a package. You cannot use the Sequencer to create packages. ### Review prerequisites for using the Office Deployment Tool @@ -182,23 +176,20 @@ The computer on which you are installing the Office Deployment Tool must have:

Supported operating systems

+ +>**Note**  In this topic, the term “Office 2016 App-V package” refers to subscription licensing.   -**Note**   -In this topic, the term “Office 2016 App-V package” refers to subscription licensing and volume licensing. +### Create Office 2016 App-V Packages Using Office Deployment Tool -  - -### Create Office 2013 App-V Packages Using Office Deployment Tool - -You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Volume Licensing or Subscription Licensing. +You create Office 2016 App-V packages by using the Office Deployment Tool. The following instructions explain how to create an Office 2016 App-V package with Subscription Licensing. Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V package will run on 32-bit and 64-bit Windows 7, Windows 8.1, and Windows 10 computers. @@ -206,11 +197,9 @@ Create Office 2016 App-V packages on 64-bit Windows computers. Once created, the Office 2016 App-V Packages are created using the Office Deployment Tool, which generates an Office 2016 App-V Package. The package cannot be created or modified through the App-V sequencer. To begin package creation: -1. Download the [Office 2-16 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). - - > [!NOTE] - > You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. +1. Download the [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117). +>**Important** You must use the Office 2016 Deployment Tool to create Office 2016 App-V Packages. 2. Run the .exe file and extract its features into the desired location. To make this process easier, you can create a shared network folder where the features will be saved. Example: \\\\Server\\Office2016 
@@ -242,12 +231,9 @@ The XML file that is included in the Office Deployment Tool specifies the produc ``` - **Note**   - The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. + >**Note**  The configuration XML is a sample XML file. The file includes lines that are commented out. You can “uncomment” these lines to customize additional settings with the file. To “uncomment” these lines, remove the "" from the end of the line. -   - - The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: + The above XML configuration file specifies that Office 2016 ProPlus 32-bit edition, including Visio ProPlus, will be downloaded in English to the \\\\server\\Office 2016, which is the location where Office applications will be saved to. Note that the Product ID of the applications will not affect the final licensing of Office. Office 2016 App-V packages with various licensing can be created from the same applications through specifying licensing in a later stage. The table below summarizes the customizable attributes and elements of XML file: @@ -276,13 +262,14 @@ The XML file that is included in the Office Deployment Tool specifies the produc - - + + @@ -298,21 +285,19 @@ The XML file that is included in the Office Deployment Tool specifies the produc - + - +

Product element

Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications.

Product ID ="O365ProPlusRetail"

+

Specifies the application. Project 2016 and Visio 2016 must be specified here as an added product to be included in the applications. + + For more information about the product IDs, see [Product IDs that are supported by the Office Deployment Tool for Click-to-Run](https://support.microsoft.com/kb/2842297) +

Product ID ="O365ProPlusRetail "

Product ID ="VisioProRetail"

Product ID ="ProjectProRetail"

-

Product ID ="ProPlusVolume"

-

Product ID ="VisioProVolume"

-

Product ID = "ProjectProVolume"

Language element

SourcePath (attribute of Add element)

Specifies the location in which the applications will be saved to.

Sourcepath = "\\Server\Office2016"

Sourcepath = "\\Server\Office2016”

Branch (attribute of Add element)

Optional. Specifies the update branch for the product that you want to download or install.

For more information about update branches, see Overview of update branches for Office 365 ProPlus.

Optional. Specifies the update branch for the product that you want to download or install.

For more information about update branches, see Overview of update branches for Office 365 ProPlus.

Branch = "Business"

-   - After editing the configuration.xml file to specify the desired product, languages, and also the location which the Office 2016 applications will be saved onto, you can save the configuration file, for example, as Customconfig.xml. -2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with description of details: +2. **Download the applications into the specified location:** Use an elevated command prompt and a 64 bit operating system to download the Office 2016 applications that will later be converted into an App-V package. Below is an example command with a description of details: ``` syntax \\server\Office2016\setup.exe /download \\server\Office2016\Customconfig.xml @@ -355,41 +340,35 @@ After you download the Office 2016 applications through the Office Deployment To - Create the Office 2016 App-V packages on 64-bit Windows computers. However, the package will run on 32-bit and 64-bit Windows 7, Windows 8 or 8.1, and Windows 10 computers. -- Create an Office App-V package for either Subscription Licensing package or Volume Licensing by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file. +- Create an Office App-V package for Subscription Licensing package by using the Office Deployment Tool, and then modify the CustomConfig.xml configuration file. The following table summarizes the values you need to enter in the CustomConfig.xml file for the licensing model you’re using. The steps in the sections that follow the table will specify the exact entries you need to make. +>**Note**  You can use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. + - - - - - 
@@ -421,9 +400,7 @@ After you download the Office 2016 applications through the Office Deployment To -
Product IDVolume Licensing Subscription Licensing

Office 2016

ProPlusVolume

O365ProPlusRetail

Office 2016 with Visio 2016

ProPlusVolume

-

VisioProVolume

O365ProPlusRetail

VisioProRetail

Office 2016 with Visio 2016 and Project 2016

ProPlusVolume

-

VisioProVolume

-

ProjectProVolume

O365ProPlusRetail

VisioProRetail

ProjectProRetail

ProductID

Specify the type of licensing, as shown in the following examples:

-
    -
  • Subscription Licensing

    +

Specify Subscription licensing, as shown in the following example:

<Configuration>
        <Add SourcePath= "\\server\Office 2016" OfficeClientEdition="32" >
         <Product ID="O365ProPlusRetail">
@@ -455,65 +432,23 @@ After you download the Office 2016 applications through the Office Deployment To
     
-

 

-

-
  • Volume Licensing

    -
    <Configuration>
    -       <Add SourcePath= "\\Server\Office2016" OfficeClientEdition="32" >
    -        <Product ID="ProPlusVolume">
    -          <Language ID="en-us" />
    -        </Product>
    -        <Product ID="VisioProVolume">
    -          <Language ID="en-us" />
    -        </Product>
    -      </Add>  
    -    </Configuration>
    -

    In this example, the following changes were made to create a package with Volume licensing:

    - - - - - - - - - - - - - - - - - - - -

    SourcePath

    is the path, which was changed to point to the Office applications that were downloaded earlier.

    Product ID

    for Office was changed to ProPlusVolume.

    Product ID

    for Visio was changed to VisioProVolume.

    -

     

    -

  • - - +

    ExcludeApp (optional)

    -

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access.

    +

    Lets you specify Office programs that you don’t want included in the App-V package that the Office Deployment Tool creates. For example, you can exclude Access and InfoPath.

    PACKAGEGUID (optional)

    By default, all App-V packages created by the Office Deployment Tool share the same App-V Package ID. You can use PACKAGEGUID to specify a different package ID for each package, which allows you to publish multiple App-V packages, created by the Office Deployment Tool, and manage them by using the App-V Server.

    An example of when to use this parameter is if you create different packages for different users. For example, you can create a package with just Office 2016 for some users, and create another package with Office 2016 and Visio 2016 for another set of users.

    -
    - Note   -

    Even if you use unique package IDs, you can still deploy only one App-V package to a single device.

    -
    -
    -   -
    + + >**Note** Even if you use unique package IDs, you can still deploy only one App-V package to a single device. +   - 2. Use the /packager command to convert the Office applications to an Office 2016 App-V package. For example: @@ -540,7 +475,7 @@ After you download the Office 2016 applications through the Office Deployment To

    /packager

    -

    creates the Office 2016 App-V package with Volume Licensing as specified in the customConfig.xml file.

    +

    creates the Office 2016 App-V package with the type of licensing specified in the customConfig.xml file.

    \\server\Office2016\Customconfig.xml

    @@ -553,14 +488,15 @@ After you download the Office 2016 applications through the Office Deployment To - After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: +   - - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. + After you run the **/packager** command, the following folders appear up in the directory where you specified the package should be saved: - - **WorkingDir** + - **App-V Packages** – contains an Office 2016 App-V package and two deployment configuration files. - **Note**   - To troubleshoot any issues, see the log files in the %temp% directory (default). + - **WorkingDir** + + **Note** To troubleshoot any issues, see the log files in the %temp% directory (default).   @@ -570,7 +506,7 @@ After you download the Office 2016 applications through the Office Deployment To 2. Start a few Office 2016 applications, such as Excel or Word, to ensure that your package is working as expected. -## Publishing the Office package for App-V 5.1 +## Publishing the Office package for App-V Use the following information to publish an Office package. @@ -636,8 +572,6 @@ To manage your Office App-V packages, use the same operations as you would for a - [Managing Office 2016 package upgrades](#bkmk-manage-office-pkg-upgrd) -- [Managing Office 2016 licensing upgrades](#bkmk-manage-office-lic-upgrd) - - [Deploying Visio 2016 and Project 2016 with Office](#bkmk-deploy-visio-project) ### Enabling Office plug-ins by using connection groups 
@@ -648,16 +582,15 @@ Use the steps in this section to enable Office plug-ins with your Office package
 1. Add a Connection Group through App-V Server, System Center Configuration Manager, or a PowerShell cmdlet.
-2. Sequence your plug-ins using the App-V 5.1 Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
+2. Sequence your plug-ins using the App-V Sequencer. Ensure that Office 2016 is installed on the computer being used to sequence the plug-in. It is recommended you use Office 365 ProPlus(non-virtual) on the sequencing computer when you sequence Office 2016 plug-ins.
-3. Create an App-V 5.1 package that includes the desired plug-ins.
+3. Create an App-V package that includes the desired plug-ins.
 4. Add a Connection Group through App-V server, System Center Configuration Manager, or a PowerShell cmdlet.
 5. Add the Office 2016 App-V package and the plug-ins package you sequenced to the Connection Group you created.
- **Important**  
- The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.
+ >**Important** The order of the packages in the Connection Group determines the order in which the package contents are merged. In your Connection group descriptor file, add the Office 2016 App-V package first, and then add the plug-in App-V package.   
@@ -677,11 +610,9 @@ Use the steps in this section to enable Office plug-ins with your Office package
 ### Disabling Office 2016 applications
-You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2013 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
-
-**Note**  
-To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.
+You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2016 App-V package has been published, you will save the changes, add the Office 2016 App-V package, and then republish it with the new Deployment Configuration File to apply the new settings to Office 2016 App-V Package applications.
+>**Note** To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting.  
 **To disable an Office 2016 application** 
@@ -734,11 +665,11 @@ You may want to disable shortcuts for certain Office applications instead of unp [{Common Programs}]\Microsoft Office 2016\Access 2016.lnk - [{AppvPackageRoot}])office15\MSACCESS.EXE + [{AppvPackageRoot}])office16\MSACCESS.EXE [{Windows}]\Installer\{90150000-000F-0000-0000-000000FF1CE)\accicons.exe.Ø.ico - Microsoft.Office.MSACCESS.EXE.16 + Microsoft.Office.MSACCESS.EXE.15 true Build a professional app quickly to manage data. l @@ -760,36 +691,17 @@ To upgrade an Office 2016 package, use the Office Deployment Tool. To upgrade a 1. Create a new Office 2016 package through the Office Deployment Tool that uses the most recent Office 2016 application software. The most recent Office 2016 bits can always be obtained through the download stage of creating an Office 2016 App-V Package. The newly created Office 2016 package will have the most recent updates and a new Version ID. All packages created using the Office Deployment Tool have the same lineage. - **Note**   - Office App-V packages have two Version IDs: - - - An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool. - - - A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package. - + >**Note** Office App-V packages have two Version IDs: +
      +
    • An Office 2016 App-V Package Version ID that is unique across all packages created using the Office Deployment Tool.
    • +
    • A second App-V Package Version ID, x.x.x.x for example, in the AppX manifest that will only change if there is a new version of Office itself. For example, if a new Office 2016 release with upgrades is available, and a package is created through the Office Deployment Tool to incorporate these upgrades, the X.X.X.X version ID will change to reflect that the Office version itself has changed. The App-V server will use the X.X.X.X version ID to differentiate this package and recognize that it contains new upgrades to the previously published package, and as a result, publish it as an upgrade to the existing Office 2016 package.
    • +
      2. Globally publish the newly created Office 2016 App-V Packages onto computers where you would like to apply the new updates. Since the new package has the same lineage of the older Office 2016 App-V Package, publishing the new package with the updates will only apply the new changes to the old package, and thus will be fast.
 3. Upgrades will be applied in the same manner of any globally published App-V Packages. Because applications will probably be in use, upgrades might be delayed until the computer is rebooted.
-### Managing Office 2016 licensing upgrades
-
-If a new Office 2016 App-V Package has a different license than the Office 2016 App-V Package currently deployed. For instance, the Office 2013 package deployed is a subscription based Office 2016 and the new Office 2016 package is Volume Licensing based, the following instructions must be followed to ensure smooth licensing upgrade:
-
-**How to upgrade an Office 2016 License**
-
-1. Unpublish the already deployed Office 2016 Subscription Licensing App-V package.
-
-2. Remove the unpublished Office 2016 Subscription Licensing App-V package.
-
-3. Restart the computer.
-
-4. Add the new Office 2016 App-V Package Volume Licensing.
-
-5. Publish the added Office 2016 App-V Package with Volume Licensing.
-
-An Office 2016 App-V Package with your chosen licensing will be successfully deployed.
 ### Deploying Visio 2016 and Project 2016 with Office 
@@ -851,28 +763,21 @@ The following table describes the requirements and options for deploying Visio 2 -  ## Additional resources -**Office 2016 App-V Packages Additional Resources** +[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v.md) + +[Deploying Microsoft Office 2010 by Using App-V](deploying-microsoft-office-2010-by-using-app-v.md) [Office 2016 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=49117) -[Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://go.microsoft.com/fwlink/p/?LinkId=330680) - -**Office 2013 and Office 2010 App-V Packages** - -[Deploying Microsoft Office 2013 by Using App-V](deploying-microsoft-office-2013-by-using-app-v51.md) - -[Deploying Microsoft Office 2011 by Using App-V](deploying-microsoft-office-2010-by-using-app-v51.md) - **Connection Groups** [Deploying Connection Groups in Microsoft App-V v5](https://go.microsoft.com/fwlink/p/?LinkId=330683) -[Managing Connection Groups](managing-connection-groups51.md) +[Managing Connection Groups](managing-connection-groups.md) **Dynamic Configuration** diff --git a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md index 1a49736c59..e61be318ba 100644 --- a/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md +++ b/mdop/appv-v5/how-to-view-and-configure-applications-and-default-virtual-application-extensions-by-using-the-management-console-51.md 
@@ -29,7 +29,11 @@ Use the following procedure to view and configure default package extensions.
 5. To edit other application extensions, modify the configuration file and click **Import and Overwrite this Configuration**. Select the modified file and click **Open**. In the dialog box, click **Overwrite** to complete the process.
- **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
+>**Note** If the upload fails and the size of your configuration file is above 4MB, you will need to increase the maximum file size allowed by the server. This can be done by adding the maxRequestLength attribute with a value greater than the size of your configuration file (in KB) to the httpRuntime element on line 26 of `C:\Program Files\Microsoft Application Virtualization Server\ManagementService\Web.config`.
+For example, changing `` to `` will increase the maximum size to 8MB
+
+
+**Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv).
 ## Related topics
diff --git a/mdop/appv-v5/planning-for-using-app-v-with-office51.md b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
index c6edab05da..0f34f1b356 100644
--- a/mdop/appv-v5/planning-for-using-app-v-with-office51.md
+++ b/mdop/appv-v5/planning-for-using-app-v-with-office51.md
@@ -28,82 +28,15 @@ Use the following information to plan how to deploy Office by using Microsoft Ap You can use the App-V 5.1 Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office 2013 package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group. -**Note**   +>**Note**   Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack.   ## Supported versions of Microsoft Office - -The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments. - - ------- - - - - - - - - - - - - - - - - - - - - - - - - - -
    Supported Office VersionSupported App-V VersionsPackage CreationSupported LicensingSupported Deployments

    Office 365 ProPlus

    -

    Also supported:

    -
      -
    • Visio Pro for Office 365

    • -
    • Project Pro for Office 365

    • -
      -
    • App-V 5.0

    • -
    • App-V 5.0 SP1

    • -
    • App-V 5.0 SP2

    • -
    • App-V 5.0 SP3

    • -
    • App-V 5.1

    • -

    Office Deployment Tool

    Subscription

      -
    • Desktop

    • -
    • Personal VDI

    • -
    • Pooled VDI

    • -
    • RDS

    • -

    Office Professional Plus 2013

    -

    Also supported:

    -
      -
    • Visio Professional 2013

    • -
    • Project Professional 2013

    • -
      -
    • App-V 5.0

    • -
    • App-V 5.0 SP1

    • -
    • App-V 5.0 SP2

    • -
    • App-V 5.0 SP3

    • -
    • App-V 5.1

    • -

    Office Deployment Tool

    Volume Licensing

      -
    • Desktop

    • -
    • Personal VDI

    • -
    • Pooled VDI

    • -
    • RDS

    • -
    +See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products.
+>**Note**  You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer.  
@@ -149,7 +82,7 @@ The Office documentation provides extensive guidance on coexistence for Windows
 The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience.
-**Note**  
+>**Note** 
 Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service.  
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index 8f148097cf..99a8d735a8 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -283,12 +283,12 @@ MBAM supports the following versions of Configuration Manager. -

    Microsoft System Center Configuration Manager (Current Branch), version 1606

    +

    Microsoft System Center Configuration Manager (Current Branch), version 1610

    64-bit

    -

    Microsoft System Center 2012 R2 Configuration Manager

    +

    Microsoft System Center Configuration Manager (LTSB - version 1606)

    64-bit

    @@ -299,15 +299,11 @@ MBAM supports the following versions of Configuration Manager.

    Microsoft System Center Configuration Manager 2007 R2 or later

    -

    SP1 or later

    +

    64-bit

    -
    -Note   -

    Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software.

    -
    -
    -  -
    + +>**Note** Although Configuration Manager 2007 R2 is 32 bit, you must install it and SQL Server on a 64-bit operating system in order to match the 64-bit MBAM software. + @@ -339,39 +335,24 @@ You must install SQL Server with the **SQL\_Latin1\_General\_CP1\_CI\_AS** coll +

    Microsoft SQL Server 2016

    +

    Standard, Enterprise, or Datacenter

    +

    SP1

    +

    64-bit

    +

    Microsoft SQL Server 2014

    Standard, Enterprise, or Datacenter

    -

    SP2

    +

    SP1, SP2

    64-bit

    - - -

    Microsoft SQL Server 2014

    -

    Standard, Enterprise, or Datacenter

    -

    SP1

    -

    64-bit

    - - -

    Microsoft SQL Server 2014

    -

    Standard, Enterprise, or Datacenter

    -

    -

    64-bit

    -

    Microsoft SQL Server 2012

    Standard, Enterprise, or Datacenter

    -

    SP2

    +

    SP3

    64-bit

    - -

    Microsoft SQL Server 2012

    -

    Standard, Enterprise, or Datacenter

    -

    SP1

    -

    64-bit

    - -

    Microsoft SQL Server 2008 R2

    Standard or Enterprise

    -

    SP1, SP2, SP3

    +

    SP3

    64-bit

    diff --git a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
index fa6a813093..5c94f5c77b 100644
--- a/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
+++ b/mdop/solutions/how-to-download-and-deploy-mdop-group-policy--admx--templates.md
@@ -20,7 +20,7 @@ You can manage the feature settings of certain Microsoft Desktop Optimization Pa
 **How to download and deploy the MDOP Group Policy templates**
-1. Download the MDOP Group Policy templates from .
+1. Download the latest [MDOP Group Policy templates](https://www.microsoft.com/en-us/download/details.aspx?id=54957)
 2. Run the downloaded file to extract the template folders.
diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
index 4ec1527347..e94fb17522 100644
--- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
+++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md
@@ -76,7 +76,7 @@ Before you proceed, make sure your environment includes these requirements for r

    .NET Framework 4 or higher

    -

    Windows 8 and Windows 8.1

    +

    Windows 8.1

    Enterprise or Pro

    None

    32-bit or 64-bit

    @@ -91,10 +91,26 @@ Before you proceed, make sure your environment includes these requirements for r

    Windows PowerShell 3.0 or higher

    .NET Framework 4.5

    + +

    Windows 10, pre-1607 verison

    +

    Enterprise or Pro

    +

    +

    32-bit or 64-bit

    +

    Windows PowerShell 3.0 or higher

    +

    .NET Framework 4.5

    + + +

    Windows Server 2016

    +

    Standard or Datacenter

    +

    None

    +

    64-bit

    +

    Windows PowerShell 3.0 or higher

    +

    .NET Framework 4.5

    + - 
+**Note:** Starting with Windows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack
 Also…
diff --git a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md
index b4759fe68c..061e95a56a 100644
--- a/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md
+++ b/mdop/uev-v2/microsoft-user-experience-virtualization--ue-v--21-sp1-release-notes.md
@@ -130,6 +130,17 @@ If a UE-V 2 settings location template is distributed to a computer installed wi
 WORKAROUND: When migrating from UE-V 1 to UE-V 2 and it is likely you’ll have computers running the previous version of the agent, create a separate UE-V 2.x catalog to support the UE-V 2.x Agent and templates.
+### UE-V logoff delay
+
+Occassionally on logoff, UE-V takes a long time to sync settings. Typically, this is due to a high latency network or incorrect use of Distrubuted File System (DFS).
+For DFS support, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://support.microsoft.com/en-us/kb/2533009) for further details.
+
+WORKAROUND: Starting with HF03, a new registry key has been introduced
+The following registry key provides a mechanism by which the maximum logoff delay can be specified
+\\Software\\Microsoft\\UEV\\Agent\\Configuration\\LogOffWaitInterval
+
+See [UE-V registry settings](https://support.microsoft.com/en-us/kb/2770042) for further details
+
 ## Hotfixes and Knowledge Base articles for UE-V 2.1 SP1
diff --git a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
index 886b343e52..c1ae38e981 100644
--- a/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
+++ b/mdop/uev-v2/prepare-a-ue-v-2x-deployment-new-uevv2.md
@@ -45,7 +45,7 @@ This workflow diagram provides a high-level understanding of a UE-V deployment a
 ![deploymentworkflow](images/deploymentworkflow.png)
-**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
+**Planning a UE-V deployment:** First, you want to do a little bit of planning so that you can determine which UE-V components you’ll be deploying. Planning a UE-V deployment involves these things:
 - [Decide whether to synchronize settings for custom applications](#deciding) 
@@ -597,15 +597,19 @@ The UE-V settings storage location and settings template catalog support storing
 - Format the storage volume with an NTFS file system.
-- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://go.microsoft.com/fwlink/p/?LinkId=313991).
+- The share can use Distributed File System (DFS) but there are restrictions.
+Specifically, Distributed File System Replication (DFS-R) single target configuration with or without a Distributed File System Namespace (DFS-N) is supported.
+Likewise, only single target configuration is supported with DFS-N.
+For detailed information, see [Microsoft’s Support Statement Around Replicated User Profile Data](https://go.microsoft.com/fwlink/p/?LinkId=313991)
+and also [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](https://support.microsoft.com/kb/2533009).
- In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication.
+ In addition, because SYSVOL uses DFS-R for replication, SYSVOL cannot be used for UE-V data file replication.
 - Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the Settings Storage Location for UE-V 2.x](http://technet.microsoft.com/library/dn458891.aspx#ssl).
 - Use file server clustering along with the UE-V Agent to provide access to copies of user state data in the event of communications failures.
-- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both.
+- You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFS-N shares, or on both. 
### Synchronize computer clocks for UE-V settings synchronization
@@ -663,10 +667,10 @@ Before you proceed, make sure your environment includes these requirements for r

    .NET Framework 4.5 or higher

    -

    Windows 10

    +

    Windows 10, pre-1607 version

    Note   -

    Only UE-V 2.1 SP1 supports Windows 10

    +

    Only UE-V 2.1 SP1 supports Windows 10, pre-1607 version

      @@ -685,6 +689,14 @@ Before you proceed, make sure your environment includes these requirements for r

    Windows PowerShell 3.0 or higher

    .NET Framework 4.5 or higher

    + +

    Windows Server 2016

    +

    Standard or Datacenter

    +

    None

    +

    64-bit

    +

    Windows PowerShell 3.0 or higher

    +

    .NET Framework 4.6 or higher

    +
@@ -697,6 +709,9 @@ Also…
 - **Administrative Credentials** for any computer on which you’ll be installing
 **Note**  
+
+- Starting with WIndows 10, version 1607, UE-V is included with [Windows 10 for Enterprise](https://www.microsoft.com/en-us/WindowsForBusiness/windows-for-enterprise) and is no longer part of the Microsoft Desktop Optimization Pack.
+
 - The UE-V Windows PowerShell feature of the UE-V Agent requires .NET Framework 4 or higher and Windows PowerShell 3.0 or higher to be enabled. Download Windows PowerShell 3.0 [here](https://go.microsoft.com/fwlink/?LinkId=309609).
 - Install .NET Framework 4 or .NET Framework 4.5 on computers that run the Windows 7 or the Windows Server 2008 R2 operating system. The Windows 8, Windows 8.1, and Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed.
diff --git a/smb/TOC.md b/smb/TOC.md
index 4c2433fafc..2b4214e907 100644
--- a/smb/TOC.md
+++ b/smb/TOC.md
@@ -1 +1,2 @@
-# [SMB](index.md)
+# [Windows 10 for SMB](index.md)
+## [Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
new file mode 100644
index 0000000000..5c56cb0492
--- /dev/null
+++ b/smb/cloud-mode-business-setup.md
@@ -0,0 +1,578 @@ +--- +title: Deploy and manage a full cloud IT solution for your business +description: Learn how to set up a cloud infrastructure for your business, acquire devices and apps, and configure and deploy policies to your devices. +keywords: smb, full cloud IT solution, small to medium business, deploy, setup, manage, Windows, Intune, Office 365 +ms.prod: w10 +ms.technology: smb-windows +ms.topic: hero-article +ms.author: celested +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: smb +author: CelesteDG +--- + +![Are you ready to move to the cloud?](images/business-cloud-mode.png) + +# Get started: Deploy and manage a full cloud IT solution for your business +**Applies to:** + +- Office 365 Business Premium, Azure AD Premium, Intune, Windows Store for Business, Windows 10 + +In this walkthrough, we'll show you how to deploy and manage a full cloud IT solution for your small to medium business using Office 365 Business Premium, Microsoft Azure AD, Intune, Windows Store for Business, and Windows 10. We'll show you the basics on how to: +- Acquire an Office 365 business domain +- Add Microsoft Intune and Azure Active Directory (AD) Premium licenses to your business tenant +- Set up Windows Store for Business and manage app deployment and sync with Intune +- Add users and groups in Azure AD and Intune +- Create policies and app deployment rules +- Log in as a user and start using your Windows device + +Go to the Microsoft Business site and select **Products** to learn more about pricing and purchasing options for your business. + +## Prerequisites +Here's a few things to keep in mind before you get started: +- You'll need a registered domain to successfully go through the walkthrough. + - If you already own a domain, you can add this during the Office 365 setup. + - If you don't already own a domain, you'll have the option to purchase a domain from the Office 365 admin center. We'll show how to do this as part of the walkthrough. 
+- You'll need an email address to create your Office 365 tenant. +- We recommend that you use Internet Explorer for the entire walkthrough. Right click on Internet Explorer and then choose **Start InPrivate Browsing**. + +## 1. Set up your cloud infrastructure +To set up a cloud infrastructure for your organization, follow the steps in this section. + +### 1.1 Set up Office 365 for business +See Set up Office 365 for business to learn more about the setup steps for businesses and nonprofits who have Office 365. You can watch video and learn how to: +- Plan your setup +- Create Office 365 accounts and how to add your domain. +- Install Office + +To set up your Office 365 business tenant, see Get Started with Office 365 for business. + +If this is the first time you're setting this up, and you'd like to see how it's done, you can follow these steps to get started: + +1. Go to the Office 365 page in the Microsoft Business site. Select **Try now** to use the Office 365 Business Premium Trial or select **Buy now** to sign up for Office 365 Business Premium. In this walkthrough, we'll select **Try now**. + + **Figure 1** - Try or buy Office 365 + + ![Office 365 for business sign up](images/office365_tryorbuy_now.png) + +2. Fill out the sign up form and provide information about you and your company. +3. Create a user ID and password to use to sign into your account. + + This step creates an onmicrosoft.com email address. You can use this email address to sign in to the various admin centers. Save your sign-in info so you can use it to sign into https://portal.office.com (the admin portal). + +4. Select **Create my account** and then enter the phone number you used in step 2 to verify your identity. You'll be asked to enter your verification code. +5. Select **You're ready to go...** which will take you to the Office 365 portal. + + > [!NOTE] + > In the Office 365 portal, icons that are greyed out are still installing. 
+ + **Figure 2** - Office 365 portal + + ![Office 365 portal](images/office365_portal.png) + + +6. Select the **Admin** tile to go to the Office 365 admin center. +7. In the admin center, click **Next** to see the highlights and welcome info for the admin center. When you're done, click **Go to setup** to complete the Office 365 setup. + + This may take up to a half hour to complete. + + **Figure 3** - Office 365 admin center + + ![Office 365 admin center](images/office365_admin_portal.png) + + +8. Go back to the Office 365 admin center to add or buy a domain. + 1. Select the **Domains** option. + + **Figure 4** - Option to add or buy a domain + + ![Add or buy a domain in Office 365 admin center](images/office365_buy_domain.png) + + + 2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*. + + **Figure 5** - Microsoft-provided domain + + ![Microsoft-provided domain](images/office365_ms_provided_domain.png) + + - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain. + - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order. + + Once you've added your domain, you'll see it listed in addition to the Microsoft-provided onmicrosoft.com domain. + + **Figure 6** - Domains + + ![Verify your domains in Office 365 admin center](images/office365_additional_domain.png) + +### 1.2 Add users and assign product licenses +Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. 
The easiest way to add users is to add them one at a time in the Office 365 admin center. + +When adding users, you can also assign admin privileges to certain users in your team. You'll also want to assign **Product licenses** to each user so that subscriptions can be assigned to the person. + +**To add users and assign product licenses** + +1. In the Office 365 admin center, select **Users > Active users**. + + **Figure 7** - Add users + + ![Add Office 365 users](images/office365_users.png) + +2. In the **Home > Active users** page, add users individually or in bulk. + - To add users one at a time, select **+ Add a user**. + + If you select this option, you'll see the **New user** screen and you can add details about the new user including their name, user name, role, and so on. You also have the opportunity to assign **Product licenses**. For detailed step-by-step info on adding a user account, see *Add a user account in the Office 365 admin center* in Add users individually or in bulk to Office 365 - Admin Help. + + **Figure 8** - Add an individual user + + ![Add an individual user](images/office365_add_individual_user.png) + + - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users. + + The **Import multiple users** screen includes a link where you can learn more about importing multiple users and also links for downloading a sample CSV file (one with headers only and another with headers and sample user information). For detailed step-by-step info on adding multiple users to Office 365, see Add several users at the same time to Office 365 - Admin Help. Once you've added all the users, don't forget to assign **Product licenses** to the new users. + + **Figure 9** - Import multiple users + + ![Import multiple users](images/office365_import_multiple_users.png) + +3. 
Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them. + + **Figure 10** - List of active users + + ![Verify users and assigned product licenses](images/o365_active_users.png) + +### 1.3 Add Microsoft Intune +Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see What is Intune? + +**To add Microsoft Intune to your tenant** + +1. In the Office 365 admin center, select **Billing > Purchase services**. +2. In the **Home > Purchase services** screen, search for **Microsoft Intune**. Hover over **Microsoft Intune** to see the options to start a free 30-day trial or to buy now. +3. Confirm your order to enable access to Microsoft Intune. +4. In the admin center, the Intune licenses will show as available and ready to be assigned to users. Select **Users > Active users** and then edit the product licenses assigned to the users to turn on **Intune A Direct**. + + **Figure 11** - Assign Intune licenses + + ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png) + +5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again. +6. Select **Intune**. This will take you to the Intune management portal. + + **Figure 12** - Microsoft Intune management portal + + ![Microsoft Intune management portal](images/intune_portal_home.png) + +Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Windows Store for Business for app distribution](#17-configure-windows-store-for-business-for-app-distribution). 
+ +### 1.4 Add Azure AD to your domain +Microsoft Azure is an open and flexible cloud platform that enables you to quickly build, deploy, and manage apps across a global network of Microsoft-managed datacenters. In this walkthrough, we won't be using the full power of Azure and we'll primarily use it to create groups that we then use for provisioning through Intune. + +**To add Azure AD to your domain** + +1. In the Office 365 admin center, select **Admin centers > Azure AD**. + + > [!NOTE] + > You will need Azure AD Premium to configure automatic MDM enrollment with Intune. + +2. If you have not signed up for Azure AD before, you will see the following message. To proceed with the rest of the walkthrough, you need to activate an Azure subscription. + + **Figure 13** - Access to Azure AD is not available + + ![Access to Azure AD not available](images/azure_ad_access_not_available.png) + +3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365. +4. Click **Azure subscription**. This will take you to a free trial sign up screen. + + **Figure 14** - Sign up for Microsoft Azure + + ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png) + +5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**. +6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**. + + **Figure 15** - Start managing your Azure subscription + + ![Start managing your Azure subscription](images/azure_ad_successful_signup.png) + + This will take you to the Microsoft Azure portal. + +### 1.5 Add groups in Azure AD +This section is the walkthrough is optional. However, we recommend that you create groups in Azure AD to manage access to corporate resources, such as apps, policies and settings, and so on. 
For more information, see Managing access to resources with Azure Active Directory groups. + +To add Azure AD group(s), we will use the classic Azure portal (https://manage.windowsazure.com). See Managing groups in Azure Active Directory for more information about managing groups. + +**To add groups in Azure AD** + +1. If this is the first time you're setting up your directory, when you navigate to the **Azure Active Directory** node in the classic Azure portal, you will see a screen informing you that your directory is ready for use. + + Afterwards, you should see a list of active directories. In the following example, **Fabrikam Design** is the active directory. + + **Figure 16** - Azure first sign-in screen + + ![Select Azure AD](images/azure_portal_classic_configure_directory.png) + +2. Select the directory (such as Fabrikam Design) to go to the directory's home page. + + **Figure 17** - Directory home page + + ![Directory home page](images/azure_portal_classic_directory_ready.png) + +3. From the menu options on top, select **Groups**. + + **Figure 18** - Azure AD groups + + ![Add groups in Azure AD](images/azure_portal_classic_groups.png) + +4. Select **Add a group** (from the top) or **Add group** at the bottom. +5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list. + + **Figure 19** - Newly added group in Azure AD + + ![Verify the new group appears on the list](images/azure_portal_classic_all_users_group.png) + +6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes. + + The members that were added to the group will appear on the list. + + **Figure 20** - Members in the new group + + ![Members added to the new group](images/azure_portal_classic_members_added.png) + +7. Repeat steps 2-6 to add other groups. 
You can add groups based on their roles in your company, based on the apps that each group can use, and so on. + +### 1.6 Configure automatic MDM enrollment with Intune +Now that you have Azure AD Premium and have it properly configured, you can configure automatic MDM enrollment with Intune, which allows users to enroll their Windows devices into Intune management, join their devices directly to Azure AD, and get access to Office 365 resources after sign in. + +You can read this blog post to learn how you can combine login, Azure AD Join, and Intune MDM enrollment into an easy step so that you can bring your devices into a managed state that complies with the policies for your organization. We will use this blog post as our guide for this part of the walkthrough. + +> [!IMPORTANT] +> We will use the classic Azure portal instead of the new portal to configure automatic MDM enrollment with Intune. + +**To enable automatic MDM enrollment** + +1. In to the classic Azure portal, click on your company's Azure Active Directory to go back to the main window. Select **Applications** from the list of directory menu options. + + The list of applications for your company will appear. **Microsoft Intune** will be one of the applications on the list. + + **Figure 21** - List of applications for your company + + ![List of applications for your company](images/azure_portal_classic_applications.png) + +2. Select **Microsoft Intune** to configure the application. +3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune. + + **Figure 22** - Configure Microsoft Intune in Azure + + ![Configure Microsoft Intune in Azure](images/azure_portal_classic_configure_intune_app.png) + +4. In the Microsoft Intune configuration page: + - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance. 
+ + > [!NOTE] + > The URLs are automatically configured for your Azure AD tenant so you don't need to change them. + + - In the **Manage devices for these users** section, you can specify which users' devices should be managed by Intune. + - **All** will enable all users' Windows 10 devices to be managed by Intune. + - **Groups** let you select whether only users that belong to a specific group will have their devices managed by Intune. + + > [!NOTE] + > In this step, choose the group that contains all the users in your organization as members. This is the **All** group. + +5. After you've chosen how to manage devices for users, select **Save** to enable automatic MDM enrollment with Intune. + + **Figure 23** - Configure Microsoft Intune + + ![Configure automatic MDM enrollment with Intune](images/azure_portal_classic_configure_intune_mdm_enrollment.png) + +### 1.7 Configure Windows Store for Business for app distribution +Next, you'll need to configure Windows Store for Business to distribute apps with a management tool such as Intune. + +In this part of the walkthrough, we'll be working on the Microsoft Intune management portal and Windows Store for Business. + +**To associate your Store account with Intune and configure synchronization** + +1. From the Microsoft Intune management portal, select **Admin**. +2. In the **Administration** workspace, click **Mobile Device Management**. If this is the first tiem you're using the portal, click **manage mobile devices** in the **Mobile Device Management** window. The page will refresh and you'll have new options under **Mobile Device Management**. + + **Figure 24** - Mobile device management + + ![Set up mobile device management in Intune](images/intune_admin_mdm_configure.png) + +3. Sign into Windows Store for Business using the same tenant account that you used to sign into Intune. +4. Accept the EULA. +5. In the Store portal, select **Settings > Management tools** to go to the management tools page. +6. 
In the **Management tools** page, find **Microsoft Intune** on the list and click **Activate** to get Intune ready to use with Windows Store for Business. + + **Figure 25** - Activate Intune as the Store management tool + + ![Activate Intune from the Store portal](images/wsfb_management_tools_activate.png) + +7. Go back to the Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**. +8. In the **Windows Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune. + + **Figure 26** - Configure Store for Business sync in Intune + + ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png) + +9. In the **Configure Windows Store for Business app sync** dialog box, check **Enable Windows Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**. + + **Figure 27** - Enable Windows Store for Business sync in Intune + + ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png) + + The **Windows Store for Business** page will refresh and it will show the details from the sync. + +**To buy apps from the Store** + +In your Windows Store for Business portal, you can see the list of apps that you own by going to **Manage > Inventory**. You should see the following apps in your inventory: +- Sway +- OneNote +- PowerPoint Mobile +- Excel Mobile +- Word Mobile + +In the Intune management portal, select **Apps > Apps > Volume-Purchased Apps** and verify that you can see the same list of apps appear on Intune. + +In the following example, we'll show you how to buy apps through the Windows Store for Business and then make sure the apps appear on Intune. + +**Example 1 - Add other apps like Reader and InstaNote** + +1. 
In the Windows Store for Business portal, click **Shop**, scroll down to the **Made by Microsoft** category, and click **Show all** to see all the Microsoft apps in the list. + + **Figure 28** - Shop for Store apps + + ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png) + +2. Click to select an app, such as **Reader**. This opens the app page. +3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page. +4. In the app's Store page, click **Add to private store**. +5. Next, search for another app by name (such as **InstaNote**) or repeat steps 1-4 for the **InstaNote** app. +6. Go to **Manage > Inventory** and verify that the apps you purchased appear in your inventory. + + **Figure 29** - App inventory shows the purchased apps + + ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png) + + > [!NOTE] + > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync). + +**To sync recently purchased apps** + +If you need to sync your most recently purchased apps and have it appear in your catalog, you can do this by forcing a sync. + +1. In the Intune management portal, select **Admin > Mobile Device Management > Windows > Store for Business**. +2. In the **Windows Store for Business** page, click **Sync now** to force a sync. + + **Figure 30** - Force a sync in Intune + + ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png) + +**To view purchased apps** +- In the Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly. 
+ +**To add more apps** +- If you have other apps that you want to deploy or manage, you must add it to Microsoft Intune. To deploy Win32 apps and Web links, see Add apps for enrolled devices to Intune for more info on how to do this. + +## 2. Set up devices + +### 2.1 Set up new devices +To set up new Windows devices, go through the Windows initial device setup or first-run experience to configure your device. + +**To set up a device** +1. Go through the Windows device setup experience. On a new or reset device, this starts with the **Hi there** screen on devices running Windows 10, version 1607 (Anniversary Update). The setup lets you: + - Fill in the details in the **Hi there** screen including your home country/region, preferred language, keyboard layout, and timezone + - Accept the EULA + - Customize the setup or use Express settings + + **Figure 31** - First screen in Windows device setup + + ![First screen in Windows device setup](images/win10_hithere.png) + + > [!NOTE] + > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection. + +2. In the **Who owns this PC?** screen, select **My work or school owns it** and click **Next**. +3. In the **Choose how you'll connect** screen, select **Join Azure Active Directory** and click **Next**. + + **Figure 32** - Choose how you'll connect your Windows device + + ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png) + +4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts. + + **Figure 33** - Sign in using one of the accounts you added + + ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png) + +5. 
If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup. + + Windows will continue with setup and you may be asked to set up a PIN for Windows Hello if your organization has it enabled. + +### 2.2 Verify correct device setup +Verify that the device is set up correctly and boots without any issues. + +**To verify that the device was set up correctly** +1. Click on the **Start** menu and select some of the options to make sure everything launches properly. +2. Confirm that the Store and built-in apps are working. + +### 2.3 Verify the device is Azure AD joined +In the Intune management portal, verify that the device is joined to Azure AD and shows up as being managed in Microsoft Intune. + +**To verify if the device is joined to Azure AD** +1. Check the device name on your PC. To do this, on your Windows PC, select **Settings > System > About** and then check **PC name**. + + **Figure 34** - Check the PC name on your device + + ![Check the PC name on your device](images/win10_settings_pcname.png) + +2. Log in to the Intune management portal. +3. Select **Groups** and then go to **Devices**. +4. In the **All Devices** page, look at the list of devices and select the entry that matches the name of your PC. + - Check that the device name appears in the list. Select the device and it will also show the user that's currently logged in in the **General Information** section. + - Check the **Management Channel** column and confirm that it says **Managed by Microsoft Intune**. + - Check the **AAD Registered** column and confirm that it says **Yes**. + + **Figure 35** - Check that the device appears in Intune + + ![Check that the device appears in Intune](images/intune_groups_devices_list.png) + +## 3. Manage device settings and features +You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. 
For more info, see [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). + +In this section, we'll show you how to reconfigure app deployment settings and add a new policy that will disable the camera for the Intune-managed devices and turn off Windows Hello and PINs during setup. + +### 3.1 Reconfigure app deployment settings +In some cases, if an app is missing from the device, you need to reconfigure the deployment settings for the app and set the app to require installation as soon as possible. + +**To reconfigure app deployment settings** +1. In the Intune management portal, select **Apps** and go to **Apps > Volume-Purchased Apps**. +2. Select the app, right-click, then select **Manage Deployment...**. +3. Select the group(s) whose apps will be managed, and then click **Add** to add the group. +4. Click **Next** at the bottom of the app deployment settings window or select **Deployment Action** on the left column to check the deployment settings for the app. +5. For each group that you selected, set **Approval** to **Required Install**. This automatically sets **Deadline** to **As soon as possible**. If **Deadline** is not automatically set, set it to **As soon as possible**. + + **Figure 36** - Reconfigure an app's deployment setting in Intune + + ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png) + +6. Click **Finish**. +7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible. +6. Verify that the app shows up on the device. To do this: + - Make sure you're logged in to the Windows device. + - Click the **Start** button and check the apps that appear in the **Recently added** section. If you don't see the apps that you deployed in Intune, give it a few minutes. 
Only apps that aren't already deployed on the device will appear in the **Recently added** section. + + **Figure 37** - Confirm that additional apps were deployed to the device + + ![Confirm that additiional apps were deployed to the device](images/win10_deploy_apps_immediately.png) + +### 3.2 Configure other settings in Intune + +**To disable the camera** +1. In the Intune management portal, select **Policy > Configuration Policies**. +2. In the **Policies** window, click **Add** to create a new policy. +3. On the **Create a New Policy** page, click **Windows** to expand the group, select **General Configuration (Windows 10 Desktop and Mobile and later)**, choose **Create and Deploy a Custom Policy**, and then click **Create Policy**. +4. On the **Create Policy** page, select **Device Capabilities**. +5. In the **General** section, add a name and description for this policy. For example: + - **Name**: Test Policy - Disable Camera + - **Description**: Disables the camera +6. Scroll down to the **Hardware** section, find **Allow camera is not configured**, toggle the button so that it changes to **Allow camera** and choose **No** from the dropdown list. + + **Figure 38** - Add a configuration policy + + ![Add a configuration policy](images/intune_policy_disablecamera.png) + +7. Click **Save Policy**. A confirmation window will pop up. +8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now. +9. On the **Management Deployment** window, select the user group(s) or device group(s) that you want to apply the policy to (for example, **All Users**), and then click **Add**. +10. Click **OK** to close the window. + + **Figure 39** - The new policy should appear in the **Policies** list. + + ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png) + +**To turn off Windows Hello and PINs during device setup** +1. In the Intune management portal, select **Admin**. +2. 
Go to **Mobile Device Management > Windows > Windows Hello for Business**.
+3. In the **Windows Hello for Business** page, select **Disable Windows Hello for Business on enrolled devices**.
+
+ **Figure 40** - Policy to disable Windows Hello for Business
+
+ ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png)
+
+4. Click **Save**.
+
+ > [!NOTE]
+ > This policy is a tenant-wide Intune setting. It disables Windows Hello and required PINs during setup for all enrolled devices in a tenant.
+
+To test whether these policies get successfully deployed to your tenant, go through [4. Add more devices and users](#4-add-more-devices-and-users) and setup another Windows device and login as one of the users.
+
+## 4. Add more devices and users
+After your cloud infrastructure is set up and you have a device management strategy in place, you may need to add more devices or users and you want the same policies to apply to these new devices and users. In this section, we'll show you how to do this.
+
+### 4.1 Connect other devices to your cloud infrastructure
+Adding a new device to your cloud-based tenant is easy. For new devices, you can follow the steps in [2. Set up devices](#2-set-up-devices).
+
+For other devices, such as those personally-owned by employees who need to connect to the corporate network to access corporate resources (BYOD), you can follow the steps in this section to get these devices connected.
+
+ > [!NOTE]
+ > These steps enable users to get access to the organization's resources, but it also gives the organization some control over the device.
+
+**To connect a personal device to your work or school**
+1. On your Windows device, go to **Settings > Accounts**.
+2. Select **Access work or school** and then click **Connect** in the **Connect to work or school** page.
+3. In the **Set up a work or school account** window, click **Join this device to Azure Active Directory** to add an Azure AD account to the device.
+
+ **Figure 41** - Add an Azure AD account to the device
+
+ ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png)
+
+4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
+
+ **Figure 42** - Enter the account details
+
+ ![Enter the account details](images/win10_add_new_user_account_aadwork.png)
+
+5. You will be asked to update the password so enter a new password.
+6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
+
+ **Figure 43** - Make sure this is your organization
+
+ ![Make sure this is your organization](images/win10_confirm_organization_details.png)
+
+7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
+
+ **Figure 44** - Confirmation that the device is now connected
+
+ ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png)
+
+8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
+
+ **Figure 45** - Device is now enrolled in Azure AD
+
+ ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png)
+
+9. You can confirm that the new device and user are showing up as Intune-managed by going to the Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
+
+### 4.2 Add a new user
+You can add new users to your tenant simply by adding them to the Office 365 groups. Adding new users to Office 365 groups automatically adds them to the corresponding groups in Microsoft Intune.
+
+See [Add users to Office 365](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc?ui=en-US&rs=en-US&ad=US&fromAR=1) to learn more. Once you're done adding new users, go to the Intune management portal and verify that the same users were added to the Intune groups as well.
+
+## Get more info
+
+### For IT admins
+To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links:
+- Set up Office 365 for business
+- Common admin tasks in Office 365 including email and OneDrive in Manage Office 365
+- More info about managing devices, apps, data, troubleshooting, and more in Intune documentation
+- Learn more about Windows 10 in Windows 10 guide for IT pros
+- Info about distributing apps to your employees, managing apps, managing settings, and more in Windows Store for Business
+
+### For information workers
+Whether it's in the classroom, getting the most out of your devices, or learning some of the cool things you can do, we've got teachers covered. Follow these links for more info:
+- Office help and training
+- Windows 10 help
+
+## Related topics
+
+- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
diff --git a/smb/images/azure_ad_access_not_available.PNG b/smb/images/azure_ad_access_not_available.PNG
new file mode 100644
index 0000000000..754ff011ea
Binary files /dev/null and b/smb/images/azure_ad_access_not_available.PNG differ
diff --git a/smb/images/azure_ad_sign_up_screen.PNG b/smb/images/azure_ad_sign_up_screen.PNG
new file mode 100644
index 0000000000..3c369cfd5b
Binary files /dev/null and b/smb/images/azure_ad_sign_up_screen.PNG differ
diff --git a/smb/images/azure_ad_successful_signup.PNG b/smb/images/azure_ad_successful_signup.PNG
new file mode 100644
index 0000000000..197744f309
Binary files /dev/null and b/smb/images/azure_ad_successful_signup.PNG differ
diff --git a/smb/images/azure_portal_azure_ad_management.PNG b/smb/images/azure_portal_azure_ad_management.PNG
new file mode 100644
index 0000000000..6401aa910b
Binary files /dev/null and b/smb/images/azure_portal_azure_ad_management.PNG differ
diff --git a/smb/images/azure_portal_azure_ad_management_users_groups.png b/smb/images/azure_portal_azure_ad_management_users_groups.png
new file mode 100644
index 0000000000..5010765800
Binary files /dev/null and b/smb/images/azure_portal_azure_ad_management_users_groups.png differ
diff --git a/smb/images/azure_portal_classic.PNG b/smb/images/azure_portal_classic.PNG
new file mode 100644
index 0000000000..15132f7a07
Binary files /dev/null and b/smb/images/azure_portal_classic.PNG differ
diff --git a/smb/images/azure_portal_classic_add_group.PNG b/smb/images/azure_portal_classic_add_group.PNG
new file mode 100644
index 0000000000..417e9b8a72
Binary files /dev/null and b/smb/images/azure_portal_classic_add_group.PNG differ
diff --git a/smb/images/azure_portal_classic_all_users_group.PNG b/smb/images/azure_portal_classic_all_users_group.PNG
new file mode 100644
index 0000000000..55988d9c6c
Binary files /dev/null and b/smb/images/azure_portal_classic_all_users_group.PNG differ
diff --git a/smb/images/azure_portal_classic_applications.PNG b/smb/images/azure_portal_classic_applications.PNG
new file mode 100644
index 0000000000..9c39a28e08
Binary files /dev/null and b/smb/images/azure_portal_classic_applications.PNG differ
diff --git a/smb/images/azure_portal_classic_configure_directory.png b/smb/images/azure_portal_classic_configure_directory.png
new file mode 100644
index 0000000000..1cece3e84c
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_directory.png differ
diff --git a/smb/images/azure_portal_classic_configure_intune.PNG b/smb/images/azure_portal_classic_configure_intune.PNG
new file mode 100644
index 0000000000..0daddd7e83
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_intune.PNG differ
diff --git a/smb/images/azure_portal_classic_configure_intune_app.png b/smb/images/azure_portal_classic_configure_intune_app.png
new file mode 100644
index 0000000000..1110714b7c
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_intune_app.png differ
diff --git a/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG b/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG
new file mode 100644
index 0000000000..a85a28dd7d
Binary files /dev/null and b/smb/images/azure_portal_classic_configure_intune_mdm_enrollment.PNG differ
diff --git a/smb/images/azure_portal_classic_directory_ready.PNG b/smb/images/azure_portal_classic_directory_ready.PNG
new file mode 100644
index 0000000000..d627036ca3
Binary files /dev/null and b/smb/images/azure_portal_classic_directory_ready.PNG differ
diff --git a/smb/images/azure_portal_classic_groups.PNG b/smb/images/azure_portal_classic_groups.PNG
new file mode 100644
index 0000000000..a746a0b21b
Binary files /dev/null and b/smb/images/azure_portal_classic_groups.PNG differ
diff --git a/smb/images/azure_portal_classic_members_added.PNG b/smb/images/azure_portal_classic_members_added.PNG
new file mode 100644
index 0000000000..5cb5864330
Binary files /dev/null and b/smb/images/azure_portal_classic_members_added.PNG differ
diff --git a/smb/images/azure_portal_home.PNG b/smb/images/azure_portal_home.PNG
new file mode 100644
index 0000000000..5f0dcf4c5d
Binary files /dev/null and b/smb/images/azure_portal_home.PNG differ
diff --git a/smb/images/azure_portal_select_azure_ad.png b/smb/images/azure_portal_select_azure_ad.png
new file mode 100644
index 0000000000..694d30cbdd
Binary files /dev/null and b/smb/images/azure_portal_select_azure_ad.png differ
diff --git a/smb/images/business-cloud-mode-graphic.png b/smb/images/business-cloud-mode-graphic.png
new file mode 100644
index 0000000000..449b7ca356
Binary files /dev/null and b/smb/images/business-cloud-mode-graphic.png differ
diff --git a/smb/images/business-cloud-mode.png b/smb/images/business-cloud-mode.png
new file mode 100644
index 0000000000..f524b42372
Binary files /dev/null and b/smb/images/business-cloud-mode.png differ
diff --git a/smb/images/deploy.png b/smb/images/deploy.png
new file mode 100644
index 0000000000..8fe505f77e
Binary files /dev/null and b/smb/images/deploy.png differ
diff --git a/smb/images/deploy_art.png b/smb/images/deploy_art.png
new file mode 100644
index 0000000000..5f2a6d0978
Binary files /dev/null and b/smb/images/deploy_art.png differ
diff --git a/smb/images/intune_admin_mdm.PNG b/smb/images/intune_admin_mdm.PNG
new file mode 100644
index 0000000000..3b334b27d5
Binary files /dev/null and b/smb/images/intune_admin_mdm.PNG differ
diff --git a/smb/images/intune_admin_mdm_configure.png b/smb/images/intune_admin_mdm_configure.png
new file mode 100644
index 0000000000..0a9cb4b99f
Binary files /dev/null and b/smb/images/intune_admin_mdm_configure.png differ
diff --git a/smb/images/intune_admin_mdm_forcesync.PNG b/smb/images/intune_admin_mdm_forcesync.PNG
new file mode 100644
index 0000000000..96d085a261
Binary files /dev/null and b/smb/images/intune_admin_mdm_forcesync.PNG differ
diff --git a/smb/images/intune_admin_mdm_store_sync.PNG b/smb/images/intune_admin_mdm_store_sync.PNG
new file mode 100644
index 0000000000..3b884371b0
Binary files /dev/null and b/smb/images/intune_admin_mdm_store_sync.PNG differ
diff --git a/smb/images/intune_apps_deploymentaction.PNG b/smb/images/intune_apps_deploymentaction.PNG
new file mode 100644
index 0000000000..0c769017d2
Binary files /dev/null and b/smb/images/intune_apps_deploymentaction.PNG differ
diff --git a/smb/images/intune_configure_store_app_sync_dialog.PNG b/smb/images/intune_configure_store_app_sync_dialog.PNG
new file mode 100644
index 0000000000..abb41318f1
Binary files /dev/null and b/smb/images/intune_configure_store_app_sync_dialog.PNG differ
diff --git a/smb/images/intune_groups_devices_list.PNG b/smb/images/intune_groups_devices_list.PNG
new file mode 100644
index 0000000000..f571847bc7
Binary files /dev/null and b/smb/images/intune_groups_devices_list.PNG differ
diff --git a/smb/images/intune_policies_newpolicy_deployed.PNG b/smb/images/intune_policies_newpolicy_deployed.PNG
new file mode 100644
index 0000000000..72cb4d5db3
Binary files /dev/null and b/smb/images/intune_policies_newpolicy_deployed.PNG differ
diff --git a/smb/images/intune_policy_disable_windowshello.PNG b/smb/images/intune_policy_disable_windowshello.PNG
new file mode 100644
index 0000000000..2b7300c9ce
Binary files /dev/null and b/smb/images/intune_policy_disable_windowshello.PNG differ
diff --git a/smb/images/intune_policy_disablecamera.PNG b/smb/images/intune_policy_disablecamera.PNG
new file mode 100644
index 0000000000..53fd969c00
Binary files /dev/null and b/smb/images/intune_policy_disablecamera.PNG differ
diff --git a/smb/images/intune_portal_home.PNG b/smb/images/intune_portal_home.PNG
new file mode 100644
index 0000000000..b63295fe42
Binary files /dev/null and b/smb/images/intune_portal_home.PNG differ
diff --git a/smb/images/learn.png b/smb/images/learn.png
new file mode 100644
index 0000000000..9e8f87f436
Binary files /dev/null and b/smb/images/learn.png differ
diff --git a/smb/images/learn_art.png b/smb/images/learn_art.png
new file mode 100644
index 0000000000..1170f9ca26
Binary files /dev/null and b/smb/images/learn_art.png differ
diff --git a/smb/images/o365_active_users.PNG b/smb/images/o365_active_users.PNG
new file mode 100644
index 0000000000..8ab381a59d
Binary files /dev/null and b/smb/images/o365_active_users.PNG differ
diff --git a/smb/images/o365_add_existing_domain.PNG b/smb/images/o365_add_existing_domain.PNG
new file mode 100644
index 0000000000..e29cdca3f9
Binary files /dev/null and b/smb/images/o365_add_existing_domain.PNG differ
diff --git a/smb/images/o365_additional_domain.PNG b/smb/images/o365_additional_domain.PNG
new file mode 100644
index 0000000000..5682fb15f7
Binary files /dev/null and b/smb/images/o365_additional_domain.PNG differ
diff --git a/smb/images/o365_admin_portal.PNG b/smb/images/o365_admin_portal.PNG
new file mode 100644
index 0000000000..cfbf696310
Binary files /dev/null and b/smb/images/o365_admin_portal.PNG differ
diff --git a/smb/images/o365_assign_intune_license.PNG b/smb/images/o365_assign_intune_license.PNG
new file mode 100644
index 0000000000..261f096a98
Binary files /dev/null and b/smb/images/o365_assign_intune_license.PNG differ
diff --git a/smb/images/o365_domains.PNG b/smb/images/o365_domains.PNG
new file mode 100644
index 0000000000..ca79f71f54
Binary files /dev/null and b/smb/images/o365_domains.PNG differ
diff --git a/smb/images/o365_microsoft_provided_domain.PNG b/smb/images/o365_microsoft_provided_domain.PNG
new file mode 100644
index 0000000000..b2a05eb5a9
Binary files /dev/null and b/smb/images/o365_microsoft_provided_domain.PNG differ
diff --git a/smb/images/o365_trynow.PNG b/smb/images/o365_trynow.PNG
new file mode 100644
index 0000000000..5810f3e0f9
Binary files /dev/null and b/smb/images/o365_trynow.PNG differ
diff --git a/smb/images/o365_users.PNG b/smb/images/o365_users.PNG
new file mode 100644
index 0000000000..e0b462a8c5
Binary files /dev/null and b/smb/images/o365_users.PNG differ
diff --git a/smb/images/office365_add_individual_user.PNG b/smb/images/office365_add_individual_user.PNG
new file mode 100644
index 0000000000..87f674fa10
Binary files /dev/null and b/smb/images/office365_add_individual_user.PNG differ
diff --git a/smb/images/office365_additional_domain.png b/smb/images/office365_additional_domain.png
new file mode 100644
index 0000000000..940a090477
Binary files /dev/null and b/smb/images/office365_additional_domain.png differ
diff --git a/smb/images/office365_admin_center.png b/smb/images/office365_admin_center.png
new file mode 100644
index 0000000000..26808fc27c
Binary files /dev/null and b/smb/images/office365_admin_center.png differ
diff --git a/smb/images/office365_admin_portal.png b/smb/images/office365_admin_portal.png
new file mode 100644
index 0000000000..fe0f81bda0
Binary files /dev/null and b/smb/images/office365_admin_portal.png differ
diff --git a/smb/images/office365_buy_domain.png b/smb/images/office365_buy_domain.png
new file mode 100644
index 0000000000..51ea9c1e6c
Binary files /dev/null and b/smb/images/office365_buy_domain.png differ
diff --git a/smb/images/office365_create_userid.png b/smb/images/office365_create_userid.png
new file mode 100644
index 0000000000..fc3d070841
Binary files /dev/null and b/smb/images/office365_create_userid.png differ
diff --git a/smb/images/office365_domains.png b/smb/images/office365_domains.png
new file mode 100644
index 0000000000..51ea9c1e6c
Binary files /dev/null and b/smb/images/office365_domains.png differ
diff --git a/smb/images/office365_import_multiple_users.PNG b/smb/images/office365_import_multiple_users.PNG
new file mode 100644
index 0000000000..c1b05fa2c9
Binary files /dev/null and b/smb/images/office365_import_multiple_users.PNG differ
diff --git a/smb/images/office365_ms_provided_domain.png b/smb/images/office365_ms_provided_domain.png
new file mode 100644
index 0000000000..18479da421
Binary files /dev/null and b/smb/images/office365_ms_provided_domain.png differ
diff --git a/smb/images/office365_plan_subscription_checkout.png b/smb/images/office365_plan_subscription_checkout.png
new file mode 100644
index 0000000000..340336c39e
Binary files /dev/null and b/smb/images/office365_plan_subscription_checkout.png differ
diff --git a/smb/images/office365_portal.png b/smb/images/office365_portal.png
new file mode 100644
index 0000000000..f3a23d4a65
Binary files /dev/null and b/smb/images/office365_portal.png differ
diff --git a/smb/images/office365_signup_page.png b/smb/images/office365_signup_page.png
new file mode 100644
index 0000000000..ce2de7f034
Binary files /dev/null and b/smb/images/office365_signup_page.png differ
diff --git a/smb/images/office365_trynow.png b/smb/images/office365_trynow.png
new file mode 100644
index 0000000000..72aaeb923a
Binary files /dev/null and b/smb/images/office365_trynow.png differ
diff --git a/smb/images/office365_tryorbuy_now.png b/smb/images/office365_tryorbuy_now.png
new file mode 100644
index 0000000000..760e3a74cc
Binary files /dev/null and b/smb/images/office365_tryorbuy_now.png differ
diff --git a/smb/images/office365_users.png b/smb/images/office365_users.png
new file mode 100644
index 0000000000..ec9231de1b
Binary files /dev/null and b/smb/images/office365_users.png differ
diff --git a/smb/images/smb_portal_banner.png b/smb/images/smb_portal_banner.png
new file mode 100644
index 0000000000..e38560ab5a
Binary files /dev/null and b/smb/images/smb_portal_banner.png differ
diff --git a/smb/images/win10_add_new_user_account_aadwork.PNG b/smb/images/win10_add_new_user_account_aadwork.PNG
new file mode 100644
index 0000000000..378339b1e9
Binary files /dev/null and b/smb/images/win10_add_new_user_account_aadwork.PNG differ
diff --git a/smb/images/win10_add_new_user_join_aad.PNG b/smb/images/win10_add_new_user_join_aad.PNG
new file mode 100644
index 0000000000..7924250993
Binary files /dev/null and b/smb/images/win10_add_new_user_join_aad.PNG differ
diff --git a/smb/images/win10_change_your_password.PNG b/smb/images/win10_change_your_password.PNG
new file mode 100644
index 0000000000..bf9f164290
Binary files /dev/null and b/smb/images/win10_change_your_password.PNG differ
diff --git a/smb/images/win10_choosehowtoconnect.PNG b/smb/images/win10_choosehowtoconnect.PNG
new file mode 100644
index 0000000000..0a561b1913
Binary files /dev/null and b/smb/images/win10_choosehowtoconnect.PNG differ
diff --git a/smb/images/win10_confirm_device_connected_to_org.PNG b/smb/images/win10_confirm_device_connected_to_org.PNG
new file mode 100644
index 0000000000..a70849ebe8
Binary files /dev/null and b/smb/images/win10_confirm_device_connected_to_org.PNG differ
diff --git a/smb/images/win10_confirm_organization_details.PNG b/smb/images/win10_confirm_organization_details.PNG
new file mode 100644
index 0000000000..54605d39fe
Binary files /dev/null and b/smb/images/win10_confirm_organization_details.PNG differ
diff --git a/smb/images/win10_deivce_enrolled_in_aad.PNG b/smb/images/win10_deivce_enrolled_in_aad.PNG
new file mode 100644
index 0000000000..a2c60c114e
Binary files /dev/null and b/smb/images/win10_deivce_enrolled_in_aad.PNG differ
diff --git a/smb/images/win10_deploy_apps_immediately.PNG b/smb/images/win10_deploy_apps_immediately.PNG
new file mode 100644
index 0000000000..1e63f77939
Binary files /dev/null and b/smb/images/win10_deploy_apps_immediately.PNG differ
diff --git a/smb/images/win10_device_enrolled_in_aad.png b/smb/images/win10_device_enrolled_in_aad.png
new file mode 100644
index 0000000000..a2c60c114e
Binary files /dev/null and b/smb/images/win10_device_enrolled_in_aad.png differ
diff --git a/smb/images/win10_device_setup_complete.PNG b/smb/images/win10_device_setup_complete.PNG
new file mode 100644
index 0000000000..454e30a441
Binary files /dev/null and b/smb/images/win10_device_setup_complete.PNG differ
diff --git a/smb/images/win10_hithere.PNG b/smb/images/win10_hithere.PNG
new file mode 100644
index 0000000000..b251b8eb7c
Binary files /dev/null and b/smb/images/win10_hithere.PNG differ
diff --git a/smb/images/win10_settings_pcname.PNG b/smb/images/win10_settings_pcname.PNG
new file mode 100644
index 0000000000..ff815b0a8a
Binary files /dev/null and b/smb/images/win10_settings_pcname.PNG differ
diff --git a/smb/images/win10_signin_admin_account.PNG b/smb/images/win10_signin_admin_account.PNG
new file mode 100644
index 0000000000..e6df613284
Binary files /dev/null and b/smb/images/win10_signin_admin_account.PNG differ
diff --git a/smb/images/wsfb_account_details.PNG b/smb/images/wsfb_account_details.PNG
new file mode 100644
index 0000000000..7a2594ec3f
Binary files /dev/null and b/smb/images/wsfb_account_details.PNG differ
diff --git a/smb/images/wsfb_account_details_2.PNG b/smb/images/wsfb_account_details_2.PNG
new file mode 100644
index 0000000000..7e38f20099
Binary files /dev/null and b/smb/images/wsfb_account_details_2.PNG differ
diff --git a/smb/images/wsfb_account_signup_saveinfo.PNG b/smb/images/wsfb_account_signup_saveinfo.PNG
new file mode 100644
index 0000000000..f29280352b
Binary files /dev/null and b/smb/images/wsfb_account_signup_saveinfo.PNG differ
diff --git a/smb/images/wsfb_manage_inventory_newapps.PNG b/smb/images/wsfb_manage_inventory_newapps.PNG
new file mode 100644
index 0000000000..070728fcad
Binary files /dev/null and b/smb/images/wsfb_manage_inventory_newapps.PNG differ
diff --git a/smb/images/wsfb_management_tools.PNG b/smb/images/wsfb_management_tools.PNG
new file mode 100644
index 0000000000..82d11a9a25
Binary files /dev/null and b/smb/images/wsfb_management_tools.PNG differ
diff --git a/smb/images/wsfb_management_tools_activate.png b/smb/images/wsfb_management_tools_activate.png
new file mode 100644
index 0000000000..bb2ffd99ad
Binary files /dev/null and b/smb/images/wsfb_management_tools_activate.png differ
diff --git a/smb/images/wsfb_shop_microsoft_apps.PNG b/smb/images/wsfb_shop_microsoft_apps.PNG
new file mode 100644
index 0000000000..562f3fd1e3
Binary files /dev/null and b/smb/images/wsfb_shop_microsoft_apps.PNG differ
diff --git a/smb/images/wsfb_signup_for_account.PNG b/smb/images/wsfb_signup_for_account.PNG
new file mode 100644
index 0000000000..d641587c5e
Binary files /dev/null and b/smb/images/wsfb_signup_for_account.PNG differ
diff --git a/smb/images/wsfb_store_portal.PNG b/smb/images/wsfb_store_portal.PNG
new file mode 100644
index 0000000000..03a4ad928e
Binary files /dev/null and b/smb/images/wsfb_store_portal.PNG differ
diff --git a/smb/index.md b/smb/index.md
index eaeb8132cd..b15093ddee 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -1,4 +1,45 @@
 ---
-title: SMB placeholder
-description: SMB placeholder
+title: Windows 10 for small to midsize businesses
+description: Microsoft products and devices to transform and grow your businessLearn how to use Windows 10 for your small to midsize business.
+keywords: Windows 10, SMB, small business, midsize business, business
+ms.prod: w10
+ms.technology: smb-windows
+ms.topic: article
+ms.author: celested
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: smb
+author: CelesteDG
 ---
+
+![Windows 10 for SMB](images/smb_portal_banner.png)
+
+# Windows 10 for SMB
+
+
+## ![Learn more about Windows and other resources for SMBs](images/learn.png) Learn
+
+
    +
    +

    Windows 10 for business
    Learn how Windows 10 and Windows devices can help your business.

    +

    SMB blog
    Read about the latest stories, technology insights, and business strategies for SMBs.

    +
    +
    +

    How to buy
    Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.

    +
    +
    + +## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy + +
    +
    +

    [Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)
    Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.

    +
    +
    +

    +
    +
    + + ## Related topics + +- [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index)
\ No newline at end of file
diff --git a/windows/TOC.md b/windows/TOC.md
index 67fcd1b517..7167858dab 100644
--- a/windows/TOC.md
+++ b/windows/TOC.md
@@ -2,5 +2,7 @@
 ## [What's new in Windows 10](whats-new/index.md)
 ## [Plan for Windows 10 deployment](plan/index.md)
 ## [Deploy Windows 10](deploy/index.md)
+## [Configure Windows 10](configure/index.md)
+## [Update Windows 10](update/index.md)
 ## [Keep Windows 10 secure](keep-secure/index.md)
-## [Manage and update Windows 10](manage/index.md)
\ No newline at end of file
+## [Manage Windows 10](manage/index.md)
\ No newline at end of file
diff --git a/windows/WaaS-infographic.pdf b/windows/WaaS-infographic.pdf
new file mode 100644
index 0000000000..cb1ef988a1
Binary files /dev/null and b/windows/WaaS-infographic.pdf differ
diff --git a/windows/breadcrumb/toc.yml b/windows/breadcrumb/toc.yml
index fa80416cab..40ff5fde9b 100644
--- a/windows/breadcrumb/toc.yml
+++ b/windows/breadcrumb/toc.yml
@@ -11,6 +11,12 @@
 - name: Deploy
 tocHref: /itpro/windows/deploy/
 topicHref: /itpro/windows/deploy/index
+ - name: Configure
+ tocHref: /itpro/windows/configure/
+ topicHref: /itpro/windows/configure/index
+ - name: Update
+ tocHref: /itpro/windows/update/
+ topicHref: /itpro/windows/update/index
 - name: Keep secure
 tocHref: /itpro/windows/keep-secure/
 topicHref: /itpro/windows/keep-secure/index
diff --git a/windows/configure/TOC.md b/windows/configure/TOC.md
new file mode 100644
index 0000000000..75766ed065
--- /dev/null
+++ b/windows/configure/TOC.md
@@ -0,0 +1,64 @@
+# [Configure Windows 10](index.md)
+## [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)
+## [Basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+## [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md)
+## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)
+## [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md)
+### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md)
+### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
+### [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md)
+## [Configure Windows 10 Mobile devices](configure-mobile.md)
+### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md)
+### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
+#### [NFC-based device provisioning](provisioning-nfc.md)
+#### [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)
+### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md)
+### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)
+### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md)
+### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md)
+### [Start layout XML for mobile editions of Windows 10 
(reference)](start-layout-xml-mobile.md)
+## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
+### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
+### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md)
+### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+#### [Customize and export Start layout](customize-and-export-start-layout.md)
+#### [Add image for secondary tiles](start-secondary-tiles.md)
+#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+#### [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+## [Cortana integration in your business or enterprise](cortana-at-work-overview.md)
+### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md)
+#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md)
+#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md)
+#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md)
+#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md)
+#### [Test scenario 6 
- Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-7.md)
+### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md)
+### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md)
+### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md)
+### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md)
+### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md)
+### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md)
+## [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)
+## [Provisioning packages for Windows 10](provisioning-packages.md)
+### [How provisioning works in Windows 10](provisioning-how-it-works.md)
+### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md)
+### [Install Windows Configuration Designer](provisioning-install-icd.md)
+### [Create a provisioning package](provisioning-create-package.md)
+### [Apply a provisioning package](provisioning-apply-package.md)
+### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+### [Provision PCs with common settings for initial deployment (desktop wizard)](provision-pcs-for-initial-deployment.md)
+### [Provision PCs with apps](provision-pcs-with-apps.md)
+### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+### [Windows ICD 
command-line interface (reference)](provisioning-command-line.md)
+### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)
+## [Change history for Configure Windows 10](change-history-for-configure-windows-10.md)
diff --git a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md
new file mode 100644
index 0000000000..0ae4581bb0
--- /dev/null
+++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md
@@ -0,0 +1,4115 @@ +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +--- + + +# Windows 10, version 1703 basic level Windows diagnostic events and fields + + + **Applies to** + +- Windows 10, version 1703 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. 
+ +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) + + + + +## Common data extensions + +### Common Data Extensions.App + + + +The following fields are available: + +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **userId** The userID as known by the application. +- **env** The environment from which the event was logged. +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. + + +### Common Data Extensions.CS + + + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.CUET + + + +The following fields are available: + +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **op** Represents the ETW Op Code. +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event. 
+- **bseq** Upload buffer sequence number in the format \:\ +- **mon** Combined monitor and event sequence numbers in the format \:\ + + +### Common Data Extensions.Device + + + +The following fields are available: + +- **ver** Represents the major and minor version of the extension. +- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile. + + +### Common Data Extensions.Envelope + + + +The following fields are available: + +- **ver** Represents the major and minor version of the extension. +- **name** Represents the uniquely qualified name for the event. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. 
The next byte is the event latency. +- **os** Represents the operating system name. +- **osVer** Represents the OS version, and its format is OS dependent. +- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. + + +### Common Data Extensions.OS + + + +The following fields are available: + +- **ver** Represents the major and minor version of the extension. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. + + +### Common Data Extensions.User + + + +The following fields are available: + +- **ver** Represents the major and minor version of the extension. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.XBL + + + +The following fields are available: + +- **nbf** Not before time +- **expId** Expiration time +- **sbx** XBOX sandbox identifier +- **dty** XBOX device type +- **did** XBOX device ID +- **xid** A list of base10-encoded XBOX User IDs. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. 
+ + +### Common Data Extensions.Consent UI Event + +This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path. + +The following fields are available: + +- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved. +- **splitToken** Represents the flag used to distinguish between administrators and standard users. +- **friendlyName** Represents the name of the file requesting elevation from low IL. +- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on). +- **exeName** Represents the name of the file requesting elevation from low IL. +- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on. +- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL. +- **cmdLine** Represents the full command line arguments being used to elevate. +- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL. +- **Hash** Represents the hash of the file requesting elevation from low IL. +- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL. +- **telemetryFlags** Represents the details about the elevation prompt for CEIP data. +- **timeStamp** Represents the time stamp on the file requesting elevation. +- **fileVersionMS** Represents the major version of the file requesting elevation. +- **fileVersionLS** Represents the minor version of the file requesting elevation. 
+ + +## Common data fields + +### Common Data Fields.MS.Device.DeviceInventory.Change + +These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event. + +The following fields are available: + +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +- **objectType** Indicates the object type that the event applies to. +- **Action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing + + +### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings + +These fields are added whenever PreUpgradeSettings is included in the event. + +The following fields are available: + +- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed. +- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device. +- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed. +- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user. +- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed. +- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device. +- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed. +- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device. 
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed. +- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user. +- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update. +- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device. +- **HKLM_TIPC.Enabled** The state of TIPC for the device. +- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device. +- **HKCU_TIPC.Enabled** The state of TIPC for the current user. +- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user. +- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed? +- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device. +- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed? +- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user. +- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed? +- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user. +- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device? +- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device. +- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user? 
+- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user. + + +### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings + +These fields are added whenever PostUpgradeSettings is included in the event. + +The following fields are available: + +- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed. +- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device. +- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed. +- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user. +- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed. +- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device. +- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed. +- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device. +- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed. +- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user. +- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update. +- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device. 
+- **HKLM_TIPC.Enabled** The state of TIPC for the device. +- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device. +- **HKCU_TIPC.Enabled** The state of TIPC for the current user. +- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user. +- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed? +- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device. +- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed? +- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user. +- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed? +- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user. +- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device? +- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device. +- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user? +- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. 
+- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. +- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device. +- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. +- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device. +- **InventorySystemBios** The total InventorySystemBios objects that are present on this device. +- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device. +- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device. +- **SystemMemory** The total SystemMemory objects that are present on this device. +- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device. +- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device. +- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device. +- **SystemWlan** The total SystemWlan objects that are present on this device. +- **SystemWim** The total SystemWim objects that are present on this device +- **SystemTouch** The total SystemTouch objects that are present on this device. +- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. + + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256 + +This event lists the types of objects and the hashed values of all the identifiers for each one. This allows for a more in-depth way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. 
+- **InventoryApplicationFile** The SHA256 hash of InventoryApplicationFile objects that are present on this device. +- **InventoryMediaCenter** The SHA256 hash of InventoryMediaCenter objects that are present on this device. +- **InventoryLanguagePack** The SHA256 hash of InventoryLanguagePack objects that are present on this device. +- **InventoryUplevelDriverPackage** The SHA256 hash of InventoryUplevelDriverPackage objects that are present on this device. +- **InventorySystemBios** The SHA256 hash of InventorySystemBios objects that are present on this device. +- **SystemProcessorCompareExchange** The SHA256 hash of SystemProcessorCompareExchange objects that are present on this device. +- **SystemProcessorLahfSahf** The SHA256 hash of SystemProcessorLahfSahf objects that are present on this device. +- **SystemMemory** The SHA256 hash of SystemMemory objects that are present on this device. +- **SystemProcessorPrefetchW** The SHA256 hash of SystemProcessorPrefetchW objects that are present on this device. +- **SystemProcessorSse2** The SHA256 hash of SystemProcessorSse2 objects that are present on this device. +- **SystemProcessorNx** The SHA256 hash of SystemProcessorNx objects that are present on this device. +- **SystemWlan** The SHA256 hash of SystemWlan objects that are present on this device. +- **SystemWim** The SHA256 hash of SystemWim objects that are present on this device. +- **SystemTouch** The SHA256 hash of SystemTouch objects that are present on this device. +- **SystemWindowsActivationStatus** The SHA256 hash of SystemWindowsActivationStatus objects that are present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +This event sends compatibility information about a file to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If it is an anti-virus app, this is its display name. 
+- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Is the file present in CIT data? +- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a PNP device, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **ActiveNetworkConnection** Is the device an active network device? +- **IsBootCritical** Is the device boot critical? +- **SdbEntries** An array of fields indicating the SDB entries that apply to this device. +- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? +- **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromID** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. 
+ + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. 
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? 
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +This event indicates that the DecisionDevicePnp object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? 
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? 
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? 
+ + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning + +The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. + +The following fields are available: + +- **Time** The client time of the event. 
+- **PCFP** An ID for the system calculated by hashing hardware identifiers. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **Time** The client time of the event. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **OldData** The previous data in the registry value before the scan ran. +- **NewData** The data in the registry value after the scan completed. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. 
+- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Does this device have 2 or more language packs? +- **LanguagePackCount** How many language packs are installed? + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BiosDate** The release date of the BIOS in UTC format. +- **BiosName** The name field from Win32_BIOS. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **ClassGuid** The device class GUID from the driver package. +- **Class** The device class from the driver package. +- **Date** The date from the driver package. 
+- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2 +- **Inbox** Is the driver package of a driver that is included with Windows? +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file, post-rename. +- **Revision** The revision of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.IsOnlineTelemetryOutputter + +This event indicates if Appraiser was able to connect successfully to Windows Update to get driver availability information. + +The following fields are available: + +- **Time** The client time of the event. +- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. +- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? + + +### Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource + +This event indicates if Appraiser was able to connect to Windows Update to gather driver coverage information. + +The following fields are available: + +- **Time** The client time of the event. 
+- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. +- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? +- **TargetVersion** The abbreviated name for the OS version against which Windows Update was queried. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **Time** The client time of the event. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. + + +### Microsoft.Windows.Appraiser.General.SetupAdlStatus + +This event indicates if Appraiser used data files from the setup image or more up-to-date data files downloaded from a Microsoft server. + +The following fields are available: + +- **Time** The client time of the event. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Result** The last result of the operation to determine if there is a data file to download. +- **OneSettingsInitialized** Was the query to OneSettings, where the information is stored on if there is a data file to download, initialized? +- **Url** The URL of the data file to download. This will be an empty string if there is no data file to download. +- **UsingAlternateData** Is the client using alternate data file or using the data file in the setup image? + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? 
+ + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? 
+- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date. + +The following fields are available: + +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. 
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **Time** The client time of the event.
+- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **AuxFinal** Obsolete, always set to false
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **TelementrySent** Indicates if telemetry was successfully sent.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+- **RunResult** The hresult of the Appraiser telemetry run.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **BlockingApplication** Same as NeedsDismissAction
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+This event indicates that a new set of WmdrmAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+## Census events
+
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **IEVersion** Retrieves which version of Internet Explorer is running on this device.
+- **CensusVersion** The version of Census that generated the current data for this device.
+
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear.
+- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+
+
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+
+The following fields are available:
+
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **IsDomainJoined** Indicates whether a machine is joined to a domain.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **MPNId** Returns the Partner ID/MPN ID from Regkey. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate** Represents the date the current firmware was released.
+- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion** Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **DeviceColor** Indicates a color of the device.
+- **DeviceName** The device name that is set by the user.
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelNumber** The device model number.
+- **OEMModelName** The device model name.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer** The friendly name of the phone manufacturer.
+- **SoCName** The firmware manufacturer of the device.
+- **DUID** The device unique ID.
+- **InventoryId** The device ID used for compatibility testing.
+- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
+- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **StudyID** Used to identify retail and non-retail device.
+- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DigitizerSupport** Is a digitizer supported?
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+
+The following fields are available:
+
+- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **NetworkCost** Represents the network cost associated with a connection.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. 
Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). 
It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+
+
+### Census.OS
+
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
+- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
+- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
+- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
+- **OSSKU** Retrieves the Friendly Name of OS Edition.
+- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine.
+- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS.
+- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
+- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode.
+- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
+- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key.
+- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy.
+- **ServiceProductKeyID** Retrieves the License key of the KMS
+- **LanguagePacks** The list of language packages installed on the device.
+- **InstallLanguage** The first language installed on the user machine.
+- **IsEduData** Returns Boolean if the education data policy is enabled.
+- **SharedPCMode** Returns Boolean for education devices used as shared cart
+- **SLICVersion** Returns OS type/version from SLIC table.
+- **SLICStatus** Whether a SLIC table exists on the device.
+- **OSEdition** Retrieves the version of the current OS.
+- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues.
+- **ProductActivationResult** Returns Boolean if the OS Activation was successful.
+- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines.
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
+- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
+- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+
+
+### Census.Processor
+
+This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date.
+
+The following fields are available:
+
+- **ProcessorCores** Retrieves the number of cores in the processor.
+- **ProcessorPhysicalCores** Number of physical cores in the processor.
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture.
+- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz.
+- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer.
+- **ProcessorModel** Retrieves the name of the processor model.
+- **SocketCount** Number of physical CPU sockets of the machine.
+- **ProcessorIdentifier** The processor identifier of a manufacturer.
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+
+The following fields are available:
+
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdatePolicy** Retrieves the Windows Store App Auto Update group policy setting
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates
+- **WUPauseState** Retrieves WU setting to determine if updates are paused
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxLiveDeviceId** Retrieves the unique device id of the console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS.
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed.
+
+
+### TelClientSynthetic.AuthorizationInfo_Startup
+
+This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry.
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism.
+- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats.
+- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry).
+- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups.
+- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting** True if UTC is allowed to perform scripting.
+- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started.
+
+
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+
+The following fields are available:
+
+- **CensusExitCode** Returns last execution codes from census client run.
+- **CensusStartTime** Returns timestamp corresponding to last successful census run.
+- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **LastConnectivityLossTime** Retrieves the last time the device lost free network.
+- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
+- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
+- **LastConntectivityLossTime** Retrieves the last time the device lost free network.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the telemetry data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **DecodingDroppedCount** The number of events dropped because of decoding failures.
+- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers.
+- **DbDroppedCount** The number of events that were dropped because the database was full.
+- **EventSubStoreResetCounter** The number of times the event database was reset.
+- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
+- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
+- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
+- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client.
+- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
+- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
+- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component.
+- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
+- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **VortexHttpAttempts** The number of attempts to contact the Vortex service.
+- **EventsUploaded** The number of events that have been uploaded.
+- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
+- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
+- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
+- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel.
+- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
+- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
+- **CensusTaskEnabled** Indicates whether Census is enabled.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** The time of the last Census run.
+
+
+### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
+
+This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
+
+The following fields are available:
+
+- **PostUpgradeSettings** The privacy settings after a feature update.
+- **PreUpgradeSettings** The privacy settings before a feature update.
+
+
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **version** The event version.
+- **bootId** The system boot ID.
+- **aiSeqId** The event sequence ID.
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **InterfaceId** The GPU interface ID.
+- **GPUVendorID** The GPU vendor ID.
+- **GPUDeviceID** The GPU device ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **SubSystemID** The subsystem ID.
+- **GPURevisionID** The GPU revision ID.
+- **DriverVersion** The display driver version.
+- **DriverDate** The date of the display driver.
+- **DriverRank** The rank of the display driver.
+- **IsMiracastSupported** Does the GPU support Miracast?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsLDA** Is the GPU comprised of Linked Display Adapters?
+- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsPostAdapter** Is this GPU the POST GPU in the device?
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **IsRenderDevice** Does the GPU have rendering capabilities?
+- **IsDisplayDevice** Does the GPU have displaying capabilities?
+- **WDDMVersion** The Windows Display Driver Model version.
+- **DisplayAdapterLuid** The display adapter LUID.
+- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
+- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
+- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **NumVidPnSources** The number of supported display output sources.
+- **NumVidPnTargets** The number of supported display output targets.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes" by a user DO NOT emit this event.
+
+The following fields are available:
+
+- **ProcessId** The ID of the process that has crashed.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ExceptionCode** The exception code returned by the process that has crashed.
+- **ExceptionOffset** The address where the exception had occurred.
+- **AppName** The name of the app that has crashed.
+- **AppVersion** The version of the app that has crashed.
+- **AppTimeStamp** The date/time stamp of the app.
+- **ModName** Exception module name (e.g. bar.dll).
+- **ModVersion** The version of the module that has crashed.
+- **ModTimeStamp** The date/time stamp of the module.
+- **PackageFullName** Store application identity.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g.
PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName** The name of the app that has hung.
+- **TypeCode** Bitmap describing the hang type.
+- **ProcessId** The ID of the process that has hung.
+- **UTCReplace_TargetAppId** The kernel reported AppId of the application being reported.
+- **ProcessCreateTime** The time of creation of the process that has hung.
+- **UTCReplace_TargetAppVer** The specific version of the application being reported.
+- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
+- **PackageRelativeAppId** Store application identity.
+- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
+- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **PackageFullName** Store application identity.
+- **AppVersion** The version of the app that has hung.
+- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId** The kernel reported AppId of the application being reported.
+- **TargetAppVer** The specific version of the application being reported.
+- **TargetAsId** The sequence number for the hanging process.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+
+The following fields are available:
+
+- **Device** A count of device objects in cache
+- **DeviceCensus** A count of devicecensus objects in cache
+- **DriverPackageExtended** A count of driverpackageextended objects in cache
+- **File** A count of file objects in cache
+- **Generic** A count of generic objects in cache
+- **HwItem** A count of hwitem objects in cache
+- **InventoryApplication** A count of application objects in cache
+- **InventoryApplicationFile** A count of application file objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache
+- **InventoryDeviceMediaClass** A count of device media objects in cache
+- **InventoryDevicePnp** A count of devicepnp objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache
+- **InventoryDriverPackage** A count of device objects in cache
+- **Metadata** A count of metadata objects in cache
+- **Orphan** A count of orphan file objects in cache
+- **Programs** A count of program objects in cache
+- **FileSigningInfo** A count of file signing info objects in cache.
+- **InventoryDeviceInterface** A count of inventory device interface objects in cache.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Name** The name of the application. Location pulled from depends on 'Source' field.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **Version** The version number of the program.
+- **Language** The language code of the program.
+- **Source** How the program was installed (ARP, MSI, Appx, etc...)
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics)
+- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array.
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it).
+- **PackageFullName** The package full name for a Store application.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **StoreAppType** A sub-classification for the type of Windows Store app, such as UWP or Win8StoreApp.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ModelName** The model name.
+- **ModelId** A model GUID.
+- **PrimaryCategory** The primary category for the device container.
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsPaired** Does the device container require pairing?
+- **IsNetworked** Is this a networked device?
+- **IsMachineContainer** Is the container the root device itself?
+- **FriendlyName** The name of the device container.
+- **DiscoveryMethod** The discovery method for the device container.
+- **ModelNumber** The model number for the device container.
+- **Manufacturer** The manufacturer name for the device container.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **objectInstanceId** ContainerId
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event sends basic metadata about a PNP device and its associated driver to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **HWID** A JSON array that provides the value and order of the HWID tree for the device.
+- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device.
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **Enumerator** The bus that enumerated the device.
+- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
+- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden.
288 (0x120)= device is a wireless device that is present.
+- **ParentId** Device instance id of the parent of the device.
+- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device.
+- **Description** The device description.
+- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device setup class guid of the driver loaded for the device.
+- **Manufacturer** The device manufacturer.
+- **Model** The device model.
+- **Inf** The INF file name.
+- **DriverVerVersion** The version of the driver loaded for the device.
+- **DriverVerDate** The date of the driver loaded for the device.
+- **Provider** The device provider.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **Service** The device service name.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
+- **LowerFilters** Lower filter drivers IDs installed for the device.
+- **UpperClassFilters** Upper filter class drivers IDs installed for the device.
+- **UpperFilters** Upper filter drivers IDs installed for the device.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **DriverId** A unique identifier for the installed device.
+- **DriverName** The name of the driver image file.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **ProblemCode** The current error code for the device.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event sends basic metadata about driver files running on the system to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **DriverName** The file name of the driver.
+- **Inf** The name of the INF file.
+- **DriverPackageStrongName** The strong name of the driver package.
+- **DriverCompany** The company name that developed the driver.
+- **DriverCheckSum** The checksum of the driver file.
+- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
+- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverInBox** Is the driver included with the operating system?
+- **DriverSigned** Is the driver signed?
+- **DriverIsKernelMode** Is it a kernel mode driver?
+- **DriverVersion** The version of the driver file.
+- **ImageSize** The size of the driver file.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **WdfVersion** The Windows Driver Framework version.
+- **Service** The name of the service that is installed for the device.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Inf** The INF name of the driver package.
+- **ClassGuid** The class GUID for the device driver.
+- **Class** The class name for the device driver.
+- **Directory** The path to the driver package.
+- **Date** The driver package date.
+- **Version** The version of the driver package.
+- **Provider** The provider for the driver package.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+- **IndicatorValue** The indicator value
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd, indicating that the item has been removed. There are no additional unique fields in this event.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+
+The following fields are available:
+
+- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
+
+
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **Duration** How long the operation took.
+- **isSuccess** Was the operation successful?
+- **ResultCode** The result code.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **Hresult** The HResult of the operation.
+- **isSuccess** Was the operation successful?
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **HResult** The HResult of the operation.
+- **SourceOSVersion** The source version of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOneDriveVersion** The current version of OneDrive.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName** The name of the API.
+- **ScenarioName** The name of the scenario.
+- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
+- **isSuccess** Was the operation successful?
+
+
+### Microsoft.OneDrive.Sync.Setup.SetupCommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **OfficeVersion** The version of Office that is installed.
+- **BuildArch** Is the architecture x86 or x64?
+- **Market** Which market is this in?
+- **OneDriveDeviceId** The OneDrive device ID.
+- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** Is this an internal Microsoft device?
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **Environment** Is the device on the production or int service?
+- **OfficeVersionString** The version of Office that is installed.
+- **BuildArchitecture** Is the architecture x86 or x64?
+- **UserGuid** The CEIP user ID.
+- **MSFTInternal** Is this an internal Microsoft device?
+
+
+### Microsoft.OneDrive.Sync.Updater.CommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion** The version of the app.
+- **OfficeVersion** The version of Office that is installed.
+- **BuildArch** Is the architecture x86 or x64?
+- **Market** Which market is this in?
+- **OneDriveDeviceId** The OneDrive device ID.
+- **MachineGuid** The CEIP machine ID.
+- **IsMSFTInternal** Is this an internal Microsoft device?
+- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
+- **OSUserName** Only if the device is internal to Microsoft, the user name.
+- **Environment** Is the device on the production or int service?
+- **UserGuid** A unique global user identifier.
+
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event determines the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName** The name of the dependent component.
+- **isInstalled** Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
+
+This event determines the status of the OneDrive integration with Microsoft Office.
+
+The following fields are available:
+
+- **isValid** Is the Microsoft Office registration valid?
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.RepairResult
+
+The event determines the result of the installation repair.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
+
+This event indicates the status when downloading the OneDrive setup file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event determines the outcome of the operation.
+
+The following fields are available:
+
+- **UpdaterVersion** The version of the updater.
+- **IsLoggingEnabled** Is logging enabled?
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
+
+This event determines status of the update tier registry values.
+
+The following fields are available:
+
+- **regReadEnterpriseHr** The HResult of the enterprise reg read value.
+- **regReadTeamHr** The HResult of the team reg read value.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr** The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError** The HResult of the operation.
+
+
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends a unique ID that can be used to bind Setup Platform events together, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Retrieves the value associated with the corresponding event name. For example: For time-related events, this will include the system time.
+- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event
+- **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+The following fields are available:
+
+- **Name** The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityStopped
+
+This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
+
+
+
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
+
+The following fields are available:
+
+- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
+- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+
+
+## Shared PC events
+
+### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
+
+Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates.
+
+The following fields are available:
+
+- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+- **userSid** The security identifier of the account.
+- **accountType** The type of account that was deleted. Example: AD, AAD, or Local
+
+
+### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
+
+Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates
+
+The following fields are available:
+
+- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
+- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies.
+- **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **SyncType** Describes the type of scan the event was
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **Online** Indicates if this was an online scan.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **MSIError** The last error that was encountered during a scan for updates.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **BranchReadinessLevel** The servicing branch configured on the device.
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **SearchFilter** Contains information indicating filters applied while checking for content applicable to the device. For example, to filter out all content which may require a reboot.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+
+
+### SoftwareUpdateClientTelemetry.Commit
+
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** State of call
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** UniqueDeviceID
+- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store.
+- **EventType** Possible values are "Child", "Bundle", or "Driver".
+- **UpdateId** Unique Update ID
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **RevisionNumber** Unique revision number of Update
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **FlightId** The specific id of the flight the device is getting
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
+- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **HostName** The hostname URL the content is downloading from.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
+- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **UpdateId** An identifier associated with the specific piece of content.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **FlightId** The specific id of the flight (pre-release build) the device is getting.
+- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **UsedDO** Whether the download used the delivery optimization service.
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **PackageFullName** The package name of the content.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **WUSetting** Indicates the users' current updating settings.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **PlatformRole** The PowerPlatformRole as defined on MSDN
+- **IsAOACDevice** Is it Always On, Always Connected?
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **Edition** Indicates the edition of Windows being used.
+- **DeviceOEM** What OEM does this device belong to.
+- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **DeviceModel** What is the device model.
+- **BiosName** The name of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **ClientVersion** The version number of the software distribution client.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
+- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
+- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** Mobile operator that device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **IsFirmware** Is this update a firmware update?
+- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
+- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **ExtendedErrorCode** The extended error code.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **TransactionCode** The ID which represents a given MSI installation
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **UpdateId** Unique update ID
+- **RevisionNumber** The revision number of this specific piece of content.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **PackageFullName** The package name of the content being installed.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
+- **CbsDownloadMethod** Was the download a full download or a partial download?
+- **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
+- **DeviceOEM** What OEM does this device belong to.
+- **DownloadPriority** The priority of the download activity.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **Edition** Indicates the edition of Windows being used.
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
+- **PlatformRole** The PowerPlatformRole as defined on MSDN.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
+- **WUSetting** Indicates the user's current updating settings.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **MergedUpdate** Was the OS update and a BSP update merged for installation?
+
+
+### SoftwareUpdateClientTelemetry.SLSDiscovery
+
+This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors.
+
+The following fields are available:
+
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **SusClientId** The unique device ID controlled by the software distribution client
+- **WUAVersion** The version number of the software distribution client
+- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **UrlPath** Path to the SLS cab that was downloaded
+- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult)
+- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background
+- **NextExpirationTime** Indicates when the SLS cab expires
+
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Windows Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+
+The following fields are available:
+
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **WUDeviceID** The unique device ID controlled by the software distribution client
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventInstanceID** A globally unique identifier for event instance
+- **DeviceModel** The device's model as defined in system bios
+- **BiosName** The name of the device's system bios
+- **BIOSVendor** The vendor of the device's system bios
+- **BiosVersion** The version of the device's system bios
+- **BiosReleaseDate** The release date of the device's system bios
+- **SystemBIOSMajorRelease** The major release version of the device's system system
+- **SystemBIOSMinorRelease** The minor release version of the device's system system
+- **BiosFamily** The device's family as defined in system bios
+- **BiosSKUNumber** The device's SKU as defined in system bios
+- **ClientVersion** The version number of the software distribution client
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided
+- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **StatusCode** Indicates the result code of the event (success, cancellation, failure code HResult)
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion
+- **SyncType** Describes the type of scan the event was
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+
+
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
+
+The following fields are available:
+
+- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **StatusCode** The status code of the event.
+- **ExtendedStatusCode** The secondary status code of the event.
+- **RevisionId** The revision ID for a specific piece of content.
+- **UpdateId** The update ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
+- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+
+
+## Update events
+
+### Update360Telemetry.UpdateAgent_DownloadRequest
+
+This event sends data during the download request phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current download request phase.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountOptional** Number of optional packages requested.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the download request phase of update.
+- **PackageSizeCanonical** Size of canonical packages in bytes
+- **PackageSizeDiff** Size of diff packages in bytes
+- **PackageSizeExpress** Size of express packages in bytes
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **RangeRequestState** Represents the state of the download range request.
+- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+
+
+### Update360Telemetry.UpdateAgent_Initialize
+
+This event sends data during the initialize phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current initialize phase.
+- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **UpdateId** Unique ID for each update.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt .
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+
+
+### Update360Telemetry.UpdateAgent_Install
+
+This event sends data during the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_ModeStart
+
+This event sends data for the start of each mode during the process of updating Windows.
+
+The following fields are available:
+
+- **Mode** Indicates that the Update Agent mode that has started.
1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** The correlation vector value generated from the latest scan.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+
+This event sends data during the launching of the setup box when updating Windows.
+
+The following fields are available:
+
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **ObjectId** Unique value for each Update Agent mode.
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **FlightId** Unique ID for each flight.
+- **UpdateId** Unique ID for each update.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **SandboxSize** The size of the sandbox folder on the device.
+
+
+## Upgrade events
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+- **TestId** A string that uniquely identifies a group of events.
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.OsUninstall
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreDownloadUX
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run.
Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT)
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **WuId** Windows Update client ID.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360.
Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **ReportId** Retrieves the report ID.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **ScenarioId** Retrieves the deployment scenario.
+- **FieldName** Retrieves the data point.
+- **Value** Retrieves the value associated with the corresponding FieldName.
+- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
+- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **TestId** A string to uniquely identify a group of events.
+- **State** The exit state of a Setup360 run.
Example: succeeded, failed, blocked, cancelled
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
+- **HostOSBuildNumber** The build number of the previous OS.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
+- **BugCheckParameter1** Uint64 parameter providing additional information.
+- **BootId** Uint32 identifying the boot number for this device.
+- **BugCheckParameter2** Uint64 parameter providing additional information.
+- **BugCheckParameter4** Uint64 parameter providing additional information.
+- **BugCheckParameter3** Uint64 parameter providing additional information.
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **DumpFileSize** Size of the dump file
+- **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+
+
+## Windows Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+
+This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+
+The following fields are available:
+
+- **PFN** The product family name of the product being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsUpdate** Flag indicating if this is an update.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **CategoryId** The Item Category ID.
+- **ProductId** The identity of the package or packages being installed.
+- **IsInteractive** Was this requested by a user?
+- **IsRemediation** Was this a remediation install?
+- **BundleId** The Item Bundle ID.
+- **IsMandatory** Was this a mandatory update?
+- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
+- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
+
+This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
+
+This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsInteractive** Was this requested by a user?
+- **AttemptNumber** Total number of installation attempts.
+- **BundleId** The identity of the Windows Insider build that is associated with this product.
+- **PreviousHResult** The previous HResult code.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **PFN** The name of all packages to be downloaded and installed.
+- **ProductId** The name of the package or packages requested for installation.
+- **IsUpdate** Is this a product update?
+- **IsRemediation** Is this repairing a previous installation?
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber** Total number of user attempts to install before it was canceled.
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+
+The following fields are available:
+
+- **IsBundle** Is this a bundle?
+- **ProductId** The Store Product ID of the product being installed.
+- **SkuId** Specific edition of the item being installed.
+- **CatalogId** The Store Product ID of the app being installed.
+- **PackageFamilyName** The name of the package being installed.
+- **HResult** HResult code of the action being performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFN** Product Family Name of the product being installed.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **ProductId** The Store Product ID for the product being installed.
+- **IsInteractive** Did the user initiate the installation?
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsRemediation** Is this repairing a previous installation?
+- **UpdateId** The update ID (if this is an update)
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **IsUpdate** Is this an update?
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **IsRestore** Is this happening after a device restore?
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **ParentBundledId** The product's parent bundle ID.
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFN** The Product Family Name of the app being download.
+- **IsRemediation** Is this repairing a previous installation?
+- **DownloadSize** The total size of the download.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **IsUpdate** Is this an update?
+- **HResult** The result code of the last action performed.
+- **IsInteractive** Is this initiated by the user?
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **ProductId** The Store Product ID for the product being installed.
+- **IsMandatory** Is this a mandatory installation?
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **IsRestore** Is this a restore of a previously acquired product?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID.
+- **ExtendedHResult** Any extended HResult error codes.
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **PFN** Product Family Name of the product being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **HResult** The result code of the last action performed.
+- **IsRemediation** Is this repairing a previous installation?
+- **IsInteractive** Is this an interactive installation?
+- **IsUpdate** Is this an update?
+- **IsMandatory** Is this a mandatory installation?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **ExtendedHResult** The extended HResult error code.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsRemediation** Is this repairing a previous installation?
+- **IsUpdate** Is this an update?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **ProductId** The Store Product ID for the product being installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsInteractive** Is this user requested?
+- **PFN** The name of the package or packages requested for install.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **IsInteractive** Is this user requested?
+- **PFN** The name of the package or packages requested for install.
+- **IsUpdate** Is this an update?
+- **CategoryId** The identity of the package or packages being installed.
+- **HResult** The result code of the last action performed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **ProductId** The Store Product ID for the product being installed.
+- **BundleId** The identity of the build associated with this product.
+- **IsRemediation** Is this repairing a previous installation?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+
+The following fields are available:
+
+- **ProductId** The product ID of the app that is being updated or installed.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **FailedRetry** Was the installation or update retry successful?
+- **HResult** The HResult code of the operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+
+The following fields are available:
+
+- **ProductId** The product ID of the app that is being updated or installed.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **BundleId** The identity of the build associated with this product.
+- **SkuId** Specific edition ID being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **IsRemediation** Is this repairing a previous installation?
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **ProductId** The Store Product ID for the product being installed.
+- **IsUpdate** Is this an update?
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsInteractive** Is this user requested?
+- **BundleId** The identity of the build associated with this product.
+- **PFN** The Product Full Name.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **PreviousHResult** The previous HResult error code.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **CategoryId** The identity of the package or packages being installed.
+- **PFN** The name of the package or packages requested for install.
+- **IsUpdate** Is this an update?
+- **PreviousInstallState** Previous state before the installation was paused.
+- **IsRemediation** Is this repairing a previous installation?
+- **IsInteractive** Is this user requested?
+- **ProductId** The Store Product ID for the product being installed.
+- **IsMandatory** Is this a mandatory update?
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **IsRestore** Is this restoring previously acquired content?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **IsBundle** Is this a bundle?
+- **WUContentId** The Windows Update content ID
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **IsUserRetry** Did the user initiate the retry?
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specfic edition of the app being updated.
+- **CatalogId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFamN** The name of the product that is requested for update.
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **fileID** The ID of the file being downloaded.
+- **sessionID** The ID of the file download session.
+- **scenarioID** The ID of the scenario.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **updateID** The ID of the update being downloaded.
+- **background** Is the download being done in the background?
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **clientTelId** A random number used for device sampling.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
+- **errorCode** The error code that was returned.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **sessionID** The ID of the download session.
+- **scenarioID** The ID of the scenario.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **updateID** The ID of the update being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **bytesFromCDN** The number of bytes received from a CDN source.
+- **fileID** The ID of the file being downloaded.
+- **background** Is the download a background download?
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **totalTime** How long did the download take (in seconds)?
+- **restrictedUpload** Is the upload restricted?
+- **clientTelId** A random number used for device sampling.
+- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
+- **downloadMode** The download mode used for this file download session.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **numPeers** The total number of peers used for this download.
+- **cdnConnectionCount** The total number of connections made to the CDN.
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
+- **cdnIp** The IP address of the source CDN.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
+- **totalTimeMs** Duration of the download (in seconds).
+- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **bytesRequested** The total number of bytes requested for download.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **updateID** The ID of the update being paused.
+- **errorCode** The error code that was returned.
+- **scenarioID** The ID of the scenario.
+- **background** Is the download a background download?
+- **sessionID** The ID of the download session.
+- **clientTelId** A random number used for device sampling.
+- **reasonCode** The reason for pausing the download.
+- **fileID** The ID of the file being paused.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn** Is the device connected to a Virtual Private Network?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **errorCode** The error code that was returned.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **peerID** The ID for this Delivery Optimization client.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **jobID** The ID of the Windows Update job.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being downloaded.
+- **scenarioID** The ID of the scenario.
+- **fileID** The ID of the file being downloaded.
+- **cdnUrl** The URL of the CDN.
+- **filePath** The path where the file will be written.
+- **groupID** ID for the group.
+- **background** Is the download a background download?
+- **downloadMode** The download mode used for this file download session.
+- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
+- **diceRoll** The dice roll value used in sampling events.
+- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
+- **isVpn** Is the device connected to a Virtual Private Network?
+- **usedMemoryStream** Did the download use memory streaming?
+- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
+- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
+- **clientTelId** A random number used for device sampling.
+- **costFlags** A set of flags representing network cost.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **errorCode** The error code that was returned.
+- **httpStatusCode** The HTTP status code returned by the CDN.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **sessionID** The ID of the download session.
+- **cdnUrl** The URL of the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **clientTelId** A random number used for device sampling.
+- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
+- **requestSize** The size of the range requested from the CDN.
+- **responseSize** The size of the range response received from the CDN.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.JobError
+
+This event represents a Windows Update job error. It allows for investigation of top errors.
+
+The following fields are available:
+
+- **jobID** The Windows Update job ID.
+- **fileID** The ID of the file being downloaded.
+- **errorCode** The error code returned.
+- **clientTelId** A random number used for device sampling.
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
+
+This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigrationEndtime** A system timestamp of when the DMF migration completed.
+- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session.
+- **WuClientid** The GUID of the Windows Update client responsible for triggering the DMF migration.
+- **MigrationDurationinmilliseconds** How long the DMF migration took (in milliseconds).
+- **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
+
+This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **UpdateIds** A collection of GUIDs identifying the upgrades that are running.
+- **MigrationStarttime** The timestamp representing the beginning of the DMF migration.
+- **MigrationOEMphases** The number of OEM-authored migrators scheduled to be ran by DMF for this upgrade.
+- **WuClientid** The GUID of the Windows Update client invoking DMF.
+- **MigrationMicrosoftphases** The number of Microsoft-authored migrators scheduled to be ran by DMF for this upgrade.
+- **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
+
+This event sends DMF migrator data to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigratorGuid** A GUID identifying the migrator that just completed.
+- **RunDurationInSeconds** The time it took for the migrator to complete.
+- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
+- **MigratorName** The name of the migrator that just completed.
+- **MigratorId** A GUID identifying the migrator that just completed.
+- **ErrorCode** The result (as an HRESULT) of the migrator that just completed.
+- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
+
+
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This events tracks when a device needs to restart after an update but did not.
+
+The following fields are available:
+
+- **wuDeviceid** The Windows Update device GUID.
+- **errorCode** The error code that was returned.
+
+
+### Microsoft.Windows.Update.Orchestrator.Detection
+
+This event sends launch data for a Windows Update scan to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **revisionNumber** Update revision number.
+- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **deferReason** Reason why the device could not check for updates.
+- **detectionBlockreason** Reason for detection not completing.
+- **interactive** Identifies if session is User Initiated.
+- **updateId** Update ID.
+- **detectionDeferreason** A log of deferral reasons for every update state.
+- **flightID** A unique update ID.
+- **updateScenarioType** The update session type.
+- **errorCode** The returned error code.
+
+
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **detectionDeferreason** Reason for download not completing
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **interactive** Identifies if session is user initiated.
+- **revisionNumber** Update revision number.
+- **deferReason** Reason for download not completing
+- **updateId** Update ID.
+- **eventScenario** End to end update session ID.
+- **errorCode** An error code represented as a hexadecimal value
+- **flightID** Unique update ID.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Unique Update ID
+- **revisionNumber** Revision Number of the Update
+- **UpdateStatus** Integer that describes Update state
+- **EventPublishedTime** time that the event was generated
+- **wuDeviceid** Unique Device ID
+- **flightID** Unique Update ID
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **revisionNumber** Revision number of the update.
+- **EventPublishedTime** Time of the event.
+- **updateId** Update ID.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID
+- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario** End to end update session ID.
+- **deferReason** Reason for install not completing.
+- **interactive** Identifies if session is user initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **updateId** Update ID.
+- **revisionNumber** Update revision number.
+- **flightID** Unique update ID
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **flightUpdate** Flight update
+- **minutesToCommit** The time it took to install updates.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.PostInstall
+
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+
+The following fields are available:
+
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **eventScenario** End to end update session ID.
+- **sessionType** Interactive vs. Background.
+- **bundleRevisionnumber** Bundle revision number.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **bundleId** Update grouping ID.
+- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **flightID** Unique update ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+
+The following fields are available:
+
+- **updateId** Update ID.
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **installRebootDeferreason** Reason for reboot not occurring.
+- **revisionNumber** Update revision number.
+- **EventPublishedTime** The time that the reboot failure occurred.
+- **deferReason** Reason for install not completing.
+- **wuDeviceid** Unique device ID used by Windows Update.
+- **flightID** Unique update ID.
+- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType** The update session type.
+ + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device id on which the reboot is restored +- **revisionNumber** Update revision number. +- **updateId** Update ID. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End to end update session ID. +- **wuDeviceid** Unique device ID used by Windows Update. +- **systemNeededReason** Reason ID +- **updateId** Update ID. +- **revisionNumber** Update revision number. +- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **updateScenarioType** The update session type. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **wuDeviceid** Unique device ID used by Windows Update. 
+- **policyCacherefreshtime** Refresh time +- **policiesNamevaluesource** Policy Name +- **updateInstalluxsetting** This shows whether a user has set policies via UX option +- **configuredPoliciescount** Policy Count + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **updateId** Update ID. +- **revisionNumber** Update revision number. +- **wuDeviceid** Unique device ID used by Windows Update. +- **flightID** Unique update ID. +- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **updateScenarioType** The update session type. + + +### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates + +This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date. + +The following fields are available: + +- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded +- **StatusCode** The HRESULT code of the operation. +- **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot +- **ClientVersion** The version of the client. +- **EventInstanceID** The USS session ID. +- **WUDeviceID** The Windows Update device ID. +- **ServiceGuid** The GUID of the service. +- **BspVersion** The version of the BSP. +- **OemName** The name of the manufacturer. +- **DeviceName** The name of the device. +- **CommercializationOperator** The name of the operator. +- **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL. 
+ + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date. + +The following fields are available: + +- **updateId** Update ID of the update that is getting installed with this reboot. +- **ScheduledRebootTime** Time of the scheduled reboot. +- **wuDeviceid** Unique device ID used by Windows Update. +- **revisionNumber** Revision number of the update that is getting installed with this reboot. +- **forcedreboot** True, if a reboot is forced on the device. False, otherwise. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootState** The state of the reboot. + + +### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot + +This event is sent when a toast notification is shown to the user about scheduling a device restart. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time when the toast notification was shown. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date. + +The following fields are available: + +- **ScheduledRebootTime** The time that the device was restarted. 
+- **updateId** The Windows Update device GUID. +- **revisionNumber** The revision number of the OS being updated. +- **wuDeviceid** The Windows Update device GUID. +- **forcedreboot** Is the restart that's being scheduled a forced restart? +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootState** The state of the restart. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + diff --git a/windows/configure/change-history-for-configure-windows-10.md b/windows/configure/change-history-for-configure-windows-10.md new file mode 100644 index 0000000000..7f36bcbec3 --- /dev/null +++ b/windows/configure/change-history-for-configure-windows-10.md 
@@ -0,0 +1,26 @@
+---
+title: Change history for Configure Windows 10 (Windows 10)
+description: This topic lists changes to documentation for configuring Windows 10.
+keywords:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Change history for Configure Windows 10
+
+This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). These topics were previously published in the [Deploy Windows 10](../deploy/index.md) or [Manage and update Windows 10](../manage/index.md) sections. The following new topics have been added:
+
+- [Use the Lockdown Designer app to create a Lockdown XML file](mobile-lockdown-designer.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Provision PCs with apps](provision-pcs-with-apps.md)
+- [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+- [Windows 10, version 1703 Diagnostic Data](windows-diagnostic-data.md)
\ No newline at end of file
diff --git a/windows/manage/changes-to-start-policies-in-windows-10.md b/windows/configure/changes-to-start-policies-in-windows-10.md
similarity index 91%
rename from windows/manage/changes-to-start-policies-in-windows-10.md
rename to windows/configure/changes-to-start-policies-in-windows-10.md
index 6cba8aeed7..f45dbd39c6 100644
--- a/windows/manage/changes-to-start-policies-in-windows-10.md
+++ b/windows/configure/changes-to-start-policies-in-windows-10.md
@@ -147,25 +147,14 @@ The Start policy settings listed below do not work on Windows 10. Most of them ## Related topics - -[Manage corporate devices](manage-corporate-devices.md) - -[New policies for Windows 10](new-policies-for-windows-10.md) - -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start screens with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start screens with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start screens with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -  - -  - +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) diff --git a/windows/manage/configure-devices-without-mdm.md b/windows/configure/configure-devices-without-mdm.md similarity index 100% rename from windows/manage/configure-devices-without-mdm.md rename to windows/configure/configure-devices-without-mdm.md 
diff --git a/windows/configure/configure-mobile.md b/windows/configure/configure-mobile.md
new file mode 100644
index 0000000000..db4bb93e0f
--- /dev/null
+++ b/windows/configure/configure-mobile.md
@@ -0,0 +1,28 @@ +--- +title: Configure Windows 10 Mobile devices +description: +keywords: Windows 10, MDM, WSUS, Windows update +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: jdeckerMS +--- + +# Configure Windows 10 Mobile devices + +Windows 10 Mobile enables administrators to define what users can see and do on a device, which you might think of as "configuring" or "customizing" or "device lockdown". Your device configuration can provide a standard Start screen with pre-installed apps, or restrict various settings and features, or even limit the device to run only a single app (kiosk). + +## In this section + +| Topic | Description | +| --- | --- | +| [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) | You can configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select. | +| [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md) | Use Windows Configuration Designer to create provisioning packages. Using provisioning packages, you can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. | +| [Use the Lockdown Designer app to configure Windows 10 Mobile devices](mobile-lockdown-designer.md) | The Lockdown Designer app provides a guided wizard-like process to generate a Lockdown XML file that you can apply to devices running Windows 10 Mobile. | +| [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) | Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. 
| +| [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) | On Windows 10 Mobile, you can use the XML-based layout to modify the Start screen and provide the most robust and complete Start customization experience. This reference topic describes the supported elements and attributes for the LayoutModification.xml file. | +| [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) | This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile. | +| [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) | You can use the product ID and Application User Model (AUMID) in Lockdown.xml to specify apps that will be available to the user. | + diff --git a/windows/manage/configure-windows-10-taskbar.md b/windows/configure/configure-windows-10-taskbar.md similarity index 91% rename from windows/manage/configure-windows-10-taskbar.md rename to windows/configure/configure-windows-10-taskbar.md index bd5e26f4ba..9ba2624f45 100644 --- a/windows/manage/configure-windows-10-taskbar.md +++ b/windows/configure/configure-windows-10-taskbar.md 
@@ -42,6 +42,8 @@ To configure the taskbar: >[!IMPORTANT] >If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user then unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration that allows users to make changes that will persist, apply your configuration by using Group Policy. +> +>If you use Group Policy and your configuration only contains a taskbar layout, the default Windows tile layout will be applied and cannot be changed by users. If you use Group Policy and your configuration includes taskbar and a full Start layout, users can only make changes to the taskbar. If you use Group Policy and your configuration includes taskbar and a [partial Start layout](https://technet.microsoft.com/itpro/windows/manage/customize-and-export-start-layout#configure-a-partial-start-layout), users can make changes to the taskbar and to tile groups not defined in the partial Start layout. ### Tips for finding AUMID and Desktop Application Link Path 
@@ -289,17 +291,13 @@ The resulting taskbar for computers in any other country region: ## Related topics -[Manage Windows 10 Start and taskbar layout ](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) 
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/configure/configure-windows-telemetry-in-your-organization.md
similarity index 98%
rename from windows/manage/configure-windows-telemetry-in-your-organization.md
rename to windows/configure/configure-windows-telemetry-in-your-organization.md
index a7f9bbef7e..d8710b1bb2 100644
--- a/windows/manage/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configure/configure-windows-telemetry-in-your-organization.md
@@ -98,17 +98,17 @@ Windows telemetry also helps Microsoft better understand how customers use (or d ### Insights into your own organization -Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Windows 10 Upgrade Analytics](../deploy/manage-windows-upgrades-with-upgrade-analytics.md). +Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md). -#### Windows 10 Upgrade Analytics +#### Upgrade Readiness Upgrading to new operating system versions has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. -To better help customers through this difficult process, Microsoft developed Upgrade Analytics to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. +To better help customers through this difficult process, Microsoft developed Upgrade Readiness to give enterprises the tools to plan and manage the upgrade process end to end and allowing them to adopt new Windows releases more quickly and on an ongoing basis. With Windows telemetry enabled, Microsoft collects computer, application, and driver compatibility-related information for analysis. We then identify compatibility issues that can block your upgrade and suggest fixes when they are known to Microsoft. 
-Use Upgrade Analytics to get: +Use Upgrade Readiness to get: - A visual workflow that guides you from pilot to production - Detailed computer, driver, and application inventory @@ -118,7 +118,7 @@ Use Upgrade Analytics to get: - Application usage information, allowing targeted validation; workflow to track validation progress and decisions - Data export to commonly used software deployment tools -The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. +The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. ## How is telemetry data handled by Microsoft? @@ -179,7 +179,7 @@ The levels are cumulative and are illustrated in the following diagram. Also, th ### Security level -The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windos IoT Core editions. +The Security level gathers only the telemetry info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions. > [!NOTE] > If your organization relies on Windows Update for updates, you shouldn’t use the **Security** level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates. 
@@ -216,6 +216,8 @@ No user content, such as user files or communications, is gathered at the **Secu The Basic level gathers a limited set of data that’s critical for understanding the device and its configuration. This level also includes the **Security** level data. This level helps to identify problems that can occur on a particular hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. The Connected User Experience and Telemetry component does not gather telemetry data about System Center, but it can transmit telemetry for other non-Windows applications if they have user consent. +The normal upload range for the Basic telemetry level is between 109 KB - 159 KB per day, per device. + The data gathered at this level includes: - **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include: 
@@ -256,12 +258,15 @@ The data gathered at this level includes: - **Windows Store**. Provides information about how the Windows Store performs, including app downloads, installations, and updates. It also includes Windows Store launches, page views, suspend and resumes, and obtaining licenses. + ### Enhanced level The Enhanced level gathers data about how Windows and apps are used and how they perform. This level also includes data from both the **Basic** and **Security** levels. This level helps to improve the user experience with the operating system and apps. Data from this level can be abstracted into patterns and trends that can help Microsoft determine future improvements. This is the default level for Windows 10 Enterprise and Windows 10 Education editions, and the minimum level needed to quickly identify and address Windows, Windows Server, and System Center quality issues. +The normal upload range for the Enhanced telemetry level is between 239 KB - 348 KB per day, per device. + The data gathered at this level includes: - **Operating system events**. Helps to gain insights into different areas of the operating system, including networking, Hyper-V, Cortana, storage, file system, and other components. diff --git a/windows/manage/cortana-at-work-crm.md b/windows/configure/cortana-at-work-crm.md similarity index 90% rename from windows/manage/cortana-at-work-crm.md rename to windows/configure/cortana-at-work-crm.md index 834bde8a92..4bfca8e08c 100644 --- a/windows/manage/cortana-at-work-crm.md +++ b/windows/configure/cortana-at-work-crm.md 
@@ -4,17 +4,15 @@ description: How to set up Cortana to help your salespeople get proactive insigh ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization **Applies to:** -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. diff --git a/windows/manage/cortana-at-work-feedback.md b/windows/configure/cortana-at-work-feedback.md similarity index 54% rename from windows/manage/cortana-at-work-feedback.md rename to windows/configure/cortana-at-work-feedback.md index ca24c22703..d27d30e1cf 100644 --- a/windows/manage/cortana-at-work-feedback.md +++ b/windows/configure/cortana-at-work-feedback.md 
@@ -4,21 +4,19 @@ description: How to send feedback to Microsoft about Cortana at work. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Send feedback about Cortana at work back to Microsoft **Applies to:** -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 We ask that you report bugs and issues. To provide feedback, you can click the **Feedback** icon in the Cortana window. When you send this form to Microsoft it also includes troubleshooting info, in case you run into problems. ![Cortana at work, showing how to provide feedback to Microsoft](images/cortana-feedback.png) -If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Preview feedback app. For info about the Insider Preview feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc). +If you don't want to use the feedback tool in Cortana, you can add feedback through the general Windows Insider Program feedback app. For info about the feedback app, see [How to use Windows Insider Preview – Updates and feedback](http://windows.microsoft.com/en-us/windows/preview-updates-feedback-pc). diff --git a/windows/manage/cortana-at-work-o365.md b/windows/configure/cortana-at-work-o365.md similarity index 90% rename from windows/manage/cortana-at-work-o365.md rename to windows/configure/cortana-at-work-o365.md index d58663dc00..be3a27e0f3 100644 --- a/windows/manage/cortana-at-work-o365.md +++ b/windows/configure/cortana-at-work-o365.md 
@@ -4,17 +4,15 @@ description: How to connect Cortana to Office 365 so your employees are notified ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Set up and test Cortana with Office 365 in your organization **Applies to:** -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 Cortana in Windows 10 is already great at letting your employees quickly see what the day is going to look like, do meeting prep work like researching people in LinkedIn or getting documents ready, see where and when their meetings are going to be, get a sense of travel times to and from work, and even get updates from a calendar for upcoming trips. @@ -57,7 +55,7 @@ Cortana can only access data in your Office 365 org when it’s turned on. If yo **To turn off Cortana with Office 365** 1. [Sign in to Office 365](http://www.office.com/signin) using your Azure AD account. -2. Go to the [Office 365 admin center](https://support.office.com/en-us/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). +2. Go to the [Office 365 admin center](https://support.office.com/article/Office-365-admin-center-58537702-d421-4d02-8141-e128e3703547). 3. Expand **Service Settings**, and select **Cortana**. diff --git a/windows/manage/cortana-at-work-overview.md b/windows/configure/cortana-at-work-overview.md similarity index 87% rename from windows/manage/cortana-at-work-overview.md rename to windows/configure/cortana-at-work-overview.md index 96064364c3..9202776ada 100644 --- a/windows/manage/cortana-at-work-overview.md +++ b/windows/configure/cortana-at-work-overview.md 
@@ -4,17 +4,15 @@ description: The world’s first personal digital assistant helps users get thin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Cortana integration in your business or enterprise **Applies to:** -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 ## Who is Cortana? Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. @@ -27,7 +25,7 @@ Using Azure AD also means that you can remove an employee’s profile (for examp ## Where is Cortana available for use in my organization? You can use Cortana at work in all countries/regions where Cortana is supported for consumers. This includes the United States, United Kingdom, Canada, France, Italy, Germany, Spain, China, Japan, India, and Australia. As Cortana comes to more countries, she will also become available to enterprise customers. -Cortana is available on Windows 10, Windows Insider Program and with limited functionality on Windows Phone 8.1, Windows Insider Program. +Cortana is available on Windows 10, version 1703 and with limited functionality on Windows 10 Mobile, version 1703. ## Required hardware and software Cortana requires the following hardware and software to successfully run the included scenario in your organization. @@ -41,7 +39,7 @@ Cortana requires the following hardware and software to successfully run the inc |Software |Minimum version | |---------|------------| -|Client operating system |
    • **Desktop:** Windows 10, Windows Insider Program
    • **Mobile:** Windows 8.1, Windows Insider Program (with limited functionality)
    • | +|Client operating system |
      • **Desktop:** Windows 10, version 1703
      • **Mobile:** Windows 10 Mobile, version 1703 (with limited functionality)
      • | |Azure Active Directory (Azure AD) |While all employees signing into Cortana need an Azure AD account; an Azure AD premium tenant isn’t required. | |Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana, but won't turn Cortana off.

        For example:

        If you turn **Location** off, Cortana won't be able to provide location-based reminders, such as reminding you to visit the mail room when you get to work.

        If you turn **Speech** off, your employees won't be able to use “Hello Cortana” for hands free usage or voice commands to easily ask for help. | |Windows Information Protection (WIP) (optional) |If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](../keep-secure/protect-enterprise-data-using-wip.md)

        If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft System Center Configuration Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution.| @@ -59,6 +57,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro - [Cortana and Windows](http://go.microsoft.com/fwlink/?LinkId=717384) -- [Known issues for Windows Desktop Search and Cortana in Windows 10](http://support.microsoft.com/kb/3206883/EN-US) +- [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) - [Cortana for developers](http://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/manage/cortana-at-work-policy-settings.md b/windows/configure/cortana-at-work-policy-settings.md similarity index 87% rename from windows/manage/cortana-at-work-policy-settings.md rename to windows/configure/cortana-at-work-policy-settings.md index 83f10f7d3e..06a4b3cf08 100644 --- a/windows/manage/cortana-at-work-policy-settings.md +++ b/windows/configure/cortana-at-work-policy-settings.md 
@@ -4,32 +4,30 @@ description: The list of Group Policy and mobile device management (MDM) policy ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization **Applies to:** -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10 +- Windows 10 Mobile >[!NOTE] >For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381). |Group policy |MDM policy |Description | |-------------|-----------|------------| -|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

        **NOTE**
        This setting only applies to Windows 10 for desktop devices. | +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock|AboveLock/AllowCortanaAboveLock|Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

        **Note**
        This setting only applies to Windows 10 for desktop devices. | |Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization|Privacy/AllowInputPersonalization|Specifies whether an employee can use voice commands with Cortana in your organization.

        **In Windows 10, version 1511**
        Cortana won’t work if this setting is turned off (disabled).

        **In Windows 10, version 1607 and later**
        Cortana still works if this setting is turned off (disabled).| |None|System/AllowLocation|Specifies whether to allow app access to the Location service.

        **In Windows 10, version 1511**
        Cortana won’t work if this setting is turned off (disabled).

        **In Windows 10, version 1607 and later**
        Cortana still works if this setting is turned off (disabled).| |None|Accounts/AllowMicrosoftAccountConnection|Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

        Use this setting if you only want to support Azure AD in your organization.| |Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location|Search/AllowSearchToUseLocation|Specifies whether Cortana can use your current location during searches and for location reminders.| -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

        **NOTE**
        This setting only applies to Windows 10 Mobile.| +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search|Search/SafeSearchPermissions|Specifies what level of safe search (filtering adult content) is required.

        **Note**
        This setting only applies to Windows 10 Mobile.| |User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box|None|Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.| |Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results|None|Specifies whether search can perform queries on the web and if the web results are displayed in search.

        **In Windows 10 Pro edition**
        This setting can’t be managed.

        **In Windows 10 Enterprise edition**
        Cortana won't work if this setting is turned off (disabled).| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.

        **IMPORTANT**
        Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.| +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana|Experience/AllowCortana|Specifies whether employees can use Cortana.

        **Important**
        Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off.| diff --git a/windows/manage/cortana-at-work-powerbi.md b/windows/configure/cortana-at-work-powerbi.md similarity index 91% rename from windows/manage/cortana-at-work-powerbi.md rename to windows/configure/cortana-at-work-powerbi.md index 98b90f572f..d5fce7c38e 100644 --- a/windows/manage/cortana-at-work-powerbi.md +++ b/windows/configure/cortana-at-work-powerbi.md 
@@ -4,27 +4,25 @@ description: How to integrate Cortana with Power BI to help your employees get a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Set up and test Cortana for Power BI in your organization **Applies to:** -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop. >[!Note] ->Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>Cortana for Power BI is currently only available in English. For more info about Cortana and Power BI, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). ## Before you begin To use this walkthrough, you’ll need: -- **Windows 10**. You’ll need to be running at least Windows 10 with the latest version from the Windows Insider Program. +- **Windows 10**. You’ll need to be running at least Windows 10, version 1703. - **Cortana**. You need to have Cortana turned on and be logged into your account. 
@@ -84,8 +82,8 @@ You must create special reports, known as _Answer Pages_, to display the most co After you’ve finished creating your Answer Page, you can continue to the included testing scenarios. - >[!NOTE] - >It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately. +>[!NOTE] +>It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately. **To create a custom sales data Answer Page for Cortana** 1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**. @@ -135,4 +133,4 @@ Now that you’ve set up your device, you can use Cortana to show your info from ![Cortana at work, showing your custom report from Power BI](images/cortana-powerbi-myreport.png) >[!NOTE] ->For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-cortana-desktop-entity-cards/). +>For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/). diff --git a/windows/manage/cortana-at-work-scenario-1.md b/windows/configure/cortana-at-work-scenario-1.md similarity index 87% rename from windows/manage/cortana-at-work-scenario-1.md rename to windows/configure/cortana-at-work-scenario-1.md index 4a9714a455..869f6285f7 100644 --- a/windows/manage/cortana-at-work-scenario-1.md 
+++ b/windows/configure/cortana-at-work-scenario-1.md @@ -4,16 +4,14 @@ description: A test scenario walking you through signing in and managing the not ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/manage/cortana-at-work-scenario-2.md b/windows/configure/cortana-at-work-scenario-2.md similarity index 80% rename from windows/manage/cortana-at-work-scenario-2.md rename to windows/configure/cortana-at-work-scenario-2.md index fb7b00d578..0ae41c64a4 100644 --- a/windows/manage/cortana-at-work-scenario-2.md +++ b/windows/configure/cortana-at-work-scenario-2.md 
@@ -4,16 +4,14 @@ description: A test scenario about how to perform a quick search with Cortana at ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Test scenario 2 - Perform a quick search with Cortana at work -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/manage/cortana-at-work-scenario-3.md b/windows/configure/cortana-at-work-scenario-3.md similarity index 92% rename from windows/manage/cortana-at-work-scenario-3.md rename to windows/configure/cortana-at-work-scenario-3.md index 89610c7093..2200f6b5f9 100644 --- a/windows/manage/cortana-at-work-scenario-3.md +++ b/windows/configure/cortana-at-work-scenario-3.md 
@@ -4,16 +4,14 @@ description: A test scenario about how to set a location-based reminder using Co ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Test scenario 3 - Set a reminder for a specific location using Cortana at work -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/manage/cortana-at-work-scenario-4.md b/windows/configure/cortana-at-work-scenario-4.md similarity index 85% rename from windows/manage/cortana-at-work-scenario-4.md rename to windows/configure/cortana-at-work-scenario-4.md index 56f1f6af66..736de5db9f 100644 --- a/windows/manage/cortana-at-work-scenario-4.md +++ b/windows/configure/cortana-at-work-scenario-4.md 
@@ -4,16 +4,14 @@ description: A test scenario about how to use Cortana at work to find your upcom ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Test scenario 4 - Use Cortana at work to find your upcoming meetings -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/manage/cortana-at-work-scenario-5.md b/windows/configure/cortana-at-work-scenario-5.md similarity index 86% rename from windows/manage/cortana-at-work-scenario-5.md rename to windows/configure/cortana-at-work-scenario-5.md index 8373a4f4c2..a662de7d04 100644 --- a/windows/manage/cortana-at-work-scenario-5.md +++ b/windows/configure/cortana-at-work-scenario-5.md 
@@ -4,16 +4,14 @@ description: A test scenario about how to use Cortana at work to send email to a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Test scenario 5 - Use Cortana to send email to a co-worker -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/configure/cortana-at-work-scenario-6.md b/windows/configure/cortana-at-work-scenario-6.md new file mode 100644 index 0000000000..8c7e307ed1 --- /dev/null +++ b/windows/configure/cortana-at-work-scenario-6.md 
@@ -0,0 +1,45 @@
+---
+title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email (Windows 10)
+description: A test scenario about how to use Cortana with the Suggested reminders feature.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: eross-msft
+localizationpriority: high
+---
+
+# Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
+
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/en-us/servicesagreement).
+
+Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, _I’ll get this to you by the end of the week_ in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it.
+
+>[!NOTE]
+>The Suggested reminders feature is currently only available in English (en-us).
+
+**To use Cortana to create Suggested reminders for you**
+
+1. Make sure that you've connected Cortana to Office 365. For the steps to connect, see [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md).
+
+2. Click on the **Cortana** search box in the taskbar, click the **Notebook** icon, and then click **Permissions**.
+
+3. Make sure the **Contacts, email, calendar, and communication history** option is turned on.
+
+ ![Permissions options for Cortana at work](images/cortana-communication-history-permissions.png)
+
+4. Click the **Notebook** icon again, click the **Suggested reminders** option, click to turn on the **All reminder suggestions cards** option, click the **Notify me when something I mentioned doing is coming up** box, and then click **Save**.
+
+ ![Suggested reminders options for Cortana at work](images/cortana-suggested-reminder-settings.png)
+
+5. Create and send an email to yourself (so you can see the Suggested reminder), including the text, _I’ll finish this project by end of day today_.
+
+6. After you get the email, click on the Cortana **Home** icon, and scroll to today’s events.
+
+ If the reminder has a specific date or time associated with it, like end of day, Cortana notifies you at the appropriate time and puts the reminder into the Action Center. Also from the Home screen, you can view the email where you made the promise, set aside time on your calendar, officially set the reminder, or mark the reminder as completed.
+
+ ![Cortana Home screen with your suggested reminder showing](images/cortana-suggested-reminder.png)
+
diff --git a/windows/manage/cortana-at-work-scenario-6.md b/windows/configure/cortana-at-work-scenario-7.md
similarity index 79%
rename from windows/manage/cortana-at-work-scenario-6.md
rename to windows/configure/cortana-at-work-scenario-7.md
index ac15463824..4c2451c969 100644
--- a/windows/manage/cortana-at-work-scenario-6.md
+++ b/windows/configure/cortana-at-work-scenario-7.md
@@ -1,19 +1,17 @@ --- -title: Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10) +title: Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device (Windows 10) description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP). ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- -# Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device +# Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 >[!IMPORTANT] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. diff --git a/windows/configure/cortana-at-work-testing-scenarios.md b/windows/configure/cortana-at-work-testing-scenarios.md new file mode 100644 index 0000000000..fa88b44c54 --- /dev/null +++ b/windows/configure/cortana-at-work-testing-scenarios.md 
@@ -0,0 +1,34 @@
+---
+title: Testing scenarios using Cortana in your business or organization (Windows 10)
+description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: eross-msft
+localizationpriority: high
+---
+
+# Testing scenarios using Cortana in your business or organization
+**Applies to:**
+
+- Windows 10, version 1703
+- Windows 10 Mobile, version 1703
+
+We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
+
+- [Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana](cortana-at-work-scenario-1.md)
+
+- [Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md)
+
+- [Set a reminder and have it remind you when you’ve reached a specific location](cortana-at-work-scenario-3.md)
+
+- [Search for your upcoming meetings on your work calendar](cortana-at-work-scenario-4.md)
+
+- [Send an email to a co-worker from your work email app](cortana-at-work-scenario-5.md)
+
+- [Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md)
+
+- [Use Windows Information Protection (WIP) to secure content on a device and then try to manage your organization’s entries in the notebook](cortana-at-work-scenario-7.md)
+
+>[!IMPORTANT]
+>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-voice-commands.md b/windows/configure/cortana-at-work-voice-commands.md similarity index 77% rename from windows/manage/cortana-at-work-voice-commands.md rename to windows/configure/cortana-at-work-voice-commands.md index 766a5914ad..7c4ea66ce4 100644 --- a/windows/manage/cortana-at-work-voice-commands.md +++ b/windows/configure/cortana-at-work-voice-commands.md 
@@ -4,22 +4,20 @@ description: How to create voice commands that use Cortana to perform voice-enab ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library +author: eross-msft localizationpriority: high --- # Set up and test custom voice commands in Cortana for your organization **Applies to:** -- Windows 10, Windows Insider Program -- Windows 10 Mobile, Windows Insider Program - ->[!IMPORTANT] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. >[!NOTE] ->For more info about how your developer can extend your current apps to work directly with Cortana, see [Cortana interactions in UWP apps](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/cortana-interactions). +>For more info about how your developer can extend your current apps to work directly with Cortana, see [The Cortana Skills Kit](https://docs.microsoft.com/cortana/getstarted). ## High-level process Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. 
@@ -30,13 +28,13 @@ To enable voice commands in Cortana Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a foreground app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Create and install a VCD file that starts a background app using voice commands and Cortana](https://msdn.microsoft.com/en-us/windows/uwp/input-and-devices/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana). 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. 
-## Test Scenario: Use voice commands in a Windows Store app +## Test scenario: Use voice commands in a Windows Store app While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. **To get a Windows Store app** diff --git a/windows/manage/customize-and-export-start-layout.md b/windows/configure/customize-and-export-start-layout.md similarity index 84% rename from windows/manage/customize-and-export-start-layout.md rename to windows/configure/customize-and-export-start-layout.md index 102272ce54..a7c154e348 100644 --- a/windows/manage/customize-and-export-start-layout.md +++ b/windows/configure/customize-and-export-start-layout.md @@ -36,7 +36,7 @@ You can deploy the resulting .xml file to devices using one of the following met - [Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -- [Windows Imaging and Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Windows Configuration Designer provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) 
@@ -47,7 +47,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a **To prepare a test computer** -1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Enterprise or Windows 10 Education). Install all apps and services that the Start layout should display. +1. Set up a test computer on which to customize the Start layout. Your test computer should have the operating system that is installed on the users’ computers (Windows 10 Pro, Enterprise, or Education). Install all apps and services that the Start layout should display. 2. Create a new user account that you will use to customize the Start layout. @@ -70,11 +70,15 @@ To prepare a Start layout for export, you simply customize the Start layout on a - **Create your own app groups**. Drag the apps to an empty area. To name a group, click above the group of tiles and then type the name in the **Name group** field that appears above the group. -## Export the Start layout + +## Export the Start layout When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet in Windows PowerShell to export the Start layout to an .xml file. +>[!IMPORTANT] +>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions. + **To export the Start layout to an .xml file** 1. From Start, open **Windows PowerShell**. 
@@ -147,19 +151,14 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed ## Related topics -[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)   
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md similarity index 83% rename from windows/manage/customize-windows-10-start-screens-by-using-group-policy.md rename to windows/configure/customize-windows-10-start-screens-by-using-group-policy.md index 47b68d045b..170d81d10d 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configure/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with Group Policy (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. +title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10) +description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 keywords: ["Start layout", "start menu", "layout", "group policy"] ms.prod: w10 
@@ -19,7 +19,7 @@ localizationpriority: high >**Looking for consumer information?** See [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Enterprise and Windows 10 Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Enterprise, and Education, you can use a Group Policy Object (GPO) to deploy a customized Start and taskbar layout to users in a domain. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. This topic describes how to update Group Policy settings to display a customized Start and taskbar layout when the users sign in. By creating a domain-based GPO with these settings, you can deploy a customized Start and taskbar layout to users in a domain. 
@@ -33,7 +33,7 @@ This topic describes how to update Group Policy settings to display a customized ## Operating system requirements -Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, Version 1607. Start and taskbar layout control is not supported in Windows 10 Pro. +Start and taskbar layout control using Group Policy is supported in Windows 10 Enterprise and Windows 10 Education, version 1607. Start and taskbar layout control is supported in Windows 10 Pro in Windows 10, version 1703. The GPO can be configured from any computer on which the necessary ADMX and ADML files (StartMenu.admx and StartMenu.adml) for Windows 10 are installed. In Group Policy, ADMX files are used to define Registry-based policy settings in the Administrative Templates category. To find out how to create a central store for Administrative Templates files, see [article 929841, written for Windows Vista and still applicable](https://go.microsoft.com/fwlink/p/?LinkId=691687) in the Microsoft Knowledge Base. 
@@ -119,14 +119,14 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c ## Related topics -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)     diff --git a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md similarity index 72% rename from windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md rename to windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md index 2ccace55f5..5bbbcc8808 100644 --- a/windows/manage/customize-windows-10-start-screens-by-using-mobile-device-management.md 
+++ b/windows/configure/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -1,6 +1,6 @@ --- -title: Customize Windows 10 Start with mobile device management (MDM) (Windows 10) -description: In Windows 10 Enterprise and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. +title: Customize Windows 10 Start and taskbar with mobile device management (MDM) (Windows 10) +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and tasbkar layout to users. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 keywords: ["start screen", "start menu"] ms.prod: w10 @@ -10,7 +10,7 @@ author: jdeckerMS localizationpriority: medium --- -# Customize Windows 10 Start with mobile device management (MDM) +# Customize Windows 10 Start and taskbar with mobile device management (MDM) **Applies to** 
@@ -18,18 +18,17 @@ localizationpriority: medium - Windows 10 - Windows 10 Mobile -**Looking for consumer information?** +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. -In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start layout to users. No reimaging is required, and the Start layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +>[!NOTE] +>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -> **Note:** Customized taskbar configuration cannot be applied using MDM at this time. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile. - -**Warning**   -When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. 
When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. +>[!WARNING]  +>When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups.   @@ -40,8 +39,8 @@ Two features enable Start layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >[!NOTE]   + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet.   
@@ -130,18 +129,14 @@ This example uses Microsoft Intune to configure an MDM policy that applies a cus ## Related topics -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Use Windows 10 custom policies to manage device settings with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=616316) - +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)     diff --git a/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md new file mode 100644 index 0000000000..07d5c016a8 --- /dev/null +++ b/windows/configure/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -0,0 +1,145 @@ +--- +title: Customize Windows 10 Start and tasbkar with provisioning packages (Windows 10) +description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. +ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC +keywords: ["Start layout", "start menu"] +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerMS +localizationpriority: medium +--- + +# Customize Windows 10 Start and taskbar with provisioning packages + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) + +In Windows 10 Mobile, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead. + +>[!IMPORTANT] +>If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy. + +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](mobile-lockdown-designer.md) for mobile. 
+ +## How Start layout control works + + +Three features enable Start and taskbar layout control: + +- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. + + >[!NOTE]   + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + +- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. + +- In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout. + + +## Prepare the Start layout XML file + +The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. + + +1. Copy the contents of layout.xml into an online tool that escapes characters. + +3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project. + +## Create a provisioning package that contains a customized Start layout + + +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) + +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. 
You should store the project files in a secure location and delete the project files when they are no longer needed. + +1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). + +2. Choose **Advanced provisioning**. + +3. Name your project, and click **Next**. + +4. Choose **All Windows desktop editions** and click **Next**. + +5. On **New project**, click **Finish**. The workspace for your package opens. + +6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**. + + >[!TIP] + >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. + +7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step. + +7. Save your project and close Windows Configuration Designer. + +7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*) + +7. Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this: + + ![Customizations file with the placeholder text to replace highlighted](images/customization-start.png) + +7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape). + +8. Save and close the customizations.xml file. + +8. Open Windows Configuration Designer and open your project. + +8. On the **File** menu, select **Save.** + +9. On the **Export** menu, select **Provisioning package**. + +10. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + +12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. + + Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. + + If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. + + If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. 
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Copy the provisioning package to the target device. + +17. Double-click the ppkg file and allow it to install. + +## Related topics + + +- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +- [Customize and export Start layout](customize-and-export-start-layout.md) +- [Add image for secondary tiles](start-secondary-tiles.md) +- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) + +  + +  + + + + + diff --git a/windows/manage/guidelines-for-assigned-access-app.md b/windows/configure/guidelines-for-assigned-access-app.md similarity index 89% rename from windows/manage/guidelines-for-assigned-access-app.md rename to windows/configure/guidelines-for-assigned-access-app.md index 0552f8af1a..30dd845161 100644 --- a/windows/manage/guidelines-for-assigned-access-app.md +++ b/windows/configure/guidelines-for-assigned-access-app.md 
@@ -20,7 +20,7 @@ localizationpriority: high You can use assigned access to restrict customers at your business to using only one Windows app so your device acts like a kiosk. Administrators can use assigned access to restrict a selected user account to access a single Windows app. You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. -The following guidelines may help you choose an appropriate Windows app for your assigned access experience in Windows 10, Version 1607. +The following guidelines may help you choose an appropriate Windows app for your assigned access experience. ## General guidelines @@ -82,19 +82,7 @@ The above guidelines may help you select or develop an appropriate Windows app f [Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508) -## Related topics -[Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) - -[Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) - -[Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) - -    diff --git a/windows/manage/how-it-pros-can-use-configuration-service-providers.md b/windows/configure/how-it-pros-can-use-configuration-service-providers.md similarity index 89% rename from windows/manage/how-it-pros-can-use-configuration-service-providers.md rename to windows/configure/how-it-pros-can-use-configuration-service-providers.md index 26ab03140f..4a4fc4883a 100644 --- a/windows/manage/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configure/how-it-pros-can-use-configuration-service-providers.md 
@@ -21,8 +21,8 @@ Configuration service providers (CSPs) expose device configuration settings in W The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fwlink/p/?LinkId=717390) because CSPs are used by mobile device management (MDM) service providers. This topic explains how IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 and Windows 10 Mobile in their organizations. -**Note**   -The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. +>[!NOTE]   +>The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.  [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) 
@@ -58,17 +58,17 @@ Generally, enterprises rely on Group Policy or MDM to configure and manage devic In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management, or you want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. -In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. +In addition, some of the topics in the [Windows 10 and Windows 10 Mobile](../index.md) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](cortana-at-work-overview.md) which links to the [Policy CSP](https://go.microsoft.com/fwlink/p/?LinkID=623244). In the CSP topics, you can learn about all of the available configuration settings. -### CSPs in Windows Imaging and Configuration Designer (ICD) +### CSPs in Windows Configuration Designer -You can use Windows Imaging and Configuration Designer (ICD) to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows ICD are based on CSPs. 
+You can use Windows Configuration Designer to create [provisioning packages](https://go.microsoft.com/fwlink/p/?LinkId=717466) to apply settings to devices during the out-of-box-experience (OOBE) and after devices are set up. You can use provisioning packages to configure a device's connectivity and enroll the device in MDM. Many of the runtime settings in Windows Configuration Designer are based on CSPs. -Many settings in Windows ICD will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. +Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image. ![how help content appears in icd](images/cspinicd.png) -[Configure devices without MDM](configure-devices-without-mdm.md) explains how to use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. +[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package. ### CSPs in MDM 
@@ -78,7 +78,7 @@ When a CSP is available but is not explicitly included in your MDM solution, you ### CSPs in Lockdown XML -Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). +Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](mobile-lockdown-designer.md) to configure your Lockdown XML. ## How do you use the CSP documentation? @@ -214,19 +214,6 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile E - [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723274) - [WindowsSecurityAuditing CSP](https://go.microsoft.com/fwlink/p/?LinkId=723415) -## Related topics - -[What's new in MDM enrollment and management in Windows 10, version 1607](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) - -[Lock down Windows 10](lock-down-windows-10.md) - -[Manage corporate devices](manage-corporate-devices.md) - -[New policies for Windows 10](new-policies-for-windows-10.md) - -[Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) - -[Changes to Group Policy settings for Start in Windows 10](changes-to-start-policies-in-windows-10.md)   diff --git a/windows/configure/images/ActionCenterXML.jpg b/windows/configure/images/ActionCenterXML.jpg new file mode 100644 index 0000000000..b9832b2708 Binary files /dev/null and b/windows/configure/images/ActionCenterXML.jpg differ 
diff --git a/windows/configure/images/AppsXML.jpg b/windows/configure/images/AppsXML.jpg new file mode 100644 index 0000000000..ecc1869bb5 Binary files /dev/null and b/windows/configure/images/AppsXML.jpg differ diff --git a/windows/configure/images/AppsXML.png b/windows/configure/images/AppsXML.png new file mode 100644 index 0000000000..3981543264 Binary files /dev/null and b/windows/configure/images/AppsXML.png differ diff --git a/windows/configure/images/ButtonsXML.jpg b/windows/configure/images/ButtonsXML.jpg new file mode 100644 index 0000000000..238eca7e68 Binary files /dev/null and b/windows/configure/images/ButtonsXML.jpg differ diff --git a/windows/configure/images/CSPRunnerXML.jpg b/windows/configure/images/CSPRunnerXML.jpg new file mode 100644 index 0000000000..071b316a9e Binary files /dev/null and b/windows/configure/images/CSPRunnerXML.jpg differ diff --git a/windows/configure/images/ICD.png b/windows/configure/images/ICD.png new file mode 100644 index 0000000000..9cfcb845df Binary files /dev/null and b/windows/configure/images/ICD.png differ diff --git a/windows/configure/images/ICDstart-option.PNG b/windows/configure/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/windows/configure/images/ICDstart-option.PNG differ diff --git a/windows/configure/images/ISE.PNG b/windows/configure/images/ISE.PNG new file mode 100644 index 0000000000..edf53101f4 Binary files /dev/null and b/windows/configure/images/ISE.PNG differ diff --git a/windows/configure/images/MenuItemsXML.png b/windows/configure/images/MenuItemsXML.png new file mode 100644 index 0000000000..cc681250bb Binary files /dev/null and b/windows/configure/images/MenuItemsXML.png differ diff --git a/windows/configure/images/PoC-big.png b/windows/configure/images/PoC-big.png new file mode 100644 index 0000000000..de73506071 Binary files /dev/null and b/windows/configure/images/PoC-big.png differ 
diff --git a/windows/configure/images/PoC.png b/windows/configure/images/PoC.png new file mode 100644 index 0000000000..6d7b7eb5af Binary files /dev/null and b/windows/configure/images/PoC.png differ diff --git a/windows/configure/images/SettingsXML.png b/windows/configure/images/SettingsXML.png new file mode 100644 index 0000000000..98a324bdea Binary files /dev/null and b/windows/configure/images/SettingsXML.png differ diff --git a/windows/configure/images/StartGrid.jpg b/windows/configure/images/StartGrid.jpg new file mode 100644 index 0000000000..36136f3201 Binary files /dev/null and b/windows/configure/images/StartGrid.jpg differ diff --git a/windows/configure/images/StartGridPinnedApps.jpg b/windows/configure/images/StartGridPinnedApps.jpg new file mode 100644 index 0000000000..fbade52f53 Binary files /dev/null and b/windows/configure/images/StartGridPinnedApps.jpg differ diff --git a/windows/configure/images/TilesXML.png b/windows/configure/images/TilesXML.png new file mode 100644 index 0000000000..cec52bbbf7 Binary files /dev/null and b/windows/configure/images/TilesXML.png differ diff --git a/windows/configure/images/aadj1.jpg b/windows/configure/images/aadj1.jpg new file mode 100644 index 0000000000..2348fc4c84 Binary files /dev/null and b/windows/configure/images/aadj1.jpg differ diff --git a/windows/configure/images/aadj2.jpg b/windows/configure/images/aadj2.jpg new file mode 100644 index 0000000000..39486bfc66 Binary files /dev/null and b/windows/configure/images/aadj2.jpg differ diff --git a/windows/configure/images/aadj3.jpg b/windows/configure/images/aadj3.jpg new file mode 100644 index 0000000000..80e1f5762f Binary files /dev/null and b/windows/configure/images/aadj3.jpg differ diff --git a/windows/configure/images/aadj4.jpg b/windows/configure/images/aadj4.jpg new file mode 100644 index 0000000000..0db2910012 Binary files /dev/null and b/windows/configure/images/aadj4.jpg differ 
diff --git a/windows/configure/images/aadjbrowser.jpg b/windows/configure/images/aadjbrowser.jpg new file mode 100644 index 0000000000..c8d909688e Binary files /dev/null and b/windows/configure/images/aadjbrowser.jpg differ diff --git a/windows/configure/images/aadjcal.jpg b/windows/configure/images/aadjcal.jpg new file mode 100644 index 0000000000..1858886f5f Binary files /dev/null and b/windows/configure/images/aadjcal.jpg differ diff --git a/windows/configure/images/aadjcalmail.jpg b/windows/configure/images/aadjcalmail.jpg new file mode 100644 index 0000000000..5a5661259a Binary files /dev/null and b/windows/configure/images/aadjcalmail.jpg differ diff --git a/windows/configure/images/aadjmail1.jpg b/windows/configure/images/aadjmail1.jpg new file mode 100644 index 0000000000..89b1fcc3b7 Binary files /dev/null and b/windows/configure/images/aadjmail1.jpg differ diff --git a/windows/configure/images/aadjmail2.jpg b/windows/configure/images/aadjmail2.jpg new file mode 100644 index 0000000000..0608010c6a Binary files /dev/null and b/windows/configure/images/aadjmail2.jpg differ diff --git a/windows/configure/images/aadjmail3.jpg b/windows/configure/images/aadjmail3.jpg new file mode 100644 index 0000000000..d7154a7e0e Binary files /dev/null and b/windows/configure/images/aadjmail3.jpg differ diff --git a/windows/configure/images/aadjonedrive.jpg b/windows/configure/images/aadjonedrive.jpg new file mode 100644 index 0000000000..6fb1196d5f Binary files /dev/null and b/windows/configure/images/aadjonedrive.jpg differ diff --git a/windows/configure/images/aadjonenote.jpg b/windows/configure/images/aadjonenote.jpg new file mode 100644 index 0000000000..4ccd207f9f Binary files /dev/null and b/windows/configure/images/aadjonenote.jpg differ diff --git a/windows/configure/images/aadjonenote2.jpg b/windows/configure/images/aadjonenote2.jpg new file mode 100644 index 0000000000..1b6941e638 Binary files /dev/null and b/windows/configure/images/aadjonenote2.jpg differ 
diff --git a/windows/configure/images/aadjonenote3.jpg b/windows/configure/images/aadjonenote3.jpg new file mode 100644 index 0000000000..3ac6911046 Binary files /dev/null and b/windows/configure/images/aadjonenote3.jpg differ diff --git a/windows/configure/images/aadjpin.jpg b/windows/configure/images/aadjpin.jpg new file mode 100644 index 0000000000..dac6cfec30 Binary files /dev/null and b/windows/configure/images/aadjpin.jpg differ diff --git a/windows/configure/images/aadjppt.jpg b/windows/configure/images/aadjppt.jpg new file mode 100644 index 0000000000..268d5fe662 Binary files /dev/null and b/windows/configure/images/aadjppt.jpg differ diff --git a/windows/configure/images/aadjverify.jpg b/windows/configure/images/aadjverify.jpg new file mode 100644 index 0000000000..7b30210f39 Binary files /dev/null and b/windows/configure/images/aadjverify.jpg differ diff --git a/windows/configure/images/aadjword.jpg b/windows/configure/images/aadjword.jpg new file mode 100644 index 0000000000..db2a58406e Binary files /dev/null and b/windows/configure/images/aadjword.jpg differ diff --git a/windows/configure/images/aadjwsfb.jpg b/windows/configure/images/aadjwsfb.jpg new file mode 100644 index 0000000000..428f1a26d4 Binary files /dev/null and b/windows/configure/images/aadjwsfb.jpg differ diff --git a/windows/configure/images/account-management-details.PNG b/windows/configure/images/account-management-details.PNG new file mode 100644 index 0000000000..e4307d8f7b Binary files /dev/null and b/windows/configure/images/account-management-details.PNG differ diff --git a/windows/configure/images/account-management.PNG b/windows/configure/images/account-management.PNG new file mode 100644 index 0000000000..34165dfcd6 Binary files /dev/null and b/windows/configure/images/account-management.PNG differ 
diff --git a/windows/configure/images/add-applications-details.PNG b/windows/configure/images/add-applications-details.PNG new file mode 100644 index 0000000000..2efd3483ae Binary files /dev/null and b/windows/configure/images/add-applications-details.PNG differ diff --git a/windows/configure/images/add-applications.PNG b/windows/configure/images/add-applications.PNG new file mode 100644 index 0000000000..2316deb2fd Binary files /dev/null and b/windows/configure/images/add-applications.PNG differ diff --git a/windows/configure/images/add-certificates-details.PNG b/windows/configure/images/add-certificates-details.PNG new file mode 100644 index 0000000000..78cd783282 Binary files /dev/null and b/windows/configure/images/add-certificates-details.PNG differ diff --git a/windows/configure/images/add-certificates.PNG b/windows/configure/images/add-certificates.PNG new file mode 100644 index 0000000000..24cb605d1c Binary files /dev/null and b/windows/configure/images/add-certificates.PNG differ diff --git a/windows/configure/images/adk-install.png b/windows/configure/images/adk-install.png new file mode 100644 index 0000000000..c087d3bae5 Binary files /dev/null and b/windows/configure/images/adk-install.png differ diff --git a/windows/configure/images/admin-tools-folder.png b/windows/configure/images/admin-tools-folder.png new file mode 100644 index 0000000000..4831204f73 Binary files /dev/null and b/windows/configure/images/admin-tools-folder.png differ diff --git a/windows/configure/images/admin-tools.png b/windows/configure/images/admin-tools.png new file mode 100644 index 0000000000..1470cffdd5 Binary files /dev/null and b/windows/configure/images/admin-tools.png differ diff --git a/windows/configure/images/allow-rdp.png b/windows/configure/images/allow-rdp.png new file mode 100644 index 0000000000..55c13b53bc Binary files /dev/null and b/windows/configure/images/allow-rdp.png differ 
diff --git a/windows/configure/images/app-v-in-adk.png b/windows/configure/images/app-v-in-adk.png new file mode 100644 index 0000000000..a36ef9f00f Binary files /dev/null and b/windows/configure/images/app-v-in-adk.png differ diff --git a/windows/configure/images/apprule.png b/windows/configure/images/apprule.png new file mode 100644 index 0000000000..ec5417849a Binary files /dev/null and b/windows/configure/images/apprule.png differ diff --git a/windows/configure/images/apps.png b/windows/configure/images/apps.png new file mode 100644 index 0000000000..5cb3b7ec8f Binary files /dev/null and b/windows/configure/images/apps.png differ diff --git a/windows/configure/images/appwarning.png b/windows/configure/images/appwarning.png new file mode 100644 index 0000000000..877d8afebd Binary files /dev/null and b/windows/configure/images/appwarning.png differ diff --git a/windows/configure/images/azureadjoined.png b/windows/configure/images/azureadjoined.png new file mode 100644 index 0000000000..e1babffb8d Binary files /dev/null and b/windows/configure/images/azureadjoined.png differ diff --git a/windows/configure/images/backicon.png b/windows/configure/images/backicon.png new file mode 100644 index 0000000000..3007e448b1 Binary files /dev/null and b/windows/configure/images/backicon.png differ diff --git a/windows/configure/images/bulk-enroll-mobile-details.PNG b/windows/configure/images/bulk-enroll-mobile-details.PNG new file mode 100644 index 0000000000..8329d39cfc Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile-details.PNG differ diff --git a/windows/configure/images/bulk-enroll-mobile.PNG b/windows/configure/images/bulk-enroll-mobile.PNG new file mode 100644 index 0000000000..812b57e8e0 Binary files /dev/null and b/windows/configure/images/bulk-enroll-mobile.PNG differ 
diff --git a/windows/configure/images/check_blu.png b/windows/configure/images/check_blu.png new file mode 100644 index 0000000000..d5c703760f Binary files /dev/null and b/windows/configure/images/check_blu.png differ diff --git a/windows/configure/images/check_grn.png b/windows/configure/images/check_grn.png new file mode 100644 index 0000000000..f9f04cd6bd Binary files /dev/null and b/windows/configure/images/check_grn.png differ diff --git a/windows/configure/images/checklistbox.gif b/windows/configure/images/checklistbox.gif new file mode 100644 index 0000000000..cbcf4a4f11 Binary files /dev/null and b/windows/configure/images/checklistbox.gif differ diff --git a/windows/configure/images/checklistdone.png b/windows/configure/images/checklistdone.png new file mode 100644 index 0000000000..7e53f74d0e Binary files /dev/null and b/windows/configure/images/checklistdone.png differ diff --git a/windows/configure/images/checkmark.png b/windows/configure/images/checkmark.png new file mode 100644 index 0000000000..f9f04cd6bd Binary files /dev/null and b/windows/configure/images/checkmark.png differ diff --git a/windows/configure/images/choose-package.png b/windows/configure/images/choose-package.png new file mode 100644 index 0000000000..2bf7a18648 Binary files /dev/null and b/windows/configure/images/choose-package.png differ diff --git a/windows/configure/images/config-policy.png b/windows/configure/images/config-policy.png new file mode 100644 index 0000000000..b9cba70af6 Binary files /dev/null and b/windows/configure/images/config-policy.png differ diff --git a/windows/configure/images/config-source.png b/windows/configure/images/config-source.png new file mode 100644 index 0000000000..58938bacf7 Binary files /dev/null and b/windows/configure/images/config-source.png differ 
diff --git a/windows/configure/images/configconflict.png b/windows/configure/images/configconflict.png new file mode 100644 index 0000000000..011a2d76e7 Binary files /dev/null and b/windows/configure/images/configconflict.png differ diff --git a/windows/configure/images/connect-aad.png b/windows/configure/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/windows/configure/images/connect-aad.png differ diff --git a/windows/configure/images/convert.png b/windows/configure/images/convert.png new file mode 100644 index 0000000000..224e763bc0 Binary files /dev/null and b/windows/configure/images/convert.png differ diff --git a/windows/configure/images/copy-to-change.png b/windows/configure/images/copy-to-change.png new file mode 100644 index 0000000000..21aa250c0c Binary files /dev/null and b/windows/configure/images/copy-to-change.png differ diff --git a/windows/configure/images/copy-to-path.png b/windows/configure/images/copy-to-path.png new file mode 100644 index 0000000000..1ef00fc86b Binary files /dev/null and b/windows/configure/images/copy-to-path.png differ diff --git a/windows/configure/images/copy-to.PNG b/windows/configure/images/copy-to.PNG new file mode 100644 index 0000000000..dad84cedc8 Binary files /dev/null and b/windows/configure/images/copy-to.PNG differ diff --git a/windows/configure/images/cortana-about-me.png b/windows/configure/images/cortana-about-me.png new file mode 100644 index 0000000000..32c1ccefab Binary files /dev/null and b/windows/configure/images/cortana-about-me.png differ diff --git a/windows/configure/images/cortana-add-reminder.png b/windows/configure/images/cortana-add-reminder.png new file mode 100644 index 0000000000..3f03528e11 Binary files /dev/null and b/windows/configure/images/cortana-add-reminder.png differ 
diff --git a/windows/configure/images/cortana-chicago-weather.png b/windows/configure/images/cortana-chicago-weather.png new file mode 100644 index 0000000000..9273bf201b Binary files /dev/null and b/windows/configure/images/cortana-chicago-weather.png differ diff --git a/windows/configure/images/cortana-communication-history-permissions.png b/windows/configure/images/cortana-communication-history-permissions.png new file mode 100644 index 0000000000..db182be13c Binary files /dev/null and b/windows/configure/images/cortana-communication-history-permissions.png differ diff --git a/windows/configure/images/cortana-complete-send-email-coworker-mic.png b/windows/configure/images/cortana-complete-send-email-coworker-mic.png new file mode 100644 index 0000000000..3238c8d31d Binary files /dev/null and b/windows/configure/images/cortana-complete-send-email-coworker-mic.png differ diff --git a/windows/configure/images/cortana-connect-crm.png b/windows/configure/images/cortana-connect-crm.png new file mode 100644 index 0000000000..c70c42f75e Binary files /dev/null and b/windows/configure/images/cortana-connect-crm.png differ diff --git a/windows/configure/images/cortana-connect-o365.png b/windows/configure/images/cortana-connect-o365.png new file mode 100644 index 0000000000..df1ffa449b Binary files /dev/null and b/windows/configure/images/cortana-connect-o365.png differ diff --git a/windows/configure/images/cortana-connect-uber.png b/windows/configure/images/cortana-connect-uber.png new file mode 100644 index 0000000000..724fecb5b5 Binary files /dev/null and b/windows/configure/images/cortana-connect-uber.png differ diff --git a/windows/configure/images/cortana-crm-screen.png b/windows/configure/images/cortana-crm-screen.png new file mode 100644 index 0000000000..ded5d80a59 Binary files /dev/null and b/windows/configure/images/cortana-crm-screen.png differ 
diff --git a/windows/configure/images/cortana-feedback.png b/windows/configure/images/cortana-feedback.png new file mode 100644 index 0000000000..6e14018c98 Binary files /dev/null and b/windows/configure/images/cortana-feedback.png differ diff --git a/windows/configure/images/cortana-final-reminder.png b/windows/configure/images/cortana-final-reminder.png new file mode 100644 index 0000000000..f114e058e5 Binary files /dev/null and b/windows/configure/images/cortana-final-reminder.png differ diff --git a/windows/configure/images/cortana-meeting-specific-time.png b/windows/configure/images/cortana-meeting-specific-time.png new file mode 100644 index 0000000000..a108355133 Binary files /dev/null and b/windows/configure/images/cortana-meeting-specific-time.png differ diff --git a/windows/configure/images/cortana-meeting-tomorrow.png b/windows/configure/images/cortana-meeting-tomorrow.png new file mode 100644 index 0000000000..13273b6600 Binary files /dev/null and b/windows/configure/images/cortana-meeting-tomorrow.png differ diff --git a/windows/configure/images/cortana-newyork-weather.png b/windows/configure/images/cortana-newyork-weather.png new file mode 100644 index 0000000000..b3879737be Binary files /dev/null and b/windows/configure/images/cortana-newyork-weather.png differ diff --git a/windows/configure/images/cortana-o365-screen.png b/windows/configure/images/cortana-o365-screen.png new file mode 100644 index 0000000000..ba06dd6de5 Binary files /dev/null and b/windows/configure/images/cortana-o365-screen.png differ diff --git a/windows/configure/images/cortana-place-reminder.png b/windows/configure/images/cortana-place-reminder.png new file mode 100644 index 0000000000..89ccdab3e3 Binary files /dev/null and b/windows/configure/images/cortana-place-reminder.png differ 
diff --git a/windows/configure/images/cortana-powerbi-create-report.png b/windows/configure/images/cortana-powerbi-create-report.png new file mode 100644 index 0000000000..a22789d72a Binary files /dev/null and b/windows/configure/images/cortana-powerbi-create-report.png differ diff --git a/windows/configure/images/cortana-powerbi-expand-nav.png b/windows/configure/images/cortana-powerbi-expand-nav.png new file mode 100644 index 0000000000..c8b47943f9 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-expand-nav.png differ diff --git a/windows/configure/images/cortana-powerbi-field-selection.png b/windows/configure/images/cortana-powerbi-field-selection.png new file mode 100644 index 0000000000..8aef58c23a Binary files /dev/null and b/windows/configure/images/cortana-powerbi-field-selection.png differ diff --git a/windows/configure/images/cortana-powerbi-getdata-samples.png b/windows/configure/images/cortana-powerbi-getdata-samples.png new file mode 100644 index 0000000000..3bfa4792df Binary files /dev/null and b/windows/configure/images/cortana-powerbi-getdata-samples.png differ diff --git a/windows/configure/images/cortana-powerbi-getdata.png b/windows/configure/images/cortana-powerbi-getdata.png new file mode 100644 index 0000000000..55b7b61589 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-getdata.png differ diff --git a/windows/configure/images/cortana-powerbi-myreport.png b/windows/configure/images/cortana-powerbi-myreport.png new file mode 100644 index 0000000000..cc04d9c6f0 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-myreport.png differ diff --git a/windows/configure/images/cortana-powerbi-pagesize.png b/windows/configure/images/cortana-powerbi-pagesize.png new file mode 100644 index 0000000000..fd1c1ef917 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-pagesize.png differ 
diff --git a/windows/configure/images/cortana-powerbi-report-qna.png b/windows/configure/images/cortana-powerbi-report-qna.png new file mode 100644 index 0000000000..d17949aa8a Binary files /dev/null and b/windows/configure/images/cortana-powerbi-report-qna.png differ diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png new file mode 100644 index 0000000000..5b94a2e2fc Binary files /dev/null and b/windows/configure/images/cortana-powerbi-retail-analysis-dashboard.png differ diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-dataset.png b/windows/configure/images/cortana-powerbi-retail-analysis-dataset.png new file mode 100644 index 0000000000..b2ffec3b70 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-retail-analysis-dataset.png differ diff --git a/windows/configure/images/cortana-powerbi-retail-analysis-sample.png b/windows/configure/images/cortana-powerbi-retail-analysis-sample.png new file mode 100644 index 0000000000..e3b61dcaa2 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-retail-analysis-sample.png differ diff --git a/windows/configure/images/cortana-powerbi-search.png b/windows/configure/images/cortana-powerbi-search.png new file mode 100644 index 0000000000..88a8b40296 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-search.png differ diff --git a/windows/configure/images/cortana-powerbi-settings.png b/windows/configure/images/cortana-powerbi-settings.png new file mode 100644 index 0000000000..0f51229895 Binary files /dev/null and b/windows/configure/images/cortana-powerbi-settings.png differ diff --git a/windows/configure/images/cortana-redmond-weather.png b/windows/configure/images/cortana-redmond-weather.png new file mode 100644 index 0000000000..7e8adc1929 Binary files /dev/null and b/windows/configure/images/cortana-redmond-weather.png differ 
diff --git a/windows/configure/images/cortana-reminder-edit.png b/windows/configure/images/cortana-reminder-edit.png new file mode 100644 index 0000000000..79cc280947 Binary files /dev/null and b/windows/configure/images/cortana-reminder-edit.png differ diff --git a/windows/configure/images/cortana-reminder-list.png b/windows/configure/images/cortana-reminder-list.png new file mode 100644 index 0000000000..1f57fc0f05 Binary files /dev/null and b/windows/configure/images/cortana-reminder-list.png differ diff --git a/windows/configure/images/cortana-reminder-mic.png b/windows/configure/images/cortana-reminder-mic.png new file mode 100644 index 0000000000..46a18e8e0b Binary files /dev/null and b/windows/configure/images/cortana-reminder-mic.png differ diff --git a/windows/configure/images/cortana-reminder-pending-mic.png b/windows/configure/images/cortana-reminder-pending-mic.png new file mode 100644 index 0000000000..159d408e0a Binary files /dev/null and b/windows/configure/images/cortana-reminder-pending-mic.png differ diff --git a/windows/configure/images/cortana-reminder-pending.png b/windows/configure/images/cortana-reminder-pending.png new file mode 100644 index 0000000000..a6b64b5621 Binary files /dev/null and b/windows/configure/images/cortana-reminder-pending.png differ diff --git a/windows/configure/images/cortana-send-email-coworker-mic.png b/windows/configure/images/cortana-send-email-coworker-mic.png new file mode 100644 index 0000000000..0cfa8fb731 Binary files /dev/null and b/windows/configure/images/cortana-send-email-coworker-mic.png differ diff --git a/windows/configure/images/cortana-send-email-coworker.png b/windows/configure/images/cortana-send-email-coworker.png new file mode 100644 index 0000000000..40ce18bdca Binary files /dev/null and b/windows/configure/images/cortana-send-email-coworker.png differ 
diff --git a/windows/configure/images/cortana-suggested-reminder-settings.png b/windows/configure/images/cortana-suggested-reminder-settings.png new file mode 100644 index 0000000000..176dbff483 Binary files /dev/null and b/windows/configure/images/cortana-suggested-reminder-settings.png differ diff --git a/windows/configure/images/cortana-suggested-reminder.png b/windows/configure/images/cortana-suggested-reminder.png new file mode 100644 index 0000000000..4184bd1b6c Binary files /dev/null and b/windows/configure/images/cortana-suggested-reminder.png differ diff --git a/windows/configure/images/cortana-weather-multipanel.png b/windows/configure/images/cortana-weather-multipanel.png new file mode 100644 index 0000000000..e8db031744 Binary files /dev/null and b/windows/configure/images/cortana-weather-multipanel.png differ diff --git a/windows/configure/images/crossmark.png b/windows/configure/images/crossmark.png new file mode 100644 index 0000000000..69432ff71c Binary files /dev/null and b/windows/configure/images/crossmark.png differ diff --git a/windows/configure/images/csp-placeholder.png b/windows/configure/images/csp-placeholder.png new file mode 100644 index 0000000000..fe6bcf4720 Binary files /dev/null and b/windows/configure/images/csp-placeholder.png differ diff --git a/windows/configure/images/cspinicd.png b/windows/configure/images/cspinicd.png new file mode 100644 index 0000000000..a60ad9e2bf Binary files /dev/null and b/windows/configure/images/cspinicd.png differ diff --git a/windows/configure/images/csptable.png b/windows/configure/images/csptable.png new file mode 100644 index 0000000000..ee210cad69 Binary files /dev/null and b/windows/configure/images/csptable.png differ diff --git a/windows/configure/images/customization-start-edge.PNG b/windows/configure/images/customization-start-edge.PNG new file mode 100644 index 0000000000..333833d8c0 Binary files /dev/null and b/windows/configure/images/customization-start-edge.PNG differ 
diff --git a/windows/configure/images/customization-start.PNG b/windows/configure/images/customization-start.PNG new file mode 100644 index 0000000000..4942338181 Binary files /dev/null and b/windows/configure/images/customization-start.PNG differ diff --git a/windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif b/windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif new file mode 100644 index 0000000000..c23cf5f98c Binary files /dev/null and b/windows/configure/images/dep-win8-l-usmt-migrationcomparemigstores.gif differ diff --git a/windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg b/windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg new file mode 100644 index 0000000000..79f874d895 Binary files /dev/null and b/windows/configure/images/dep-win8-l-usmt-pcrefresh.jpg differ diff --git a/windows/configure/images/dep-win8-l-usmt-pcreplace.jpg b/windows/configure/images/dep-win8-l-usmt-pcreplace.jpg new file mode 100644 index 0000000000..507f783aff Binary files /dev/null and b/windows/configure/images/dep-win8-l-usmt-pcreplace.jpg differ diff --git a/windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif b/windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif new file mode 100644 index 0000000000..3d745d4a77 Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-findingcomputerdialog.gif differ diff --git a/windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif b/windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif new file mode 100644 index 0000000000..21fc338e12 Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif differ 
diff --git a/windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg b/windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg new file mode 100644 index 0000000000..b7a1411562 Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-image001-enterprise.jpg differ diff --git a/windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg b/windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg new file mode 100644 index 0000000000..52203b7593 Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-makindependentactivationscenario.jpg differ diff --git a/windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg b/windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg new file mode 100644 index 0000000000..3a02a1f17e Binary files /dev/null and b/windows/configure/images/dep-win8-l-vamt-makproxyactivationscenario.jpg differ diff --git a/windows/configure/images/deploy-finish.PNG b/windows/configure/images/deploy-finish.PNG new file mode 100644 index 0000000000..4f0d5cb859 Binary files /dev/null and b/windows/configure/images/deploy-finish.PNG differ diff --git a/windows/configure/images/deploymentworkflow.png b/windows/configure/images/deploymentworkflow.png new file mode 100644 index 0000000000..b665a0bfea Binary files /dev/null and b/windows/configure/images/deploymentworkflow.png differ diff --git a/windows/configure/images/developer-setup.PNG b/windows/configure/images/developer-setup.PNG new file mode 100644 index 0000000000..8c93d5ed91 Binary files /dev/null and b/windows/configure/images/developer-setup.PNG differ diff --git a/windows/configure/images/disk2vhd-convert.PNG b/windows/configure/images/disk2vhd-convert.PNG new file mode 100644 index 0000000000..f0614a5ab1 Binary files /dev/null and b/windows/configure/images/disk2vhd-convert.PNG differ 
diff --git a/windows/configure/images/disk2vhd-gen2.PNG b/windows/configure/images/disk2vhd-gen2.PNG
new file mode 100644
index 0000000000..7f8d920f9d
Binary files /dev/null and b/windows/configure/images/disk2vhd-gen2.PNG differ
diff --git a/windows/configure/images/disk2vhd.PNG b/windows/configure/images/disk2vhd.PNG
new file mode 100644
index 0000000000..7b9835f5f6
Binary files /dev/null and b/windows/configure/images/disk2vhd.PNG differ
diff --git a/windows/configure/images/disk2vhd4.PNG b/windows/configure/images/disk2vhd4.PNG
new file mode 100644
index 0000000000..97f9448441
Binary files /dev/null and b/windows/configure/images/disk2vhd4.PNG differ
diff --git a/windows/configure/images/doneicon.png b/windows/configure/images/doneicon.png
new file mode 100644
index 0000000000..d80389f35b
Binary files /dev/null and b/windows/configure/images/doneicon.png differ
diff --git a/windows/configure/images/download_vhd.png b/windows/configure/images/download_vhd.png
new file mode 100644
index 0000000000..248a512040
Binary files /dev/null and b/windows/configure/images/download_vhd.png differ
diff --git a/windows/configure/images/e3-activated.png b/windows/configure/images/e3-activated.png
new file mode 100644
index 0000000000..7cca73443e
Binary files /dev/null and b/windows/configure/images/e3-activated.png differ
diff --git a/windows/configure/images/edge-with-logo.png b/windows/configure/images/edge-with-logo.png
new file mode 100644
index 0000000000..cc3504a678
Binary files /dev/null and b/windows/configure/images/edge-with-logo.png differ
diff --git a/windows/configure/images/edge-without-logo.png b/windows/configure/images/edge-without-logo.png
new file mode 100644
index 0000000000..52085a2d68
Binary files /dev/null and b/windows/configure/images/edge-without-logo.png differ
diff --git a/windows/configure/images/enterprise-e3-ad-connect.png b/windows/configure/images/enterprise-e3-ad-connect.png
new file mode 100644
index 0000000000..195058f6f6
Binary files /dev/null and b/windows/configure/images/enterprise-e3-ad-connect.png differ
diff --git a/windows/configure/images/enterprise-e3-choose-how.png b/windows/configure/images/enterprise-e3-choose-how.png
new file mode 100644
index 0000000000..8e84535bfd
Binary files /dev/null and b/windows/configure/images/enterprise-e3-choose-how.png differ
diff --git a/windows/configure/images/enterprise-e3-connect-to-work-or-school.png b/windows/configure/images/enterprise-e3-connect-to-work-or-school.png
new file mode 100644
index 0000000000..90e1b1131f
Binary files /dev/null and b/windows/configure/images/enterprise-e3-connect-to-work-or-school.png differ
diff --git a/windows/configure/images/enterprise-e3-lets-get-2.png b/windows/configure/images/enterprise-e3-lets-get-2.png
new file mode 100644
index 0000000000..ef523d4af8
Binary files /dev/null and b/windows/configure/images/enterprise-e3-lets-get-2.png differ
diff --git a/windows/configure/images/enterprise-e3-lets-get.png b/windows/configure/images/enterprise-e3-lets-get.png
new file mode 100644
index 0000000000..582da1ab2d
Binary files /dev/null and b/windows/configure/images/enterprise-e3-lets-get.png differ
diff --git a/windows/configure/images/enterprise-e3-set-up-work-or-school.png b/windows/configure/images/enterprise-e3-set-up-work-or-school.png
new file mode 100644
index 0000000000..72844d7622
Binary files /dev/null and b/windows/configure/images/enterprise-e3-set-up-work-or-school.png differ
diff --git a/windows/configure/images/enterprise-e3-sign-in.png b/windows/configure/images/enterprise-e3-sign-in.png
new file mode 100644
index 0000000000..3029d3ef2b
Binary files /dev/null and b/windows/configure/images/enterprise-e3-sign-in.png differ
diff --git a/windows/configure/images/enterprise-e3-who-owns.png b/windows/configure/images/enterprise-e3-who-owns.png
new file mode 100644
index 0000000000..c3008869d2
Binary files /dev/null and b/windows/configure/images/enterprise-e3-who-owns.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png
new file mode 100644
index 0000000000..eb888b23b5
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-active.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png
new file mode 100644
index 0000000000..e4ac7398be
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png
new file mode 100644
index 0000000000..5fedfe5d06
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png differ
diff --git a/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png
new file mode 100644
index 0000000000..84e39071db
Binary files /dev/null and b/windows/configure/images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png differ
diff --git a/windows/configure/images/export-mgt-desktop.png b/windows/configure/images/export-mgt-desktop.png
new file mode 100644
index 0000000000..13349c3b4e
Binary files /dev/null and b/windows/configure/images/export-mgt-desktop.png differ
diff --git a/windows/configure/images/export-mgt-mobile.png b/windows/configure/images/export-mgt-mobile.png
new file mode 100644
index 0000000000..6a74c23e59
Binary files /dev/null and b/windows/configure/images/export-mgt-mobile.png differ
diff --git a/windows/configure/images/express-settings.png b/windows/configure/images/express-settings.png
new file mode 100644
index 0000000000..99e9c4825a
Binary files /dev/null and b/windows/configure/images/express-settings.png differ
diff --git a/windows/configure/images/fig1-deferupgrades.png b/windows/configure/images/fig1-deferupgrades.png
new file mode 100644
index 0000000000..f8c52b943e
Binary files /dev/null and b/windows/configure/images/fig1-deferupgrades.png differ
diff --git a/windows/configure/images/fig10-contosoinstall.png b/windows/configure/images/fig10-contosoinstall.png
new file mode 100644
index 0000000000..ac4eaf2aa0
Binary files /dev/null and b/windows/configure/images/fig10-contosoinstall.png differ
diff --git a/windows/configure/images/fig10-unattend.png b/windows/configure/images/fig10-unattend.png
new file mode 100644
index 0000000000..a9d2bc16df
Binary files /dev/null and b/windows/configure/images/fig10-unattend.png differ
diff --git a/windows/configure/images/fig13-captureimage.png b/windows/configure/images/fig13-captureimage.png
new file mode 100644
index 0000000000..678a43ca73
Binary files /dev/null and b/windows/configure/images/fig13-captureimage.png differ
diff --git a/windows/configure/images/fig16-contentstatus.png b/windows/configure/images/fig16-contentstatus.png
new file mode 100644
index 0000000000..5ea8ba275a
Binary files /dev/null and b/windows/configure/images/fig16-contentstatus.png differ
diff --git a/windows/configure/images/fig17-win10image.png b/windows/configure/images/fig17-win10image.png
new file mode 100644
index 0000000000..d16eee554d
Binary files /dev/null and b/windows/configure/images/fig17-win10image.png differ
diff --git a/windows/configure/images/fig18-distwindows.png b/windows/configure/images/fig18-distwindows.png
new file mode 100644
index 0000000000..d8525ddd3e
Binary files /dev/null and b/windows/configure/images/fig18-distwindows.png differ
diff --git a/windows/configure/images/fig2-deploymenttimeline.png b/windows/configure/images/fig2-deploymenttimeline.png
new file mode 100644
index 0000000000..a8061d2f15
Binary files /dev/null and b/windows/configure/images/fig2-deploymenttimeline.png differ
diff --git a/windows/configure/images/fig2-gather.png b/windows/configure/images/fig2-gather.png
new file mode 100644
index 0000000000..01ffca2770
Binary files /dev/null and b/windows/configure/images/fig2-gather.png differ
diff --git a/windows/configure/images/fig2-importedos.png b/windows/configure/images/fig2-importedos.png
new file mode 100644
index 0000000000..ed72d2ef4d
Binary files /dev/null and b/windows/configure/images/fig2-importedos.png differ
diff --git a/windows/configure/images/fig2-taskseq.png b/windows/configure/images/fig2-taskseq.png
new file mode 100644
index 0000000000..1da70bd6e7
Binary files /dev/null and b/windows/configure/images/fig2-taskseq.png differ
diff --git a/windows/configure/images/fig21-add-drivers.png b/windows/configure/images/fig21-add-drivers.png
new file mode 100644
index 0000000000..f53fe672e2
Binary files /dev/null and b/windows/configure/images/fig21-add-drivers.png differ
diff --git a/windows/configure/images/fig22-createcategories.png b/windows/configure/images/fig22-createcategories.png
new file mode 100644
index 0000000000..8912ad974f
Binary files /dev/null and b/windows/configure/images/fig22-createcategories.png differ
diff --git a/windows/configure/images/fig27-driverpackage.png b/windows/configure/images/fig27-driverpackage.png
new file mode 100644
index 0000000000..c2f66669be
Binary files /dev/null and b/windows/configure/images/fig27-driverpackage.png differ
diff --git a/windows/configure/images/fig28-addapp.png b/windows/configure/images/fig28-addapp.png
new file mode 100644
index 0000000000..a7ba6b3709
Binary files /dev/null and b/windows/configure/images/fig28-addapp.png differ
diff --git a/windows/configure/images/fig3-overlaprelease.png b/windows/configure/images/fig3-overlaprelease.png
new file mode 100644
index 0000000000..58747a35cf
Binary files /dev/null and b/windows/configure/images/fig3-overlaprelease.png differ
diff --git a/windows/configure/images/fig30-settingspack.png b/windows/configure/images/fig30-settingspack.png
new file mode 100644
index 0000000000..3479184140
Binary files /dev/null and b/windows/configure/images/fig30-settingspack.png differ
diff --git a/windows/configure/images/fig32-deploywiz.png b/windows/configure/images/fig32-deploywiz.png
new file mode 100644
index 0000000000..a1387b19d8
Binary files /dev/null and b/windows/configure/images/fig32-deploywiz.png differ
diff --git a/windows/configure/images/fig4-oob-drivers.png b/windows/configure/images/fig4-oob-drivers.png
new file mode 100644
index 0000000000..b1f6924665
Binary files /dev/null and b/windows/configure/images/fig4-oob-drivers.png differ
diff --git a/windows/configure/images/fig5-selectprofile.png b/windows/configure/images/fig5-selectprofile.png
new file mode 100644
index 0000000000..452ab4f581
Binary files /dev/null and b/windows/configure/images/fig5-selectprofile.png differ
diff --git a/windows/configure/images/fig6-taskseq.png b/windows/configure/images/fig6-taskseq.png
new file mode 100644
index 0000000000..8696cc04c4
Binary files /dev/null and b/windows/configure/images/fig6-taskseq.png differ
diff --git a/windows/configure/images/fig8-cust-tasks.png b/windows/configure/images/fig8-cust-tasks.png
new file mode 100644
index 0000000000..378215ee2b
Binary files /dev/null and b/windows/configure/images/fig8-cust-tasks.png differ
diff --git a/windows/configure/images/fig8-suspend.png b/windows/configure/images/fig8-suspend.png
new file mode 100644
index 0000000000..8094f01274
Binary files /dev/null and b/windows/configure/images/fig8-suspend.png differ
diff --git a/windows/configure/images/fig9-resumetaskseq.png b/windows/configure/images/fig9-resumetaskseq.png
new file mode 100644
index 0000000000..0a83019f69
Binary files /dev/null and b/windows/configure/images/fig9-resumetaskseq.png differ
diff --git a/windows/configure/images/figure4-deployment-workbench.png b/windows/configure/images/figure4-deployment-workbench.png
new file mode 100644
index 0000000000..b5d0e7cc32
Binary files /dev/null and b/windows/configure/images/figure4-deployment-workbench.png differ
diff --git a/windows/configure/images/finish-details-mobile.PNG b/windows/configure/images/finish-details-mobile.PNG
new file mode 100644
index 0000000000..c25a6b4b2f
Binary files /dev/null and b/windows/configure/images/finish-details-mobile.PNG differ
diff --git a/windows/configure/images/finish-details.png b/windows/configure/images/finish-details.png
new file mode 100644
index 0000000000..727efac696
Binary files /dev/null and b/windows/configure/images/finish-details.png differ
diff --git a/windows/configure/images/finish-mobile.PNG b/windows/configure/images/finish-mobile.PNG
new file mode 100644
index 0000000000..336e24289e
Binary files /dev/null and b/windows/configure/images/finish-mobile.PNG differ
diff --git a/windows/configure/images/finish.PNG b/windows/configure/images/finish.PNG
new file mode 100644
index 0000000000..7c65da1799
Binary files /dev/null and b/windows/configure/images/finish.PNG differ
diff --git a/windows/configure/images/five.png b/windows/configure/images/five.png
new file mode 100644
index 0000000000..961f0e15b7
Binary files /dev/null and b/windows/configure/images/five.png differ
diff --git a/windows/configure/images/four.png b/windows/configure/images/four.png
new file mode 100644
index 0000000000..0fef213b37
Binary files /dev/null and b/windows/configure/images/four.png differ
diff --git a/windows/configure/images/funfacts.png b/windows/configure/images/funfacts.png
new file mode 100644
index 0000000000..71355ec370
Binary files /dev/null and b/windows/configure/images/funfacts.png differ
diff --git a/windows/configure/images/genrule.png b/windows/configure/images/genrule.png
new file mode 100644
index 0000000000..1d68f1ad0b
Binary files /dev/null and b/windows/configure/images/genrule.png differ
diff --git a/windows/configure/images/gp-branch.png b/windows/configure/images/gp-branch.png
new file mode 100644
index 0000000000..997bcc830a
Binary files /dev/null and b/windows/configure/images/gp-branch.png differ
diff --git a/windows/configure/images/gp-exclude-drivers.png b/windows/configure/images/gp-exclude-drivers.png
new file mode 100644
index 0000000000..0010749139
Binary files /dev/null and b/windows/configure/images/gp-exclude-drivers.png differ
diff --git a/windows/configure/images/gp-feature.png b/windows/configure/images/gp-feature.png
new file mode 100644
index 0000000000..b862d545d4
Binary files /dev/null and b/windows/configure/images/gp-feature.png differ
diff --git a/windows/configure/images/gp-quality.png b/windows/configure/images/gp-quality.png
new file mode 100644
index 0000000000..d7ff30172d
Binary files /dev/null and b/windows/configure/images/gp-quality.png differ
diff --git a/windows/configure/images/hyper-v-feature.png b/windows/configure/images/hyper-v-feature.png
new file mode 100644
index 0000000000..d7293d808e
Binary files /dev/null and b/windows/configure/images/hyper-v-feature.png differ
diff --git a/windows/configure/images/icd-adv-shared-pc.PNG b/windows/configure/images/icd-adv-shared-pc.PNG
new file mode 100644
index 0000000000..a8da5fa78a
Binary files /dev/null and b/windows/configure/images/icd-adv-shared-pc.PNG differ
diff --git a/windows/configure/images/icd-create-options-1703.PNG b/windows/configure/images/icd-create-options-1703.PNG
new file mode 100644
index 0000000000..007e740683
Binary files /dev/null and b/windows/configure/images/icd-create-options-1703.PNG differ
diff --git a/windows/configure/images/icd-create-options.PNG b/windows/configure/images/icd-create-options.PNG
new file mode 100644
index 0000000000..e61cdd8fc0
Binary files /dev/null and b/windows/configure/images/icd-create-options.PNG differ
diff --git a/windows/configure/images/icd-desktop-1703.PNG b/windows/configure/images/icd-desktop-1703.PNG
new file mode 100644
index 0000000000..7c060af4d0
Binary files /dev/null and b/windows/configure/images/icd-desktop-1703.PNG differ
diff --git a/windows/configure/images/icd-export-menu.png b/windows/configure/images/icd-export-menu.png
new file mode 100644
index 0000000000..20bd5258eb
Binary files /dev/null and b/windows/configure/images/icd-export-menu.png differ
diff --git a/windows/configure/images/icd-install.PNG b/windows/configure/images/icd-install.PNG
new file mode 100644
index 0000000000..a0c80683ff
Binary files /dev/null and b/windows/configure/images/icd-install.PNG differ
diff --git a/windows/configure/images/icd-multi-target-true.png b/windows/configure/images/icd-multi-target-true.png
new file mode 100644
index 0000000000..5fec405fd6
Binary files /dev/null and b/windows/configure/images/icd-multi-target-true.png differ
diff --git a/windows/configure/images/icd-multi-targetstate-true.png b/windows/configure/images/icd-multi-targetstate-true.png
new file mode 100644
index 0000000000..7733b9c400
Binary files /dev/null and b/windows/configure/images/icd-multi-targetstate-true.png differ
diff --git a/windows/configure/images/icd-runtime.PNG b/windows/configure/images/icd-runtime.PNG
new file mode 100644
index 0000000000..d63544e206
Binary files /dev/null and b/windows/configure/images/icd-runtime.PNG differ
diff --git a/windows/configure/images/icd-school.PNG b/windows/configure/images/icd-school.PNG
new file mode 100644
index 0000000000..e6a944a193
Binary files /dev/null and b/windows/configure/images/icd-school.PNG differ
diff --git a/windows/configure/images/icd-script1.png b/windows/configure/images/icd-script1.png
new file mode 100644
index 0000000000..6c17f70809
Binary files /dev/null and b/windows/configure/images/icd-script1.png differ
diff --git a/windows/configure/images/icd-script2.png b/windows/configure/images/icd-script2.png
new file mode 100644
index 0000000000..7da2ae7e59
Binary files /dev/null and b/windows/configure/images/icd-script2.png differ
diff --git a/windows/configure/images/icd-setting-help.PNG b/windows/configure/images/icd-setting-help.PNG
new file mode 100644
index 0000000000..3f6e5fefa5
Binary files /dev/null and b/windows/configure/images/icd-setting-help.PNG differ
diff --git a/windows/configure/images/icd-settings.PNG b/windows/configure/images/icd-settings.PNG
new file mode 100644
index 0000000000..8d3ebc3ff6
Binary files /dev/null and b/windows/configure/images/icd-settings.PNG differ
diff --git a/windows/configure/images/icd-simple-edit.png b/windows/configure/images/icd-simple-edit.png
new file mode 100644
index 0000000000..3608dc18f3
Binary files /dev/null and b/windows/configure/images/icd-simple-edit.png differ
diff --git a/windows/configure/images/icd-simple.PNG b/windows/configure/images/icd-simple.PNG
new file mode 100644
index 0000000000..7ae8a1728b
Binary files /dev/null and b/windows/configure/images/icd-simple.PNG differ
diff --git a/windows/configure/images/icd-step1.PNG b/windows/configure/images/icd-step1.PNG
new file mode 100644
index 0000000000..d2ad656d35
Binary files /dev/null and b/windows/configure/images/icd-step1.PNG differ
diff --git a/windows/configure/images/icd-step2.PNG b/windows/configure/images/icd-step2.PNG
new file mode 100644
index 0000000000..54e70d9193
Binary files /dev/null and b/windows/configure/images/icd-step2.PNG differ
diff --git a/windows/configure/images/icd-step3.PNG b/windows/configure/images/icd-step3.PNG
new file mode 100644
index 0000000000..ecac26f3d6
Binary files /dev/null and b/windows/configure/images/icd-step3.PNG differ
diff --git a/windows/configure/images/icd-step4.PNG b/windows/configure/images/icd-step4.PNG
new file mode 100644
index 0000000000..8fcfa2863b
Binary files /dev/null and b/windows/configure/images/icd-step4.PNG differ
diff --git a/windows/configure/images/icd-step5.PNG b/windows/configure/images/icd-step5.PNG
new file mode 100644
index 0000000000..9e96edd812
Binary files /dev/null and b/windows/configure/images/icd-step5.PNG differ
diff --git a/windows/configure/images/icd-switch.PNG b/windows/configure/images/icd-switch.PNG
new file mode 100644
index 0000000000..e46e48a648
Binary files /dev/null and b/windows/configure/images/icd-switch.PNG differ
diff --git a/windows/configure/images/icdbrowse.png b/windows/configure/images/icdbrowse.png
new file mode 100644
index 0000000000..53c91074c7
Binary files /dev/null and b/windows/configure/images/icdbrowse.png differ
diff --git a/windows/configure/images/identitychoices.png b/windows/configure/images/identitychoices.png
new file mode 100644
index 0000000000..9a69c04f20
Binary files /dev/null and b/windows/configure/images/identitychoices.png differ
diff --git a/windows/configure/images/image.PNG b/windows/configure/images/image.PNG
new file mode 100644
index 0000000000..0bbadcb68f
Binary files /dev/null and b/windows/configure/images/image.PNG differ
diff --git a/windows/configure/images/installing-drivers.png b/windows/configure/images/installing-drivers.png
new file mode 100644
index 0000000000..22d7808fad
Binary files /dev/null and b/windows/configure/images/installing-drivers.png differ
diff --git a/windows/configure/images/kiosk-account-details.PNG b/windows/configure/images/kiosk-account-details.PNG
new file mode 100644
index 0000000000..53c31880ea
Binary files /dev/null and b/windows/configure/images/kiosk-account-details.PNG differ
diff --git a/windows/configure/images/kiosk-account.PNG b/windows/configure/images/kiosk-account.PNG
new file mode 100644
index 0000000000..f78f9b9d56
Binary files /dev/null and b/windows/configure/images/kiosk-account.PNG differ
diff --git a/windows/configure/images/kiosk-common-details.PNG b/windows/configure/images/kiosk-common-details.PNG
new file mode 100644
index 0000000000..5eda9b293e
Binary files /dev/null and b/windows/configure/images/kiosk-common-details.PNG differ
diff --git a/windows/configure/images/kiosk-common.PNG b/windows/configure/images/kiosk-common.PNG
new file mode 100644
index 0000000000..f5873a53aa
Binary files /dev/null and b/windows/configure/images/kiosk-common.PNG differ
diff --git a/windows/configure/images/launchicon.png b/windows/configure/images/launchicon.png
new file mode 100644
index 0000000000..d469c68a2c
Binary files /dev/null and b/windows/configure/images/launchicon.png differ
diff --git a/windows/configure/images/ld-apps.PNG b/windows/configure/images/ld-apps.PNG
new file mode 100644
index 0000000000..ef65ff9a52
Binary files /dev/null and b/windows/configure/images/ld-apps.PNG differ
diff --git a/windows/configure/images/ld-buttons.PNG b/windows/configure/images/ld-buttons.PNG
new file mode 100644
index 0000000000..d89eff3b35
Binary files /dev/null and b/windows/configure/images/ld-buttons.PNG differ
diff --git a/windows/configure/images/ld-connect.PNG b/windows/configure/images/ld-connect.PNG
new file mode 100644
index 0000000000..15094b0e2b
Binary files /dev/null and b/windows/configure/images/ld-connect.PNG differ
diff --git a/windows/configure/images/ld-csp.PNG b/windows/configure/images/ld-csp.PNG
new file mode 100644
index 0000000000..6d7caa5163
Binary files /dev/null and b/windows/configure/images/ld-csp.PNG differ
diff --git a/windows/configure/images/ld-export.PNG b/windows/configure/images/ld-export.PNG
new file mode 100644
index 0000000000..970e5939bc
Binary files /dev/null and b/windows/configure/images/ld-export.PNG differ
diff --git a/windows/configure/images/ld-other.PNG b/windows/configure/images/ld-other.PNG
new file mode 100644
index 0000000000..c8b5f7518a
Binary files /dev/null and b/windows/configure/images/ld-other.PNG differ
diff --git a/windows/configure/images/ld-pair.PNG b/windows/configure/images/ld-pair.PNG
new file mode 100644
index 0000000000..0859810e73
Binary files /dev/null and b/windows/configure/images/ld-pair.PNG differ
diff --git a/windows/configure/images/ld-quick.PNG b/windows/configure/images/ld-quick.PNG
new file mode 100644
index 0000000000..63a6173103
Binary files /dev/null and b/windows/configure/images/ld-quick.PNG differ
diff --git a/windows/configure/images/ld-role.PNG b/windows/configure/images/ld-role.PNG
new file mode 100644
index 0000000000..b229af1a17
Binary files /dev/null and b/windows/configure/images/ld-role.PNG differ
diff --git a/windows/configure/images/ld-settings.PNG b/windows/configure/images/ld-settings.PNG
new file mode 100644
index 0000000000..eb6a37d925
Binary files /dev/null and b/windows/configure/images/ld-settings.PNG differ
diff --git a/windows/configure/images/ld-start.PNG b/windows/configure/images/ld-start.PNG
new file mode 100644
index 0000000000..4081f3e1e2
Binary files /dev/null and b/windows/configure/images/ld-start.PNG differ
diff --git a/windows/configure/images/ld-sync.PNG b/windows/configure/images/ld-sync.PNG
new file mode 100644
index 0000000000..3f54d910ac
Binary files /dev/null and b/windows/configure/images/ld-sync.PNG differ
diff --git a/windows/configure/images/ldstore.PNG b/windows/configure/images/ldstore.PNG
new file mode 100644
index 0000000000..63f0eedee7
Binary files /dev/null and b/windows/configure/images/ldstore.PNG differ
diff --git a/windows/configure/images/license-terms.png b/windows/configure/images/license-terms.png
new file mode 100644
index 0000000000..8dd34b0a18
Binary files /dev/null and b/windows/configure/images/license-terms.png differ
diff --git a/windows/configure/images/lily.jpg b/windows/configure/images/lily.jpg
new file mode 100644
index 0000000000..eb144d1f2b
Binary files /dev/null and b/windows/configure/images/lily.jpg differ
diff --git a/windows/configure/images/lockdownapps.png b/windows/configure/images/lockdownapps.png
new file mode 100644
index 0000000000..beb73e5370
Binary files /dev/null and b/windows/configure/images/lockdownapps.png differ
diff --git a/windows/configure/images/lockscreen.png b/windows/configure/images/lockscreen.png
new file mode 100644
index 0000000000..68c64e15ec
Binary files /dev/null and b/windows/configure/images/lockscreen.png differ
diff --git a/windows/configure/images/lockscreenpolicy.png b/windows/configure/images/lockscreenpolicy.png
new file mode 100644
index 0000000000..30b6a7ae9d
Binary files /dev/null and b/windows/configure/images/lockscreenpolicy.png differ
diff --git a/windows/configure/images/mdm-diag-report-powershell.PNG b/windows/configure/images/mdm-diag-report-powershell.PNG
new file mode 100644
index 0000000000..86f5b49211
Binary files /dev/null and b/windows/configure/images/mdm-diag-report-powershell.PNG differ
diff --git a/windows/configure/images/mdm.png b/windows/configure/images/mdm.png
new file mode 100644
index 0000000000..8ebcc00526
Binary files /dev/null and b/windows/configure/images/mdm.png differ
diff --git a/windows/configure/images/mdt-01-fig01.png b/windows/configure/images/mdt-01-fig01.png
new file mode 100644
index 0000000000..d7f8c4e452
Binary files /dev/null and b/windows/configure/images/mdt-01-fig01.png differ
diff --git a/windows/configure/images/mdt-01-fig02.jpg b/windows/configure/images/mdt-01-fig02.jpg
new file mode 100644
index 0000000000..1533bdd336
Binary files /dev/null and b/windows/configure/images/mdt-01-fig02.jpg differ
diff --git a/windows/configure/images/mdt-03-fig01.png b/windows/configure/images/mdt-03-fig01.png
new file mode 100644
index 0000000000..fc68fb0c25
Binary files /dev/null and b/windows/configure/images/mdt-03-fig01.png differ
diff --git a/windows/configure/images/mdt-03-fig02.png b/windows/configure/images/mdt-03-fig02.png
new file mode 100644
index 0000000000..d0fd979449
Binary files /dev/null and b/windows/configure/images/mdt-03-fig02.png differ
diff --git a/windows/configure/images/mdt-03-fig03.png b/windows/configure/images/mdt-03-fig03.png
new file mode 100644
index 0000000000..ba1de39aa0
Binary files /dev/null and b/windows/configure/images/mdt-03-fig03.png differ
diff --git a/windows/configure/images/mdt-03-fig04.png b/windows/configure/images/mdt-03-fig04.png
new file mode 100644
index 0000000000..26600a2036
Binary files /dev/null and b/windows/configure/images/mdt-03-fig04.png differ
diff --git a/windows/configure/images/mdt-03-fig05.png b/windows/configure/images/mdt-03-fig05.png
new file mode 100644
index 0000000000..9c44837022
Binary files /dev/null and b/windows/configure/images/mdt-03-fig05.png differ
diff --git a/windows/configure/images/mdt-04-fig01.png b/windows/configure/images/mdt-04-fig01.png
new file mode 100644
index 0000000000..8a90c1a934
Binary files /dev/null and b/windows/configure/images/mdt-04-fig01.png differ
diff --git a/windows/configure/images/mdt-05-fig01.png b/windows/configure/images/mdt-05-fig01.png
new file mode 100644
index 0000000000..490f1579d9
Binary files /dev/null and b/windows/configure/images/mdt-05-fig01.png differ
diff --git a/windows/configure/images/mdt-05-fig02.png b/windows/configure/images/mdt-05-fig02.png
new file mode 100644
index 0000000000..1223432581
Binary files /dev/null and b/windows/configure/images/mdt-05-fig02.png differ
diff --git a/windows/configure/images/mdt-05-fig03.png b/windows/configure/images/mdt-05-fig03.png
new file mode 100644
index 0000000000..a0ffbec429
Binary files /dev/null and b/windows/configure/images/mdt-05-fig03.png differ
diff --git a/windows/configure/images/mdt-05-fig04.png b/windows/configure/images/mdt-05-fig04.png
new file mode 100644
index 0000000000..778cbae1b7
Binary files /dev/null and b/windows/configure/images/mdt-05-fig04.png differ
diff --git a/windows/configure/images/mdt-05-fig05.png b/windows/configure/images/mdt-05-fig05.png
new file mode 100644
index 0000000000..e172a29754
Binary files /dev/null and b/windows/configure/images/mdt-05-fig05.png differ
diff --git a/windows/configure/images/mdt-05-fig07.png b/windows/configure/images/mdt-05-fig07.png
new file mode 100644
index 0000000000..135a2367c1
Binary files /dev/null and b/windows/configure/images/mdt-05-fig07.png differ
diff --git a/windows/configure/images/mdt-05-fig08.png b/windows/configure/images/mdt-05-fig08.png
new file mode 100644
index 0000000000..1f4534e89b
Binary files /dev/null and b/windows/configure/images/mdt-05-fig08.png differ
diff --git a/windows/configure/images/mdt-05-fig09.png b/windows/configure/images/mdt-05-fig09.png
new file mode 100644
index 0000000000..a3d0155096
Binary files /dev/null and b/windows/configure/images/mdt-05-fig09.png differ
diff --git a/windows/configure/images/mdt-05-fig10.png b/windows/configure/images/mdt-05-fig10.png
new file mode 100644
index 0000000000..576da23ea6
Binary files /dev/null and b/windows/configure/images/mdt-05-fig10.png differ
diff --git a/windows/configure/images/mdt-06-fig01.png b/windows/configure/images/mdt-06-fig01.png
new file mode 100644
index 0000000000..466cfda0f4
Binary files /dev/null and b/windows/configure/images/mdt-06-fig01.png differ
diff --git a/windows/configure/images/mdt-06-fig03.png b/windows/configure/images/mdt-06-fig03.png
new file mode 100644
index 0000000000..9d2786e46a
Binary files /dev/null and b/windows/configure/images/mdt-06-fig03.png differ
diff --git a/windows/configure/images/mdt-06-fig04.png b/windows/configure/images/mdt-06-fig04.png
new file mode 100644
index 0000000000..216e1f371b
Binary files /dev/null and b/windows/configure/images/mdt-06-fig04.png differ
diff --git a/windows/configure/images/mdt-06-fig05.png b/windows/configure/images/mdt-06-fig05.png
new file mode 100644
index 0000000000..3af74bb5ee
Binary files /dev/null and b/windows/configure/images/mdt-06-fig05.png differ
diff --git a/windows/configure/images/mdt-06-fig06.png b/windows/configure/images/mdt-06-fig06.png
new file mode 100644
index 0000000000..324c8960c1
Binary files /dev/null and b/windows/configure/images/mdt-06-fig06.png differ
diff --git a/windows/configure/images/mdt-06-fig07.png b/windows/configure/images/mdt-06-fig07.png
new file mode 100644
index 0000000000..399fac75f6
Binary files /dev/null and b/windows/configure/images/mdt-06-fig07.png differ
diff --git a/windows/configure/images/mdt-06-fig08.png b/windows/configure/images/mdt-06-fig08.png
new file mode 100644
index 0000000000..33cb90327a
Binary files /dev/null and b/windows/configure/images/mdt-06-fig08.png differ
diff --git a/windows/configure/images/mdt-06-fig10.png b/windows/configure/images/mdt-06-fig10.png
new file mode 100644
index 0000000000..1d92505b96
Binary files /dev/null and b/windows/configure/images/mdt-06-fig10.png differ
diff --git a/windows/configure/images/mdt-06-fig12.png b/windows/configure/images/mdt-06-fig12.png
new file mode 100644
index 0000000000..f33eca6174
Binary files /dev/null and b/windows/configure/images/mdt-06-fig12.png differ
diff --git a/windows/configure/images/mdt-06-fig13.png b/windows/configure/images/mdt-06-fig13.png
new file mode 100644
index 0000000000..ab578f69fe
Binary files /dev/null and b/windows/configure/images/mdt-06-fig13.png differ
diff --git a/windows/configure/images/mdt-06-fig14.png b/windows/configure/images/mdt-06-fig14.png
new file mode 100644
index 0000000000..13158231fd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig14.png differ
diff --git a/windows/configure/images/mdt-06-fig15.png b/windows/configure/images/mdt-06-fig15.png
new file mode 100644
index 0000000000..2f1a0eba18
Binary files /dev/null and b/windows/configure/images/mdt-06-fig15.png differ
diff --git a/windows/configure/images/mdt-06-fig16.png b/windows/configure/images/mdt-06-fig16.png
new file mode 100644
index 0000000000..40cb46adbd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig16.png differ
diff --git a/windows/configure/images/mdt-06-fig20.png b/windows/configure/images/mdt-06-fig20.png
new file mode 100644
index 0000000000..475fad7597
Binary files /dev/null and b/windows/configure/images/mdt-06-fig20.png differ
diff --git a/windows/configure/images/mdt-06-fig21.png b/windows/configure/images/mdt-06-fig21.png
new file mode 100644
index 0000000000..7cbd1d20bc
Binary files /dev/null and b/windows/configure/images/mdt-06-fig21.png differ
diff --git a/windows/configure/images/mdt-06-fig26.png b/windows/configure/images/mdt-06-fig26.png
new file mode 100644
index 0000000000..fc56839b14
Binary files /dev/null and b/windows/configure/images/mdt-06-fig26.png differ
diff --git a/windows/configure/images/mdt-06-fig31.png b/windows/configure/images/mdt-06-fig31.png
new file mode 100644
index 0000000000..5e98d623b1
Binary files /dev/null and b/windows/configure/images/mdt-06-fig31.png differ
diff --git a/windows/configure/images/mdt-06-fig33.png b/windows/configure/images/mdt-06-fig33.png
new file mode 100644
index 0000000000..18ae4c82dd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig33.png differ
diff --git a/windows/configure/images/mdt-06-fig35.png b/windows/configure/images/mdt-06-fig35.png
new file mode 100644
index 0000000000..a68750925d
Binary files /dev/null and b/windows/configure/images/mdt-06-fig35.png differ
diff --git a/windows/configure/images/mdt-06-fig36.png b/windows/configure/images/mdt-06-fig36.png
new file mode 100644
index 0000000000..a8350244bd
Binary files /dev/null and b/windows/configure/images/mdt-06-fig36.png differ
diff --git a/windows/configure/images/mdt-06-fig37.png b/windows/configure/images/mdt-06-fig37.png
new file mode 100644
index 0000000000..5a89f2f431
Binary files /dev/null and b/windows/configure/images/mdt-06-fig37.png differ
diff --git a/windows/configure/images/mdt-06-fig39.png b/windows/configure/images/mdt-06-fig39.png
new file mode 100644
index 0000000000..650aec9a30
Binary files /dev/null and b/windows/configure/images/mdt-06-fig39.png differ
diff --git a/windows/configure/images/mdt-06-fig42.png b/windows/configure/images/mdt-06-fig42.png
new file mode 100644
index 0000000000..12b0e6817a
Binary files /dev/null and b/windows/configure/images/mdt-06-fig42.png differ
diff --git a/windows/configure/images/mdt-06-fig43.png b/windows/configure/images/mdt-06-fig43.png
new file mode 100644
index 0000000000..015edd21e3
Binary files /dev/null and b/windows/configure/images/mdt-06-fig43.png differ
diff --git a/windows/configure/images/mdt-07-fig01.png b/windows/configure/images/mdt-07-fig01.png
new file mode 100644
index 0000000000..b2ccfec334
Binary files /dev/null and b/windows/configure/images/mdt-07-fig01.png differ
diff --git a/windows/configure/images/mdt-07-fig03.png b/windows/configure/images/mdt-07-fig03.png
new file mode 100644
index 0000000000..c178d6a15d
Binary files /dev/null and b/windows/configure/images/mdt-07-fig03.png differ
diff --git a/windows/configure/images/mdt-07-fig08.png b/windows/configure/images/mdt-07-fig08.png
new file mode 100644
index 0000000000..66e2969916
Binary files /dev/null and b/windows/configure/images/mdt-07-fig08.png differ
diff --git a/windows/configure/images/mdt-07-fig09.png b/windows/configure/images/mdt-07-fig09.png
new file mode 100644
index 0000000000..ce320427ee
Binary files /dev/null and b/windows/configure/images/mdt-07-fig09.png differ
diff --git a/windows/configure/images/mdt-07-fig10.png b/windows/configure/images/mdt-07-fig10.png
new file mode 100644
index 0000000000..7aff3c2d76
Binary files /dev/null and b/windows/configure/images/mdt-07-fig10.png differ
diff --git a/windows/configure/images/mdt-07-fig11.png b/windows/configure/images/mdt-07-fig11.png
new file mode 100644
index 0000000000..905f8bd572
Binary files /dev/null and b/windows/configure/images/mdt-07-fig11.png differ
diff --git a/windows/configure/images/mdt-07-fig13.png b/windows/configure/images/mdt-07-fig13.png
new file mode 100644
index 0000000000..849949a2f2
Binary files /dev/null and b/windows/configure/images/mdt-07-fig13.png differ
diff --git a/windows/configure/images/mdt-07-fig14.png b/windows/configure/images/mdt-07-fig14.png
new file mode 100644
index 0000000000..cfe7843eeb
Binary files /dev/null and b/windows/configure/images/mdt-07-fig14.png differ
diff --git a/windows/configure/images/mdt-07-fig15.png b/windows/configure/images/mdt-07-fig15.png
new file mode 100644
index 0000000000..5271690c89
Binary files /dev/null and b/windows/configure/images/mdt-07-fig15.png differ
diff --git a/windows/configure/images/mdt-07-fig16.png b/windows/configure/images/mdt-07-fig16.png
new file mode 100644
index 0000000000..80e0925a40
Binary files /dev/null and b/windows/configure/images/mdt-07-fig16.png differ
diff --git a/windows/configure/images/mdt-08-fig01.png b/windows/configure/images/mdt-08-fig01.png
new file mode 100644
index 0000000000..7f795c42d4
Binary files /dev/null and b/windows/configure/images/mdt-08-fig01.png differ
diff --git a/windows/configure/images/mdt-08-fig02.png b/windows/configure/images/mdt-08-fig02.png
new file mode 100644
index 0000000000..50c97d8d0c
Binary files /dev/null and b/windows/configure/images/mdt-08-fig02.png differ
diff --git a/windows/configure/images/mdt-08-fig03.png b/windows/configure/images/mdt-08-fig03.png
new file mode 100644
index 0000000000..e80b242192
Binary files /dev/null and b/windows/configure/images/mdt-08-fig03.png differ
diff --git a/windows/configure/images/mdt-08-fig05.png b/windows/configure/images/mdt-08-fig05.png
new file mode 100644
index 0000000000..62ae133bb8
Binary files /dev/null and b/windows/configure/images/mdt-08-fig05.png differ
diff --git a/windows/configure/images/mdt-08-fig06.png b/windows/configure/images/mdt-08-fig06.png
new file mode 100644
index 0000000000..97d83a20fb
Binary files /dev/null and b/windows/configure/images/mdt-08-fig06.png differ
diff --git a/windows/configure/images/mdt-08-fig14.png b/windows/configure/images/mdt-08-fig14.png
new file mode 100644
index 0000000000..21b358d1f8
Binary files /dev/null and b/windows/configure/images/mdt-08-fig14.png differ
diff --git a/windows/configure/images/mdt-08-fig15.png b/windows/configure/images/mdt-08-fig15.png
new file mode 100644
index 0000000000..2a8bc4252e
Binary files /dev/null and b/windows/configure/images/mdt-08-fig15.png differ
diff --git a/windows/configure/images/mdt-09-fig01.png b/windows/configure/images/mdt-09-fig01.png
new file mode 100644
index 0000000000..0549174435
Binary files /dev/null and b/windows/configure/images/mdt-09-fig01.png differ
diff --git a/windows/configure/images/mdt-09-fig02.png b/windows/configure/images/mdt-09-fig02.png
new file mode 100644
index 0000000000..dd69922d80
Binary files /dev/null and b/windows/configure/images/mdt-09-fig02.png differ
diff --git a/windows/configure/images/mdt-09-fig03.png b/windows/configure/images/mdt-09-fig03.png
new file mode 100644
index 0000000000..56102b2031
Binary files /dev/null and b/windows/configure/images/mdt-09-fig03.png differ
diff --git a/windows/configure/images/mdt-09-fig04.png b/windows/configure/images/mdt-09-fig04.png
new file mode 100644
index 0000000000..f123d85af5
Binary files /dev/null and b/windows/configure/images/mdt-09-fig04.png differ
diff --git a/windows/configure/images/mdt-09-fig06.png b/windows/configure/images/mdt-09-fig06.png
new file mode 100644
index 0000000000..49042d95f3
Binary files /dev/null and b/windows/configure/images/mdt-09-fig06.png differ
diff --git a/windows/configure/images/mdt-09-fig07.png b/windows/configure/images/mdt-09-fig07.png
new file mode 100644
index 0000000000..431f212f80
Binary files /dev/null and b/windows/configure/images/mdt-09-fig07.png differ
diff --git a/windows/configure/images/mdt-09-fig08.png b/windows/configure/images/mdt-09-fig08.png
new file mode 100644
index 0000000000..c73ef398e4
Binary files /dev/null and b/windows/configure/images/mdt-09-fig08.png differ
diff --git a/windows/configure/images/mdt-09-fig09.png b/windows/configure/images/mdt-09-fig09.png
new file mode 100644
index 0000000000..14614aaa42
Binary files /dev/null and b/windows/configure/images/mdt-09-fig09.png differ
diff --git a/windows/configure/images/mdt-09-fig10.png b/windows/configure/images/mdt-09-fig10.png
new file mode 100644
index 0000000000..c8dbe11eac
Binary files /dev/null and b/windows/configure/images/mdt-09-fig10.png differ
diff --git a/windows/configure/images/mdt-09-fig11.png b/windows/configure/images/mdt-09-fig11.png
new file mode 100644
index 0000000000..dd38911dfc
Binary files /dev/null and b/windows/configure/images/mdt-09-fig11.png differ
diff --git a/windows/configure/images/mdt-09-fig12.png b/windows/configure/images/mdt-09-fig12.png
new file mode 100644
index 0000000000..ed363ae01a
Binary files /dev/null and b/windows/configure/images/mdt-09-fig12.png differ
diff --git a/windows/configure/images/mdt-09-fig13.png b/windows/configure/images/mdt-09-fig13.png
new file mode 100644
index 0000000000..5155b0ecf0
Binary files /dev/null and b/windows/configure/images/mdt-09-fig13.png differ
diff --git a/windows/configure/images/mdt-09-fig14.png b/windows/configure/images/mdt-09-fig14.png
new file mode 100644
index 0000000000..f294a8d69f
Binary files /dev/null and b/windows/configure/images/mdt-09-fig14.png differ
diff --git a/windows/configure/images/mdt-09-fig15.png b/windows/configure/images/mdt-09-fig15.png
new file mode 100644
index 0000000000..f8de66afbd
Binary files /dev/null and b/windows/configure/images/mdt-09-fig15.png differ
diff --git a/windows/configure/images/mdt-09-fig16.png b/windows/configure/images/mdt-09-fig16.png
new file mode 100644
index 0000000000..ad04b64077
Binary files /dev/null and b/windows/configure/images/mdt-09-fig16.png differ
diff --git a/windows/configure/images/mdt-09-fig17.png b/windows/configure/images/mdt-09-fig17.png
new file mode 100644
index 0000000000..fe4503b950
Binary files /dev/null and b/windows/configure/images/mdt-09-fig17.png differ
diff --git a/windows/configure/images/mdt-09-fig18.png b/windows/configure/images/mdt-09-fig18.png
new file mode 100644
index 0000000000..4f087172d9
Binary files /dev/null and b/windows/configure/images/mdt-09-fig18.png differ
diff --git a/windows/configure/images/mdt-09-fig19.png b/windows/configure/images/mdt-09-fig19.png
new file mode 100644
index 0000000000..917444c811
Binary files /dev/null and b/windows/configure/images/mdt-09-fig19.png differ
diff --git a/windows/configure/images/mdt-09-fig20.png b/windows/configure/images/mdt-09-fig20.png
new file mode 100644
index 0000000000..6c2d1c4dba
Binary files /dev/null and b/windows/configure/images/mdt-09-fig20.png differ
diff --git a/windows/configure/images/mdt-09-fig21.png b/windows/configure/images/mdt-09-fig21.png
new file mode 100644
index 0000000000..628ea98ad9
Binary files /dev/null and b/windows/configure/images/mdt-09-fig21.png differ
diff --git a/windows/configure/images/mdt-09-fig22.png b/windows/configure/images/mdt-09-fig22.png
new file mode 100644
index 0000000000..9d71f62796
Binary files /dev/null and b/windows/configure/images/mdt-09-fig22.png differ
diff --git a/windows/configure/images/mdt-09-fig23.png b/windows/configure/images/mdt-09-fig23.png
new file mode 100644
index 0000000000..4cd29dc389
Binary files /dev/null and b/windows/configure/images/mdt-09-fig23.png differ
diff --git a/windows/configure/images/mdt-09-fig24.png b/windows/configure/images/mdt-09-fig24.png
new file mode 100644
index 0000000000..89cb67a048
Binary files /dev/null and b/windows/configure/images/mdt-09-fig24.png differ
diff --git a/windows/configure/images/mdt-09-fig25.png b/windows/configure/images/mdt-09-fig25.png
new file mode 100644
index 0000000000..fb308c0be5
Binary files /dev/null and b/windows/configure/images/mdt-09-fig25.png differ
diff --git a/windows/configure/images/mdt-09-fig26.png b/windows/configure/images/mdt-09-fig26.png
new file mode 100644
index 0000000000..681c6516cd
Binary files /dev/null and b/windows/configure/images/mdt-09-fig26.png differ
diff --git a/windows/configure/images/mdt-09-fig27.png b/windows/configure/images/mdt-09-fig27.png
new file mode 100644
index 0000000000..396290346d
Binary files /dev/null and b/windows/configure/images/mdt-09-fig27.png differ
diff --git a/windows/configure/images/mdt-09-fig28.png b/windows/configure/images/mdt-09-fig28.png
new file mode 100644
index 0000000000..d36dda43fa
Binary files /dev/null and b/windows/configure/images/mdt-09-fig28.png differ
diff --git a/windows/configure/images/mdt-09-fig29.png b/windows/configure/images/mdt-09-fig29.png
new file mode 100644
index 0000000000..404842d49c
Binary files /dev/null and b/windows/configure/images/mdt-09-fig29.png differ
diff --git a/windows/configure/images/mdt-09-fig30.png b/windows/configure/images/mdt-09-fig30.png
new file mode 100644
index 0000000000..be962f40ec
Binary files /dev/null and b/windows/configure/images/mdt-09-fig30.png differ
diff --git a/windows/configure/images/mdt-09-fig31.png b/windows/configure/images/mdt-09-fig31.png
new file mode 100644
index 0000000000..a40aa9d3bb
Binary files /dev/null and b/windows/configure/images/mdt-09-fig31.png differ
diff --git a/windows/configure/images/mdt-09-fig32.png b/windows/configure/images/mdt-09-fig32.png
new file mode 100644
index 0000000000..446812a3e8
Binary files /dev/null and b/windows/configure/images/mdt-09-fig32.png differ
diff --git a/windows/configure/images/mdt-10-fig01.png b/windows/configure/images/mdt-10-fig01.png
new file mode 100644
index 0000000000..8a3ebd9711
Binary files /dev/null and b/windows/configure/images/mdt-10-fig01.png differ
diff --git a/windows/configure/images/mdt-10-fig02.png b/windows/configure/images/mdt-10-fig02.png
new file mode 100644
index 0000000000..d9e5930152
Binary files /dev/null and b/windows/configure/images/mdt-10-fig02.png differ
diff --git a/windows/configure/images/mdt-10-fig03.png b/windows/configure/images/mdt-10-fig03.png
new file mode 100644
index 0000000000..f652db736c
Binary files /dev/null and b/windows/configure/images/mdt-10-fig03.png differ
diff --git a/windows/configure/images/mdt-10-fig04.png b/windows/configure/images/mdt-10-fig04.png
new file mode 100644
index 0000000000..f98c0501df
Binary files /dev/null and b/windows/configure/images/mdt-10-fig04.png differ
diff --git a/windows/configure/images/mdt-10-fig05.png b/windows/configure/images/mdt-10-fig05.png
new file mode 100644
index 0000000000..64c0c4a6ee
Binary files /dev/null and b/windows/configure/images/mdt-10-fig05.png differ
diff --git a/windows/configure/images/mdt-10-fig06.png b/windows/configure/images/mdt-10-fig06.png
new file mode 100644
index 0000000000..91dc7c5c33
Binary files /dev/null and b/windows/configure/images/mdt-10-fig06.png differ
diff --git a/windows/configure/images/mdt-10-fig07.png b/windows/configure/images/mdt-10-fig07.png
new file mode 100644
index 0000000000..8613d905a4
Binary files /dev/null and b/windows/configure/images/mdt-10-fig07.png differ
diff --git a/windows/configure/images/mdt-10-fig08.png b/windows/configure/images/mdt-10-fig08.png
new file mode 100644
index 0000000000..ee00637019
Binary files /dev/null and b/windows/configure/images/mdt-10-fig08.png differ
diff --git a/windows/configure/images/mdt-10-fig09.png b/windows/configure/images/mdt-10-fig09.png
new file mode 100644
index 0000000000..ccdd05f34e
Binary files /dev/null and b/windows/configure/images/mdt-10-fig09.png differ
diff --git a/windows/configure/images/mdt-11-fig05.png b/windows/configure/images/mdt-11-fig05.png
new file mode 100644
index 0000000000..b03c414fb8
Binary files /dev/null and b/windows/configure/images/mdt-11-fig05.png differ
diff --git a/windows/configure/images/mdt-11-fig06.png b/windows/configure/images/mdt-11-fig06.png
new file mode 100644
index 0000000000..b5944d909e
Binary files /dev/null and b/windows/configure/images/mdt-11-fig06.png differ
diff --git a/windows/configure/images/mdt-11-fig07.png b/windows/configure/images/mdt-11-fig07.png
new file mode 100644
index 0000000000..b80f0908ab
Binary files /dev/null and b/windows/configure/images/mdt-11-fig07.png differ
diff --git a/windows/configure/images/mdt-11-fig08.png b/windows/configure/images/mdt-11-fig08.png
new file mode 100644
index 0000000000..9c258bdd3e
Binary files /dev/null and b/windows/configure/images/mdt-11-fig08.png differ
diff --git a/windows/configure/images/mdt-11-fig09.png b/windows/configure/images/mdt-11-fig09.png
new file mode 100644
index 0000000000..49b3d0b88f
Binary files /dev/null and b/windows/configure/images/mdt-11-fig09.png differ
diff --git a/windows/configure/images/mdt-11-fig10.png b/windows/configure/images/mdt-11-fig10.png
new file mode 100644
index 0000000000..e5c71225f7
Binary files /dev/null and b/windows/configure/images/mdt-11-fig10.png differ
diff --git a/windows/configure/images/mdt-11-fig11.png b/windows/configure/images/mdt-11-fig11.png
new file mode 100644
index 0000000000..e3e2c70516
Binary files /dev/null and b/windows/configure/images/mdt-11-fig11.png differ
diff --git a/windows/configure/images/mdt-11-fig12.png b/windows/configure/images/mdt-11-fig12.png
new file mode 100644
index 0000000000..1e1a7888d6
Binary files /dev/null and b/windows/configure/images/mdt-11-fig12.png differ
diff --git a/windows/configure/images/mdt-11-fig13.png b/windows/configure/images/mdt-11-fig13.png
new file mode 100644
index 0000000000..36554c72a6
Binary files /dev/null and b/windows/configure/images/mdt-11-fig13.png differ
diff --git a/windows/configure/images/mdt-11-fig14.png b/windows/configure/images/mdt-11-fig14.png
new file mode 100644
index 0000000000..075d331bc1
Binary files /dev/null and b/windows/configure/images/mdt-11-fig14.png differ
diff --git a/windows/configure/images/mdt-11-fig15.png b/windows/configure/images/mdt-11-fig15.png
new file mode 100644
index 0000000000..302847c2a6
Binary files /dev/null and b/windows/configure/images/mdt-11-fig15.png differ
diff --git a/windows/configure/images/mdt-11-fig16.png b/windows/configure/images/mdt-11-fig16.png
new file mode 100644
index 0000000000..608c161797
Binary files /dev/null and b/windows/configure/images/mdt-11-fig16.png differ
diff --git a/windows/configure/images/mobile-start-layout.png b/windows/configure/images/mobile-start-layout.png
new file mode 100644
index 0000000000..d1055d6c87
Binary files /dev/null and b/windows/configure/images/mobile-start-layout.png differ
diff --git a/windows/configure/images/multi-target.png b/windows/configure/images/multi-target.png
new file mode 100644
index 0000000000..fb6ddd7a2d
Binary files /dev/null and b/windows/configure/images/multi-target.png differ
diff --git a/windows/configure/images/nfc.png b/windows/configure/images/nfc.png
new file mode 100644
index 0000000000..bfee563205
Binary files /dev/null and b/windows/configure/images/nfc.png differ
diff --git a/windows/configure/images/oma-uri-shared-pc.png b/windows/configure/images/oma-uri-shared-pc.png
new file mode 100644
index 0000000000..68f9fa3b32
Binary files /dev/null and b/windows/configure/images/oma-uri-shared-pc.png differ
diff --git a/windows/configure/images/one.png b/windows/configure/images/one.png
new file mode 100644
index 0000000000..7766e7d470
Binary files /dev/null and b/windows/configure/images/one.png differ
diff --git a/windows/configure/images/oobe.jpg b/windows/configure/images/oobe.jpg
new file mode 100644
index 0000000000..2e700971c1
Binary files /dev/null and b/windows/configure/images/oobe.jpg differ
diff --git a/windows/configure/images/package-trust.png b/windows/configure/images/package-trust.png
new file mode 100644
index 0000000000..4a996f23d5
Binary files /dev/null and b/windows/configure/images/package-trust.png differ
diff --git a/windows/configure/images/package.png b/windows/configure/images/package.png
new file mode 100644
index 0000000000..f5e975e3e9
Binary files /dev/null and b/windows/configure/images/package.png differ
diff --git a/windows/configure/images/packageaddfileandregistrydata-global.png b/windows/configure/images/packageaddfileandregistrydata-global.png
new file mode 100644
index 0000000000..775e290a36
Binary files /dev/null and b/windows/configure/images/packageaddfileandregistrydata-global.png differ
diff --git a/windows/configure/images/packageaddfileandregistrydata-stream.png b/windows/configure/images/packageaddfileandregistrydata-stream.png
new file mode 100644
index 0000000000..0e1205c62b
Binary files /dev/null and b/windows/configure/images/packageaddfileandregistrydata-stream.png differ
diff --git a/windows/configure/images/packageaddfileandregistrydata.png b/windows/configure/images/packageaddfileandregistrydata.png
new file mode 100644
index 0000000000..603420e627
Binary files /dev/null and b/windows/configure/images/packageaddfileandregistrydata.png differ
diff --git a/windows/configure/images/packages-mobile.png b/windows/configure/images/packages-mobile.png
new file mode 100644
index 0000000000..4ce63dde78
Binary files /dev/null and b/windows/configure/images/packages-mobile.png differ
diff --git a/windows/configure/images/phoneprovision.png b/windows/configure/images/phoneprovision.png
new file mode 100644
index 0000000000..01ada29ac9
Binary files /dev/null and b/windows/configure/images/phoneprovision.png differ
diff --git a/windows/configure/images/policytocsp.png b/windows/configure/images/policytocsp.png
new file mode 100644
index 0000000000..80ca76cb62
Binary files /dev/null and b/windows/configure/images/policytocsp.png differ
diff --git a/windows/configure/images/powericon.png b/windows/configure/images/powericon.png
new file mode 100644
index 0000000000..b497ff859d
Binary files /dev/null and b/windows/configure/images/powericon.png differ
diff --git a/windows/configure/images/priv-telemetry-levels.png b/windows/configure/images/priv-telemetry-levels.png
new file mode 100644
index 0000000000..9581cee54d
Binary files /dev/null and b/windows/configure/images/priv-telemetry-levels.png differ
diff --git a/windows/configure/images/prov.jpg b/windows/configure/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/windows/configure/images/prov.jpg differ
diff --git a/windows/configure/images/provisioning-csp-assignedaccess.png b/windows/configure/images/provisioning-csp-assignedaccess.png
new file mode 100644
index 0000000000..14d49cdd89
Binary files /dev/null and b/windows/configure/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/configure/images/rdp.png b/windows/configure/images/rdp.png
new file mode 100644
index 0000000000..ac088d0b06
Binary files /dev/null and b/windows/configure/images/rdp.png differ
diff --git a/windows/configure/images/resetdevice.png b/windows/configure/images/resetdevice.png
new file mode 100644
index 0000000000..4e265c3f8d
Binary files /dev/null and b/windows/configure/images/resetdevice.png differ
diff --git a/windows/configure/images/scanos.PNG b/windows/configure/images/scanos.PNG
new file mode 100644
index 0000000000..d53a272018
Binary files /dev/null and b/windows/configure/images/scanos.PNG differ
diff --git a/windows/configure/images/sccm-asset.PNG b/windows/configure/images/sccm-asset.PNG
new file mode 100644
index 0000000000..4dacaeb565
Binary files /dev/null and b/windows/configure/images/sccm-asset.PNG differ
diff --git a/windows/configure/images/sccm-assets.PNG b/windows/configure/images/sccm-assets.PNG
new file mode 100644
index 0000000000..2cc50f5758
Binary files /dev/null and b/windows/configure/images/sccm-assets.PNG differ
diff --git a/windows/configure/images/sccm-client.PNG b/windows/configure/images/sccm-client.PNG
new file mode 100644
index 0000000000..45e0ad8883
Binary files /dev/null and b/windows/configure/images/sccm-client.PNG differ
diff --git a/windows/configure/images/sccm-collection.PNG b/windows/configure/images/sccm-collection.PNG
new file mode 100644
index 0000000000..01a1cca4a8
Binary files /dev/null and b/windows/configure/images/sccm-collection.PNG differ
diff --git a/windows/configure/images/sccm-install-os.PNG b/windows/configure/images/sccm-install-os.PNG
new file mode 100644
index 0000000000..53b314b132
Binary files /dev/null and b/windows/configure/images/sccm-install-os.PNG differ
diff --git a/windows/configure/images/sccm-post-refresh.PNG b/windows/configure/images/sccm-post-refresh.PNG
new file mode 100644
index 0000000000..e116e04312
Binary files /dev/null and b/windows/configure/images/sccm-post-refresh.PNG differ
diff --git a/windows/configure/images/sccm-pxe.PNG b/windows/configure/images/sccm-pxe.PNG
new file mode 100644
index 0000000000..39cb22c075
Binary files /dev/null and b/windows/configure/images/sccm-pxe.PNG differ
diff --git a/windows/configure/images/sccm-site.PNG b/windows/configure/images/sccm-site.PNG
new file mode 100644
index 0000000000..92319fdbf7
Binary files /dev/null and b/windows/configure/images/sccm-site.PNG differ
diff --git a/windows/configure/images/sccm-software-cntr.PNG b/windows/configure/images/sccm-software-cntr.PNG
new file mode 100644
index 0000000000..9c920c6d39
Binary files /dev/null and b/windows/configure/images/sccm-software-cntr.PNG differ
diff --git a/windows/configure/images/sec-bios.png b/windows/configure/images/sec-bios.png
new file mode 100644
index 0000000000..4498497d59
Binary files /dev/null and b/windows/configure/images/sec-bios.png differ
diff --git a/windows/configure/images/set-up-device-details-desktop.PNG b/windows/configure/images/set-up-device-details-desktop.PNG
new file mode 100644
index 0000000000..97c8a1b704
Binary files /dev/null and b/windows/configure/images/set-up-device-details-desktop.PNG differ
diff --git a/windows/configure/images/set-up-device-details-mobile.PNG b/windows/configure/images/set-up-device-details-mobile.PNG
new file mode 100644
index 0000000000..f41fe99a72
Binary files /dev/null and b/windows/configure/images/set-up-device-details-mobile.PNG differ
diff --git a/windows/configure/images/set-up-device-details.PNG b/windows/configure/images/set-up-device-details.PNG
new file mode 100644
index 0000000000..031dac6fe6
Binary files /dev/null and b/windows/configure/images/set-up-device-details.PNG differ
diff --git a/windows/configure/images/set-up-device-mobile.PNG b/windows/configure/images/set-up-device-mobile.PNG
new file mode 100644
index 0000000000..b8173385d4
Binary files /dev/null and b/windows/configure/images/set-up-device-mobile.PNG differ
diff --git a/windows/configure/images/set-up-device.PNG b/windows/configure/images/set-up-device.PNG
new file mode 100644
index 0000000000..0c9eb0e3ff
Binary files /dev/null and b/windows/configure/images/set-up-device.PNG differ
diff --git a/windows/configure/images/set-up-network-details-desktop.PNG b/windows/configure/images/set-up-network-details-desktop.PNG
new file mode 100644
index 0000000000..83911ccbd0
Binary files /dev/null and b/windows/configure/images/set-up-network-details-desktop.PNG differ
diff --git a/windows/configure/images/set-up-network-details-mobile.PNG b/windows/configure/images/set-up-network-details-mobile.PNG
new file mode 100644
index 0000000000..8f515ba1f6
Binary files /dev/null and b/windows/configure/images/set-up-network-details-mobile.PNG differ
diff --git a/windows/configure/images/set-up-network-details.PNG b/windows/configure/images/set-up-network-details.PNG
new file mode 100644
index 0000000000..778b8497c4
Binary files /dev/null and b/windows/configure/images/set-up-network-details.PNG differ
diff --git a/windows/configure/images/set-up-network-mobile.PNG b/windows/configure/images/set-up-network-mobile.PNG
new file mode 100644
index 0000000000..9442b33e90
Binary files /dev/null and b/windows/configure/images/set-up-network-mobile.PNG differ
diff --git a/windows/configure/images/set-up-network.PNG b/windows/configure/images/set-up-network.PNG
new file mode 100644
index 0000000000..a0e856c103
Binary files /dev/null and b/windows/configure/images/set-up-network.PNG differ
diff --git a/windows/configure/images/settings-table.png b/windows/configure/images/settings-table.png
new file mode 100644
index 0000000000..ada56513fc
Binary files /dev/null and b/windows/configure/images/settings-table.png differ
diff --git a/windows/configure/images/settingsicon.png b/windows/configure/images/settingsicon.png
new file mode 100644
index 0000000000..0ad27fc558
Binary files /dev/null and b/windows/configure/images/settingsicon.png differ
diff --git a/windows/configure/images/setupmsg.jpg b/windows/configure/images/setupmsg.jpg
new file mode 100644
index 0000000000..06348dd2b8
Binary files /dev/null and b/windows/configure/images/setupmsg.jpg differ
diff --git a/windows/configure/images/seven.png b/windows/configure/images/seven.png
new file mode 100644
index 0000000000..285a92df0b
Binary files /dev/null and b/windows/configure/images/seven.png differ
diff --git a/windows/configure/images/show-more-tiles.png b/windows/configure/images/show-more-tiles.png
new file mode 100644
index 0000000000..6922edeb4c
Binary files /dev/null and b/windows/configure/images/show-more-tiles.png differ
diff --git a/windows/configure/images/sign-in-prov.png b/windows/configure/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/windows/configure/images/sign-in-prov.png differ
diff --git a/windows/configure/images/six.png b/windows/configure/images/six.png
new file mode 100644
index 0000000000..e8906332ec
Binary files /dev/null and b/windows/configure/images/six.png differ
diff --git a/windows/configure/images/spotlight.png b/windows/configure/images/spotlight.png
new file mode 100644
index 0000000000..515269740b
Binary files /dev/null and b/windows/configure/images/spotlight.png differ
diff --git a/windows/configure/images/spotlight2.png b/windows/configure/images/spotlight2.png
new file mode 100644
index 0000000000..27401c1a2b
Binary files /dev/null and b/windows/configure/images/spotlight2.png differ
diff --git a/windows/configure/images/start-pinned-app.png b/windows/configure/images/start-pinned-app.png
new file mode 100644
index 0000000000..e1e4a24a00
Binary files /dev/null and b/windows/configure/images/start-pinned-app.png differ
diff --git a/windows/configure/images/start-screen-size.png b/windows/configure/images/start-screen-size.png
new file mode 100644
index 0000000000..6c09d960ef
Binary files /dev/null and b/windows/configure/images/start-screen-size.png differ
diff --git a/windows/configure/images/startannotated.png b/windows/configure/images/startannotated.png
new file mode 100644
index 0000000000..9261fd9078
Binary files /dev/null and b/windows/configure/images/startannotated.png differ
diff --git a/windows/configure/images/starticon.png b/windows/configure/images/starticon.png
new file mode 100644
index 0000000000..fa8cbdff10
Binary files /dev/null and b/windows/configure/images/starticon.png differ
diff --git a/windows/configure/images/startlayoutpolicy.jpg b/windows/configure/images/startlayoutpolicy.jpg
new file mode 100644
index 0000000000..d3c8d054fe
Binary files /dev/null and b/windows/configure/images/startlayoutpolicy.jpg differ
diff --git a/windows/configure/images/starttemplate.jpg b/windows/configure/images/starttemplate.jpg
new file mode 100644
index 0000000000..900eed08c5
Binary files /dev/null and b/windows/configure/images/starttemplate.jpg differ
diff --git a/windows/configure/images/svr_mgr2.png b/windows/configure/images/svr_mgr2.png
new file mode 100644
index 0000000000..dd2e6737c6
Binary files /dev/null and b/windows/configure/images/svr_mgr2.png differ
diff --git a/windows/configure/images/sysprep-error.png b/windows/configure/images/sysprep-error.png
new file mode 100644
index 0000000000..aa004efbb6
Binary files /dev/null and b/windows/configure/images/sysprep-error.png differ
diff --git a/windows/configure/images/taskbar-blank.png b/windows/configure/images/taskbar-blank.png
new file mode 100644
index 0000000000..185027f2fd
Binary files /dev/null and b/windows/configure/images/taskbar-blank.png differ
diff --git a/windows/configure/images/taskbar-default-plus.png b/windows/configure/images/taskbar-default-plus.png
new file mode 100644
index 0000000000..8afcebac09
Binary files /dev/null and b/windows/configure/images/taskbar-default-plus.png differ
diff --git a/windows/configure/images/taskbar-default-removed.png b/windows/configure/images/taskbar-default-removed.png
new file mode 100644
index 0000000000..b3ff924e9f
Binary files /dev/null and b/windows/configure/images/taskbar-default-removed.png differ
diff --git a/windows/configure/images/taskbar-default.png b/windows/configure/images/taskbar-default.png
new file mode 100644
index 0000000000..41c6c72258
Binary files /dev/null and b/windows/configure/images/taskbar-default.png differ
diff --git a/windows/configure/images/taskbar-generic.png b/windows/configure/images/taskbar-generic.png
new file mode 100644
index 0000000000..6d47a6795a
Binary files /dev/null and b/windows/configure/images/taskbar-generic.png differ
diff --git a/windows/configure/images/taskbar-region-defr.png b/windows/configure/images/taskbar-region-defr.png
new file mode 100644
index 0000000000..6d707b16f4
Binary files /dev/null and b/windows/configure/images/taskbar-region-defr.png differ
diff --git a/windows/configure/images/taskbar-region-other.png b/windows/configure/images/taskbar-region-other.png
new file mode 100644
index 0000000000..fab367ef7a
Binary files /dev/null and b/windows/configure/images/taskbar-region-other.png differ
diff --git a/windows/configure/images/taskbar-region-usuk.png b/windows/configure/images/taskbar-region-usuk.png
new file mode 100644
index 0000000000..6bba65ee81
Binary files /dev/null and b/windows/configure/images/taskbar-region-usuk.png differ
diff --git a/windows/configure/images/taskbarSTARTERBLANK.png b/windows/configure/images/taskbarSTARTERBLANK.png
new file mode 100644
index 0000000000..e206bdc196
Binary files /dev/null and b/windows/configure/images/taskbarSTARTERBLANK.png differ
diff --git a/windows/configure/images/three.png b/windows/configure/images/three.png
new file mode 100644
index 0000000000..887fa270d7
Binary files /dev/null and b/windows/configure/images/three.png differ
diff --git a/windows/configure/images/trust-package.png b/windows/configure/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/windows/configure/images/trust-package.png differ
diff --git a/windows/configure/images/twain.png b/windows/configure/images/twain.png
new file mode 100644
index 0000000000..53cd5eadc7
Binary files /dev/null and b/windows/configure/images/twain.png differ
diff --git a/windows/configure/images/two.png b/windows/configure/images/two.png
new file mode 100644
index 0000000000..b8c2d52eaf
Binary files /dev/null and b/windows/configure/images/two.png differ
diff --git a/windows/configure/images/ua-cg-01.png b/windows/configure/images/ua-cg-01.png
new file mode 100644
index 0000000000..4b41bd67ba
Binary files /dev/null and b/windows/configure/images/ua-cg-01.png differ
diff --git a/windows/configure/images/ua-cg-02.png b/windows/configure/images/ua-cg-02.png
new file mode 100644
index 0000000000..4cbfaf26d8
Binary files /dev/null and b/windows/configure/images/ua-cg-02.png differ
diff --git a/windows/configure/images/ua-cg-03.png b/windows/configure/images/ua-cg-03.png
new file mode 100644
index 0000000000..cfad7911bb
Binary files /dev/null and b/windows/configure/images/ua-cg-03.png differ
diff --git a/windows/configure/images/ua-cg-04.png b/windows/configure/images/ua-cg-04.png
new file mode 100644
index 0000000000..c818d15d02
Binary files /dev/null and b/windows/configure/images/ua-cg-04.png differ
diff --git a/windows/configure/images/ua-cg-05.png b/windows/configure/images/ua-cg-05.png
new file mode 100644
index 0000000000..a8788f0eb9
Binary files /dev/null and b/windows/configure/images/ua-cg-05.png differ
diff --git a/windows/configure/images/ua-cg-06.png b/windows/configure/images/ua-cg-06.png
new file mode 100644
index 0000000000..ed983c96c8
Binary files /dev/null and b/windows/configure/images/ua-cg-06.png differ
diff --git a/windows/configure/images/ua-cg-07.png b/windows/configure/images/ua-cg-07.png
new file mode 100644
index 0000000000..2aba43be53
Binary files /dev/null and b/windows/configure/images/ua-cg-07.png differ
diff --git a/windows/configure/images/ua-cg-08.png b/windows/configure/images/ua-cg-08.png
new file mode 100644
index 0000000000..4d7f924d76
Binary files /dev/null and b/windows/configure/images/ua-cg-08.png differ
diff --git a/windows/configure/images/ua-cg-09.png b/windows/configure/images/ua-cg-09.png
new file mode 100644
index 0000000000..b9aa1cea41
Binary files /dev/null and b/windows/configure/images/ua-cg-09.png differ
diff --git a/windows/configure/images/ua-cg-10.png b/windows/configure/images/ua-cg-10.png
new file mode 100644
index 0000000000..54e222338d
Binary files /dev/null and b/windows/configure/images/ua-cg-10.png differ
diff --git a/windows/configure/images/ua-cg-11.png b/windows/configure/images/ua-cg-11.png
new file mode 100644
index 0000000000..4e930a5905
Binary files /dev/null and b/windows/configure/images/ua-cg-11.png differ
diff --git a/windows/configure/images/ua-cg-12.png b/windows/configure/images/ua-cg-12.png
new file mode 100644
index 0000000000..2fbe11b814
Binary files /dev/null and b/windows/configure/images/ua-cg-12.png differ
diff --git a/windows/configure/images/ua-cg-13.png b/windows/configure/images/ua-cg-13.png
new file mode 100644
index 0000000000..f04252796e
Binary files /dev/null and b/windows/configure/images/ua-cg-13.png differ
diff --git a/windows/configure/images/ua-cg-14.png b/windows/configure/images/ua-cg-14.png
new file mode 100644
index 0000000000..6105fdf4d1
Binary files /dev/null and b/windows/configure/images/ua-cg-14.png differ
diff --git a/windows/configure/images/ua-cg-15.png b/windows/configure/images/ua-cg-15.png
new file mode 100644
index 0000000000..5362db66da
Binary files /dev/null and b/windows/configure/images/ua-cg-15.png differ
diff --git a/windows/configure/images/ua-cg-16.png b/windows/configure/images/ua-cg-16.png
new file mode 100644
index 0000000000..6d5b8a84b6
Binary files /dev/null and b/windows/configure/images/ua-cg-16.png differ
diff --git a/windows/configure/images/ua-cg-17.png b/windows/configure/images/ua-cg-17.png
new file mode 100644
index 0000000000..d66c41917b
Binary files /dev/null and b/windows/configure/images/ua-cg-17.png differ
diff --git a/windows/configure/images/uc-01.png b/windows/configure/images/uc-01.png
new file mode 100644
index 0000000000..7f4df9f6d7
Binary files /dev/null and b/windows/configure/images/uc-01.png differ
diff --git a/windows/configure/images/uc-02.png b/windows/configure/images/uc-02.png
new file mode 100644
index 0000000000..8317f051c3
Binary files /dev/null and b/windows/configure/images/uc-02.png differ
diff --git a/windows/configure/images/uc-02a.png b/windows/configure/images/uc-02a.png
new file mode 100644
index 0000000000..d12544e3a0
Binary files /dev/null and b/windows/configure/images/uc-02a.png differ
diff --git a/windows/configure/images/uc-03.png b/windows/configure/images/uc-03.png
new file mode 100644
index 0000000000..58494c4128
Binary files /dev/null and b/windows/configure/images/uc-03.png differ
diff --git a/windows/configure/images/uc-03a.png b/windows/configure/images/uc-03a.png
new file mode 100644
index 0000000000..39412fc8f3
Binary files /dev/null and b/windows/configure/images/uc-03a.png differ
diff --git a/windows/configure/images/uc-04.png b/windows/configure/images/uc-04.png
new file mode 100644
index 0000000000..ef9a37d379
Binary files /dev/null and b/windows/configure/images/uc-04.png differ
diff --git a/windows/configure/images/uc-04a.png b/windows/configure/images/uc-04a.png
new file mode 100644
index 0000000000..537d4bbe72
Binary files /dev/null and b/windows/configure/images/uc-04a.png differ
diff --git a/windows/configure/images/uc-05.png b/windows/configure/images/uc-05.png
new file mode 100644
index 0000000000..21c8e9f9e0
Binary files /dev/null and b/windows/configure/images/uc-05.png differ
diff --git a/windows/configure/images/uc-05a.png b/windows/configure/images/uc-05a.png
new file mode 100644
index 0000000000..2271181622
Binary files /dev/null and b/windows/configure/images/uc-05a.png differ
diff --git a/windows/configure/images/uc-06.png b/windows/configure/images/uc-06.png
new file mode 100644
index 0000000000..03a559800b
Binary files /dev/null and b/windows/configure/images/uc-06.png differ
diff --git a/windows/configure/images/uc-06a.png b/windows/configure/images/uc-06a.png
new file mode 100644
index 0000000000..15df1cfea0
Binary files /dev/null and b/windows/configure/images/uc-06a.png differ
diff --git a/windows/configure/images/uc-07.png b/windows/configure/images/uc-07.png
new file mode 100644
index 0000000000..de1ae35e82
Binary files /dev/null and b/windows/configure/images/uc-07.png differ
diff --git a/windows/configure/images/uc-07a.png b/windows/configure/images/uc-07a.png
new file mode 100644
index 0000000000..c0f2d9fd73
Binary files /dev/null and b/windows/configure/images/uc-07a.png differ
diff --git a/windows/configure/images/uc-08.png b/windows/configure/images/uc-08.png
new file mode 100644
index 0000000000..877fcd64c0
Binary files /dev/null and b/windows/configure/images/uc-08.png differ
diff --git a/windows/configure/images/uc-08a.png b/windows/configure/images/uc-08a.png
new file mode 100644
index 0000000000..89da287d3d
Binary files /dev/null and b/windows/configure/images/uc-08a.png differ
diff --git a/windows/configure/images/uc-09.png b/windows/configure/images/uc-09.png
new file mode 100644
index 0000000000..37d7114f19
Binary files /dev/null and b/windows/configure/images/uc-09.png differ
diff --git a/windows/configure/images/uc-09a.png b/windows/configure/images/uc-09a.png
new file mode 100644
index 0000000000..f6b6ec5b60
Binary files /dev/null and b/windows/configure/images/uc-09a.png differ
diff --git a/windows/configure/images/uc-10.png b/windows/configure/images/uc-10.png
new file mode 100644
index 0000000000..3ab72d10d2
Binary files /dev/null and b/windows/configure/images/uc-10.png differ
diff --git a/windows/configure/images/uc-10a.png b/windows/configure/images/uc-10a.png
new file mode 100644
index 0000000000..1c6b8b01dc
Binary files /dev/null and b/windows/configure/images/uc-10a.png differ
diff --git a/windows/configure/images/uc-11.png b/windows/configure/images/uc-11.png
new file mode 100644
index 0000000000..8b4fc568ea
Binary files /dev/null and b/windows/configure/images/uc-11.png differ
diff --git a/windows/configure/images/uc-12.png b/windows/configure/images/uc-12.png
new file mode 100644
index 0000000000..4198684c99
Binary files /dev/null and b/windows/configure/images/uc-12.png differ
diff --git a/windows/configure/images/uc-13.png b/windows/configure/images/uc-13.png
new file mode 100644
index 0000000000..117f9b9fd8
Binary files /dev/null and b/windows/configure/images/uc-13.png differ
diff --git a/windows/configure/images/uc-14.png b/windows/configure/images/uc-14.png
new file mode 100644
index 0000000000..66047984e7
Binary files /dev/null and b/windows/configure/images/uc-14.png differ
diff --git a/windows/configure/images/uc-15.png b/windows/configure/images/uc-15.png
new file mode 100644
index 0000000000..c241cd9117
Binary files /dev/null and b/windows/configure/images/uc-15.png differ
diff --git a/windows/configure/images/uc-16.png b/windows/configure/images/uc-16.png
new file mode 100644
index 0000000000..e7aff4d4ed
Binary files /dev/null and b/windows/configure/images/uc-16.png differ
diff --git a/windows/configure/images/uc-17.png b/windows/configure/images/uc-17.png
new file mode 100644
index 0000000000..cb8e42ca5e
Binary files /dev/null and b/windows/configure/images/uc-17.png differ
diff --git a/windows/configure/images/uc-18.png b/windows/configure/images/uc-18.png
new file mode 100644
index 0000000000..5eff59adc9
Binary files /dev/null and b/windows/configure/images/uc-18.png differ
diff --git a/windows/configure/images/uc-19.png b/windows/configure/images/uc-19.png
new file mode 100644
index 0000000000..791900eafc
Binary files /dev/null and b/windows/configure/images/uc-19.png differ
diff --git a/windows/configure/images/uc-20.png b/windows/configure/images/uc-20.png
new file mode 100644
index 0000000000..7dbb027b9f
Binary files /dev/null and b/windows/configure/images/uc-20.png differ
diff --git a/windows/configure/images/uc-21.png b/windows/configure/images/uc-21.png
new file mode 100644
index 0000000000..418db41fe4
Binary files /dev/null and b/windows/configure/images/uc-21.png differ
diff --git a/windows/configure/images/uc-22.png b/windows/configure/images/uc-22.png
new file mode 100644
index 0000000000..2ca5c47a61
Binary files /dev/null and b/windows/configure/images/uc-22.png differ
diff --git a/windows/configure/images/uc-23.png b/windows/configure/images/uc-23.png
new file mode 100644
index 0000000000..58b82db82d
Binary files /dev/null and b/windows/configure/images/uc-23.png differ
diff --git a/windows/configure/images/uc-24.png b/windows/configure/images/uc-24.png
new file mode 100644
index 0000000000..00bc61e3e1
Binary files /dev/null and b/windows/configure/images/uc-24.png differ
diff --git a/windows/configure/images/uc-25.png b/windows/configure/images/uc-25.png
new file mode 100644
index 0000000000..4e0f0bdb03
Binary files /dev/null and b/windows/configure/images/uc-25.png differ
diff --git a/windows/configure/images/uev-adk-select-uev-feature.png b/windows/configure/images/uev-adk-select-uev-feature.png
new file mode 100644
index 0000000000..1556f115c0
Binary files /dev/null and b/windows/configure/images/uev-adk-select-uev-feature.png differ
diff --git a/windows/configure/images/uev-archdiagram.png b/windows/configure/images/uev-archdiagram.png
new file mode 100644
index 0000000000..eae098e666
Binary files /dev/null and b/windows/configure/images/uev-archdiagram.png differ
diff --git a/windows/configure/images/uev-checklist-box.gif b/windows/configure/images/uev-checklist-box.gif
new file mode 100644
index 0000000000..8af13c51d1
Binary files /dev/null and b/windows/configure/images/uev-checklist-box.gif differ
diff --git a/windows/configure/images/uev-deployment-preparation.png b/windows/configure/images/uev-deployment-preparation.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/configure/images/uev-deployment-preparation.png differ
diff --git a/windows/configure/images/uev-generator-process.png b/windows/configure/images/uev-generator-process.png
new file mode 100644
index 0000000000..e16cedd0a7
Binary files /dev/null and b/windows/configure/images/uev-generator-process.png differ
diff --git a/windows/configure/images/upgrade-analytics-apps-known-issues.png b/windows/configure/images/upgrade-analytics-apps-known-issues.png
new file mode 100644
index 0000000000..ec99ac92cf
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-apps-known-issues.png differ
diff --git a/windows/configure/images/upgrade-analytics-apps-no-known-issues.png b/windows/configure/images/upgrade-analytics-apps-no-known-issues.png
new file mode 100644
index 0000000000..9fb09ffd65
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-apps-no-known-issues.png differ
diff --git a/windows/configure/images/upgrade-analytics-architecture.png b/windows/configure/images/upgrade-analytics-architecture.png
new file mode 100644
index 0000000000..93d3acba0b
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-architecture.png differ
diff --git a/windows/configure/images/upgrade-analytics-create-iedataoptin.png b/windows/configure/images/upgrade-analytics-create-iedataoptin.png
new file mode 100644
index 0000000000..60f5ccbc90
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-create-iedataoptin.png differ
diff --git a/windows/configure/images/upgrade-analytics-deploy-eligible.png b/windows/configure/images/upgrade-analytics-deploy-eligible.png
new file mode 100644
index 0000000000..8da91cebc4
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-deploy-eligible.png differ
diff --git a/windows/configure/images/upgrade-analytics-drivers-known.png b/windows/configure/images/upgrade-analytics-drivers-known.png
new file mode 100644
index 0000000000..35d61f87c7
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-drivers-known.png differ
diff --git a/windows/configure/images/upgrade-analytics-most-active-sites.png b/windows/configure/images/upgrade-analytics-most-active-sites.png
new file mode 100644
index 0000000000..180c5ddced
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-most-active-sites.png differ
diff --git a/windows/configure/images/upgrade-analytics-namepub-rollup.PNG b/windows/configure/images/upgrade-analytics-namepub-rollup.PNG
new file mode 100644
index 0000000000..2041f14fd4
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-namepub-rollup.PNG differ
diff --git a/windows/configure/images/upgrade-analytics-overview.png b/windows/configure/images/upgrade-analytics-overview.png
new file mode 100644
index 0000000000..ba02ee0a8c
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-overview.png differ
diff --git a/windows/configure/images/upgrade-analytics-pilot.png b/windows/configure/images/upgrade-analytics-pilot.png
new file mode 100644
index 0000000000..1c1de328ea
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-pilot.png differ
diff --git a/windows/configure/images/upgrade-analytics-prioritize.png b/windows/configure/images/upgrade-analytics-prioritize.png
new file mode 100644
index 0000000000..d6227694c1
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-prioritize.png differ
diff --git a/windows/configure/images/upgrade-analytics-query-activex-name.png b/windows/configure/images/upgrade-analytics-query-activex-name.png
new file mode 100644
index 0000000000..5068e7d20e
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-query-activex-name.png differ
diff --git a/windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
new file mode 100644
index 0000000000..4d22cc9353
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG differ
diff --git a/windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG
new file mode 100644
index 0000000000..c233db2340
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-ready-for-windows-status.PNG differ
diff --git a/windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png
new file mode 100644
index 0000000000..d1a46f1791
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-site-activity-by-doc-mode.png differ
diff --git a/windows/configure/images/upgrade-analytics-site-domain-detail.png b/windows/configure/images/upgrade-analytics-site-domain-detail.png
new file mode 100644
index 0000000000..15a7ee20c4
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-site-domain-detail.png differ
diff --git a/windows/configure/images/upgrade-analytics-telemetry.png b/windows/configure/images/upgrade-analytics-telemetry.png
new file mode 100644
index 0000000000..bf60935616
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-telemetry.png differ
diff --git a/windows/configure/images/upgrade-analytics-unsubscribe.png b/windows/configure/images/upgrade-analytics-unsubscribe.png
new file mode 100644
index 0000000000..402db94d6f
Binary files /dev/null and b/windows/configure/images/upgrade-analytics-unsubscribe.png differ
diff --git a/windows/configure/images/upgrade-process.png b/windows/configure/images/upgrade-process.png
new file mode 100644
index 0000000000..b2b77708fc
Binary files /dev/null and b/windows/configure/images/upgrade-process.png differ
diff --git a/windows/configure/images/upgradecfg-fig2-upgrading.png b/windows/configure/images/upgradecfg-fig2-upgrading.png
new file mode 100644
index 0000000000..c53de79c29
Binary files /dev/null and b/windows/configure/images/upgradecfg-fig2-upgrading.png differ
diff --git a/windows/configure/images/upgradecfg-fig3-upgrade.png b/windows/configure/images/upgradecfg-fig3-upgrade.png
new file mode 100644
index 0000000000..d0c1ceaaf9
Binary files /dev/null and b/windows/configure/images/upgradecfg-fig3-upgrade.png differ
diff --git a/windows/configure/images/upgrademdt-fig1-machines.png b/windows/configure/images/upgrademdt-fig1-machines.png
new file mode 100644
index 0000000000..38129332e6
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig1-machines.png differ
diff --git a/windows/configure/images/upgrademdt-fig2-importedos.png b/windows/configure/images/upgrademdt-fig2-importedos.png
new file mode 100644
index 0000000000..93b92efd93
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig2-importedos.png differ
diff --git a/windows/configure/images/upgrademdt-fig3-tasksequence.png b/windows/configure/images/upgrademdt-fig3-tasksequence.png
new file mode 100644
index 0000000000..1ad66c2098
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig3-tasksequence.png differ
diff --git a/windows/configure/images/upgrademdt-fig4-selecttask.png b/windows/configure/images/upgrademdt-fig4-selecttask.png
new file mode 100644
index 0000000000..dcbc73871a
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig4-selecttask.png differ
diff --git a/windows/configure/images/upgrademdt-fig5-winupgrade.png b/windows/configure/images/upgrademdt-fig5-winupgrade.png
new file mode 100644
index 0000000000..f3bc05508a
Binary files /dev/null and b/windows/configure/images/upgrademdt-fig5-winupgrade.png differ
diff --git a/windows/configure/images/uwp-dependencies.PNG b/windows/configure/images/uwp-dependencies.PNG
new file mode 100644
index 0000000000..4e2563169f
Binary files /dev/null and b/windows/configure/images/uwp-dependencies.PNG differ
diff --git a/windows/configure/images/uwp-family.PNG b/windows/configure/images/uwp-family.PNG
new file mode 100644
index 0000000000..bec731eec4
Binary files /dev/null and b/windows/configure/images/uwp-family.PNG differ
diff --git a/windows/configure/images/uwp-license.PNG b/windows/configure/images/uwp-license.PNG
new file mode 100644
index 0000000000..ccb5cf7cf4
Binary files /dev/null and b/windows/configure/images/uwp-license.PNG differ
diff --git a/windows/configure/images/vamtuserinterfaceupdated.jpg b/windows/configure/images/vamtuserinterfaceupdated.jpg
new file mode 100644
index 0000000000..32ce362c60
Binary files /dev/null and b/windows/configure/images/vamtuserinterfaceupdated.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-01.jpg b/windows/configure/images/volumeactivationforwindows81-01.jpg
new file mode 100644
index 0000000000..f6042a82a9
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-01.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-02.jpg b/windows/configure/images/volumeactivationforwindows81-02.jpg
new file mode 100644
index 0000000000..630d9a03e2
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-02.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-03.jpg b/windows/configure/images/volumeactivationforwindows81-03.jpg
new file mode 100644
index 0000000000..27962b207c
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-03.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-04.jpg b/windows/configure/images/volumeactivationforwindows81-04.jpg
new file mode 100644
index 0000000000..d5b572f1aa
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-04.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-05.jpg b/windows/configure/images/volumeactivationforwindows81-05.jpg
new file mode 100644
index 0000000000..a4bd9776ac
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-05.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-06.jpg b/windows/configure/images/volumeactivationforwindows81-06.jpg
new file mode 100644
index 0000000000..c29a628b05
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-06.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-07.jpg b/windows/configure/images/volumeactivationforwindows81-07.jpg
new file mode 100644
index 0000000000..346cbaa5c1
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-07.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-08.jpg b/windows/configure/images/volumeactivationforwindows81-08.jpg
new file mode 100644
index 0000000000..eff421d6bb
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-08.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-09.jpg b/windows/configure/images/volumeactivationforwindows81-09.jpg
new file mode 100644
index 0000000000..1e3cf9c0d8
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-09.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-10.jpg b/windows/configure/images/volumeactivationforwindows81-10.jpg
new file mode 100644
index 0000000000..d3cd196c34
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-10.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-11.jpg b/windows/configure/images/volumeactivationforwindows81-11.jpg
new file mode 100644
index 0000000000..72e4b613da
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-11.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-12.jpg b/windows/configure/images/volumeactivationforwindows81-12.jpg
new file mode 100644
index 0000000000..9e44ec24f0
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-12.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-13.jpg b/windows/configure/images/volumeactivationforwindows81-13.jpg
new file mode 100644
index 0000000000..e599fcd528
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-13.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-14.jpg b/windows/configure/images/volumeactivationforwindows81-14.jpg
new file mode 100644
index 0000000000..3b3cbc18cb
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-14.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-15.jpg b/windows/configure/images/volumeactivationforwindows81-15.jpg
new file mode 100644
index 0000000000..792b24b282
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-15.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-16.jpg b/windows/configure/images/volumeactivationforwindows81-16.jpg
new file mode 100644
index 0000000000..facdf1d084
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-16.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-17.jpg b/windows/configure/images/volumeactivationforwindows81-17.jpg
new file mode 100644
index 0000000000..0f4c683b7e
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-17.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-18.jpg b/windows/configure/images/volumeactivationforwindows81-18.jpg
new file mode 100644
index 0000000000..8728697ed8
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-18.jpg differ
diff --git a/windows/configure/images/volumeactivationforwindows81-19.jpg b/windows/configure/images/volumeactivationforwindows81-19.jpg
new file mode 100644
index 0000000000..db97a0ba0e
Binary files /dev/null and b/windows/configure/images/volumeactivationforwindows81-19.jpg differ
diff --git a/windows/configure/images/w10servicing-f1-branches.png b/windows/configure/images/w10servicing-f1-branches.png
new file mode 100644
index 0000000000..ac4a549aed
Binary files /dev/null and b/windows/configure/images/w10servicing-f1-branches.png differ
diff --git a/windows/configure/images/waas-active-hours-policy.PNG b/windows/configure/images/waas-active-hours-policy.PNG
new file mode 100644
index 0000000000..af80ef6652
Binary files /dev/null and b/windows/configure/images/waas-active-hours-policy.PNG differ
diff --git a/windows/configure/images/waas-active-hours.PNG b/windows/configure/images/waas-active-hours.PNG
new file mode 100644
index 0000000000..c262c302ed
Binary files /dev/null and b/windows/configure/images/waas-active-hours.PNG differ
diff --git a/windows/configure/images/waas-auto-update-policy.PNG b/windows/configure/images/waas-auto-update-policy.PNG
new file mode 100644
index 0000000000..52a1629cbf
Binary files /dev/null and b/windows/configure/images/waas-auto-update-policy.PNG differ
diff --git a/windows/configure/images/waas-do-fig1.png b/windows/configure/images/waas-do-fig1.png
new file mode 100644
index 0000000000..2a2b6872e9
Binary files /dev/null and b/windows/configure/images/waas-do-fig1.png differ
diff --git a/windows/configure/images/waas-do-fig2.png b/windows/configure/images/waas-do-fig2.png
new file mode 100644
index 0000000000..cc42b328eb
Binary files /dev/null and b/windows/configure/images/waas-do-fig2.png differ
diff --git a/windows/configure/images/waas-do-fig3.png b/windows/configure/images/waas-do-fig3.png
new file mode 100644
index 0000000000..d9182d3b20
Binary files /dev/null and b/windows/configure/images/waas-do-fig3.png differ
diff --git a/windows/configure/images/waas-do-fig4.png b/windows/configure/images/waas-do-fig4.png
new file mode 100644
index 0000000000..a66741ed90
Binary files /dev/null and b/windows/configure/images/waas-do-fig4.png differ
diff --git a/windows/configure/images/waas-overview-patch.png b/windows/configure/images/waas-overview-patch.png
new file mode 100644
index 0000000000..6ac0a03227
Binary files /dev/null and b/windows/configure/images/waas-overview-patch.png differ
diff --git a/windows/configure/images/waas-restart-policy.PNG b/windows/configure/images/waas-restart-policy.PNG
new file mode 100644
index 0000000000..936f9aeb08
Binary files /dev/null and b/windows/configure/images/waas-restart-policy.PNG differ
diff --git a/windows/configure/images/waas-rings.png b/windows/configure/images/waas-rings.png
new file mode 100644
index 0000000000..041a59ce87
Binary files /dev/null and b/windows/configure/images/waas-rings.png differ
diff --git a/windows/configure/images/waas-sccm-fig1.png b/windows/configure/images/waas-sccm-fig1.png
new file mode 100644
index 0000000000..6bf2b1c621
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig1.png differ
diff --git a/windows/configure/images/waas-sccm-fig10.png b/windows/configure/images/waas-sccm-fig10.png
new file mode 100644
index 0000000000..ad3b5c922f
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig10.png differ
diff --git a/windows/configure/images/waas-sccm-fig11.png b/windows/configure/images/waas-sccm-fig11.png
new file mode 100644
index 0000000000..6c4f905630
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig11.png differ
diff --git a/windows/configure/images/waas-sccm-fig12.png b/windows/configure/images/waas-sccm-fig12.png
new file mode 100644
index 0000000000..87464dd5f1
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig12.png differ
diff --git a/windows/configure/images/waas-sccm-fig2.png b/windows/configure/images/waas-sccm-fig2.png
new file mode 100644
index 0000000000..c83e7bc781
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig2.png differ
diff --git a/windows/configure/images/waas-sccm-fig3.png b/windows/configure/images/waas-sccm-fig3.png
new file mode 100644
index 0000000000..dcbc83b8ff
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig3.png differ
diff --git a/windows/configure/images/waas-sccm-fig4.png b/windows/configure/images/waas-sccm-fig4.png
new file mode 100644
index 0000000000..782c5ca6ef
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig4.png differ
diff --git a/windows/configure/images/waas-sccm-fig5.png b/windows/configure/images/waas-sccm-fig5.png
new file mode 100644
index 0000000000..cb399a6c6f
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig5.png differ
diff --git a/windows/configure/images/waas-sccm-fig6.png b/windows/configure/images/waas-sccm-fig6.png
new file mode 100644
index 0000000000..77dd02d61e
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig6.png differ
diff --git a/windows/configure/images/waas-sccm-fig7.png b/windows/configure/images/waas-sccm-fig7.png
new file mode 100644
index 0000000000..a74c7c8133
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig7.png differ
diff --git a/windows/configure/images/waas-sccm-fig8.png b/windows/configure/images/waas-sccm-fig8.png
new file mode 100644
index 0000000000..2dfaf75ddf
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig8.png differ
diff --git a/windows/configure/images/waas-sccm-fig9.png b/windows/configure/images/waas-sccm-fig9.png
new file mode 100644
index 0000000000..311d79dc94
Binary files /dev/null and b/windows/configure/images/waas-sccm-fig9.png differ
diff --git a/windows/configure/images/waas-strategy-fig1a.png b/windows/configure/images/waas-strategy-fig1a.png
new file mode 100644
index 0000000000..7a924c43bc
Binary files /dev/null and b/windows/configure/images/waas-strategy-fig1a.png differ
diff --git a/windows/configure/images/waas-wsus-fig1.png b/windows/configure/images/waas-wsus-fig1.png
new file mode 100644
index 0000000000..14bf35958a
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig1.png differ
diff --git a/windows/configure/images/waas-wsus-fig10.png b/windows/configure/images/waas-wsus-fig10.png
new file mode 100644
index 0000000000..3efa119693
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig10.png differ
diff --git a/windows/configure/images/waas-wsus-fig11.png b/windows/configure/images/waas-wsus-fig11.png
new file mode 100644
index 0000000000..ae6d79221a
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig11.png differ
diff --git a/windows/configure/images/waas-wsus-fig12.png b/windows/configure/images/waas-wsus-fig12.png
new file mode 100644
index 0000000000..47479ea1df
Binary files /dev/null and b/windows/configure/images/waas-wsus-fig12.png differ
diff --git a/windows/configure/images/waas-wsus-fig13.png b/windows/configure/images/waas-wsus-fig13.png new file mode 100644 index 0000000000..f0b1578094 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig13.png differ diff --git a/windows/configure/images/waas-wsus-fig14.png b/windows/configure/images/waas-wsus-fig14.png new file mode 100644 index 0000000000..b5b930ddad Binary files /dev/null and b/windows/configure/images/waas-wsus-fig14.png differ diff --git a/windows/configure/images/waas-wsus-fig15.png b/windows/configure/images/waas-wsus-fig15.png new file mode 100644 index 0000000000..95e38c039e Binary files /dev/null and b/windows/configure/images/waas-wsus-fig15.png differ diff --git a/windows/configure/images/waas-wsus-fig16.png b/windows/configure/images/waas-wsus-fig16.png new file mode 100644 index 0000000000..3848ac1772 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig16.png differ diff --git a/windows/configure/images/waas-wsus-fig17.png b/windows/configure/images/waas-wsus-fig17.png new file mode 100644 index 0000000000..5511da3e5c Binary files /dev/null and b/windows/configure/images/waas-wsus-fig17.png differ diff --git a/windows/configure/images/waas-wsus-fig18.png b/windows/configure/images/waas-wsus-fig18.png new file mode 100644 index 0000000000..f9ac774754 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig18.png differ diff --git a/windows/configure/images/waas-wsus-fig19.png b/windows/configure/images/waas-wsus-fig19.png new file mode 100644 index 0000000000..f69d793afe Binary files /dev/null and b/windows/configure/images/waas-wsus-fig19.png differ diff --git a/windows/configure/images/waas-wsus-fig2.png b/windows/configure/images/waas-wsus-fig2.png new file mode 100644 index 0000000000..167774a6c9 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig2.png differ 
diff --git a/windows/configure/images/waas-wsus-fig20.png b/windows/configure/images/waas-wsus-fig20.png new file mode 100644 index 0000000000..ea6bbb350a Binary files /dev/null and b/windows/configure/images/waas-wsus-fig20.png differ diff --git a/windows/configure/images/waas-wsus-fig3.png b/windows/configure/images/waas-wsus-fig3.png new file mode 100644 index 0000000000..272e8c05e9 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig3.png differ diff --git a/windows/configure/images/waas-wsus-fig4.png b/windows/configure/images/waas-wsus-fig4.png new file mode 100644 index 0000000000..bb5f27e3da Binary files /dev/null and b/windows/configure/images/waas-wsus-fig4.png differ diff --git a/windows/configure/images/waas-wsus-fig5.png b/windows/configure/images/waas-wsus-fig5.png new file mode 100644 index 0000000000..23faf303c6 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig5.png differ diff --git a/windows/configure/images/waas-wsus-fig6.png b/windows/configure/images/waas-wsus-fig6.png new file mode 100644 index 0000000000..7857351d19 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig6.png differ diff --git a/windows/configure/images/waas-wsus-fig7.png b/windows/configure/images/waas-wsus-fig7.png new file mode 100644 index 0000000000..e7f02649d2 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig7.png differ diff --git a/windows/configure/images/waas-wsus-fig8.png b/windows/configure/images/waas-wsus-fig8.png new file mode 100644 index 0000000000..da5f620425 Binary files /dev/null and b/windows/configure/images/waas-wsus-fig8.png differ diff --git a/windows/configure/images/waas-wsus-fig9.png b/windows/configure/images/waas-wsus-fig9.png new file mode 100644 index 0000000000..f3d5a4eb6a Binary files /dev/null and b/windows/configure/images/waas-wsus-fig9.png differ 
diff --git a/windows/configure/images/waas-wufb-gp-broad.png b/windows/configure/images/waas-wufb-gp-broad.png new file mode 100644 index 0000000000..92b71c8936 Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-broad.png differ diff --git a/windows/configure/images/waas-wufb-gp-cb2-settings.png b/windows/configure/images/waas-wufb-gp-cb2-settings.png new file mode 100644 index 0000000000..ae6ed4d856 Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cb2-settings.png differ diff --git a/windows/configure/images/waas-wufb-gp-cb2.png b/windows/configure/images/waas-wufb-gp-cb2.png new file mode 100644 index 0000000000..006a8c02d3 Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cb2.png differ diff --git a/windows/configure/images/waas-wufb-gp-cbb1-settings.png b/windows/configure/images/waas-wufb-gp-cbb1-settings.png new file mode 100644 index 0000000000..c9e1029b8b Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cbb1-settings.png differ diff --git a/windows/configure/images/waas-wufb-gp-cbb2-settings.png b/windows/configure/images/waas-wufb-gp-cbb2-settings.png new file mode 100644 index 0000000000..e5aff1cc89 Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cbb2-settings.png differ diff --git a/windows/configure/images/waas-wufb-gp-cbb2q-settings.png b/windows/configure/images/waas-wufb-gp-cbb2q-settings.png new file mode 100644 index 0000000000..33a02165c6 Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-cbb2q-settings.png differ diff --git a/windows/configure/images/waas-wufb-gp-create.png b/windows/configure/images/waas-wufb-gp-create.png new file mode 100644 index 0000000000..d74eec4b2e Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-create.png differ 
diff --git a/windows/configure/images/waas-wufb-gp-edit-defer.png b/windows/configure/images/waas-wufb-gp-edit-defer.png new file mode 100644 index 0000000000..c697b42ffd Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-edit-defer.png differ diff --git a/windows/configure/images/waas-wufb-gp-edit.png b/windows/configure/images/waas-wufb-gp-edit.png new file mode 100644 index 0000000000..1b8d21a175 Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-edit.png differ diff --git a/windows/configure/images/waas-wufb-gp-scope-cb2.png b/windows/configure/images/waas-wufb-gp-scope-cb2.png new file mode 100644 index 0000000000..fcacdbea57 Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-scope-cb2.png differ diff --git a/windows/configure/images/waas-wufb-gp-scope.png b/windows/configure/images/waas-wufb-gp-scope.png new file mode 100644 index 0000000000..a04d8194df Binary files /dev/null and b/windows/configure/images/waas-wufb-gp-scope.png differ diff --git a/windows/configure/images/waas-wufb-intune-cb2a.png b/windows/configure/images/waas-wufb-intune-cb2a.png new file mode 100644 index 0000000000..3e8c1ce19e Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-cb2a.png differ diff --git a/windows/configure/images/waas-wufb-intune-cbb1a.png b/windows/configure/images/waas-wufb-intune-cbb1a.png new file mode 100644 index 0000000000..bc394fe563 Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-cbb1a.png differ diff --git a/windows/configure/images/waas-wufb-intune-cbb2a.png b/windows/configure/images/waas-wufb-intune-cbb2a.png new file mode 100644 index 0000000000..a980e0e43a Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-cbb2a.png differ 
diff --git a/windows/configure/images/waas-wufb-intune-step11a.png b/windows/configure/images/waas-wufb-intune-step11a.png new file mode 100644 index 0000000000..7291484c93 Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step11a.png differ diff --git a/windows/configure/images/waas-wufb-intune-step19a.png b/windows/configure/images/waas-wufb-intune-step19a.png new file mode 100644 index 0000000000..de132abd28 Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step19a.png differ diff --git a/windows/configure/images/waas-wufb-intune-step2a.png b/windows/configure/images/waas-wufb-intune-step2a.png new file mode 100644 index 0000000000..9a719b8fda Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step2a.png differ diff --git a/windows/configure/images/waas-wufb-intune-step7a.png b/windows/configure/images/waas-wufb-intune-step7a.png new file mode 100644 index 0000000000..daa96ba18c Binary files /dev/null and b/windows/configure/images/waas-wufb-intune-step7a.png differ diff --git a/windows/configure/images/wcd-app-commands.PNG b/windows/configure/images/wcd-app-commands.PNG new file mode 100644 index 0000000000..e52908960f Binary files /dev/null and b/windows/configure/images/wcd-app-commands.PNG differ diff --git a/windows/configure/images/wcd-app-name.PNG b/windows/configure/images/wcd-app-name.PNG new file mode 100644 index 0000000000..23ff06eada Binary files /dev/null and b/windows/configure/images/wcd-app-name.PNG differ diff --git a/windows/configure/images/who-owns-pc.png b/windows/configure/images/who-owns-pc.png new file mode 100644 index 0000000000..d3ce1def8d Binary files /dev/null and b/windows/configure/images/who-owns-pc.png differ diff --git a/windows/configure/images/wifisense-grouppolicy.png b/windows/configure/images/wifisense-grouppolicy.png new file mode 100644 index 0000000000..1142d834bd Binary files /dev/null and b/windows/configure/images/wifisense-grouppolicy.png differ 
diff --git a/windows/configure/images/wifisense-registry.png b/windows/configure/images/wifisense-registry.png new file mode 100644 index 0000000000..cbb1fa8347 Binary files /dev/null and b/windows/configure/images/wifisense-registry.png differ diff --git a/windows/configure/images/wifisense-settingscreens.png b/windows/configure/images/wifisense-settingscreens.png new file mode 100644 index 0000000000..cbb6903177 Binary files /dev/null and b/windows/configure/images/wifisense-settingscreens.png differ diff --git a/windows/configure/images/win-10-adk-select.png b/windows/configure/images/win-10-adk-select.png new file mode 100644 index 0000000000..1dfaa23175 Binary files /dev/null and b/windows/configure/images/win-10-adk-select.png differ diff --git a/windows/configure/images/win10-mobile-mdm-fig1.png b/windows/configure/images/win10-mobile-mdm-fig1.png new file mode 100644 index 0000000000..6ddac1df99 Binary files /dev/null and b/windows/configure/images/win10-mobile-mdm-fig1.png differ diff --git a/windows/configure/images/win10-set-up-work-or-school.png b/windows/configure/images/win10-set-up-work-or-school.png new file mode 100644 index 0000000000..0ca83fb0e1 Binary files /dev/null and b/windows/configure/images/win10-set-up-work-or-school.png differ diff --git a/windows/configure/images/win10servicing-fig2-featureupgrade.png b/windows/configure/images/win10servicing-fig2-featureupgrade.png new file mode 100644 index 0000000000..e4dc76b44f Binary files /dev/null and b/windows/configure/images/win10servicing-fig2-featureupgrade.png differ diff --git a/windows/configure/images/win10servicing-fig3.png b/windows/configure/images/win10servicing-fig3.png new file mode 100644 index 0000000000..688f92b173 Binary files /dev/null and b/windows/configure/images/win10servicing-fig3.png differ 
diff --git a/windows/configure/images/win10servicing-fig4-upgradereleases.png b/windows/configure/images/win10servicing-fig4-upgradereleases.png new file mode 100644 index 0000000000..961c8bebe2 Binary files /dev/null and b/windows/configure/images/win10servicing-fig4-upgradereleases.png differ diff --git a/windows/configure/images/win10servicing-fig5.png b/windows/configure/images/win10servicing-fig5.png new file mode 100644 index 0000000000..dc4b2fc5b2 Binary files /dev/null and b/windows/configure/images/win10servicing-fig5.png differ diff --git a/windows/configure/images/win10servicing-fig6.png b/windows/configure/images/win10servicing-fig6.png new file mode 100644 index 0000000000..4cdc5f9c6f Binary files /dev/null and b/windows/configure/images/win10servicing-fig6.png differ diff --git a/windows/configure/images/win10servicing-fig7.png b/windows/configure/images/win10servicing-fig7.png new file mode 100644 index 0000000000..0a9a851449 Binary files /dev/null and b/windows/configure/images/win10servicing-fig7.png differ diff --git a/windows/configure/images/windows-10-management-cyod-byod-flow.png b/windows/configure/images/windows-10-management-cyod-byod-flow.png new file mode 100644 index 0000000000..6121e93832 Binary files /dev/null and b/windows/configure/images/windows-10-management-cyod-byod-flow.png differ diff --git a/windows/configure/images/windows-10-management-gp-intune-flow.png b/windows/configure/images/windows-10-management-gp-intune-flow.png new file mode 100644 index 0000000000..c9e3f2ea31 Binary files /dev/null and b/windows/configure/images/windows-10-management-gp-intune-flow.png differ diff --git a/windows/configure/images/windows-10-management-range-of-options.png b/windows/configure/images/windows-10-management-range-of-options.png new file mode 100644 index 0000000000..e4de546709 Binary files /dev/null and b/windows/configure/images/windows-10-management-range-of-options.png differ 
diff --git a/windows/configure/images/windows-icd.png b/windows/configure/images/windows-icd.png new file mode 100644 index 0000000000..4bc8a18f4c Binary files /dev/null and b/windows/configure/images/windows-icd.png differ diff --git a/windows/configure/images/wsfb-distribute.png b/windows/configure/images/wsfb-distribute.png new file mode 100644 index 0000000000..d0482f6ebe Binary files /dev/null and b/windows/configure/images/wsfb-distribute.png differ diff --git a/windows/configure/images/wsfb-firstrun.png b/windows/configure/images/wsfb-firstrun.png new file mode 100644 index 0000000000..2673567a1e Binary files /dev/null and b/windows/configure/images/wsfb-firstrun.png differ diff --git a/windows/configure/images/wsfb-inventory-viewlicense.png b/windows/configure/images/wsfb-inventory-viewlicense.png new file mode 100644 index 0000000000..9fafad1aff Binary files /dev/null and b/windows/configure/images/wsfb-inventory-viewlicense.png differ diff --git a/windows/configure/images/wsfb-inventory.png b/windows/configure/images/wsfb-inventory.png new file mode 100644 index 0000000000..b060fb30e4 Binary files /dev/null and b/windows/configure/images/wsfb-inventory.png differ diff --git a/windows/configure/images/wsfb-inventoryaddprivatestore.png b/windows/configure/images/wsfb-inventoryaddprivatestore.png new file mode 100644 index 0000000000..bb1152e35b Binary files /dev/null and b/windows/configure/images/wsfb-inventoryaddprivatestore.png differ diff --git a/windows/configure/images/wsfb-landing.png b/windows/configure/images/wsfb-landing.png new file mode 100644 index 0000000000..beae0b52af Binary files /dev/null and b/windows/configure/images/wsfb-landing.png differ diff --git a/windows/configure/images/wsfb-licenseassign.png b/windows/configure/images/wsfb-licenseassign.png new file mode 100644 index 0000000000..5904abb3b9 Binary files /dev/null and b/windows/configure/images/wsfb-licenseassign.png differ 
diff --git a/windows/configure/images/wsfb-licensedetails.png b/windows/configure/images/wsfb-licensedetails.png new file mode 100644 index 0000000000..53e0f5c935 Binary files /dev/null and b/windows/configure/images/wsfb-licensedetails.png differ diff --git a/windows/configure/images/wsfb-licensereclaim.png b/windows/configure/images/wsfb-licensereclaim.png new file mode 100644 index 0000000000..9f94cd3600 Binary files /dev/null and b/windows/configure/images/wsfb-licensereclaim.png differ diff --git a/windows/configure/images/wsfb-manageinventory.png b/windows/configure/images/wsfb-manageinventory.png new file mode 100644 index 0000000000..9a544ddc21 Binary files /dev/null and b/windows/configure/images/wsfb-manageinventory.png differ diff --git a/windows/configure/images/wsfb-offline-distribute-mdm.png b/windows/configure/images/wsfb-offline-distribute-mdm.png new file mode 100644 index 0000000000..ec0e77a9a9 Binary files /dev/null and b/windows/configure/images/wsfb-offline-distribute-mdm.png differ diff --git a/windows/configure/images/wsfb-onboard-1.png b/windows/configure/images/wsfb-onboard-1.png new file mode 100644 index 0000000000..012e91a845 Binary files /dev/null and b/windows/configure/images/wsfb-onboard-1.png differ diff --git a/windows/configure/images/wsfb-onboard-2.png b/windows/configure/images/wsfb-onboard-2.png new file mode 100644 index 0000000000..2ff98fb1f7 Binary files /dev/null and b/windows/configure/images/wsfb-onboard-2.png differ diff --git a/windows/configure/images/wsfb-onboard-3.png b/windows/configure/images/wsfb-onboard-3.png new file mode 100644 index 0000000000..ed9a61d353 Binary files /dev/null and b/windows/configure/images/wsfb-onboard-3.png differ diff --git a/windows/configure/images/wsfb-onboard-4.png b/windows/configure/images/wsfb-onboard-4.png new file mode 100644 index 0000000000..d99185ddc6 Binary files /dev/null and b/windows/configure/images/wsfb-onboard-4.png differ 
diff --git a/windows/configure/images/wsfb-onboard-5.png b/windows/configure/images/wsfb-onboard-5.png new file mode 100644 index 0000000000..68049f4425 Binary files /dev/null and b/windows/configure/images/wsfb-onboard-5.png differ diff --git a/windows/configure/images/wsfb-onboard-7.png b/windows/configure/images/wsfb-onboard-7.png new file mode 100644 index 0000000000..38b7348b21 Binary files /dev/null and b/windows/configure/images/wsfb-onboard-7.png differ diff --git a/windows/configure/images/wsfb-online-distribute-mdm.png b/windows/configure/images/wsfb-online-distribute-mdm.png new file mode 100644 index 0000000000..4b0f7cbf3a Binary files /dev/null and b/windows/configure/images/wsfb-online-distribute-mdm.png differ diff --git a/windows/configure/images/wsfb-paid-app-temp.png b/windows/configure/images/wsfb-paid-app-temp.png new file mode 100644 index 0000000000..89e3857d07 Binary files /dev/null and b/windows/configure/images/wsfb-paid-app-temp.png differ diff --git a/windows/configure/images/wsfb-permissions-assignrole.png b/windows/configure/images/wsfb-permissions-assignrole.png new file mode 100644 index 0000000000..de2e1785ba Binary files /dev/null and b/windows/configure/images/wsfb-permissions-assignrole.png differ diff --git a/windows/configure/images/wsfb-private-store-gpo.PNG b/windows/configure/images/wsfb-private-store-gpo.PNG new file mode 100644 index 0000000000..5e7fe44ec2 Binary files /dev/null and b/windows/configure/images/wsfb-private-store-gpo.PNG differ diff --git a/windows/configure/images/wsfb-privatestore.png b/windows/configure/images/wsfb-privatestore.png new file mode 100644 index 0000000000..74c9f1690d Binary files /dev/null and b/windows/configure/images/wsfb-privatestore.png differ 
diff --git a/windows/configure/images/wsfb-privatestoreapps.png b/windows/configure/images/wsfb-privatestoreapps.png new file mode 100644 index 0000000000..1ddb543796 Binary files /dev/null and b/windows/configure/images/wsfb-privatestoreapps.png differ diff --git a/windows/configure/images/wsfb-renameprivatestore.png b/windows/configure/images/wsfb-renameprivatestore.png new file mode 100644 index 0000000000..c6db282581 Binary files /dev/null and b/windows/configure/images/wsfb-renameprivatestore.png differ diff --git a/windows/configure/images/wsfb-settings-mgmt.png b/windows/configure/images/wsfb-settings-mgmt.png new file mode 100644 index 0000000000..2a7b590d19 Binary files /dev/null and b/windows/configure/images/wsfb-settings-mgmt.png differ diff --git a/windows/configure/images/wsfb-settings-permissions.png b/windows/configure/images/wsfb-settings-permissions.png new file mode 100644 index 0000000000..63d04d270b Binary files /dev/null and b/windows/configure/images/wsfb-settings-permissions.png differ diff --git a/windows/configure/images/wsfb-wsappaddacct.png b/windows/configure/images/wsfb-wsappaddacct.png new file mode 100644 index 0000000000..5c0bd9a4ce Binary files /dev/null and b/windows/configure/images/wsfb-wsappaddacct.png differ diff --git a/windows/configure/images/wsfb-wsappprivatestore.png b/windows/configure/images/wsfb-wsappprivatestore.png new file mode 100644 index 0000000000..9c29e7604c Binary files /dev/null and b/windows/configure/images/wsfb-wsappprivatestore.png differ diff --git a/windows/configure/images/wsfb-wsappsignin.png b/windows/configure/images/wsfb-wsappsignin.png new file mode 100644 index 0000000000..c2c2631a94 Binary files /dev/null and b/windows/configure/images/wsfb-wsappsignin.png differ 
diff --git a/windows/configure/images/wsfb-wsappworkacct.png b/windows/configure/images/wsfb-wsappworkacct.png new file mode 100644 index 0000000000..5eb9035124 Binary files /dev/null and b/windows/configure/images/wsfb-wsappworkacct.png differ diff --git a/windows/configure/images/wufb-config1a.png b/windows/configure/images/wufb-config1a.png new file mode 100644 index 0000000000..1514b87528 Binary files /dev/null and b/windows/configure/images/wufb-config1a.png differ diff --git a/windows/configure/images/wufb-config2.png b/windows/configure/images/wufb-config2.png new file mode 100644 index 0000000000..f54eef9a50 Binary files /dev/null and b/windows/configure/images/wufb-config2.png differ diff --git a/windows/configure/images/wufb-config3a.png b/windows/configure/images/wufb-config3a.png new file mode 100644 index 0000000000..538028cfdc Binary files /dev/null and b/windows/configure/images/wufb-config3a.png differ diff --git a/windows/configure/images/wufb-do.png b/windows/configure/images/wufb-do.png new file mode 100644 index 0000000000..8d6c9d0b8a Binary files /dev/null and b/windows/configure/images/wufb-do.png differ diff --git a/windows/configure/images/wufb-groups.png b/windows/configure/images/wufb-groups.png new file mode 100644 index 0000000000..13cdea04b0 Binary files /dev/null and b/windows/configure/images/wufb-groups.png differ diff --git a/windows/configure/images/wufb-pause-feature.png b/windows/configure/images/wufb-pause-feature.png new file mode 100644 index 0000000000..afeac43e29 Binary files /dev/null and b/windows/configure/images/wufb-pause-feature.png differ diff --git a/windows/configure/images/wufb-qual.png b/windows/configure/images/wufb-qual.png new file mode 100644 index 0000000000..4a93408522 Binary files /dev/null and b/windows/configure/images/wufb-qual.png differ 
diff --git a/windows/configure/images/wufb-sccm.png b/windows/configure/images/wufb-sccm.png new file mode 100644 index 0000000000..1d568c1fe4 Binary files /dev/null and b/windows/configure/images/wufb-sccm.png differ diff --git a/windows/configure/images/x_blk.png b/windows/configure/images/x_blk.png new file mode 100644 index 0000000000..69432ff71c Binary files /dev/null and b/windows/configure/images/x_blk.png differ diff --git a/windows/configure/index.md b/windows/configure/index.md new file mode 100644 index 0000000000..41f72b3b92 --- /dev/null +++ b/windows/configure/index.md 
@@ -0,0 +1,37 @@
+---
+title: Configure Windows 10 (Windows 10)
+description: Learn about configuring Windows 10.
+keywords: Windows 10, MDM, WSUS, Windows update
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Configure Windows 10
+
+Enterprises often need to apply custom configurations to devices for their users. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows 10.
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows telemetry in your organization. |
+| [Basic level Windows diagnostic data](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703. |
+| [Windows 10, version 1703 diagnostic data](windows-diagnostic-data.md) | Learn about the types of data that is collected at the full level in Windows 10, version 1703. |
+| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
+| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. 
| 
+| [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
+| [Configure Windows 10 Mobile devices](configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. |
+| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. |
+| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. |
+| [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store. |
+| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. |
+| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. 
| 
+| [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | This topic lists new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile. |
+
+
+
+
diff --git a/windows/configure/kiosk-shared-pc.md b/windows/configure/kiosk-shared-pc.md
new file mode 100644
index 0000000000..d5d72c26b4
--- /dev/null
+++ b/windows/configure/kiosk-shared-pc.md
@@ -0,0 +1,23 @@
+---
+title: Configure kiosk and shared devices running Windows desktop editions (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: jdeckerMS
+---
+
+# Configure kiosk and shared devices running Windows desktop editions
+
+Some desktop devices in an enterprise serve a special purpose, such as a common PC in a touchdown space that any employee can sign in to, or a PC in the lobby that customers can use to view your product catalog. Windows 10 is easy to configure for shared use or for use as a kiosk (single app).
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. |
+| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | You can configure a device running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education as a kiosk device, so that users can only interact with a single application that you select. |
+| [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | You can choose almost any Windows app for assigned access; however, some apps may not provide a good user experience. This topic provides guidelines to help you choose an approprate app for a kiosk device. |
+| [Lock down Windows 10 to specific apps (AppLocker)](lock-down-windows-10-to-specific-apps.md) | Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to a kiosk device, but with multiple apps available. 
For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings. |
\ No newline at end of file
diff --git a/windows/manage/lock-down-windows-10-to-specific-apps.md b/windows/configure/lock-down-windows-10-to-specific-apps.md
similarity index 97%
rename from windows/manage/lock-down-windows-10-to-specific-apps.md
rename to windows/configure/lock-down-windows-10-to-specific-apps.md
index 8ab992a6f0..8ae79ef7f2 100644
--- a/windows/manage/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configure/lock-down-windows-10-to-specific-apps.md
@@ -112,14 +112,11 @@ In addition to specifying the apps that users can run, you should also restrict
 To learn more about locking down features, see [Customizations for Windows 10 Enterprise](https://go.microsoft.com/fwlink/p/?LinkId=691442).
-## Customize Start screen layout for the device
+## Customize Start screen layout for the device (recommended)
 Configure the Start menu on the device to only show tiles for the permitted apps. You will make the changes manually, export the layout to an .xml file, and then apply that file to devices to prevent users from making changes. For instructions, see [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md).
-## Related topics
-
-- [Provisioning packages for Windows 10](../deploy/provisioning-packages.md)
  
diff --git a/windows/configure/lock-down-windows-10.md b/windows/configure/lock-down-windows-10.md
new file mode 100644
index 0000000000..d4ab1e35cb
--- /dev/null
+++ b/windows/configure/lock-down-windows-10.md
@@ -0,0 +1,15 @@
+---
+title: Lock down Windows 10 (Windows 10)
+description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
+ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
+keywords: lockdown
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Lock down Windows 10
+
diff --git a/windows/manage/lockdown-features-windows-10.md b/windows/configure/lockdown-features-windows-10.md
similarity index 100%
rename from windows/manage/lockdown-features-windows-10.md
rename to windows/configure/lockdown-features-windows-10.md
diff --git a/windows/manage/lockdown-xml.md b/windows/configure/lockdown-xml.md
similarity index 86%
rename from windows/manage/lockdown-xml.md
rename to windows/configure/lockdown-xml.md
index 936ed8c310..36fa6806f7 100644
--- a/windows/manage/lockdown-xml.md
+++ b/windows/configure/lockdown-xml.md
@@ -19,9 +19,9 @@ localizationpriority: high Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. -This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. +This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. -Lockdown XML is an XML file that contains settings for Windows 10 Mobile. When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). +In this topic, you'll learn how to create an XML file that contains all lockdown entries available in the AssignedAccessXml area of the [EnterpriseAssignedAccess configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-csp). This topic provides example XML that you can use in your own lockdown XML file that can be included in a provisioning package or when using a mobile device management (MDM) solution to push lockdown settings to enrolled devices. 
You can also use the [Lockdown Designer app](mobile-lockdown-designer.md) to configure and export your lockdown XML file. > [!NOTE] > On Windows 10 desktop editions, *assigned access* is a feature that lets you configure the device to run a single app above the lockscreen ([kiosk mode](set-up-a-device-for-anyone-to-use.md)). On a Windows 10 Mobile device, assigned access refers to the lockdown settings in AssignedAccessXml in the [EnterpriseAssignedAccess configuration service provider (CSP)](https://go.microsoft.com/fwlink/p/?LinkID=618601). @@ -33,17 +33,17 @@ If you're not familiar with CSPs, read [Introduction to configuration service pr Let's start by looking at the basic structure of the lockdown XML file. You can start your file by pasting the following XML (or any other examples in this topic) into a text or XML editor, and saving the file as *filename*.xml. ```xml - - + + - - - - - - - - + + + + + + + + ``` @@ -52,7 +52,8 @@ Let's start by looking at the basic structure of the lockdown XML file. You can The settings for the Default role and other roles must be listed in your XML file in the order presented in this topic. All of the entries are optional. If you don't include a setting, that aspect of the device will operate as it would for an nonconfigured device. -> **Tip**  Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. +>[!TIP] +>Keep your XML file easy to work with and to understand by using proper indentation and adding comments for each setting you configure. ## Action Center 
@@ -90,7 +91,7 @@ The following example is a complete lockdown XML file that disables Action Cente The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. -You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) +You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) The following example makes Outlook Calendar available on the device. @@ -325,27 +326,28 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when ![XML for settings](images/SettingsXML.png) -The **Settings** section contains an `allow` list of pages in the Settings app. The following example allows all settings. +The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings. ```xml ``` -In the following example, all system setting pages are enabled. +In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI. + +In the following example for Windows 10, version 1703, all system setting pages that have a settings URI are enabled. ```xml - - - - - - - - - - + + + + + + + + + ``` 
@@ -372,58 +374,61 @@ For a list of the settings and quick actions that you can allow or block, see [S ## Start screen size Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: - * Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). - * Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). - + - Small sets the width to 4 columns on devices with short axis (less than 400epx) or 6 columns on devices with short axis (greater than or equal to 400epx). + - Large sets the width to 6 columns on devices with short axis (less than 400epx) or 8 columns on devices with short axis (greater than or equal to 400epx). + If you have existing lockdown xml, you must update start screen size if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. [Learn about effective pixel width (epx) for different device size classes.](https://go.microsoft.com/fwlink/p/?LinkId=733340) - ## Configure additional roles +## Configure additional roles - You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. +You can add custom configurations by role. In addition to the role configuration, you must also install a login application on the device. The app displays a list of available roles on the device; the user taps a role, such as "Manager"; the configuration defined for the "Manager" role is applied. 
- [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). +[Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) For reference, see the [Windows.Embedded.DeviceLockdown API](https://msdn.microsoft.com/library/windows/apps/windows.embedded.devicelockdown). - In the XML file, you define each role with a GUID and name, as shown in the following example: +In the XML file, you define each role with a GUID and name, as shown in the following example: - ```xml - - ``` +```xml + +``` + +You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. - You can create a GUID using a GUID generator -- free tools are available online. The GUID needs to be unique within this XML file. +You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. - You can configure the same settings for each role as you did for the default role, except Start screen size which can only be configured for the default role. If you use CSPRunner with roles, be aware that the last CSP setting applied will be retained across roles unless explicitly changed in each role configuration. CSP settings applied by CSPRunner may conflict with settings applied by MDM. 
- - ```xml +```xml - - - - - - - - + + + + + + + + - - - - - - - + + + + + + + - ``` + +## Validate your XML + +You can validate your lockdown XML file against the [EnterpriseAssignedAccess XSD](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseassignedaccess-xsd). ## Add lockdown XML to a provisioning package @@ -474,7 +479,7 @@ After you build the provisioning package, follow the instructions for [applying After you deploy your devices, you can still configure lockdown settings through your MDM solution if it supports the [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). -To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as < in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. +To push lockdown settings to enrolled devices, use the AssignedAccessXML setting and use the lockdown XML as the value. The lockdown XML will be in a HandheldLockdown section that becomes XML embedded in XML, so the XML that you enter must use escaped characters (such as `<` in place of <). After the MDM provider pushes your lockdown settings to the device, the CSP processes the file and updates the device. ## Full Lockdown.xml example @@ -605,13 +610,12 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - + + + - - + + @@ -706,17 +710,16 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting - - - - - + + + + - - + + - - + + 
@@ -858,13 +861,4 @@ To push lockdown settings to enrolled devices, use the AssignedAccessXML setting [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) -[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) - -  - -  - - - - - +[Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) \ No newline at end of file diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md similarity index 66% rename from windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md rename to windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 83ba743e69..8f0ddba047 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configure/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -29,21 +29,32 @@ To help make it easier to deploy settings to restrict connections from Windows 1 We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. -## What's new in Windows 10, version 1607 and Windows Server 2016 +## What's new in Windows 10, version 1703 -Here's a list of changes that were made to this article for Windows 10, version 1607 and Windows Server 2016: +Here's a list of changes that were made to this article for Windows 10, version 1703: -- Added instructions on how to turn off speech recognition and speech synthesis model updates in [14.5 Speech, inking, & typing](#bkmk-priv-speech). -- Added instructions on how to turn off flip ahead with an Internet Explorer Group Policy. -- Added a section on how to turn off automatic root updates to stop updating the certificate trust list in [1. Certificate trust lists](#certificate-trust-lists). -- Added a new setting in [25. Windows Update](#bkmk-wu). -- Changed the NCSI URL in [11. Network Connection Status Indicator](#bkmk-ncsi). -- Added a section on how to turn off features that depend on Microsoft Account cloud authentication service [10. Microsoft Account](#bkmk-microsoft-account). +- Added an MDM policy for Font streaming. +- Added an MDM policy for Network Connection Status Indicator. +- Added an MDM policy for the Micosoft Account Sign-In Assistant. +- Added instructions for removing the Sticky Notes app. 
+- Added registry paths for some Group Policies +- Added the Find My Device section +- Added the Tasks section +- Added the App Diagnostics section - Added the following Group Policies: - - Turn off unsolicited network traffic on the Offline Maps settings page - - Turn off all Windows spotlight features + - Prevent managing SmartScreen Filter + - Turn off Compatibility View + - Turn off Automatic Download and Install of updates + - Do not connect to any Windows Update locations + - Turn off access to all Windows Update features + - Specify Intranet Microsoft update service location + - Enable Windows NTP client + - Turn off Automatic download of the ActiveX VersionList + - Allow Automatic Update of Speech Data + - Accounts: Block Microsoft Accounts + - Do not use diagnostic data for tailored experiences ## Settings 
@@ -52,55 +63,58 @@ The following sections list the components that make network connections to Micr If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch. -### Settings for Windows 10 Enterprise, version 1607 +### Settings for Windows 10 Enterprise, version 1703 -See the following table for a summary of the management settings for Windows 10 Enterprise, version 1607. +See the following table for a summary of the management settings for Windows 10 Enterprise, version 1703. | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | | | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | | -| [9. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | | ![Check mark](images/checkmark.png) | | -| [11. 
Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | | -| [13. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [15. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -|     [16.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     
[16.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -|     [16.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -|     [16.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -|     [16.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | -|     [16.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [18. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | | ![Check mark](images/checkmark.png) | -| [20. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. 
Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | -| [23. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | | -| [25. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [10. 
Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [17. 
Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check 
mark](images/checkmark.png) | | +|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.13 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.14 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.15 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | | | | | +|     [17.17 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.18 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [17.19 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [21. 
Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [23. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [24. Windows spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [25. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [26. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | ### Settings for Windows Server 2016 with Desktop Experience 
@@ -109,24 +123,24 @@ See the following table for a summary of the management settings for Windows Ser | Setting | UI | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | | -| [5. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [6. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [7. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | -| [8. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | | -| [10. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | | -| [14. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | -| [16. Settings > Privacy](#bkmk-settingssection) | | | | | -|     [16.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [17. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [22. 
Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | -| [24. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | | -| [26. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | | +| [17. Settings > Privacy](#bkmk-settingssection) | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [20. 
Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [23. Windows Media Player](#bkmk-wmp) | | | | ![Check mark](images/checkmark.png) | +| [25. Windows Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Server Core 
@@ -135,13 +149,13 @@ See the following table for a summary of the management settings for Windows Ser | Setting | Group Policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [3. Date & Time](#bkmk-datetime) | | ![Check mark](images/checkmark.png) | | -| [5. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [12. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | -| [17. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | -| [19. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | -| [21. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | | | +| [18. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | | | +| [20. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | +| [22. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ### Settings for Windows Server 2016 Nano Server 
@@ -151,8 +165,8 @@ See the following table for a summary of the management settings for Windows Ser | - | :-: | :-: | :-: | :-: | :-: | | [1. Certificate trust lists](#certificate-trust-lists) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | | -| [19. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | -| [26. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +| [20. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | +| [27. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | ## Settings @@ -164,6 +178,10 @@ A certificate trust list is a predefined list of items, such as a list of certif To turn off the automatic download of an updated certificate trust list, you can turn off automatic root updates, which also includes the disallowed certificate list and the pin rules list. +> [!CAUTION] +> By not automatically downloading the root certificates, the device might have not be able to connect to some websites. + + For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** @@ -209,6 +227,16 @@ Find the Cortana Group Policy objects under **Computer Configuration** > **Ad | Don't search the web or display web results in Search| Choose whether to search the web from Cortana.

        Enable this policy to stop web queries and results from showing in Search. | | Set what information is shared in Search | Control what information is shared with Bing in Search.

        If you enable this policy and set it to **Anonymous info**, usage information will be shared but not search history, Microsoft Account information, or specific location. | +You can also apply the Group Policies using the following registry keys: + +| Policy | Registry Path | +|------------------------------------------------------|---------------------------------------------------------------------------------------| +| Allow Cortana | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowCortana
        REG_DWORD: 0| +| Allow search and Cortana to use location | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!AllowSearchToUseLocation
        REG_DWORD: 0 | +| Do not allow web search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!DisableWebSearch
        REG_DWORD: 1 | +| Don't search the web or display web results in Search| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchUseWeb
        REG_DWORD: 0 | +| Set what information is shared in Search | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search!ConnectedSearchPrivacy
        REG_DWORD: 3 | + In Windows 10, version 1507 and Windows 10, version 1511, when you enable the **Don't search the web or display web results in Search** Group Policy, you can control the behavior of whether Cortana searches the web to display web results. However, this policy only covers whether or not web search is performed. There could still be a small amount of network traffic to Bing.com to evaluate if certain Cortana components are up-to-date or not. In order to turn off that network activity completely, you can create a Windows Firewall rule to prevent outbound traffic. >[!IMPORTANT] 
@@ -258,17 +286,47 @@ You can prevent Windows from setting the time automatically. -or- +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Enable Windows NTP Client** + + -or - + +- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero). + + -or- + - Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. ### 4. Device metadata retrieval To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. -### 5. Font streaming +You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). + +### 5. Find My Device + +To turn off Find My Device: + +- Turn off the feature in the UI + + -or + +- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device** + +You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Device Metadata!PreventDeviceMetadataFromNetwork** to 1 (one). + +### 6. Font streaming Fonts that are included in Windows but that are not stored on the local device can be downloaded on demand. -If you're running Windows 10, version 1607 or Windows Server 2016, disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. 
+If you're running Windows 10, version 1607, Windows Server 2016, or later: + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **Fonts** > **Enable Font Providers**. + +- In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: + + - **false**. Font streaming is disabled. + + - **true**. Font streaming is enabled. If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting called **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters**, with a value of 1. @@ -276,7 +334,7 @@ If you're running Windows 10, version 1507 or Windows 10, version 1511, create a > After you apply this policy, you must restart the device for it to take effect. -### 6. Insider Preview builds +### 7. Insider Preview builds The Windows Insider Preview program lets you help shape the future of Windows, be part of the community, and get early access to releases of Windows 10. @@ -298,6 +356,10 @@ To turn off Insider Preview builds for Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. + -or - + +- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero) + -or- - Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: 
@@ -318,7 +380,7 @@ To turn off Insider Preview builds for Windows 10: - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. -### 7. Internet Explorer +### 8. Internet Explorer Use Group Policy to manage settings for Internet Explorer. You can find the Internet Explorer Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer**. @@ -329,27 +391,64 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar.
        Default: Disabled
        You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version.
        Default: Enabled | | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
        Default: Disabled| +| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer.
        Default: Disabled | -There are two more Group Policy objects that are used by Internet Explorer: +Alternatively, you could use the registry to set the Group Policies. + +| Policy | Registry path | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled
        REG_DWORD: 0| +| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA
        REG_DWORD: 0| +| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest
        REG_SZ: **No** | +| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck
        REG_DWORD: 1 | +| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation
        REG_DWORD: 1 | +| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9
        REG_DWORD: 0 | + +There are three more Group Policy objects that are used by Internet Explorer: | Path | Policy | Description | | - | - | - | +| **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Compatibility View** > **Turn off Compatibility View** | Choose whether employees can configure Compatibility View. | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
        Default: Disabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Internet Control Panel** > **Advanced Page** | Turn off the flip ahead with page prediction feature | Choose whether an employee can swipe across a screen or click forward to go to the next pre-loaded page of a website.
        Default: Enabled | | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **RSS Feeds** | Turn off background synchronization for feeds and Web Slices | Choose whether to have background synchronization for feeds and Web Slices.
        Default: Enabled | -### 7.1 ActiveX control blocking +You can also use registry entries to set these Group Policies. -ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. You can turn this off by changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). +| Policy | Registry path | +|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Choose whether employees can configure Compatibility View. | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BrowserEmulation!MSCompatibilityMode
        REG_DWORD: 0| +| Turn off the flip ahead with page prediction feature | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\FlipAhead!Enabled
        REG_DWORD: 0| +| Turn off background synchronization for feeds and Web Slices | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds!BackgroundSyncStatus
        DWORD:0 | + +To turn off the home page, enable the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Disable changing home page settings** + +### 8.1 ActiveX control blocking + +ActiveX control blocking periodically downloads a new list of out-of-date ActiveX controls that should be blocked. + +You can turn this off by: + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList** + + -or - + +- Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). For more info, see [Out-of-date ActiveX control blocking](http://technet.microsoft.com/library/dn761713.aspx). -### 8. Live Tiles +### 9. Live Tiles To turn off Live Tiles: - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** -### 9. Mail synchronization + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications!NoCloudApplicationNotification**, with a value of 1 (one). + +You must also unpin all tiles that are pinned to Start. + +### 10. Mail synchronization To turn off mail synchronization for Microsoft Accounts that are configured on a device: 
@@ -367,33 +466,39 @@ To turn off the Windows Mail app: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** -### 10. Microsoft Account + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows Mail!ManualLaunchAllowed**, with a value of 0 (zero). + +### 11. Microsoft Account To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. -- Change the **Start** REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\wlidsvc** to 4. +- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. + +To disable the Microsoft Account Sign-In Assistant: + +- Apply the Accounts/AllowMicrosoftAccountSignInAssistant MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. -### 11. Microsoft Edge +### 12. Microsoft Edge Use either Group Policy or MDM policies to manage settings for Microsoft Edge. For more info, see [Microsoft Edge and privacy: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730682). -### 11.1 Microsoft Edge Group Policies +### 12.1 Microsoft Edge Group Policies Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**. -> [!NOTE] -> The Microsoft Edge Group Policy names were changed in Windows 10, version 1607. The table below reflects those changes. 
| Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Configure autofill | Choose whether employees can use autofill on websites.
        Default: Enabled | +| Configure Autofill | Choose whether employees can use autofill on websites.
        Default: Enabled | | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
        Default: Disabled | -| Configure password manager | Choose whether employees can save passwords locally on their devices.
        Default: Enabled | +| Configure Password Manager | Choose whether employees can save passwords locally on their devices.
        Default: Enabled | | Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions.
        Default: Enabled | -| Configure SmartScreen Filter | Choose whether SmartScreen is turned on or off.
        Default: Enabled | +| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
        Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
        Default: Enabled | | Allow web content on New Tab page | Choose whether a new tab page appears.
        Default: Enabled | -| Configure Home pages | Choose the corporate Home page for domain-joined devices.
        Set this to **about:blank** | +| Configure Start pages | Choose the Start page for domain-joined devices.
        Set this to **about:blank** | The Windows 10, version 1511 Microsoft Edge Group Policy names are: @@ -408,7 +513,20 @@ The Windows 10, version 1511 Microsoft Edge Group Policy names are: | Open a new tab with an empty tab | Choose whether a new tab page appears.
        Default: Enabled | | Configure corporate Home pages | Choose the corporate Home page for domain-joined devices.
        Set this to **about:blank** | -### 11.2 Microsoft Edge MDM policies +Alternatively, you can configure the Microsoft Group Policies using the following registry entries: + +| Policy | Registry path | +| - | - | +| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!Use FormSuggest
        REG_SZ: **about:blank** | +| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!DoNotTrack
        REG_DWORD: 1 | +| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main!FormSuggest Passwords
        REG_SZ: **no** | +| Configure search suggestions in Address bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!ShowSearchSuggestionsGlobal
        REG_DWORD: 0| +| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter!EnabledV9
        REG_DWORD: 0 | +| Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes!AllowWebContentOnNewTabPage
        REG_DWORD: 0 | +| Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI!ProvisionedHomePages
        REG_DWORD: 0| + + +### 12.2 Microsoft Edge MDM policies The following Microsoft Edge MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). 
@@ -423,36 +541,54 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). -### 12. Network Connection Status Indicator +### 13. Network Connection Status Indicator Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](http://blogs.technet.com/b/networking/archive/2012/12/20/the-network-connection-status-icon.aspx). In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was http://www.msftncsi.com. -You can turn off NCSI through Group Policy: +You can turn off NCSI by doing one of the following: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** +- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy. + > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. -### 13. Offline maps +-or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator!NoActiveProbe**, with a value of 0 (zero). + +### 14. Offline maps You can turn off the ability to download and update offline maps. 
- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AutoDownloadAndUpdateMapData**, with a value of 0 (zero). + -and- - In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** -### 14. OneDrive + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage**, with a value of 0 (zero). + +### 15. OneDrive To turn off OneDrive in your organization: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** -### 15. Preinstalled apps + -or- + +- Create a REG\_DWORD registry setting called **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\OneDrive!DisableFileSyncNGSC**, with a value of 1 (one). + +### 16. Preinstalled apps Some preinstalled apps get content before they are opened to ensure a great experience. You can remove these using the steps in this section. 
@@ -564,48 +700,99 @@ To remove the Get Skype app: Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** -### 16. Settings > Privacy +To remove the Sticky notes app: + +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** + + -and- + + Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** + +### 17. Settings > Privacy Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. 
-- [16.1 General](#bkmk-general) +- [17.1 General](#bkmk-general) -- [16.2 Location](#bkmk-priv-location) +- [17.2 Location](#bkmk-priv-location) -- [16.3 Camera](#bkmk-priv-camera) +- [17.3 Camera](#bkmk-priv-camera) -- [16.4 Microphone](#bkmk-priv-microphone) +- [17.4 Microphone](#bkmk-priv-microphone) -- [16.5 Notifications](#bkmk-priv-notifications) +- [17.5 Notifications](#bkmk-priv-notifications) -- [16.6 Speech, inking, & typing](#bkmk-priv-speech) +- [17.6 Speech, inking, & typing](#bkmk-priv-speech) -- [16.7 Account info](#bkmk-priv-accounts) +- [17.7 Account info](#bkmk-priv-accounts) -- [16.8 Contacts](#bkmk-priv-contacts) +- [17.8 Contacts](#bkmk-priv-contacts) -- [16.9 Calendar](#bkmk-priv-calendar) +- [17.9 Calendar](#bkmk-priv-calendar) -- [16.10 Call history](#bkmk-priv-callhistory) +- [17.10 Call history](#bkmk-priv-callhistory) -- [16.11 Email](#bkmk-priv-email) +- [17.11 Email](#bkmk-priv-email) -- [16.12 Messaging](#bkmk-priv-messaging) +- [17.12 Messaging](#bkmk-priv-messaging) -- [16.13 Radios](#bkmk-priv-radios) +- [17.13 Radios](#bkmk-priv-radios) -- [16.14 Other devices](#bkmk-priv-other-devices) +- [17.14 Other devices](#bkmk-priv-other-devices) -- [16.15 Feedback & diagnostics](#bkmk-priv-feedback) +- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) -- [16.16 Background apps](#bkmk-priv-background) +- [17.16 Background apps](#bkmk-priv-background) -- [16.17 Motion](#bkmk-priv-motion) +- [17.17 Motion](#bkmk-priv-motion) -### 16.1 General +- [17.18 Tasks](#bkmk-priv-tasks) + +- [17.19 App Diagnostics](#bkmk-priv-diag) + +### 17.1 General **General** includes options that don't fall into other areas. +#### Windows 10, version 1703 options + +To turn off **Let apps use advertising ID to make ads more interesting to you based on your app usage (turning this off will reset your ID)**: + +> [!NOTE] +> When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. + +- Turn off the feature in the UI. 
+ + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. + + -or- + +- Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). + +To turn off **Let websites provide locally relevant content by accessing my language list**: + +- Turn off the feature in the UI. + + -or- + +- Create a new REG\_DWORD registry setting called **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile**, with a value of 1. + +To turn off **Let Windows track app launches to improve Start and search results**: + +- Turn off the feature in the UI. + + -or- + +- Create a REG_DWORD registry setting called **Start_TrackProgs** with value of 0 (zero) in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** + +#### Windows Server 2016 and Windows 10, version 1607 and earlier options + To turn off **Let apps use my advertising ID for experiences across apps (turning this off will reset your ID)**: > [!NOTE] 
@@ -621,15 +808,21 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG\_DWORD registry setting called **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo**, with a value of 0 (zero). + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AdvertisingInfo!DisabledByGroupPolicy**, with a value of 1 (one). + To turn off **Turn on SmartScreen Filter to check web content (URLs) that Windows Store apps use**: - Turn off the feature in the UI. -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. +- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. + In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. + In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. -or- 
@@ -647,6 +840,10 @@ To turn off **Turn on SmartScreen Filter to check web content (URLs) that Window - Create a REG\_DWORD registry setting called **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost**, with a value of 0 (zero). + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableSmartScreen**, with a value of 0 (zero). + To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: > [!NOTE] @@ -680,11 +877,16 @@ To turn off **Let apps on my other devices open apps and continue experiences on - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\System!EnableCdp**, with a value of 0 (zero). + To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: - Turn off the feature in the UI. -### 16.2 Location + +### 17.2 Location In the **Location** area, you choose whether devices have access to location-specific sensors and which apps have access to the device's location. @@ -696,6 +898,10 @@ To turn off **Location for this device**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessLocation**, with a value of 2 (two). + -or- - Apply the System/AllowLocation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: 
@@ -725,6 +931,10 @@ To turn off **Location**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors!DisableLocation**, with a value of 1 (one). + -or- To turn off **Location history**: @@ -735,7 +945,7 @@ To turn off **Choose apps that can use your location**: - Turn off each app using the UI. -### 16.3 Camera +### 17.3 Camera In the **Camera** area, you can choose which apps can access a device's camera. @@ -749,6 +959,10 @@ To turn off **Let apps use my camera**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCamera**, with a value of 2 (two). + -or- - Apply the Camera/AllowCamera MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: @@ -772,7 +986,7 @@ To turn off **Choose apps that can use your camera**: - Turn off the feature in the UI for each app. -### 16.4 Microphone +### 17.4 Microphone In the **Microphone** area, you can choose which apps can access a device's microphone. @@ -786,11 +1000,15 @@ To turn off **Let apps use my microphone**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMicrophone**, with a value of 2 (two) + To turn off **Choose apps that can use your microphone**: - Turn off the feature in the UI for each app. -### 16.5 Notifications +### 17.5 Notifications In the **Notifications** area, you can choose which apps have access to notifications. 
@@ -800,11 +1018,15 @@ To turn off **Let apps access my notifications**: -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access my notifications** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications** - Set the **Select a setting** box to **Force Deny**. -### 16.6 Speech, inking, & typing + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessNotifications**, with a value of 2 (two) + +### 17.6 Speech, inking, & typing In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better understand your employee's voice and written input by sampling their voice and writing, and by comparing verbal and written input to contact names and calendar entrees. @@ -819,6 +1041,10 @@ To turn off the functionality: - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization!RestrictImplicitInkCollection**, with a value of 1 (one). + -or- - Create a REG\_DWORD registry setting called **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Personalization\\Settings**, with a value of 0 (zero). 
@@ -827,6 +1053,9 @@ To turn off the functionality: - Create a REG\_DWORD registry setting called **HarvestContacts** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\InputPersonalization\\TrainedDataStore**, with a value of 0 (zero). +If you're running at least Windows 10, version 1703, you can turn off updates to the speech recognition and speech synthesis models: + +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatically update of Speech Data** If you're running at least Windows 10, version 1607, you can turn off updates to the speech recognition and speech synthesis models: @@ -839,7 +1068,7 @@ Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https:/ - Create a REG\_DWORD registry setting called **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences**, with a value of 0 (zero). -### 16.7 Account info +### 17.7 Account info In the **Account Info** area, you can choose which apps can access your name, picture, and other account info. @@ -852,12 +1081,16 @@ To turn off **Let apps access my name, picture, and other account info**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two). To turn off **Choose the apps that can access your account info**: - Turn off the feature in the UI for each app. -### 16.8 Contacts +### 17.8 Contacts In the **Contacts** area, you can choose which apps can access an employee's contacts list. 
@@ -871,7 +1104,7 @@ To turn off **Choose apps that can access contacts**: - Set the **Select a setting** box to **Force Deny**. -### 16.9 Calendar +### 17.9 Calendar In the **Calendar** area, you can choose which apps have access to an employee's calendar. @@ -885,11 +1118,15 @@ To turn off **Let apps access my calendar**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCalendar**, with a value of 2 (two). + To turn off **Choose apps that can access calendar**: - Turn off the feature in the UI for each app. -### 16.10 Call history +### 17.10 Call history In the **Call history** area, you can choose which apps have access to an employee's call history. @@ -903,7 +1140,11 @@ To turn off **Let apps access my call history**: - Set the **Select a setting** box to **Force Deny**. -### 16.11 Email + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessCallHistory**, with a value of 2 (two). + +### 17.11 Email In the **Email** area, you can choose which apps have can access and send email. @@ -917,7 +1158,11 @@ To turn off **Let apps access and send email**: - Set the **Select a setting** box to **Force Deny**. -### 16.12 Messaging + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessEmail**, with a value of 2 (two). + +### 17.12 Messaging In the **Messaging** area, you can choose which apps can read or send messages. 
@@ -931,11 +1176,15 @@ To turn off **Let apps read or send messages (text or MMS)**: - Set the **Select a setting** box to **Force Deny**. + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMessaging**, with a value of 2 (two). + To turn off **Choose apps that can read or send messages**: - Turn off the feature in the UI for each app. -### 16.13 Radios +### 17.13 Radios In the **Radios** area, you can choose which apps can turn a device's radio on or off. @@ -948,12 +1197,17 @@ To turn off **Let apps control radios**: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - Set the **Select a setting** box to **Force Deny**. + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessRadios**, with a value of 2 (two). + To turn off **Choose apps that can control radios**: - Turn off the feature in the UI for each app. -### 16.14 Other devices +### 17.14 Other devices In the **Other Devices** area, you can choose whether devices that aren't paired to PCs, such as an Xbox One, can share and sync info. @@ -965,6 +1219,10 @@ To turn off **Let apps automatically share and sync info with wireless devices t - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsSyncWithDevices**, with a value of 2 (two). + To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: - Turn off the feature in the UI. 
@@ -975,7 +1233,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co - Set the **Select a setting** box to **Force Deny**. -### 16.15 Feedback & diagnostics +### 17.15 Feedback & diagnostics In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft. @@ -994,6 +1252,10 @@ To change how frequently **Windows should ask for my feedback**: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!DoNotShowFeedbackNotifications**, with a value of 1 (one). + + -or- + - Create the registry keys (REG\_DWORD type): - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds @@ -1014,12 +1276,7 @@ To change how frequently **Windows should ask for my feedback**: To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: -- To change from **Enhanced**, use the drop-down list in the UI. The other levels are **Basic** and **Full**. - - > [!NOTE] - > You can't use the UI to change the telemetry level to **Security**. - - +- Click either the **Basic** or **Full** options. -or- @@ -1027,6 +1284,10 @@ To change the level of diagnostic and usage data sent when you **Send your devic -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection!AllowTelemetry**, with a value of 0 (zero). + + -or- + - Apply the System/AllowTelemetry MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - **0**. Maps to the **Security** level. 
@@ -1049,17 +1310,29 @@ To change the level of diagnostic and usage data sent when you **Send your devic - **3**. Maps to the **Full** level. -### 16.16 Background apps +To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** + +### 17.16 Background apps In the **Background Apps** area, you can choose which apps can run in the background. To turn off **Let apps run in the background**: - Turn off the feature in the UI for each app. + + -or- + +- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** - Set the **Select a setting** box to **Force Deny**. -### 16.17 Motion +### 17.17 Motion In the **Motion** area, you can choose which apps have access to your motion data. 
@@ -1071,25 +1344,63 @@ To turn off **Let Windows and your apps use your motion data and collect motion - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** -### 17. Software Protection Platform + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessMotion**, with a value of 2 (two). + +### 17.18 Tasks + +In the **Tasks** area, you can choose which apps have access to your tasks. + +To turn this off: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** + + - Set the **Select a setting** box to **Force Deny**. + +### 17.19 App Diagnostics + +In the **App diagnostics** area, you can choose which apps have access to your diagnostic information. + +To turn this off: + +- Turn off the feature in the UI. + + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps** + +### 18. Software Protection Platform Enterprise customers can manage their Windows activation status with volume licensing using an on-premise Key Management Server. 
You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: For Windows 10: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy!LetAppsAccessContacts**, with a value of 2 (two). + + -or- + - Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client AVS Validation** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** + + -or- + +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform!NoGenTicket**, with a value of 1 (one). The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. -### 18. Sync your settings +### 19. Sync your settings You can control if your settings are synchronized: 
@@ -1101,6 +1412,10 @@ You can control if your settings are synchronized: -or- +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSync**, with a value of 2 (two) and **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSyncUserOverride**, with a value of 1 (one). + + -or- + - Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. -or- @@ -1115,7 +1430,7 @@ To turn off Messaging cloud sync: - Create a REG\_DWORD registry setting called **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging**, with a value of 0 (zero). -### 19. Teredo +### 20. Teredo You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](http://technet.microsoft.com/library/cc722030.aspx). @@ -1126,9 +1441,13 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. -or- +- Create a new REG\_SZ registry setting called in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition!Teredo_State**, with a value of **Disabled**. + + -or- + - From an elevated command prompt, run **netsh interface teredo set state disabled** -### 20. Wi-Fi Sense +### 21. Wi-Fi Sense Wi-Fi Sense automatically connects devices to known hotspots and to the wireless networks the person’s contacts have shared with them. 
@@ -1154,11 +1473,15 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 21. Windows Defender +### 22. Windows Defender You can disconnect from the Microsoft Antimalware Protection Service. -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Join Microsoft MAPS** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** + + -or- + +- Delete the registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!DefinitionUpdateFileSharesSources**. -or- @@ -1172,9 +1495,11 @@ You can disconnect from the Microsoft Antimalware Protection Service. From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** + + You can stop sending file samples back to Microsoft. -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. -or- 
@@ -1194,11 +1519,15 @@ You can stop sending file samples back to Microsoft. You can stop downloading definition updates: -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. -and- -- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. +- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. + + -or- + +- Create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!FallbackOrder**, with a value of **FileShares**. For Windows 10 only, you can stop Enhanced Notifications: @@ -1206,7 +1535,7 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool telemetry by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. -### 22. Windows Media Player +### 23. Windows Media Player To remove Windows Media Player on Windows 10: 
@@ -1220,7 +1549,7 @@ To remove Windows Media Player on Windows Server 2016: - Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** -### 23. Windows spotlight +### 24. Windows spotlight Windows spotlight provides features such as different background images and text on the lock screen, suggested apps, Microsoft account notifications, and Windows tips. You can control it by using the user interface or through Group Policy. @@ -1228,6 +1557,10 @@ If you're running Windows 10, version 1607 or later, you only need to enable the - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features** + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). + If you're not running Windows 10, version 1607 or later, you can use the other options in this section. - Configure the following in **Settings**: 
@@ -1251,23 +1584,42 @@ If you're not running Windows 10, version 1607 or later, you can use the other o - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. > [!NOTE] - > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. + > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one). + - + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows Tips**. + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableSoftLanding**, with a value of 1 (one). - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. 
-For more info, see [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). + -or- -### 24. Windows Store + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsConsumerFeatures**, with a value of 1 (one). + +For more info, see [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). + +### 25. Windows Store You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Windows Store**. -### 25. Windows Update Delivery Optimization + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!DisableStoreApps**, with a value of 1 (one). + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. + + -or- + + - Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore!AutoDownload**, with a value of 2 (two). + +Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure web-to-app linking with URI handlers** + +### 26. Windows Update Delivery Optimization Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. 
If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet. @@ -1277,13 +1629,13 @@ Use the UI, Group Policy, MDM policies, or Windows Provisioning to set up Delive In Windows 10, version 1607, you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Simple** (99) or **Bypass** (100), as described below. -### 25.1 Settings > Update & security +### 26.1 Settings > Update & security You can set up Delivery Optimization from the **Settings** UI. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. -### 25.2 Delivery Optimization Group Policies +### 26.2 Delivery Optimization Group Policies You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**. @@ -1295,7 +1647,9 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con | Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
        The default value is 20, which represents 20% of the disk.| | Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
        The default value is 0, which means unlimited possible bandwidth.| -### 25.3 Delivery Optimization MDM policies +You can also set the **Download Mode** policy by creating a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization!DODownloadMode**, with a value of 100 (one hundred). + +### 26.3 Delivery Optimization MDM policies The following Delivery Optimization MDM policies are available in the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). @@ -1308,7 +1662,7 @@ The following Delivery Optimization MDM policies are available in the [Policy CS | DeliveryOptimization/DOMaxUploadBandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
        The default value is 0, which means unlimited possible bandwidth.| -### 25.4 Delivery Optimization Windows Provisioning +### 26.4 Delivery Optimization Windows Provisioning If you don't have an MDM server in your enterprise, you can use Windows Provisioning to configure the Delivery Optimization policies @@ -1324,7 +1678,7 @@ Use Windows ICD, included with the [Windows Assessment and Deployment Kit (Windo For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684). -### 26. Windows Update +### 27. Windows Update You can turn off Windows Update by setting the following registry entries: @@ -1338,6 +1692,18 @@ You can turn off Windows Update by setting the following registry entries: - Add a REG\_DWORD value called **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. + -or- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. + + -and- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Intenet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. + + -and- + +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to "". + You can turn off automatic updates by doing one of the following. This is not recommended. 
diff --git a/windows/manage/manage-tips-and-suggestions.md b/windows/configure/manage-tips-and-suggestions.md similarity index 97% rename from windows/manage/manage-tips-and-suggestions.md rename to windows/configure/manage-tips-and-suggestions.md index 547f77a1aa..c3394002a8 100644 --- a/windows/manage/manage-tips-and-suggestions.md +++ b/windows/configure/manage-tips-and-suggestions.md @@ -49,7 +49,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi ## Related topics - [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) -- [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) +- [Cortana integration in your business or enterprise](cortana-at-work-overview.md) - [Windows spotlight on the lock screen](../whats-new/windows-spotlight.md) - [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers) diff --git a/windows/manage/manage-wifi-sense-in-enterprise.md b/windows/configure/manage-wifi-sense-in-enterprise.md similarity index 100% rename from windows/manage/manage-wifi-sense-in-enterprise.md rename to windows/configure/manage-wifi-sense-in-enterprise.md diff --git a/windows/configure/mobile-lockdown-designer.md b/windows/configure/mobile-lockdown-designer.md new file mode 100644 index 0000000000..bc580504e6 --- /dev/null +++ b/windows/configure/mobile-lockdown-designer.md 
@@ -0,0 +1,170 @@ +--- +title: Use the Lockdown Designer app to create a Lockdown XML file (Windows 10) +description: +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: jdeckerMS +--- + +# Use the Lockdown Designer app to create a Lockdown XML file + +![Lockdown Designer in the Store](images/ldstore.png) + +Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. + +When you deploy the lockdown XML file to a device, it is saved on the device as **wehlockdown.xml**. When the device boots, it looks for wehlockdown.xml and applies any settings configured in the file. + +The Lockdown Designer app helps you configure and create a lockdown XML file that you can apply to devices running Windows 10 Mobile, version 1703, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Lockdown Designer also validates the XML. Using Lockdown Designer is easier than [manually creating a lockdown XML file](lockdown-xml.md). + + + +## Overview + +Lockdown Designer can be installed on a PC running Windows 10, version 1607 or later. After you install the app, you connect a mobile device running Windows 10 Mobile, version 1703, to the PC. + +>[!NOTE] +>Lockdown Designer will not make any changes to the connected device, but we recommend that you use a test device. + +Lockdown Designer will populate the available settings and apps to configure from the connected device. Using the different pages in the app, you select the settings, apps, and layout to be included in the lockdown XML. + +When you're done, you export the configuration to a lockdown XML file. 
This configuration can be applied to any device running Windows 10 Mobile, version 1703. + +>[!NOTE] +>You can also import an existing WEHLockdown.xml file to Lockdown Designer and modify it in the app. + +## Prepare the test mobile device + +Perform these steps on the device running Windows 10 Mobile that you will use to supply the settings, apps, and layout to Lockdown Designer. + +1. Install all apps on the device that you want to include in the configuration, including line-of-business apps. + +2. On the mobile device, go to **Settings** > **Update & security** > **For developers**, enable **Developer mode**. + +3. Read the disclaimer, then click **Yes** to accept the change. + +4. Enable **Device discovery**, and then turn on **Device Portal**. + +>[!IMPORTANT] +>Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**. +> +>![turn off show more tiles for small start screen size](images/show-more-tiles.png) + +## Prepare the PC + +[Install Lockdown Designer](https://www.microsoft.com/store/r/9nblggh40753) on the PC. + +If the PC and the test mobile device are on the same Wi-Fi network, you can connect the devices using Wi-Fi. + +If you want to connect the PC and the test mobile device using a USB cable, perform the following steps on the PC: + +1. [Install the Windows 10 Software Development Kit (SDK)](https://developer.microsoft.com/windows/downloads/windows-10-sdk). This enables the **Windows Phone IP over USB Transport (IpOverUsbSvc)** service. + +2. Open a command prompt as an administrator and run `checknetisolation LoopbackExempt -a -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` + + >[!NOTE] + >Loopback is permitted only for development purposes. 
To remove the loopback exemption when you're done using Lockdown Designer, run `checknetisolation LoopbackExempt -d -n=microsoft.lockdowndesigner_8wekyb3d8bbwe` + + + + +## Connect the mobile device to Lockdown Designer + +**Using Wi-Fi** + +1. Open Lockdown Designer. + +2. Click **Create new project**. + +3. On the test mobile device, go to **Settings** > **Update & security** > **For developers** > **Connect using:** and get the IP address listed for **Wi-Fi**. + +2. On the **Project setting** > **General settings** page, in **Remote device IP address**, enter the IP address for the test mobile device, using `https://`. + +3. Click **Pair**. + + ![Pair](images/ld-pair.png) + + **Connect to remote device** appears. + +4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. + +5. On the PC, in **Connect to remote device**, enter the code from the mobile device. + +6. Next, click **Sync** to pull information from the device in to Lockdown Designer. + + ![Sync](images/ld-sync.png) + +7. Click the **Save** icon and enter a name for your project. + +**Using a USB cable** + +1. Open Lockdown Designer. + +2. Click **Create new project**. + +2. Connect a Windows 10 Mobile device to the PC by USB and unlock the device. + +3. On the **Project setting** > **General settings** page, click **Pair**. + + ![Pair](images/ld-pair.png) + + **Connect to remote device** appears. + +4. On the mobile device, under **Device discovery**, tap **Pair**. A case-sensitive code is displayed. + +5. On the PC, in **Connect to remote device**, enter the code from the mobile device. + +6. Next, click **Sync** to pull information from the device in to Lockdown Designer. + + ![Sync](images/ld-sync.png) + +7. Click the **Save** icon and enter a name for your project. + + +## Configure your lockdown XML settings + +The apps and settings available in the pages of Lockdown Designer should now be populated from the test mobile device. 
The following table describes what you can configure on each page. + +| Page | Description | +| --- | --- | +| ![Applications](images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.

        You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. | +| ![CSP Runner](images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner) | +| ![Settings](images/ld-settings.png) | On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI. | +| ![Quick actions](images/ld-quick.png) | On this page, you select the settings that you want visible to users. | +| ![Buttons](images/ld-buttons.png) | Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.

        Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. | +| ![Other settings](images/ld-other.png) | This page contains several settings that you can configure:

        - The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.

        - Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.

        - The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both. | +| ![Start screen](images/ld-start.png) | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)

        On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.

        When you are done changing the layout on the test mobile device, click **Accept** on the PC. | + + +## Validate and export + +On the **Validate and export** page, click **Validate** to make sure your lockdown XML is valid. + +>[!WARNING] +>Lockdown Designer cannot validate SyncML that you imported to CSPRunner. + +Click **Export** to generate the XML file for your project. You can select the location to save the file. + +## Create and configure multiple roles + +You can create additional roles for the device and have unique configurations for each role. For example, you could have one configuration for a **Manager** role and a different configuration for a **Salesperson** role. + +>[!NOTE] +>Using multiple roles on a device requires a login application that displays the list of roles and allows users to sign in to Azure Active Directory. [Learn how to create a login application that will work with your Lockdown XML file.](https://github.com/Microsoft/Windows-universal-samples/tree/master/Samples/DeviceLockdownAzureLogin) + +**For each role:** + +1. On the **Project setting** page, click **Role management**. + +2. Click **Add a role**. + +3. Enter a name for the role, and then click **Save**. + +4. Configure the settings for the role as above, but make sure on each page that you select the correct role. + + ![Current role selection box](images/ld-role.png) + + + diff --git a/windows/manage/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md similarity index 90% rename from windows/manage/product-ids-in-windows-10-mobile.md rename to windows/configure/product-ids-in-windows-10-mobile.md index 6fd085952b..f2a3295ba9 100644 --- a/windows/manage/product-ids-in-windows-10-mobile.md +++ b/windows/configure/product-ids-in-windows-10-mobile.md 
@@ -230,21 +230,8 @@ The following table lists the product ID and AUMID for each app that is included
-## Get product ID and AUMID for other apps
-To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps.
-
-**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for
-
-1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**.
-
-2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png)
-
-3. Tap **advanced**, and then **tap export to SD card**.
-
-4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app.
-
 ## Related topics
diff --git a/windows/configure/provision-pcs-for-initial-deployment.md b/windows/configure/provision-pcs-for-initial-deployment.md
new file mode 100644
index 0000000000..c23f3d854c
--- /dev/null
+++ b/windows/configure/provision-pcs-for-initial-deployment.md
@@ -0,0 +1,117 @@ +--- +title: Provision PCs with common settings (Windows 10) +description: Create a provisioning package to apply common settings to a PC running Windows 10. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Provision PCs with common settings for initial deployment (desktop wizard) + + +**Applies to** + +- Windows 10 + +This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. + +You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. + +## Advantages +- You can configure new devices without reimaging. + +- Works on both mobile and desktop devices. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) + +## What does the desktop wizard do? + +The desktop wizard helps you configure the following settings in a provisioning package: + +- Set device name +- Upgrade product edition +- Configure the device for shared use +- Remove pre-installed software +- Configure Wi-Fi network +- Enroll device in Active Directory or Azure Active Directory +- Create local administrator account +- Add applications and certificates + +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. + +Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. 
+ +> [!TIP] +> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. +> +>![open advanced editor](images/icd-simple-edit.png) + +## Create the provisioning package + +Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) + +1. Open Windows Configuration Designer (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). + +2. Click **Provision desktop devices**. + + ![ICD start options](images/icd-create-options-1703.png) + +3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps. + + ![ICD desktop provisioning](images/icd-desktop-1703.png) + +> [!IMPORTANT] +> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +## Configure settings + + + + + + + + + +
        ![step one](images/one.png)![set up device](images/set-up-device.png)

        Enter a name for the device.

        (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

        Toggle **Yes** or **No** to **Configure devices for shared use**. This setting optimizes Windows 10 for shared use scenarios. [Learn more about shared PC configuration.](set-up-shared-or-guest-pc.md)

        You can also select to remove pre-installed software from the device.
        ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details-desktop.png)
        ![step two](images/two.png) ![set up network](images/set-up-network.png)

        Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
        ![Enter network SSID and type](images/set-up-network-details-desktop.png)
        ![step three](images/three.png) ![account management](images/account-management.png)

        Enable account management if you want to configure settings on this page.

        You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

        To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

        Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

        To create a local administrator account, select that option and enter a user name and password.

        **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
        ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
        ![step four](images/four.png) ![add applications](images/add-applications.png)

        You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).
        ![add an application](images/add-applications-details.png)
        ![step five](images/five.png) ![add certificates](images/add-certificates.png)

        To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
        ![add a certificate](images/add-certificates-details.png)
        ![finish](images/finish.png)

        You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
        ![Protect your package](images/finish-details.png)
        + +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + + **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) + +  +## Related topics + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + + + + diff --git a/windows/deploy/provision-pcs-with-apps-and-certificates.md b/windows/configure/provision-pcs-with-apps-and-certificates.md similarity index 97% rename from windows/deploy/provision-pcs-with-apps-and-certificates.md rename to windows/configure/provision-pcs-with-apps-and-certificates.md index 6e4614a977..b5e03dbb14 100644 --- a/windows/deploy/provision-pcs-with-apps-and-certificates.md 
+++ b/windows/configure/provision-pcs-with-apps-and-certificates.md
@@ -17,6 +17,7 @@ localizationpriority: high
 - Windows 10
+DEPRECATED - See [Provision PCs with apps](provision-pcs-with-apps.md)
 This topic explains how to create and apply a provisioning package that contains apps and certificates to a device running all desktop editions of Windows 10 except Windows 10 Home. Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
@@ -183,14 +184,15 @@ If your build is successful, the name of the provisioning package, output direct
 - [Provisioning packages for Windows 10](provisioning-packages.md)
 - [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
+- [Install Windows Configuration Designer](provisioning-install-icd.md)
 - [Create a provisioning package](provisioning-create-package.md)
 - [Apply a provisioning package](provisioning-apply-package.md)
 - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
 - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
 - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
 - [NFC-based device provisioning](provisioning-nfc.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
+- [Use the package splitter tool](provisioning-package-splitter.md)
+- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
 - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configure/provision-pcs-with-apps.md b/windows/configure/provision-pcs-with-apps.md
new file mode 100644
index 0000000000..26703f40c9
--- /dev/null
+++ b/windows/configure/provision-pcs-with-apps.md 
@@ -0,0 +1,207 @@ +--- +title: Provision PCs with apps (Windows 10) +description: Add apps to a Windows 10 provisioning package. +ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E +keywords: ["runtime provisioning", "provisioning package"] +ms.prod: W10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Provision PCs with apps + + +**Applies to** + +- Windows 10 + + +In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Classic Windows (Win32) applications in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install. + +When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv). + +## Settings for UWP apps + +- **License Path**: Specify the license file if it is an app from the Windows Store. This is optional if you have a certificate for the app. + +- **Package family name**: Specify the package family name if you don’t specify a license. This field will be auto-populated after you specify a license. + +- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app + +## Settings for Classic Windows apps + +### MSI installer + +- **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. 
Example: PROPERTY=VALUE + +- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install + +- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app + +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). + +### Exe or other installer + +- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append additional flags + +- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited. + +- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install + +- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app + +- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract). + + + +## Add a Classic Windows app using advanced editor in Windows Configuration Designer + + +1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**. 
+ +2. Enter a name for the first app, and then click **Add**. + + ![enter name for first app](images/wcd-app-name.png) + +3. [Configure the settings for the appropriate installer type.](#settings-for-classic-windows-apps) + + ![enter settings for first app](images/wcd-app-commands.png) + +### Add a universal app to your package + +Universal apps that you can distribute in the provisioning package can be line-of-business (LOB) apps developed by your organization, Windows Store for Business apps that you acquire with [offline licensing](../manage/acquire-apps-windows-store-for-business.md), or third-party apps. This procedure will assume you are distributing apps from the Windows Store for Business. For other apps, obtain the necessary information (such as the package family name) from the app developer. + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall**. + +2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Windows Store for Business, the package family name is listed in the **Package details** section of the download page. + + ![details for offline app package](images/uwp-family.png) + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Windows Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. + + ![required frameworks for offline app package](images/uwp-dependencies.png) + +5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. + + - In Windows Store for Business, generate the unencoded license for the app on the app's download page. + + ![generate license for offline app](images/uwp-license.png) + + - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**. 
+ +6. In the **Available customizations** pane, click the **LicenseProductId** that you just added. + +7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed **.**ms-windows-store-license**, and select the license file. + +[Learn more about distributing offline apps from the Windows Store for Business.](../manage/distribute-offline-apps.md) + +> [!NOTE] +> Removing a provisioning package will not remove any apps installed by device context in that provisioning package. + + + +### Add a certificate to your package + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate to be used. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add other settings to your package + +For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). + +### Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. +> **Important** When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +1. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** + +10. Set a value for **Package Version**. + + > [!TIP]   + > You can make changes to existing packages and change the version number to update previously applied packages. + +11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. + + **Important**   + We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

        +Optionally, you can click **Browse** to change the default output location. + +13. Click **Next**. + +14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

        +If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

        +If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: + + - Shared network folder + + - SharePoint site + + - Removable media (USB/SD) + + - Email + + - USB tether (mobile only) + + - NFC (mobile only) + + + +**Next step**: [How to apply a provisioning package](provisioning-apply-package.md) + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +  + +## Related topics + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the 
package splitter tool](provisioning-package-splitter.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + diff --git a/windows/deploy/provisioning-apply-package.md b/windows/configure/provisioning-apply-package.md similarity index 66% rename from windows/deploy/provisioning-apply-package.md rename to windows/configure/provisioning-apply-package.md index 1125dd6985..2725bb140c 100644 --- a/windows/deploy/provisioning-apply-package.md +++ b/windows/configure/provisioning-apply-package.md 
@@ -42,29 +42,11 @@ Provisioning packages can be applied to a device during the first-run experience ![Do you trust this package?](images/trust-package.png) -6. Read and accept the Microsoft Software License Terms. - ![Sign in](images/license-terms.png) - -7. Select **Use Express settings**. - - ![Get going fast](images/express-settings.png) - -8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**. - - ![Who owns this PC?](images/who-owns-pc.png) - -9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**. - - ![Connect to Azure AD](images/connect-aad.png) - -10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive. - - ![Sign in](images/sign-in-prov.png) ### After setup, from a USB drive, network folder, or SharePoint site -On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. +Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. ![add a package option](images/package.png) 
@@ -97,23 +79,17 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Access work o -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-command-line.md b/windows/configure/provisioning-command-line.md similarity index 55% rename from windows/deploy/provisioning-command-line.md rename to windows/configure/provisioning-command-line.md index d5c52aabac..a2e16343b0 100644 --- a/windows/deploy/provisioning-command-line.md 
+++ b/windows/configure/provisioning-command-line.md @@ -1,5 +1,5 @@ --- -title: Windows ICD command-line interface (Windows 10) +title: Windows Configuration Designer command-line interface (Windows 10) description: ms.prod: w10 ms.mktglfcycl: deploy @@ -8,7 +8,7 @@ author: jdeckerMS localizationpriority: high --- -# Windows ICD command-line interface (reference) +# Windows Configuration Designer command-line interface (reference) **Applies to** 
@@ -16,11 +16,11 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You can use the Windows Imaging and Configuration Designer (ICD) command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. +You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. -- IT pros can use the Windows ICD CLI to require less re-tooling of existing processes. You must run the Windows ICD CLI from a command window with administrator privileges. +- IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. -- You must use the Windows ICD CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows ICD CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). 
@@ -38,9 +38,9 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: | --- | --- | --- | | /CustomizationXML | No | Specifies the path to a Windows provisioning XML file that contains the customization assets and settings. For more information, see Windows provisioning answer file. | | /PackagePath | Yes | Specifies the path and the package name where the built provisioning package will be saved. | -| /StoreFile | No


        See Important note. | For partners using a settings store other than the default store(s) used by Windows ICD, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows ICD.


        **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | +| /StoreFile | No


        See Important note. | For partners using a settings store other than the default store(s) used by Windows Configuration Designer, use this parameter to specify the path to one or more comma-separated Windows settings store file. By default, if you don't specify a settings store file, the settings store that's common to all Windows editions will be loaded by Windows Configuration Designer.


        **Important** If you use this parameter, you must not use /MSPackageRoot or /OEMInputXML. | | /Variables | No | Specifies a semicolon separated and macro pair. The format for the argument must be =. | -| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows ICD auto-generates the decryption password and includes this information in the output.


        Precede with + for encryption or - for no encryption. The default is no encryption. | +| Encrypted | No | Denotes whether the provisioning package should be built with encryption. Windows Configuration Designer auto-generates the decryption password and includes this information in the output.


        Precede with + for encryption or - for no encryption. The default is no encryption. | | Overwrite | No | Denotes whether to overwrite an existing provisioning package.


        Precede with + to overwrite an existing package or - if you don't want to overwrite an existing package. The default is false (don't overwrite). | | /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. | @@ -51,14 +51,13 @@ icd.exe /Build-ProvisioningPackage /CustomizationXML: /PackagePath: - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   diff --git a/windows/configure/provisioning-configure-mobile.md b/windows/configure/provisioning-configure-mobile.md new file mode 100644 index 0000000000..5c1a5048cf --- /dev/null +++ b/windows/configure/provisioning-configure-mobile.md 
@@ -0,0 +1,86 @@ +--- +title: Use Windows Configuration Designer to configure Windows 10 Mobile devices (Windows 10) +description: +keywords: phone, handheld, lockdown, customize +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: jdeckerMS +--- + +# Use Windows Configuration Designer to configure Windows 10 Mobile devices + +Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using provisioning packages, ayou can easily specify desired configuration, settings, and information required to enroll the devices into management, and then apply that configuration to target devices in a matter of minutes. + +A provisioning package (.ppkg) is a container for a collection of configuration settings. Using Windows Configuration Designer, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. + +Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). Windows Configuration Designer is also available as an app in the Windows Store. [Learn more about installing Windows Configuration Designer.](provisioning-install-icd.md) + +## Create a provisioning package using the wizard + +The **Provision Windows mobile devices** wizard lets you configure common settings for devices running Windows 10 Mobile in a simple, graphical workflow. + +### Start a new project + +1. 
Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. On the **Start** page, choose **Provision Windows mobile devices**. + +3. Enter a name for your project, and then click **Next**. + + +### Configure settings in the wizard + + + + + + +
        ![step one](images/one.png)![set up device](images/set-up-device-mobile.png)

        Enter a device name.

        Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
        ![device name, upgrade license](images/set-up-device-details-mobile.png)
        ![step two](images/two.png) ![set up network](images/set-up-network-mobile.png)

        Toggle **On** or **Off** for wireless network connectivity.

        If you select **On**, enter the SSID, network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
        ![Enter network SSID and type](images/set-up-network-details-mobile.png)
        ![step three](images/three.png) ![bulk enrollment in Azure Active Directory](images/bulk-enroll-mobile.png)

        Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used.

        Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

        **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
        ![Enter expiration and get bulk token](images/bulk-enroll-mobile-details.png)
        ![step four](images/four.png) ![finish](images/finish-mobile.png)

        You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
        ![Protect your package](images/finish-details-mobile.png)
        + +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + +### Apply provisioning package + +You can apply a provisioning package to a device running Windows 10 Mobile by using: + +- removable media +- copying the provisioning package to the device +- [NFC tags](provisioning-nfc.md) +- [barcodes](provisioning-package-splitter.md) + +### Using removable media + +1. Insert an SD card containing the provisioning package into the device. +2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. + + ![add a package option](images/packages-mobile.png) + +3. Click **Add**. + +4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. + + ![Is this package from a source you trust](images/package-trust.png) + +### Copying the provisioning package to the device + +1. Connect the device to your PC through USB. + +2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device. + +3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**. + + ![Is this package from a source you trust](images/package-trust.png) + + +## Related topics + +- [NFC-based device provisioning](provisioning-nfc.md) +- [Use the package splitter tool](provisioning-package-splitter.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-create-package.md b/windows/configure/provisioning-create-package.md similarity index 66% rename from windows/deploy/provisioning-create-package.md rename to windows/configure/provisioning-create-package.md index f543e6d10f..a73b54f4f8 100644 --- a/windows/deploy/provisioning-create-package.md 
+++ b/windows/configure/provisioning-create-package.md 
@@ -16,30 +16,40 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You use Windows Imaging and Configuration Designer (ICD) to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10. +You use Windows Configuration Designer to create a provisioning package (.ppkg) that contains customization settings. You can apply the provisioning package to a device running Windows 10 or Windows 10 Mobile. ->[Learn how to install Windows ICD.](provisioning-install-icd.md) +>[Learn how to install Windows Configuration Designer.](provisioning-install-icd.md) + +>[!TIP] +>We recommend creating a local admin account when developing and testing your provisioning package. We also recommend using a “least privileged” domain user account to join devices to the Active Directory domain. ## Start a new project -1. Open Windows ICD: - - From either the Start screen or Start menu search, type 'Imaging and Configuration Designer' and click on the Windows ICD shortcut, +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, or - - Navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. -2. 
Select your desired option on the **Start** page, which offers three options for creating a provisioning package, as shown in the following image: +2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image: - ![Simple provisioning or provision school devices or advanced provisioning](images/icd-create-options.png) + ![Configuration Designer wizards](images/icd-create-options-1703.png) - - The **Simple provisioning** and **Provision school devices** options provide wizard-style walkthroughs for creating a provisioning package based on a set of common settings. - - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. + - The wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices. Wizards are also available for creating provisioning packages for Microsoft Surface Hub and Microsoft HoloLens devices. For a summary of the settings available in the desktop, mobile, and kiosk devices, see [What you can configure using Configuration Designer wizardS](provisioning-packages.md#configuration-designer-wizards). - >[!TIP] - >You can start a project in the simple editor and then switch the project to the advanced editor. - > - >![Switch to advanced editor](images/icd-switch.png) + - [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md) + - [Instructions for the mobile wizard](provisioning-configure-mobile.md) + - [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard) + - [Instructions for HoloLens wizard](https://technet.microsoft.com/itpro/hololens/hololens-provisioning) + - [Instructions for Surface Hub wizard](https://technet.microsoft.com/itpro/surface-hub/provisioning-packages-for-certificates-surface-hub) + + - The **Advanced provisioning** option opens a new project with all **Runtime settings** available. 
*The rest of this procedure uses advanced provisioning.* + + >[!TIP] + > You can start a project in the simple wizard editor and then switch the project to the advanced editor. + > + > ![Switch to advanced editor](images/icd-switch.png) 3. Enter a name for your project, and then click **Next**. 
@@ -59,19 +69,18 @@ You use Windows Imaging and Configuration Designer (ICD) to create a provisionin >[!TIP] >**Import a provisioning package** can make it easier to create different provisioning packages that all have certain settings in common. For example, you could create a provisioning package that contains the settings for your organization's network, and then import it into other packages you create so you don't have to reconfigure those common settings repeatedly. -After you click **Finish**, Windows ICD will open the appropriate walkthrough page if you selected **Simple provisioning** or **Provision school devices**, or the **Available customizations** pane if you selected **Advanced provisioning**. The remainder of this topic will explain the **Advanced provisioning scenario**. +After you click **Finish**, Windows Configuration Designer will open the **Available customizations** pane and you can then configure settings for the package. + -- For instructions on **Simple provisioning**, see [Provision PCs with common settings](provision-pcs-for-initial-deployment.md). -- For instructions on **Provision school devices**, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain). ## Configure settings -For an advanced provisioning project, Windows ICD opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. +For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings. ![What the ICD interface looks like](images/icd-runtime.png) -The settings in Windows ICD are based on Windows 10 configuration service providers (CSPs). 
To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). +The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). The process for configuring settings is similar for all settings. The following table shows an example. @@ -83,9 +92,9 @@ The process for configuring settings is similar for all settings. The following ![step five](images/five.png)
        When the setting is configured, it is displayed in the **Selected customizations** pane.![Selected customizations pane](images/icd-step5.png) -For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows ICD when you select the setting, as shown in the following image. +For details on each specific setting, see [Windows Provisioning settings reference](https://msdn.microsoft.com/library/windows/hardware/dn965990.aspx). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image. -![Windows ICD opens the reference topic when you select a setting](images/icd-setting-help.png) +![Windows Configuration Designer opens the reference topic when you select a setting](images/icd-setting-help.png) ## Build package 
@@ -110,7 +119,7 @@ For details on each specific setting, see [Windows Provisioning settings referen > >If a provisioning package is signed by a trusted provisioner, it can be installed on a device without a prompt for user consent. In order to enable trusted provider certificates, you must set the **TrustedProvisioners** setting prior to installing the trusted provisioning package. This is the only way to install a package without user consent. To provide additional security, you can also set **RequireProvisioningPackageSignature**, which prevents users from installing provisioning packages that are not signed by a trusted provisioner. -4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows ICD uses the project folder as the output location. +4. In the **Select where to save the provisioning package** window, specify the output location where you want the provisioning package to go once it's built, and then click **Next**. By default, Windows Configuration Designer uses the project folder as the output location. 5. In the **Build the provisioning package** window, click **Build**. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. 
@@ -128,22 +137,21 @@ For details on each specific setting, see [Windows Provisioning settings referen ## Learn more -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) +- [How to bulk-enroll devices with On-premises Mobile Device Management in System Center Configuration Manager](https://docs.microsoft.com/sccm/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - 
[Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-how-it-works.md b/windows/configure/provisioning-how-it-works.md similarity index 78% rename from windows/deploy/provisioning-how-it-works.md rename to windows/configure/provisioning-how-it-works.md index 1f9b72eb6c..349dfd08c2 100644 --- a/windows/deploy/provisioning-how-it-works.md +++ b/windows/configure/provisioning-how-it-works.md @@ -16,7 +16,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Imaging and Configuration Designer (Windows ICD) is a tool that makes it easy to create a provisioning package. Windows ICD is contained in the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). +Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or through the Windows Store. ## Provisioning packages 
@@ -58,9 +58,9 @@ When setting conflicts are encountered, the final values provisioned on the devi Windows provisioning XML is the framework that allows Microsoft and OEM components to declare end-user configurable settings and the on-device infrastructure for applying the settings with minimal work by the component owner. -Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows ICD to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows ICD translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. +Settings for each component can be declared within that component's package manifest file. These declarations are turned into settings schema that are used by Windows Configuration Designer to expose the potential settings to users to create customizations in the image or in provisioning packages. Windows Configuration Designer translates the user configuration, which is declared through Windows provisioning answer file(s), into the on-device provisioning format. -When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the Windows provisioning CSP. The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. +When the provisioning engine selects a configuration, the Windows provisioning XML is contained within the selected provisioning data and is passed through the configuration manager and then to the [Windows provisioning CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/provisioning-csp). 
The Windows provisioning CSP then takes and applies the provisioning to the proper location for the actual component to use. ## Provisioning engine @@ -77,7 +77,7 @@ The provisioning engine provides the following functionality: ## Configuration manager -The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to Configuration Service Providers (CSPs) to perform the specific management requests and settings. +The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference) to perform the specific management requests and settings. The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied. 
@@ -115,9 +115,9 @@ When a trigger occurs, provisioning is initiated for a particular provisioning s ## Device provisioning during OOBE -The provisioning engine always applies provisioning packages persisted in the C:\Recovery\Customizations folder on the OS partition. When the provisioning engine applies provisioning packages in the %ProgramData%\Microsoft\Provisioning folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. +The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect. -Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. 
+Device users can apply a provisioning package from a remote source when the device first boots to OOBE. The device provisioning during OOBE is only triggered after the language, locale, time zone, and other settings on the first OOBE UI page are configured. When device provisioning is triggered, the provisioning UI is displayed in the OOBE page. The provisioning UI allows users to select a provisioning package acquired from a remote source, such as through NFC or a removable media. The following table shows how device provisioning can be initiated when a user first boots to OOBE. @@ -125,17 +125,15 @@ The following table shows how device provisioning can be initiated when a user f | Package delivery | Initiation method | Supported device | | --- | --- | --- | | Removable media - USB drive or SD card
        (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices | -| From an administrator device through machine to machine NFC or NFC tag
        (The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | +| From an administrator device through machine-to-machine NFC or NFC tag
        (The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices | -The provisioning engine always copies the acquired provisioning packages to the %ProgramData%\Microsoft\Provisioning folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. +The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device. When the provisioning engine applies provisioning packages during OOBE, it applies only the runtime settings from the package to the device. 
Runtime settings can be system-wide configuration settings, including security policy, Windows app install/uninstall, network configuration, bootstrapping MDM enrollment, provisioning of file assets, account and domain configuration, Windows edition upgrade, and more. The provisioning engine also checks for the configuration settings on the device, such as region/locale or SIM card, and applies the multivariant settings with matching condition(s). ## Device provisioning at runtime -At device runtime, standalone provisioning packages can be applied by user initiation. Only runtime configuration settings including multivariant settings contained in a provisioning package can be applied at device runtime. - -The following table shows when provisioning at device runtime can be initiated. +At device runtime, stand-alone provisioning packages can be applied by user initiation. The following table shows when provisioning at device runtime can be initiated. | Package delivery | Initiation method | Supported device | | --- | --- | --- | 
@@ -147,7 +145,7 @@ When applying provisioning packages from a removable media attached to the devic When applying multiple provisioning packages to a device, the provisioning engine resolves settings with conflicting configuration values from different packages by evaluating the package ranking using the combination of package owner type and package rank level defined in the package metadata. A configuration setting applied from a provisioning package with the highest package ranking will be the final value applied to the device. -After a standalone provisioning package is applied to the device, the package is persisted in the %ProgramData%\Microsoft\Provisioning folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. However, Windows 10 doesn't provide an uninstall option to revert runtime settings when removing a provisioning package from the device. +After a stand-alone provisioning package is applied to the device, the package is persisted in the `%ProgramData%\Microsoft\Provisioning` folder on the device. Provisioning packages can be removed by an administrator by using the **Add or remove a provisioning package** available under **Settings** > **Accounts** > **Access work or school**. ## Learn more 
@@ -160,15 +158,14 @@ After a standalone provisioning package is applied to the device, the package is ## Related topics - [Provisioning packages for Windows 10](provisioning-packages.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) diff --git a/windows/configure/provisioning-install-icd.md b/windows/configure/provisioning-install-icd.md new file mode 100644 index 0000000000..16ae7f94d5 --- /dev/null +++ b/windows/configure/provisioning-install-icd.md 
@@ -0,0 +1,115 @@ +--- +title: Install Windows Configuration Designer (Windows 10) +description: Learn how to install and run Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Install Windows Configuration Designer + + +**Applies to** + +- Windows 10 +- Windows 10 Mobile + +Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. + +## Supported platforms + +Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems: + +- Windows 10 - x86 and amd64 +- Windows 8.1 Update - x86 and amd64 +- Windows 8.1 - x86 and amd64 +- Windows 8 - x86 and amd64 +- Windows 7 - x86 and amd64 +- Windows Server 2016 +- Windows Server 2012 R2 Update +- Windows Server 2012 R2 +- Windows Server 2012 +- Windows Server 2008 R2 + +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards. + +## Install Windows Configuration Designer + +On devices running Windows 10, you can install [the Windows Configuration Designer app from the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems or in languages other than English, install it from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). 
+ +>[!NOTE] +>If you install Windows Configuration Designer from both the ADK and Windows Store, the Store app will not open. +> +>The Windows Configuration Designer App from Windows Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK. + +1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511, 1607, or 1703). + + >[!NOTE] + >The rest of this procedure uses Windows ADK for Windows 10, version 1703 as an example. + +2. Save **adksetup.exe** and then run it. + +3. On the **Specify Location** page, select an installation path and then click **Next**. + >[!NOTE] + >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB. +4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**. + +5. Accept the **License Agreement**, and then click **Next**. + +6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. + + ![Only Configuration Designer selected for installation](images/icd-install.png) + +## Current Windows Configuration Designer limitations + + +- You can only run one instance of Windows Configuration Designer on your computer at a time. + +- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. + +- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. 
For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). + +- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time. + +- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. + +- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. + + For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC. + +- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. 
+ +**Next step**: [How to create a provisioning package](provisioning-create-package.md) + +## Learn more + +- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) + +- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) + +## Related topics + +- [Provisioning packages for Windows 10](provisioning-packages.md) +- [How provisioning works in Windows 10](provisioning-how-it-works.md) +- [Create a provisioning package](provisioning-create-package.md) +- [Apply a provisioning package](provisioning-apply-package.md) +- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) +- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) +- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + + +  + +  + + + + + diff --git a/windows/deploy/provisioning-multivariant.md b/windows/configure/provisioning-multivariant.md similarity index 62% rename from windows/deploy/provisioning-multivariant.md rename to windows/configure/provisioning-multivariant.md index 3bc7652233..d28ac354ee 100644 --- a/windows/deploy/provisioning-multivariant.md +++ b/windows/configure/provisioning-multivariant.md 
@@ -1,6 +1,6 @@ --- title: Create a provisioning package with multivariant settings (Windows 10) -description: Create a provisioning package with multivariant settings to customize the provisioned settings. +description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library 
@@ -16,37 +16,31 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Multivariant provisioning packages enable you to create a single provisioning package that can work for multiple locales. -To provision multivariant settings, you must create a provisioning package with defined **Conditions** and **Settings** that are tied to these conditions. When you install this package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. +In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. -The following events trigger provisioning on Windows 10 devices: +To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices. 
-| Event | Windows 10 Mobile | Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) | -| --- | --- | --- | -| System boot | Supported | Supported | -| Operating system update | Supported | Planned | -| Package installation during device first run experience | Supported | Supported | -| Detection of SIM presence or update | Supported | Not supported | -| Package installation at runtime | Supported | Supported | -| Roaming detected | Supported | Not supported | +Let's begin by learning how to define a **Target**. -## Target, TargetState, Condition, and priorities -Targets describe keying for a variant and must be described or pre-declared before being referenced by the variant. +## Define a target -- You can define multiple **Target** child elements for each **Id** that you need for the customization setting. +In the XML file, you provide an **Id**, or friendly name, for each **Target**. Each **Target** is defined by at least one **TargetState** which contains at least one **Condition**. A **Condition** element defines the matching type between the condition and the specified value. -- Within a **Target** you can define multiple **TargetState** elements. +A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. -- Within a **TargetState** element you can create multiple **Condition** elements. +![Target with multiple target states and conditions](images/multi-target.png) -- A **Condition** element defines the matching type between the condition and the specified value. +The following table describes the logic for the target definition. -The following table shows the conditions supported in Windows 10 provisioning: + +
        When all **Condition** elements are TRUE, **TargetState** is TRUE.![Target state is true when all conditions are true](images/icd-multi-targetstate-true.png)
        If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **Id** can be used for setting customizations.![Target is true if any target state is true](images/icd-multi-target-true.png)
        + +### Conditions + +The following table shows the conditions supported in Windows 10 provisioning for a **TargetState**: ->[!NOTE] ->You can use any of these supported conditions when defining your **TargetState**. | Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description | | --- | --- | --- | --- | --- | --- | @@ -57,54 +51,47 @@ The following table shows the conditions supported in Windows 10 provisioning: | GID1 | P0 | Supported | N/A | Digit string | Use to target settings based on the Group Identifier (level 1) value. | | ICCID | P0 | Supported | N/A | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. | | Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). | -| UICC | P0 | Supported | N/A | Enumeration | Use to specify the UICC state. Set the value to one of the following:


        - 0 - Empty
        - 1 - Ready
        - 2 - Locked | +| UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:


        - 0 - Empty
        - 1 - Ready
        - 2 - Locked | | UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:


        - 0 - Slot 0
        - 1 - Slot 1 | | ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. | | ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. | -| AoAc | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. | -| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the POWER_PLATFORM_ROLE enumeration. | +| AoAc ("Always On, Always Connected") | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. | +| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](https://msdn.microsoft.com/library/windows/desktop/aa373174.aspx). | | Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. | -| Server | P1 | Supported | Supported | Boolean | Set the value to 0 or 1. | -| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region. | -| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code. | -| ROMLANG | P1 | Supported | N/A | Digit string | Use to specify the PhoneROMLanguage that's set for DeviceTargeting. This condition is used primarily to detect variants for China. For example, you can use this condition and set the value to "0804". | +| Server | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. | +| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). 
| +| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). | + The matching types supported in Windows 10 are: | Matching type | Syntax | Example | | --- | --- | --- | | Straight match | Matching type is specified as-is | <Condition Name="ProcessorName" Value="Barton" /> | -| Regex match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> | +| Regular expression (Regex) match | Matching type is prefixed by "Pattern:" | <Condition Name="ProcessorName" Value="Pattern:.*Celeron.*" /> | | Numeric range match | Matching type is prefixed by "!Range:" | <Condition Name="MNC" Value="!Range:400, 550" /> | -- When all **Condition** elements are TRUE, **TargetState** is TRUE (**AND** logic). +### TargetState priorities -- If any of the **TargetState** elements is TRUE, **Target** is TRUE (**OR** logic), and **Id** can be used for the setting customization. +You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**. +A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority. -You can define more than one **TargetState** within a provisioning package to apply variant settings that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. 
To determine the order in which the variant settings are applied, the system assigns a priority to every **TargetState**. +Settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package. -A variant setting that matches a **TargetState** with a lower priority is applied before the variant that matches a **TargetState** with a higher priority. Variant settings that match more than one **TargetState** with equal priority are applied according to the order that each **TargetState** is defined in the provisioning package. +The **TargetState** priority is assigned based on the condition's priority (see the [Conditions table](#conditions) for priorities). The priority evaluation rules are as followed: -The **TargetState** priority is assigned based on the conditions priority and the priority evaluation rules are as followed: +1. A **TargetState** with P0 conditions is higher than a **TargetState** without P0 conditions. -1. **TargetState** with P0 conditions is higher than **TargetState** without P0 conditions. +2. A **TargetState** with both P0 and P1 conditions is higher than a **TargetState** with only P0 conditions. +2. A **TargetState** with a greater number of matched P0 conditions is higher than **TargetState** with fewer matched P0 conditions, regardless of the number of P1 conditions matched. -2. **TargetState** with P1 conditions is higher than **TargetState** without P0 and P1 conditions. +2. If the number of P0 conditions matched are equivalent, then the **TargetState** with the most matched P1 conditions has higher priority. +3. If both P0 and P1 conditions are equally matched, then the **TargetState** with the greatest total number of matched conditions has highest priority. -3. If N₁>N₂>0, the **TargetState** priority with N₁ P0 conditions is higher than the **TargetState** with N₂ P1 conditions. - - -4. 
For **TargetState** without P0 conditions, if N₁>N₂>0 **TargetState** with N₁ P1 conditions is higher than the **TargetState** with N₂ P1 conditions. - - -5. For **TargetState** without P0 and P1 conditions, if N₁>N₂>0 **TargetState** priority with N₁ P2 conditions is higher than the **TargetState** with N₂ P2 conditions. - - -6. For rules 3, 4, and 5, if N₁=N₂, **TargetState** priorities are considered equal. ## Create a provisioning package with multivariant settings 
@@ -112,17 +99,15 @@ The **TargetState** priority is assigned based on the conditions priority and th Follow these steps to create a provisioning package with multivariant capabilities. -1. Build a provisioning package and configure the customizations you need to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). - +1. Build a provisioning package and configure the customizations you want to apply during certain conditions. For more information, see [Create a provisioning package](provisioning-create-package.md). 2. After you've [configured the settings](provisioning-create-package.md#configure-settings), save the project. - -3. Open the project folder and copy the customizations.xml file. +3. Open the project folder and copy the customizations.xml file to any local location. 4. Use an XML or text editor to open the customizations.xml file. - The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The Customizations node contains a Common section, which contains the customization settings. + The customizations.xml file holds the package metadata (including the package owner and rank) and the settings that you configured when you created your provisioning package. The **Customizations** node of the file contains a **Common** section, which contains the customization settings. The following example shows the contents of a sample customizations.xml file. 
@@ -153,7 +138,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti ``` -4. Edit the customizations.xml file and create a **Targets** section to describe the conditions that will handle your multivariant settings. +4. Edit the customizations.xml file to create a **Targets** section to describe the conditions that will handle your multivariant settings. The following example shows the customizations.xml, which has been modified to include several conditions including **ProcessorName**, **ProcessorType**, **MCC**, and **MNC**. @@ -210,10 +195,10 @@ Follow these steps to create a provisioning package with multivariant capabiliti c. Move compliant settings from the **Common** section to the **Variant** section. - If any of the TargetRef elements matches the Target, all settings in the Variant are applied (OR logic). + If any of the **TargetRef** elements matches the **Target**, all settings in the **Variant** are applied. >[!NOTE] - >You can define multiple Variant sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. + >You can define multiple **Variant** sections. Settings that reside in the **Common** section are applied unconditionally on every triggering event. The following example shows the customizations.xml updated to include a **Variant** section and the moved settings that will be applied if the conditions for the variant are met. 
@@ -289,7 +274,20 @@ In this example, the **StoreFile** corresponds to the location of the settings s +## Events that trigger provisioning +When you install the multivariant provisioning package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning. + +The following events trigger provisioning on Windows 10 devices: + +| Event | Windows 10 Mobile | Windows 10 for desktop editions | +| --- | --- | --- | +| System boot | Supported | Supported | +| Operating system update | Supported | Planned | +| Package installation during device first run experience | Supported | Supported | +| Detection of SIM presence or update | Supported | Supported | +| Package installation at runtime | Supported | Supported | +| Roaming detected | Supported | Not supported | 
@@ -304,15 +302,14 @@ In this example, the **StoreFile** corresponds to the location of the settings s - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)   diff --git a/windows/deploy/provisioning-nfc.md b/windows/configure/provisioning-nfc.md similarity index 88% rename from windows/deploy/provisioning-nfc.md rename to windows/configure/provisioning-nfc.md index 114e6d5545..fad3428d0c 100644 --- a/windows/deploy/provisioning-nfc.md +++ b/windows/configure/provisioning-nfc.md 
@@ -17,7 +17,7 @@ localizationpriority: high
 Near field communication (NFC) enables Windows 10 Mobile Enterprise and Windows 10 Mobile devices to communicate with an NFC tag or another NFC-enabled transmitting device. Enterprises that do bulk provisioning can use NFC-based device provisioning to provide a provisioning package to the device that's being provisioned. NFC provisioning is simple and convenient and it can easily store an entire provisioning package.
-The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup or the out-of-box experience (OOBE) phase. Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE.
+The NFC provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). Administrators can use the NFC provisioning option to transfer provisioning information to persistent storage by tapping an unprovisioned mobile device to an NFC tag or NFC-enabled device. To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by storing your provisioning package to a tag as described in this section, or build the infrastructure needed to transmit a provisioning package between an NFC-enabled device and a mobile device during OOBE.
 ## Provisioning OOBE UI
@@ -131,18 +131,9 @@ For detailed information and code samples on how to implement an NFC-enabled dev
 ## Related topics
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
-- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-- [Create a provisioning package](provisioning-create-package.md)
-- [Apply a provisioning package](provisioning-apply-package.md)
-- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
+- [Barcode provisioning and the package splitter tool](provisioning-package-splitter.md)     
diff --git a/windows/configure/provisioning-package-splitter.md b/windows/configure/provisioning-package-splitter.md
new file mode 100644
index 0000000000..00a62a1ae4
--- /dev/null
+++ b/windows/configure/provisioning-package-splitter.md
@@ -0,0 +1,88 @@
+---
+title: Barcode provisioning and the package splitter tool (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Barcode provisioning and the package splitter tool
+
+
+**Applies to**
+
+- Windows 10 Mobile
+
+Enterprises that do bulk provisioning can use barcode-based device provisioning to provide a provisioning package to the device that's being provisioned.
+
+The barcode provisioning option enables the administrator to provide a provisioning package during initial device setup (the out-of-box experience or OOBE phase). To use barcodes to provision a device, your devices must have an integrated barcode scanner. You can get the barcode format that the scanner supports from your OEM or device provider, and use your existing tools and processes to convert a provisioning package into barcodes.
+
+Enterprise IT professionals who want to use a barcode to provision mobile devices during OOBE can use the package splitter tool, **ppkgtobase64.exe**, which is a command-line tool to split the provisioning package into smaller files.
+
+The smallest provisioning package is typically 5-6 KB, which cannot fit into one single barcode. The package splitter tool allows partners to split the original provisioning package into multiple smaller sized chunks that are encoded with Base64 so that enterprises can leverage their existing tools to convert these files into barcodes.
+
+When you [install Windows Configuration Designer](provisioning-install-icd.md) from the Windows Assessment and Deployment Kit (ADK), **ppkgtobase64.exe** is installed to the same folder.
+
+## Prerequisites
+
+Before you can use the tool, you must have a built provisioning package. The package file is the input to the package splitter tool.
+
+- To build a provisioning package using the Windows Configuration Designer UI, see [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md).
+- To build a provisioning package using the Windows Configuration Designer CLI, see [Windows Configuration Designer command-line interface](provisioning-command-line.md).
+
+## To use the package splitter tool (ppkgtobase64.exe)
+
+1. Open a command-line window with administrator privileges.
+
+
+2. From the command-line, navigate to the Windows Configuration Designer install directory.
+
+ On an x64 computer, type:
+ ```
+ cd C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86
+ ```
+
+ - or -
+
+ On an x86 computer, type:
+
+ ```
+ cd C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86
+ ```
+
+3. Run `ppkgtobase64.exe`. The [syntax](#syntax) and [switches and arguments](#switches-and-arguments) sections provide details for the command.
+
+
+### Syntax
+
+```
+ppkgtobase64.exe -i -o -s [-c] [/?]
+```
+
+### Switches and arguments
+
+| Switch | Required? | Arguments |
+| --- | --- | --- |
+| -i | Yes | Use to specify the path and file name of the provisioning package that you want to divide into smaller files.

The tool allows you to specify the absolute path of the provisioning package file. However, if you don't specify the path, the tool will search the current folder for a package that matches the file name you specified. |
+| -o | Yes | Use to specify the directory where the output files will be saved. |
+| -s | Yes | Use to specify the size of the block that will be encoded in Base64. |
+| -c | No | Use to delete any files in the output directory if the directory already exists. This parameter is optional. |
+| /? | No | Lists the switches and their descriptions for the command-line tool or for certain commands. |
+
+
+
+
+## Related topics
+
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/configure/provisioning-packages.md b/windows/configure/provisioning-packages.md
new file mode 100644
index 0000000000..8732d8c5a3
--- /dev/null
+++ b/windows/configure/provisioning-packages.md
@@ -0,0 +1,169 @@
+---
+title: Provisioning packages (Windows 10)
+description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Provisioning packages for Windows 10
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
+
+A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+
+Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
+
+The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an [app in the Windows Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
+
+
+
+
+## New in Windows 10, version 1703
+
+- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only.
+- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Windows Store.
+- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions.
+- The wizard **Provision desktop devices** (previously called **Simple provisioning**) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning.
+- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning.
+- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.
+- The **Provision school devices** wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Windows Store.
+
+
+
+## Benefits of provisioning packages
+
+
+Provisioning packages let you:
+
+- Quickly configure a new device without going through the process of installing a new image.
+
+- Save time by configuring multiple devices using one provisioning package.
+
+- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure.
+
+- Set up a device without the device having network connectivity.
+
+Provisioning packages can be:
+
+- Installed using removable media such as an SD card or USB flash drive.
+
+- Attached to an email.
+
+- Downloaded from a network share.
+
+- Deployed in NFC tags or barcodes.
+
+## What you can configure
+
+### Configuration Designer wizards
+
+The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages.
+
+
+
+
+
+
+
+
+
        **Step****Description****Desktop
        wizard**
        **Mobile
        wizard**
        **Kiosk
        wizard**
        Set up deviceAssign device name,
        enter product key to upgrade Windows,
        configure shared used,
        remove pre-installed software
        ![yes](images/checkmark.png)![yes](images/checkmark.png)
        (Only device name and upgrade key)
        ![yes](images/checkmark.png)
        Set up networkConnect to a Wi-Fit network![yes](images/checkmark.png)![yes](images/checkmark.png)![yes](images/checkmark.png)
        Account managementEnroll device in Active Directory,
        enroll device in Azure Active Directory,
        or create a local administrator account
        ![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
        Bulk Enrollment in Azure ADEnroll device in Azure Active Directory

        Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).
        ![no](images/crossmark.png)![yes](images/checkmark.png)![no](images/crossmark.png)
        Add applicationsInstall applications using the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
        Add certificatesInclude a certificate file in the provisioning package.![yes](images/checkmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
        Configure kiosk account and appCreate local account to run the kiosk mode app,
        specify the app to run in kiosk mode
        ![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
        Configure kiosk common settingsSet tablet mode,
        configure welcome and shutdown screens,
        turn off timeout settings
        ![no](images/crossmark.png)![no](images/crossmark.png)![yes](images/checkmark.png)
+
+- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
+- [Instructions for the mobile wizard](provisioning-configure-mobile.md)
+- [Instructions for the kiosk wizard](set-up-a-kiosk-for-windows-10-for-desktop-editions.md#wizard)
+
+
+
+>[!NOTE]
+>After you start a project using a Windows Configuration Designer wizard, you can switch to the advanced editor to configure additional settings in the provisioning package.
+
+### Configuration Designer advanced editor
+
+The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages.
+
+| Customization options | Examples |
+|--------------------------|-----------------------------------------------------------------------------------------------|
+| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
+| Applications | Windows apps, line-of-business applications |
+| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* |
+| Certificates | Root certification authority (CA), client certificates |
+| Connectivity profiles | Wi-Fi, proxy settings, Email |
+| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
+| Data assets | Documents, music, videos, pictures |
+| Start menu customization | Start menu layout, application pinning |
+| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
+\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices.
+ 
+
+For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
+
+## Changes to provisioning in Windows 10, version 1607
+
+>[!NOTE]
+>This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703.
+
+Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios.
+
+![Configuration Designer options](images/icd.png)
+
+Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
+
+* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
+
+ > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+
+* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
+
+* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card.
Supported management end-points include:
+
+ * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment)
+ * AirWatch (password-string based enrollment)
+ * Mobile Iron (password-string based enrollment)
+ * Other MDMs (cert-based enrollment)
+
+> [!NOTE]
+> Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index).
+
+## Learn more
+
+- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+
+- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+
+## Related topics
+
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](provisioning-configure-mobile.md)
+
+
+
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/configure/provisioning-powershell.md b/windows/configure/provisioning-powershell.md
new file mode 100644
index 0000000000..508bada17f
--- /dev/null
+++ b/windows/configure/provisioning-powershell.md
@@ -0,0 +1,72 @@
+---
+title: PowerShell cmdlets for provisioning Windows 10 (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# PowerShell cmdlets for provisioning Windows 10 (reference)
+
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions.
+
+
+
+
+
+
+
+
+
+
+
        CmdletUse this cmdlet toSyntax
        Add-ProvisioningPackage Apply a provisioning package```Add-ProvisioningPackage [-Path] [-ForceInstall] [-LogsFolder ] [-WprpFile ] []```
        Remove-ProvisioningPackageRemove a provisioning package ```Remove-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
        ```Remove-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
        ```Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
        Get-ProvisioningPackage Get information about an installed provisioning package ```Get-ProvisioningPackage -PackageId [-LogsFolder ] [-WprpFile ] []```
        ```Get-ProvisioningPackage -Path [-LogsFolder ] [-WprpFile ] []```
        ```Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder ] [-WprpFile ] []```
        Export-ProvisioningPackage Extract the contents of a provisioning package ```Export-ProvisioningPackage -PackageId -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
        ```Export-ProvisioningPackage -Path -OutputFolder [-Overwrite] [-AnswerFileOnly] [-LogsFolder ] [-WprpFile ] []```
        Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store ```Install-TrustedProvisioningCertificate ```
        Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the **Uninstall-TrustedProvisioningCertificate** cmdlet```Get-TrustedProvisioningCertificate```
        Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificate```Uninstall-TrustedProvisioningCertificate ```
+
+>[!NOTE]
+> You can use Get-Help to get usage help on any command. For example: `Get-Help Add-ProvisioningPackage`
+
+Trace logs are captured when using cmdlets. The following logs are available in the logs folder after the cmdlet completes:
+
+- ProvTrace.<timestamp>.ETL - ETL trace file, unfiltered
+- ProvTrace.<timestamp>.XML - ETL trace file converted into raw trace events, unfiltered
+- ProvTrace.<timestamp>.TXT - TEXT file containing trace output formatted for easy reading, filtered to only show events logged by providers in the WPRP file
+- ProvLogReport.<timestamp>.XLS - Excel file containing trace output, filtered to only show events logged by providers in WPRP file
+
+
+
+>[!NOTE]
+>When applying provisioning packages using Powershell cmdlets, the default behavior is to suppress the prompt that appears when applying an unsigned provisioning package. This is by design so that provisioning packages can be applied as part of existing scripts.
+
+
+## Related topics
+
+- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Install Windows Configuration Designer](provisioning-install-icd.md)
+- [Create a provisioning package](provisioning-create-package.md)
+- [Apply a provisioning package](provisioning-apply-package.md)
+- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
+- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
+- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
+- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
+
+
+
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deploy/provisioning-script-to-install-app.md b/windows/configure/provisioning-script-to-install-app.md
similarity index 72%
rename from windows/deploy/provisioning-script-to-install-app.md
rename to windows/configure/provisioning-script-to-install-app.md
index 8754c66299..0e47014f47 100644
--- a/windows/deploy/provisioning-script-to-install-app.md
+++ b/windows/configure/provisioning-script-to-install-app.md
@@ -16,7 +16,7 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see Remarks below).
+This walkthrough describes how to leverage the ability to include scripts in a Windows 10 provisioning package to install Win32 applications. Scripted operations other than installing apps can also be performed, however, some care is needed in order to avoid unintended behavior during script execution (see [Remarks](#remarks) below).
 >**Prerequisite**: [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit), version 1511 or higher
@@ -29,6 +29,7 @@ This walkthrough describes how to leverage the ability to include scripts in a W
 2. If you need to include a directory structure of files, you will need to cab the assets for easy inclusion in the provisioning packages.
+
 ## Cab the application assets
 1. Create a .DDF file as below, replacing *file1* and *file2* with the files you want to package, and adding the name of file/directory.
@@ -89,7 +90,9 @@ This walkthrough describes how to leverage the ability to include scripts in a W
 ## Create the script to install the application
-Create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
+In Windows 10, version 1607 and earlier, create a script to perform whatever work is needed to install the application(s). The following examples are provided to help get started authoring the orchestrator script that will execute the required installers. In practice, the orchestrator script may reference many more assets than those in these examples.
+
+In Windows 10, version 1703, you don’t need to create an orchestrator script. You can have one command line per app. If necessary, you can create a script that logs the output per app, as mentioned below (rather than one orchestrator script for the entire provisioning package).
 >[!NOTE]
 >All actions performed by the script must happen silently, showing no UI and requiring no user interaction.
@@ -138,6 +141,7 @@ PsExec.exe -accepteula -i -s cmd.exe /c powershell.exe my_powershell_script.ps1'
 echo result: %ERRORLEVEL% >> %LOGFILE%
 ```
+
 ### Extract from a .CAB example
 This example script shows expansion of a .cab from the provisioning commands script, as well as installation of the expanded setup.exe
@@ -154,7 +158,9 @@ echo result: %ERRORLEVEL% >> %LOGFILE%
 ### Calling multiple scripts in the package
-You are currently allowed one CommandLine per PPKG. The batch files shown above are orchestrator scripts that manage the installation and calls any other scripts included in the PPKG. The orchestrator script is what should be invoked from the CommandLine specified in the package.
+In Windows 10, version 1703, your provisioning package can include multiple CommandLines.
+
+In Windows 10, version 1607 and earlier, you are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package.
 Here’s a table describing this relationship, using the PowerShell example from above:
@@ -166,23 +172,23 @@ Here’s a table describing this relationship, using the PowerShell example from
 | ProvisioningCommands/DeviceContext/CommandFiles | my_powershell_script.ps1 | Other assets referenced by the orchestrator script. In this example there is only one, but there could be many assets referenced here. One common use case is using the orchestrator to call a series of install.exe or setup.exe installers to install several applications. Each of those installers must be included as an asset here. |
-### Add script to provisioning package
+### Add script to provisioning package (Windows 10, version 1607)
-When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Imaging and Configuration Designer (Windows ICD).
+When you have the batch file written and the referenced assets ready to include, you can add them to a provisioning package in the Window Configuration Designer.
-Using ICD, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line. So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to:
+Using Windows Configuration Designer, specify the full details of how the script should be run in the CommandLine setting in the provisioning package. This includes flags or any other parameters that you would normally type on the command line.
So for example if the package contained an app installer called install.exe and a script used to automate the install called InstallMyApp.bat, the `ProvisioningCommands/DeviceContext/CommandLine` setting should be configured to:
 ```
 cmd /c InstallMyApp.bat
 ```
-In ICD, this looks like:
+In Windows Configuration Designer, this looks like:
 ![Command line in Selected customizations](images/icd-script1.png)
 You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files.
-In ICD, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting.
+In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting.
 ![Command files in Selected customizations](images/icd-script2.png)
@@ -197,10 +203,15 @@ When you are done, [build the package](provisioning-create-package.md#build-pack 2. When applied at first boot, provisioning runs early in the boot sequence and before a user context has been established; care must be taken to only include installers that can run at this time. Other installers can be provisioned via a management tool. 3. If the device is put into an unrecoverable state because of a bad script, you can reset it using [recovery options in Windows 10](https://support.microsoft.com/help/12415/windows-10-recovery-options). 4. The CommandFile assets are deployed on the device to a temporary folder unique to each package. - a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` - b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` + - For Windows 10, version 1607 and earlier: + a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` + b. For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the PPKG: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands` + - For Windows 10, version 1703: + a. For packages added during the out of box experience, this is usually in `%WINDIR%\system32\config\systemprofile\appdata\local\Temp\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` + The `0` after `Commands\` refers to the installation order and indicates the first app to be installed. The number will increment for each app in the package. + b. 
For packages added by double-clicking on an already deployed device, this will be in the temp folder for the user executing the provisioning package: `%TMP%\ProvisioningPkgTmp\<{PackageIdGuid}>\Commands\0` 5. The command line will be executed with the directory the CommandFiles were deployed to as the working directory. This means you do not need to specific the full path to assets in the command line or from within any script. -6. The runtime provisioning component will attempt to run the scripts from the PPKG at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the Out-of-Box Experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. +6. The runtime provisioning component will attempt to run the scripts from the provisioning package at the earliest point possible, depending on the stage when the PPKG was added. For example, if the package was added during the Out-of-Box Experience, it will be run immediately after the package is applied, while the out of box experience is still happening. This is before the user account configuration options are presented to the user. A spinning progress dialog will appear and “please wait” will be displayed on the screen. >[!NOTE] >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 
@@ -211,12 +222,11 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) \ No newline at end of file diff --git a/windows/deploy/provisioning-uninstall-package.md b/windows/configure/provisioning-uninstall-package.md similarity index 91% rename from windows/deploy/provisioning-uninstall-package.md rename to windows/configure/provisioning-uninstall-package.md index b3836ede88..e4ee9c442e 100644 --- a/windows/deploy/provisioning-uninstall-package.md +++ b/windows/configure/provisioning-uninstall-package.md 
@@ -27,7 +27,7 @@ Only settings in the following lists are revertible. ## Registry-based settings -The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Graphical User Interface of the Windows Imaging and Configuration Designer (Windows ICD). +The registry-based settings that are revertible when a provisioning package is uninstalled all fall under these categories, which you can find in the Windows Configuration Designer. - [Wi-Fi Sense](https://msdn.microsoft.com/library/windows/hardware/mt219706.aspx) @@ -78,14 +78,13 @@ Here is the list of revertible settings based on configuration service providers - [Provisioning packages for Windows 10](provisioning-packages.md) - [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) +- [Install Windows Configuration Designer](provisioning-install-icd.md) - [Create a provisioning package](provisioning-create-package.md) - [Apply a provisioning package](provisioning-apply-package.md) - [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) - [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) +- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md) +- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md)   
diff --git a/windows/manage/set-up-a-device-for-anyone-to-use.md b/windows/configure/set-up-a-device-for-anyone-to-use.md
similarity index 96%
rename from windows/manage/set-up-a-device-for-anyone-to-use.md
rename to windows/configure/set-up-a-device-for-anyone-to-use.md
index f274498ed1..7a58deaa8f 100644
--- a/windows/manage/set-up-a-device-for-anyone-to-use.md
+++ b/windows/configure/set-up-a-device-for-anyone-to-use.md
@@ -1,5 +1,5 @@
 ---
-title: Set up a device for anyone to use (kiosk mode) (Windows 10)
+title: Set up a device for anyone to use in kiosk mode (Windows 10)
 description: You can configure Windows 10 as a kiosk device, so that users can only interact with a single app.
 ms.assetid: F1F4FF19-188C-4CDC-AABA-977639C53CA8
 keywords: ["kiosk", "lockdown", "assigned access"]
@@ -8,6 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerMS
 localizationpriority: high
+redirect_url: https://technet.microsoft.com/itpro/windows/configure/kiosk-shared-pc
 ---
 
 # Set up a device for anyone to use (kiosk mode)
diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
similarity index 55%
rename from windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
rename to windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
index 211f47f9c2..e9f19dfa8f 100644
--- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
+++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-desktop-editions.md
@@ -19,52 +19,65 @@ localizationpriority: high > **Looking for Windows Embedded 8.1 Industry information?** See [Assigned Access]( https://go.microsoft.com/fwlink/p/?LinkId=613653) -A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions (Pro, Enterprise, and Education). For a kiosk device to run a Universal Windows app, use the **assigned access** feature. For a kiosk device (Windows 10 Enterprise or Education) to run a Classic Windows application, use **Shell Launcher** to set a custom user interface as the shell. To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). +A single-use or *kiosk* device is easy to set up in Windows 10 for desktop editions. -**Note**   -A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file. +- Use the [Provision kiosk devices wizard](#wizard) in Windows Configuration Designer to create a provisioning package that configures a kiosk device running either a Universal Windows app or a Classic Windows application (Windows 10 Enterprise or Education only). + + or + +- For a kiosk device to run a Universal Windows app, use the [assigned access](#assigned-access) feature (Windows 10 Pro, Enterprise, or Education). + + or + +- For a kiosk device to run a Classic Windows application, use [Shell Launcher](#shell-launcher) to set a custom user interface as the shell (Windows 10 Enterprise or Education only). + +To return the device to the regular shell, see [Sign out of assigned access](#sign-out-of-assigned-access). + +>[!NOTE] +>A Universal Windows app is built on the Universal Windows Platform (UWP), which was first introduced in Windows 8 as the Windows Runtime. 
A Classic Windows application uses the Classic Windows Platform (CWP) (e.g., COM, Win32, WPF, WinForms, etc.) and is typically launched using an .EXE or .DLL file.   -## Other settings to lock down -For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +## Set up a kiosk using Windows Configuration Designer -- Put device in **Tablet mode**. +When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application. - If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -- Hide **Ease of access** feature on the logon screen. - Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +[Install Windows Configuration Designer](provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table. -- Disable the hardware power button. - Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. -- Remove the power button from the sign-in screen. + + + + + + + + + +
        ![step one](images/one.png)![set up device](images/set-up-device.png)

        Enable device setup if you want to configure settings on this page.

        **If enabled:**

        Enter a name for the device.

        (Optional) Select a license file to upgrade Windows 10 to a different edition. [See the permitted upgrades.](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)

        Toggle **Configure devices for shared use** off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.

        You can also select to remove pre-installed software from the device.
        ![device name, upgrade to enterprise, shared use, remove pre-installed software](images/set-up-device-details.png)
        ![step two](images/two.png) ![set up network](images/set-up-network.png)

        Enable network setup if you want to configure settings on this page.

        **If enabled:**

        Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
        ![Enter network SSID and type](images/set-up-network-details.png)
        ![step three](images/three.png) ![account management](images/account-management.png)

        Enable account management if you want to configure settings on this page.

        **If enabled:**

        You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

        To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

        Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

        **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

        To create a local administrator account, select that option and enter a user name and password.

        **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
        ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png)
        ![step four](images/four.png) ![add applications](images/add-applications.png)

        You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Classic Windows (Win32) apps and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md)

        **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application.
        ![add an application](images/add-applications-details.png)
        ![step five](images/five.png) ![add certificates](images/add-certificates.png)

        To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
        ![add a certificate](images/add-certificates-details.png)
        ![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

        **Important:** You must use the Windows Configuration Designer app from Windows Store to select a Classic Windows application as the kiosk app in a provisioning package.

        You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

        If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

        In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Classic Windows app) or the AUMID (for a Universal Windows app). For a Classic Windows app, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
        ![Configure kiosk account and app](images/kiosk-account-details.png)
        ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

        On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
        ![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png)
        ![finish](images/finish.png)

        You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
        ![Protect your package](images/finish-details.png)
        - Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** -- Disable the camera. +>[!NOTE] +>If you want to use the advanced editor in Windows Configuration Designer, specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings** - Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. -- Turn off app notifications on the lock screen. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. -- Disable removable media. - Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. +[Learn how to apply a provisioning package.](provisioning-apply-package.md) - **Note**   - To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.   - -## Assigned access method for Universal Windows apps + +## Assigned access method for Universal Windows apps Using assigned access, Windows 10 runs the designated Universal Windows app above the lockscreen, so that the assigned access account has no access to any other functionality on the device. You have these choices for setting up assigned access: 
@@ -73,7 +86,7 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo | --- | --- | --- | | [Use Settings on the PC](#set-up-assigned-access-in-pc-settings) | Local standard | Pro, Enterprise, Education | | [Apply a mobile device management (MDM) policy](#set-up-assigned-access-in-mdm) | All (domain, local standard, local administrator, etc) | Enterprise, Education | -| [Create a provisioning package using Windows Imaging and Configuration Designer (ICD)](#icd) | All (domain, local standard, local administrator, etc) | Enterprise, Education | +| [Create a provisioning package using Windows Configuration Designer](#wizard) | All (domain, local standard, local administrator, etc) | Enterprise, Education | | [Run a PowerShell script](#set-up-assigned-access-using-windows-powershell) | Local standard | Pro, Enterprise, Education | @@ -88,8 +101,8 @@ Using assigned access, Windows 10 runs the designated Universal Windows app abo The Universal Windows app must be able to handle multiple views and cannot launch other apps or dialogs. -**Note**   -Assigned access does not work on a device that is connected to more than one monitor. +>[!NOTE]   +>Assigned access does not work on a device that is connected to more than one monitor.   @@ -105,7 +118,7 @@ Assigned access does not work on a device that is connected to more than one mon 5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on. -To remove assigned access, in step 3, choose **Don't use assigned access**. +To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. ### Set up assigned access in MDM 
@@ -115,69 +128,9 @@ Assigned Access has one setting, KioskModeApp. In the KioskModeApp setting, you [See the technical reference for the Assigned Access configuration service provider.](https://go.microsoft.com/fwlink/p/?LinkId=626608) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) + -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device as a kiosk. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -**Create a provisioning package for a kiosk device** - -1. Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). - -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **AssignedAccess**, and click **AssignedAccessSettings**. - -7. Enter a string to specify the user account and app (by AUMID). For example: - - "Account":"contoso\\\\kiosk","AUMID":"8f82d991-f842-44c3-9a95-521b58fc2084" - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. 
Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows ICD uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. 
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -**Apply the provisioning package** - -1. Select the provisioning package that you want to apply, double-click the file, and then allow admin privileges. - -2. Consent to allow the package to be installed. - - After you allow the package to be installed, the settings will be applied to the device - -[Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) ### Set up assigned access using Windows PowerShell @@ -201,7 +154,9 @@ Set-AssignedAccess -AppName -UserName Set-AssignedAccess -AppName -UserSID ``` -> **Note:** To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. +> [!NOTE] +> To set up assigned access using `-AppName`, the user account that you specify for assigned access must have logged on at least once. + [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867). [Learn how to get the AppName](https://msdn.microsoft.com/library/windows/hardware/mt620046%28v=vs.85%29.aspx) (see **Parameters**). @@ -223,8 +178,8 @@ Edit the registry to have an account automatically logged on. 1. Open Registry Editor (regedit.exe). - **Note**   - If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002). + >[!NOTE]   + >If you are not familiar with Registry Editor, [learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002).   2. Go to 
@@ -239,7 +194,8 @@ Edit the registry to have an account automatically logged on. - *DefaultPassword*: set value as the password for the account. - > **Note**  If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. + > [!NOTE] + > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**. - *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key. @@ -255,11 +211,15 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal. -## Shell Launcher for Classic Windows applications + +## Shell Launcher for Classic Windows applications Using Shell Launcher, you can configure a kiosk device that runs a Classic Windows application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. +>[!NOTE] +>You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). + ### Requirements - A domain or local user account. 
@@ -274,10 +234,13 @@ To set a Classic Windows application as the shell, you first turn on the Shell L **To turn on Shell Launcher in Windows features** -1. Go to Control Panel > **Programs and Features** > **Turn Windows features on or off**. -2. Select **Embedded Shell Launcher** and **OK**. +1. Go to Control Panel > **Programs and features** > **Turn Windows features on or off**. -Alternatively, you can turn on Shell Launcher using the Deployment Image Servicing and Management (DISM.exe) tool. +2. Expand **Device Lockdown**. + +2. Select **Shell Launcher** and **OK**. + +Alternatively, you can turn on Shell Launcher using Windows Configuration Designer in a provisioning package, using `SMISettings > ShellLauncher`, or the Deployment Image Servicing and Management (DISM.exe) tool. **To turn on Shell Launcher using DISM** 
@@ -425,19 +388,46 @@ $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() "`nEnabled is set to " + $IsShellLauncherEnabled.Enabled ``` +## Other settings to lock down + + +For a more secure kiosk experience, we recommend that you make the following configuration changes to the device: + +- Put device in **Tablet mode**. + + If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** + +- Hide **Ease of access** feature on the logon screen. + + Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. + +- Disable the hardware power button. + + Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. + +- Remove the power button from the sign-in screen. + + Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** + +- Disable the camera. + + Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. + +- Turn off app notifications on the lock screen. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. + +- Disable removable media. + + Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation. + + >[!NOTE]   + >To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. 
+ +  ## Related topics - -[Set up a device for anyone to use](set-up-a-device-for-anyone-to-use.md) - -[Set up a kiosk for Windows 10 for mobile edition](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) - -[Manage and update Windows 10](index.md) - -  - -  - +- [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md similarity index 57% rename from windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md rename to windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 1a11ff9c20..9cb47b71cd 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md 
@@ -18,51 +18,18 @@ localizationpriority: high - Windows 10 Mobile -A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise for kiosk mode by using the Apps Corner feature. You can also use the Enterprise Assigned Access configuration service provider (CSP) to configure a kiosk experience. -**Note**   -The specified app must be an above lock screen app. For details on building an above lock screen app, see [Kiosk apps for assigned access: Best practices](https://go.microsoft.com/fwlink/p/?LinkId=708386). - -  - -## Apps Corner +A device in kiosk mode runs a specified app with no access to other device functions, menus, or settings. You use the [Enterprise Assigned Access](#enterprise-assigned-access) configuration service provider (CSP) to configure a kiosk experience. You can also configure a device running Windows 10 Mobile or Windows 10 Mobile Enterprise, version 1607 or earlier, for kiosk mode by using the [Apps Corner](#apps-corner) feature. (Apps Corner is removed in version 1703.) -Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. - -**To set up Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![](images/doneicon.png) - -3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. 
Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](images/backicon.png) to the Apps Corner settings. - -4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. - -5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. - -6. Press **Back** ![back](images/backicon.png) when you're done. - -**To use Apps Corner** - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). - - **Tip**   - Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. - -   - -2. Give the device to someone else, so they can use the device and only the one app you chose. - -3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Enterprise Assigned Access -Enterprise Assigned Access allows you to lock down your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. +Enterprise Assigned Access allows you to put your Windows 10 Mobile or Windows 10 Mobile Enterprise device in kiosk mode by creating a user role that has only a single app, set to run automatically, in the Allow list. -**Note**  The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app. +>[!NOTE] +>The app can be a Universal Windows app, Universal Windows Phone 8 app, or a legacy Silverlight app.   
@@ -72,21 +39,24 @@ In AssignedAccessXml, for Application, you enter the product ID for the app to r [See the technical reference for the Enterprise Assigned Access configuration service provider (CSP).](https://go.microsoft.com/fwlink/p/?LinkID=618601) -### Set up assigned access using Windows Imaging and Configuration Designer (ICD) +### Set up assigned access using Windows Configuration Designer -> **Important** -When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. +>[!IMPORTANT] +>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. -**To create and apply a provisioning package for a kiosk device** +#### Create the *AssignedAccess*.xml file 1. Create an *AssignedAccess*.xml file that specifies the app the device will run. (You can name use any file name.) For instructions on AssignedAccessXml, see [EnterpriseAssignedAccess CSP](https://go.microsoft.com/fwlink/p/?LinkID=618601). - **Note**   - Do not escape the xml in *AssignedAccess*.xml file as Windows Imaging and Configuration Designer (ICD) will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + >[!NOTE] + >Do not escape the xml in *AssignedAccess*.xml file as Windows Configuration Designer will do that when building the package. Providing escaped xml in Windows ICD will cause building the package fail. + +#### Create the provisioning package -   +1. 
[Install Windows Configuration Designer.](provisioning-install-icd.md) + +2. Open Windows Configuration Designer (if you installed it from the Windows ADK, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). -2. Open Windows ICD (by default, `%windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe`). 3. Choose **Advanced provisioning**. 
@@ -130,55 +100,91 @@ When you build a provisioning package, you may include sensitive information in - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. -17. Select the **output location** link to go to the location of the package. You can distribute that .ppkg to mobile devices using any of the following methods: +17. Select the **output location** link to go to the location of the package. - - Removable media (USB/SD) +#### Distribute the provisioning package - **To apply a provisioning package from removable media** +You can distribute that .ppkg to mobile devices using any of the following methods: - 1. Copy the provisioning package file to the root directory on a micro SD card. +- Removable media (USB/SD) - 2. On the device, insert the micro SD card containing the provisioning package. + **To apply a provisioning package from removable media** - 3. Go to **Settings** > **Accounts** > **Provisioning.** + 1. Copy the provisioning package file to the root directory on a micro SD card. - 4. Tap **Add a package**. + 2. On the device, insert the micro SD card containing the provisioning package. - 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. + 3. Go to **Settings** > **Accounts** > **Provisioning.** - 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. + 4. Tap **Add a package**. - 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 5. On the **Choose a method** screen, in the **Add from** dropdown menu, select **Removable Media**. - 8. 
Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 6. Select a package will list all available provisioning packages on the micro SD card. Tap the desired package, and then tap **Add**. - - Email + 7. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package sent in email** + 8. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Send the provisioning package in email to an account on the device. +- Email - 2. Open the email on the device, and then double-tap the attached file. + **To apply a provisioning package sent in email** - 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 1. Send the provisioning package in email to an account on the device. - 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 2. Open the email on the device, and then double-tap the attached file. - - USB tether (mobile only) + 3. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. - **To apply a provisioning package using USB tether** + 4. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. - 1. Connect the device to your PC by USB. +- USB tether - 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. + **To apply a provisioning package using USB tether** - 3. The provisioning package installation dialog will appear on the phone. + 1. 
Connect the device to your PC by USB. - 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + 2. Select the provisioning package that you want to use to provision the device, and then drag and drop the file to your device. - 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + 3. The provisioning package installation dialog will appear on the phone. - [Learn how to apply a provisioning package in audit mode or OOBE.](https://go.microsoft.com/fwlink/p/?LinkID=692012) + 4. You will see a message that tells you what the package will do the device, such as **Adding it will: Lock down the user interface**. Tap **Yes, add it**. + + 5. Restart the device and verify that the runtime settings that were configured in the provisioning package were applied to the device. + + + +## Apps Corner + +>[!NOTE] +>For Windows 10, versions 1507, 1511, and 1607 only. + +Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or Windows 10 Mobile Enterprise device, where you can share only the apps you choose with the people you let use your device. You configure a device for kiosk mode by selecting a single app to use in Apps Corner. + +**To set up Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. + +2. Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon](images/doneicon.png). + +3. If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. 
Press **Back** ![back](images/backicon.png) to the Apps Corner settings. + +4. Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode. + +5. Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them. + +6. Press **Back** ![back](images/backicon.png) when you're done. + +**To use Apps Corner** + +1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner** > launch ![launch](images/launchicon.png). + + >[!TIP]   + >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** > **pin** to pin the Apps Corner tile to your Start screen. +   +2. Give the device to someone else, so they can use the device and only the one app you chose. + +3. When they're done and you get the device back, press and hold Power ![power](images/powericon.png), and then swipe right to exit Apps Corner. ## Related topics @@ -191,9 +197,5 @@ When you build a provisioning package, you may include sensitive information in   -  - - - diff --git a/windows/manage/set-up-shared-or-guest-pc.md b/windows/configure/set-up-shared-or-guest-pc.md similarity index 72% rename from windows/manage/set-up-shared-or-guest-pc.md rename to windows/configure/set-up-shared-or-guest-pc.md index f641f80569..23d35abc14 100644 --- a/windows/manage/set-up-shared-or-guest-pc.md +++ b/windows/configure/set-up-shared-or-guest-pc.md 
@@ -16,24 +16,26 @@ localizationpriority: high - Windows 10 -Windows 10, version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. +Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Pro Education, Education, and Enterprise. > [!NOTE] > If you're interested in using Windows 10 for shared PCs in a school, see [Use Set up School PCs app](https://technet.microsoft.com/edu/windows/use-set-up-school-pcs-app) which provides a simple way to configure PCs with shared PC mode plus additional settings specific for education. ##Shared PC mode concepts -A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. Users who sign-in are signed in as standard users, not admin users. +A Windows 10 PC in shared PC mode is designed to be management- and maintenance-free with high reliability. In shared PC mode, only one user can be signed in at a time. When the PC is locked, the currently signed in user can always be signed out at the lock screen. ###Account models -It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC as a standard user. The user who originally joined the PC to the domain will have administrative rights when they sign in. 
If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Start without an account** option on the sign-in screen, which doesn't require any user credentials or authentication and creates a new local account. +It is intended that shared PCs are joined to an Active Directory or Azure Active Directory domain by a user with the necessary rights to perform a domain join as part of a setup process. This enables any user that is part of the directory to sign-in to the PC. If using Azure Active Directory Premium, any domain user can also be configured to sign in with administrative rights. Additionally, shared PC mode can be configured to enable a **Guest** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used. Windows 10, version 1703, introduces a **kiosk mode** account. Shared PC mode can be configured to enable a **Kiosk** option on the sign-in screen, which doesn't require any user credentials or authentication, and creates a new local account each time it is used to run a specified app in assigned access (kiosk) mode. ###Account management -When the account management service is turned on in shared PC mode, accounts are automatically deleted. Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Start without an account** option. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. +When the account management service is turned on in shared PC mode, accounts are automatically deleted. 
Account deletion applies to Active Directory, Azure Active Directory, and local accounts that are created by the **Guest** and **Kiosk** options. Account management is performed both at sign-off time (to make sure there is enough disk space for the next user) as well as during system maintenance time periods. Shared PC mode can be configured to delete accounts immediately at sign-out or when disk space is low. In Windows 10, version 1703, an inactive option is added which deletes accounts if they haven't signed in after a specified number of days. ###Maintenance and sleep Shared PC mode is configured to take advantage of maintenance time periods which run while the PC is not in use. Therefore, sleep is strongly recommended so that the PC can wake up when it is not is use to perform maintenance, clean up accounts, and run Windows Update. The recommended settings can be set by choosing **SetPowerPolicies** in the list of shared PC options. Additionally, on devices without Advanced Configuration and Power Interface (ACPI) wake alarms, shared PC mode will always override real-time clock (RTC) wake alarms to be allowed to wake the PC from sleep (by default, RTC wake alarms are off). This ensures that the widest variety of hardware will take advantage of maintenance periods. -While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. Use one of the following methods to configure Windows Update: +While shared PC mode does not configure Windows Update itself, it is strongly recommended to configure Windows Update to automatically install updates and reboot (if necessary) during maintenance hours. This will help ensure the PC is always up to date and not interrupting users with updates. 
+ +Use one of the following methods to configure Windows Update: - Group Policy: Set **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure Automatic Updates** to `4` and check **Install during automatic maintenance**. - MDM: Set **Update/AllowAutoUpdate** to `4`. 
@@ -43,21 +45,31 @@ While shared PC mode does not configure Windows Update itself, it is strongly re ###App behavior -Apps can take advantage of shared PC mode by changing their app behavior to align with temporary use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. For information on how an app can query for shared PC mode, see [SharedModeSettings class](https://msdn.microsoft.com/en-us/library/windows/apps/windows.system.profile.sharedmodesettings.aspx). +Apps can take advantage of shared PC mode with the following three APIs: + +- [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured for shared use scenarios. For example, an app might only download content on demand on a device in shared PC mode, or might skip first run experiences. +- [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) - This informs apps when the PC has been configured to not allow the user to save to the local storage of the PC. Instead, only cloud save locations should be offered by the app or saved automatically by the app. +- [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) - This informs apps when the PC is used in an education environment. Apps may want to handle telemetry differently or hide advertising functionality. + ###Customization Shared PC mode exposes a set of customizations to tailor the behavior to your requirements. These customizations are the options that you'll set either using MDM or a provisioning package as explained in [Configuring shared PC mode on Windows](#configuring-shared-pc-mode-on-windows). The options are listed in the following table. | Setting | Value | |:---|:---| -| EnableSharedPCMode | Set as **True**. 
If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | -| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Start without an account** option to the sign-in screen and enable anonymous guest access to the PC.
        - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
        - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
        - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | -| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
        - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

        Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not. | +| EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings)

        Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | +| AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in. Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.
        - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
        - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
        - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | +| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.
        - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

        Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
        - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** | | AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | | AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | +| AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. | | AccountManagement: EnableAccountManager | Set as **True** to enable automatic account management. If this is not set to true, no automatic account management will be done. | +| AccountManagement: KioskModeAUMID | Set an Application User Model ID (AUMID) to enable the kiosk account on the sign-in screen. A new account will be created and will use assigned access to only run the app specified by the AUMID. Note that the app must be installed on the PC. Set the name of the account using **KioskModeUserTileDisplayText**, or a default name will be used. [Find the Application User Model ID of an installed app](https://msdn.microsoft.com/library/dn449300.aspx) | +| AccountManagement: KioskModeUserTileDisplayText | Sets the display text on the kiosk account if **KioskModeAUMID** has been set. | | Customization: MaintenanceStartTime | By default, the maintenance start time (which is when automatic maintenance tasks run, such as Windows Update) is midnight. You can adjust the start time in this setting by entering a new start time in minutes from midnight. 
For example, if you want maintenance to begin at 2 AM, enter `120` as the value. | -| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. When **SetEduPolicies** is **True**, the following additional settings are applied:
        - Local storage locations are restricted. Users can only save files to the cloud.
        - Custom Start and taskbar layouts are set.\*
        - A custom sign-in screen background image is set.\*
        - Additional educational policies are applied (see full list below).

        \*Only applies to Windows 10 Pro Education, Enterprise, and Education | +| Customization: MaxPageFileSizeMB | Adjusts the maximum page file size in MB. This can be used to fine-tune page file behavior, especially on low end PCs. | +| Customization: RestrictLocalStorage | Set as **True** to restrict the user from saving or viewing local storage when using File Explorer. This setting controls this API: [ShouldAvoidLocalStorage](https://docs.microsoft.com/uwp/api/windows.system.profile.sharedmodesettings) | +| Customization: SetEduPolicies | Set to **True** for PCs that will be used in a school. This setting controls this API: [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | | Customization: SetPowerPolicies | When set as **True**:
        - Prevents users from changing power settings
        - Turns off hibernate
        - Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | 
@@ -69,16 +81,17 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![custom OMA-URI policy in Intune](images/oma-uri-shared-pc.png) -- A provisioning package created with the Windows Imaging and Configuration Designer (ICD): You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Imaging and Configuration Designer (ICD). Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in ICD as SharedPC. +- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx), exposed in Windows Configuration Designer as **SharedPC**. ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) +- WMI bridge: Environments that use Group Policy can use the WMI bridge to configure the [SharedPC CSP](https://msdn.microsoft.com/library/windows/hardware/mt723294.aspx). ### Create a provisioning package for shared use -Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that configures a device for shared PC mode. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) +1. [install Windows Configuration Designer](provisioning-install-icd.md) -1. 
Open Windows ICD (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open Windows Configuration Designer. 2. On the **Start page**, select **Advanced provisioning**. @@ -86,7 +99,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit ( 4. Select **All Windows desktop editions**, and click **Next**. -5. Click **Finish**. Your project opens in Windows ICD. +5. Click **Finish**. Your project opens in Windows Configuration Designer. 6. Go to **Runtime settings** > **SharedPC**. [Select the desired settings for shared PC mode.](#customization) @@ -104,7 +117,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit ( > [!IMPORTANT]   > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.   -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location. +12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location. 13. Click **Next**. 14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status. 
@@ -127,45 +140,20 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
 You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up.
 **During initial setup**
-1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
+
+1. Start with a PC on the setup screen.
 ![The first screen to set up a new PC](images/oobe.jpg)
-2. Insert the USB drive and press the Windows key five times. Windows Setup will recognize the drive and ask if you want to set up the device. If there is only one provisioning package on the USB drive, you don't need to press the Windows key five times, Windows will automatically ask you if you want to set up the device. Select **Set up**.
+2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
+
+ - If there is only one provisioning package on the USB drive, the provisioning package is applied.
+
+ - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install.
 ![Set up device?](images/setupmsg.jpg)
-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
-
- ![Provision this device](images/prov.jpg)
-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
-
- ![Choose a package](images/choose-package.png)
-
-5. Select **Yes, add it**.
-
- ![Do you trust this package?](images/trust-package.png)
-
-6. Read and accept the Microsoft Software License Terms.
-
- ![Sign in](images/license-terms.png)
-
-7. Select **Use Express settings**.
-
- ![Get going fast](images/express-settings.png)
-
-8. 
If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
-
- ![Who owns this PC?](images/who-owns-pc.png)
-
-9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
-
- ![Connect to Azure AD](images/connect-aad.png)
-
-10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
-
- ![Sign in](images/sign-in-prov.png)
+3. Complete the setup process.
 **After setup** 
@@ -180,11 +168,11 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
 ## Guidance for accounts on shared PCs
 * We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
-* When a PC is set up in shared PC mode, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Start without an account** will also be deleted automatically at sign out.
+* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account managment happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will also be deleted automatically at sign out.
 * On a Windows PC joined to Azure Active Directory:
 * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
 * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
-* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Start without an account** selection on the sign-in screen (if enabled) will automatically be deleted at sign-out.
+* Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. 
New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out.
 * If admin accounts are necessary on the PC
 * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
 * Create admin accounts before setting up shared PC mode, or
@@ -209,7 +197,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
 Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
 > [!IMPORTANT]
-> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
+> It is not recommended to set additional policies on PCs configured for **Shared PC Mode**. The shared PC mode has been optimized to be fast and reliable over time with minimal to no manual maintenance required.
@@ -240,6 +228,8 @@ Shared PC mode sets local group policies to configure the device. Some of these + +
@@ -252,8 +242,8 @@ Shared PC mode sets local group policies to configure the device. Some of these - - + +
@@ -264,17 +254,19 @@ Shared PC mode sets local group policies to configure the device. Some of these + - - - - - + + + + + +
@@ -287,15 +279,10 @@ Shared PC mode sets local group policies to configure the device. Some of these
-## Related topics
-
-[Set up a device for anyone to use (kiosk)](set-up-a-device-for-anyone-to-use.md)   -  - 
diff --git a/windows/manage/settings-that-can-be-locked-down.md b/windows/configure/settings-that-can-be-locked-down.md
similarity index 85%
rename from windows/manage/settings-that-can-be-locked-down.md
rename to windows/configure/settings-that-can-be-locked-down.md
index c0348677ba..6e0e342400 100644
--- a/windows/manage/settings-that-can-be-locked-down.md
+++ b/windows/configure/settings-that-can-be-locked-down.md
@@ -20,7 +20,15 @@ localizationpriority: high
 This topic lists the settings and quick actions that can be locked down in Windows 10 Mobile.
-## Settings lockdown
+## Settings lockdown in Windows 10, version 1703
+
+In earlier versions of Windows 10, you used the page name to define allowed settings. Starting in Windows 10, version 1703, you use the settings URI.
+
+For example, in place of **SettingsPageDisplay**, you would use **ms-settings:display**.
+
+See the [ms-settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each Settings page.
+
+## Settings lockdown in Windows 10, version 1607 and earlier
 You can use Lockdown.xml to configure lockdown settings. 
@@ -451,52 +459,26 @@ You can specify the quick actions as follows:
 ``` syntax - - - - - - - - - - - - - - + + + + + + + + + + + + + + ```
-Some quick actions are dependent on related settings pages/page groups. When a dependent page/group is not available, then the corresponding quick action will also be hidden.
-**Note**  
-Dependent settings group/pages will be automatically enabled when a quick action is specified in the lockdown xml file. For example, if the Rotation quick setting is specified, the following group and page will automatically be added to the allow list: “SettingsPageSystemDisplay” and “SettingsPageDisplay”.
-
- 
-
-The following table lists the dependencies between quick actions and Settings groups/pages.
-
-| Quick action | Settings group | Settings page |
-|-----|-------|-------|
-| SystemSettings\_System\_Display\_QuickAction\_Brightness | SettingsPageSystemDisplay| SettingsPageDisplay |
-| SystemSettings\_System\_Display\_Internal\_Rotation | SettingsPageSystemDisplay | SettingsPageDisplay |
-| SystemSettings\_QuickAction\_WiFi | SettingsPageNetworkWiFi | SettingsPageNetworkWiFi |
-| SystemSettings\_QuickAction\_InternetSharing | SettingsPageNetworkInternetSharing | SettingsPageNetworkInternetSharing |
-| SystemSettings\_QuickAction\_CellularData | SettingsGroupCellular | SettingsPageNetworkCellular |
-| SystemSettings\_QuickAction\_AirplaneMode | SettingsPageNetworkAirplaneMode | SettingsPageNetworkAirplaneMode |
-| SystemSettings\_Privacy\_LocationEnabledUserPhone | SettingsGroupPrivacyLocationGlobals | SettingsPagePrivacyLocation |
-| SystemSettings\_Network\_VPN\_QuickAction | SettingsPageNetworkVPN | SettingsPageNetworkVPN |
-| SystemSettings\_Launcher\_QuickNote | N/A | N/A |
-| SystemSettings\_Flashlight\_Toggle | N/A | N/A |
-| SystemSettings\_Device\_BluetoothQuickAction | SettingsPagePCSystemBluetooth | SettingsPagePCSystemBluetooth |
-| SystemSettings\_BatterySaver\_LandingPage\_OverrideControl | 
BatterySaver\_LandingPage\_SettingsConfiguration | SettingsPageBatterySaver |
-| QuickActions\_Launcher\_DeviceDiscovery | N/A | N/A |
-| QuickActions\_Launcher\_AllSettings | N/A | N/A |
-| SystemSettings\_QuickAction\_QuietHours | N/A | N/A |
-| SystemSettings\_QuickAction\_Camera | N/A | N/A |  
diff --git a/windows/manage/start-layout-xml-desktop.md b/windows/configure/start-layout-xml-desktop.md
similarity index 94%
rename from windows/manage/start-layout-xml-desktop.md
rename to windows/configure/start-layout-xml-desktop.md
index 1a48aaad33..b8a3205aa6 100644
--- a/windows/manage/start-layout-xml-desktop.md
+++ b/windows/configure/start-layout-xml-desktop.md
@@ -26,6 +26,12 @@ On Windows 10 for desktop editions, the customized Start works by:
 - 2 groups that are 6 columns wide, or equivalent to the width of 3 medium tiles.
 - 2 medium-sized tile rows in height. Windows 10 ignores any tiles that are pinned beyond the second row.
 - No limit to the number of apps that can be pinned. There is a theoretical limit of 24 tiles per group (4 small tiles per medium square x 3 columns x 2 rows).
+
+>[!NOTE]
+>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/en-US/library/jj649079.aspx).
+
+>[!NOTE]
+>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
 ## LayoutModification XML 
@@ -221,7 +227,7 @@ The following example shows how to create a tile of the Web site's URL using the
 Column="4"/>
 ```
-The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to *8Size**, **Row**, and *8Column**.
+The following table describes the other attributes that you can use with the **start:SecondaryTile** tag in addition to **Size**, **Row**, and **Column**.
 | Attribute | Required/optional | Description |
 | --- | --- | --- | 
@@ -469,18 +475,15 @@ Once you have created the LayoutModification.xml file and it is present in the d
 ## Related topics
-
-[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-
-[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-
-[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-
-[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-
-[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-
-[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+- [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md)  
diff --git a/windows/manage/start-layout-xml-mobile.md b/windows/configure/start-layout-xml-mobile.md
similarity index 95%
rename from windows/manage/start-layout-xml-mobile.md
rename to windows/configure/start-layout-xml-mobile.md
index 9d10466302..f25c2d2413 100644 
--- a/windows/manage/start-layout-xml-mobile.md
+++ b/windows/configure/start-layout-xml-mobile.md
@@ -370,17 +370,13 @@ This should set the value of **StartLayout**. The setting appears in the **Selec
 ## Related topics
-[Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
-
-[Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-
-[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-
-[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-
-[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-
-[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
+- [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)  
diff --git a/windows/configure/start-secondary-tiles.md b/windows/configure/start-secondary-tiles.md
new file mode 100644
index 0000000000..2fb633a235
--- /dev/null
+++ b/windows/configure/start-secondary-tiles.md 
@@ -0,0 +1,187 @@
+---
+title: Add image for secondary Microsoft Edge tiles (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Add image for secondary Microsoft Edge tiles
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+App tiles are the Start screen tiles that represent and launch an app. A tile that allows a user to go to a specific location in an app is a *secondary tile*. Some examples of secondary tiles include:
+
+- Weather updates for a specific city in a weather app
+- A summary of upcoming events in a calendar app
+- Status and updates from an important contact in a social app
+- A website in Microsoft Edge
+
+In a Start layout for Windows 10, version 1703, you can include secondary tiles for Microsoft Edge that display a custom image, rather than a tile with the standard Microsoft Edge logo.
+
+Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:
+
+![tile for MSN and for a SharePoint site](images/edge-with-logo.png)
+
+In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image:
+
+![tile for MSN and for a SharePoint site with no logos](images/edge-without-logo.png)
+
+In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
+
+![tile for MSN and for a SharePoint site](images/edge-with-logo.png)
+
+
+## Export Start layout and assets
+
+1. Follow the instructions in [Customize and export Start layout](customize-and-export-start-layout.md#bkmkcustomizestartscreen) to customize the Start screen on your test computer.
+2. 
Open Windows PowerShell and enter the following command:
+
+ ```
+ Export-StartLayout -path .xml
+ ```
+ In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
+
+ Use a file name of your choice—for example, StartLayoutMarketing.xml. Include the .xml file name extension. The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet does not append the file name extension, and the policy settings require the extension.
+
+3. If you’d like to change the image for a secondary tile to your own custom image, open the layout.xml file, and look for the images that the tile references.
+ - For example, your layout.xml contains `Square150x150LogoUri="ms-appdata:///local/PinnedTiles/21581260870/hires.png" Wide310x150LogoUri="ms-appx:///"`
+ - Open `C:\Users\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState` and replace those images with your customized images
+ >[!TIP]
+ >A quick method for getting appropriately sized images for each tile size is to upload your image at [BuildMyPinnedSite](http://www.buildmypinnedsite.com/) and then download the resized tile images.
+
+ 4. In Windows PowerShell, enter the following command:
+
+ ```
+ Export-StartLayoutEdgeAssets assets.xml
+ ```
+
+## Configure policy settings
+
+You can apply the customized Start layout with images for secondary tiles by using [mobile device management](customize-windows-10-start-screens-by-using-mobile-device-management.md) or [a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). However, because you are including the images for secondary tiles, you must configure an additional policy to import the Edge assets. 
+
+### Using MDM
+
+Follow the instructions to [create a custom policy](customize-windows-10-start-screens-by-using-mobile-device-management.md#bkmk-domaingpodeployment). Replace the markup characters with escape characters in both the layout.xml and the assets.xml.
+
+In addition to the `./User/Vendor/MSFT/Policy/Config/Start/StartLayout` setting, you must also add the `ImportEdgeAssets` setting.
+
+| Item | Information |
+|----|----|
+| **Setting name** | Enter a unique name for the OMA-URI setting to help you identify it in the list of settings. |
+| **Setting description** | Provide a description that gives an overview of the setting and other relevant information to help you locate it. |
+| **Data type** | **String** |
+| **OMA-URI (case sensitive)** | **./User/Vendor/MSFT/Policy/Config/Start/ImportEdgeAssets**
+| **Value** | Paste the contents of the assets.xml file that you created. |
+
+### Using a provisioning package
+
+
+#### Prepare the Start layout and Edge assets XML files
+
+The **export-StartLayout** and **export-StartLayoutEdgeAssets** cmdlets produce XML files. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout and Edge assets sections to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout and Edge assets sections to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters.
+
+
+1. Copy the contents of layout.xml into an online tool that escapes characters.
+
+2. Copy the contents of assets.xml into an online tool that escapes characters.
+
+3. During the procedure to create a provisioning package, you will copy the text with the escape characters and paste it in the customizations.xml file for your project. 
+
+#### Create a provisioning package that contains a customized Start layout
+
+
+Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-install-icd.md)
+
+>[!IMPORTANT]
+>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
+1. Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+
+2. Choose **Advanced provisioning**.
+
+3. Name your project, and click **Next**.
+
+4. Choose **All Windows desktop editions** and click **Next**.
+
+5. On **New project**, click **Finish**. The workspace for your package opens.
+
+6. Expand **Runtime settings** > **Policies** > **Start**, and click **StartLayout**.
+
+ >[!TIP]
+ >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
+
+7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
+
+8. In the **Available customizations** pane, select **ImportEdgeAssets**.
+
+9. Enter **assets.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the assets.xml file in a later step.
+
+7. Save your project and close Windows Configuration Designer.
+
+7. In File Explorer, open the project's directory. (The default location is C:\Users\\*user name*\Documents\Windows Imaging and Configuration Designer (WICD)\\*project name*)
+
+7. 
Open the customizations.xml file in a text editor. The **<Customizations>** section will look like this:
+
+ ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png)
+
+7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
+
+8. Replace **assets.xml** with the text from the assets.xml file, [with markup characters replaced with escape characters](#escape).
+
+8. Save and close the customizations.xml file.
+
+8. Open Windows Configuration Designer and open your project.
+
+8. On the **File** menu, select **Save.**
+
+9. On the **Export** menu, select **Provisioning package**.
+
+10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.**
+
+11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing.
+
+ - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen.
+
+ - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package.
+
+12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location.
+
+ Optionally, you can click **Browse** to change the default output location.
+
+13. Click **Next**.
+
+14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. 
+
+ If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+
+15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
+
+ If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
+
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+
+16. Copy the provisioning package to the target device.
+
+17. Double-click the ppkg file and allow it to install.
+
+ ## Related topics
+
+- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+
+
+ 
diff --git a/windows/configure/start-taskbar-lockscreen.md b/windows/configure/start-taskbar-lockscreen.md
new file mode 100644
index 0000000000..966ef97fca
--- /dev/null
+++ b/windows/configure/start-taskbar-lockscreen.md
@@ -0,0 +1,27 @@
+---
+title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10)
+description:
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: jdeckerMS
+---
+
+# Configure Start layout, taskbar, and lock screen for Windows 10 PCs
+
+
+
+## In this section
+
+| Topic | Description |
+| --- | --- |
+| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

        **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. |
+| [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Windows Store. |
+| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. |
+
+
+## Related topics
+
+- [Configure Windows 10 Mobile devices](configure-mobile.md)
\ No newline at end of file
diff --git a/windows/manage/stop-employees-from-using-the-windows-store.md b/windows/configure/stop-employees-from-using-the-windows-store.md
similarity index 95%
rename from windows/manage/stop-employees-from-using-the-windows-store.md
rename to windows/configure/stop-employees-from-using-the-windows-store.md
index d09e5ae2be..04c5aa20d2 100644
--- a/windows/manage/stop-employees-from-using-the-windows-store.md
+++ b/windows/configure/stop-employees-from-using-the-windows-store.md
@@ -89,7 +89,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS
 - [EnterpriseAssignedAccess](https://msdn.microsoft.com/library/windows/hardware/mt157024.aspx) (Windows 10 Mobile, only)
-For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
+For more information, see [Configure an MDM provider](../manage/configure-mdm-provider-windows-store-for-business.md).
 ## Show private store only using Group Policy
 Applies to Windows 10 Enterprise, version 1607, Windows 10 Education 
@@ -110,9 +110,9 @@ If you're using Windows Store for Business and you want employees to only see ap
 ## Related topics
-[Distribute apps using your private store](distribute-apps-from-your-private-store.md)
+[Distribute apps using your private store](../manage/distribute-apps-from-your-private-store.md)
-[Manage access to private store](manage-access-to-private-store.md)
+[Manage access to private store](../manage/manage-access-to-private-store.md)  
diff --git a/windows/configure/windows-10-start-layout-options-and-policies.md b/windows/configure/windows-10-start-layout-options-and-policies.md
new file mode 100644
index 0000000000..b43919e728
--- /dev/null
+++ b/windows/configure/windows-10-start-layout-options-and-policies.md 
@@ -0,0 +1,119 @@
+---
+title: Manage Windows 10 Start and taskbar layout (Windows 10)
+description: Organizations might want to deploy a customized Start and taskbar layout to devices.
+ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
+keywords: ["start screen", "start menu"]
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: jdeckerMS
+localizationpriority: high
+---
+
+# Manage Windows 10 Start and taskbar layout
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu)
+
+Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
+
+>[!NOTE]
+>Taskbar configuration is available starting in Windows 10, version 1607.
+>
+>Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
+>
+>Using the layout modification XML to configure Start is not supported with roaming user profiles. For more information, see [Deploy Roaming User Profiles](https://technet.microsoft.com/library/jj649079.aspx).
+
+
+
+## Start options
+
+![start layout sections](images/startannotated.png)
+
+Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
+
+The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. 
+
+| Start | Policy | Local setting |
+| --- | --- | --- |
+| User tile | MDM: **Start/HideUserTile**
        **Start/HideSwitchAccount**
        **Start/HideSignOut**
        **Start/HideLock**
        **Start/HideChangeAccountSettings**

        Group Policy: **Remove Logoff on the Start menu** | none |
+| Most used | MDM: **Start/HideFrequentlyUsedApps**

        Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** |
+| Suggestions
        -and-
        Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**

        Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**

        **Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** |
+| Recently added | MDM: **Start/HideRecentlyAddedApps** | **Settings** > **Personalization** > **Start** > **Show recently added apps** |
+| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** |
+| Power | MDM: **Start/HidePowerButton**
        **Start/HideHibernate**
        **Start/HideRestart**
        **Start/HideShutDown**
        **Start/HideSleep**

        Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none |
+| Start layout | MDM: **Start layout**
        **ImportEdgeAssets**

        Group Policy: **Prevent users from customizing their Start screen**

        **Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

        **Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none |
+| Jump lists | MDM: **Start/HideRecentJumplists**

        Group Policy: **Do not keep history of recently opened documents** | **Settings** > **Personalization** > **Start** > **Show recently opened items in Jump Lists on Start or the taskbar** |
+| Start size | MDM: **Force Start size**

        Group Policy: **Force Start to be either full screen size or menu size** | **Settings** > **Personalization** > **Start** > **Use Start full screen** |
+| App list | MDM: **Start/HideAppList** | **Settings** > **Personalization** > **Start** > **Show app list in Start menu** |
+| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none |
+| Taskbar | MDM: **Start/NoPinningToTaskbar** | none |
+
+
+ ## Taskbar options
+
+Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
+
+There are three categories of apps that might be pinned to a taskbar:
+* Apps pinned by the user
+* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
+* Apps pinned by the enterprise, such as in an unattended Windows setup
+
+ >[!NOTE]
+ >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607.
+
+The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
+
+![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
+
+>[!NOTE]
+>In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
+
+
+
+Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
+* Pin additional apps
+* Change the order of pinned apps
+* Unpin any app
+
+>[!NOTE]
+>In Windows 10, version 1703, you can apply an MDM policy, `Start/NoPinningToTaskbar`, to prevents users from pinning and unpinning apps on the taskbar. 
+
+### Taskbar configuration applied to clean install of Windows 10
+
+In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
+
+### Taskbar configuration applied to Windows 10 upgrades
+
+When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
+
+The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
+* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
+* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
+* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
+* New apps specified in updated layout file are pinned to right of user's pinned apps.
+
+[Learn how to onfigure Windows 10 taskbar](configure-windows-10-taskbar.md). 
+
+## Related topics
+
+
+- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+- [Customize and export Start layout](customize-and-export-start-layout.md)
+- [Add image for secondary tiles](start-secondary-tiles.md)
+- [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+ 
+
+
+
+
+
diff --git a/windows/configure/windows-diagnostic-data.md b/windows/configure/windows-diagnostic-data.md
new file mode 100644
index 0000000000..7818844702
--- /dev/null
+++ b/windows/configure/windows-diagnostic-data.md
@@ -0,0 +1,117 @@
+---
+title: Windows 10, version 1703 Diagnostic Data (Windows 10)
+description: Use this article to learn about the types of that is collected the the Full telemetry level.
+keywords: privacy,Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Windows 10, version 1703 Diagnostic Data
+
+Microsoft collects Windows diagnostic data to keep Windows up-to-date, secure, and operating properly. It also helps us improve Windows and, for users who have turned on “tailored experiences”, can be used to provide relevant tips and recommendations to tailor Microsoft products to the user’s needs. This article describes all types diagnostic data collected by Windows at the Full telemetry level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 1703 Basic level diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md).
+
+
+The data covered in this article is grouped into the following categories:
+
+- Common Data (diagnostic header information)
+- Device, Connectivity, and Configuration data
+- Product and Service Usage data
+- Product and Service Performance data
+- Software Setup and Inventory data
+- Content Consumption data
+- Browsing, Search and Query data
+- Inking, Typing, and Speech Utterance data
+- Licensing and Purchase data
+
+> [!NOTE]
+> The majority of diagnostic data falls into the first four categories.
+
+## Common data
+
+Most diagnostic events contain a header of common data:
+
+| Category Name | Examples |
+| - | - |
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
        • OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
        • User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
        • Xbox UserID
        • Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
        • The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
        • HTTP header information including IP address. This is not the IP address of the device but the source address in the network packet header received by the diagnostics ingestion service.
        • Various IDs that are used to correlate and sequence related events together.
        • Device ID. This is not the user provided device name, but an ID that is unique for that device.
        • Device class -- Desktop, Server, or Mobile
        • Event collection time
        • Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
        |
+## ​Device, Connectivity, and Configuration data
+
+This type of data includes details about the device, its configuration and connectivity capabilities, and status.
+
+| Category Name | Examples |
+| - | - |
+| Device properties | Information about the OS and device hardware, such as:
        • OS - version name, Edition
        • Installation type, subscription status, and genuine OS status
        • Processor architecture, speed, number of cores, manufacturer, and model
        • OEM details --manufacturer, model, and serial number
        • Device identifier and Xbox serial number
        • Firmware/BIOS -- type, manufacturer, model, and version
        • Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
        • Storage -- total capacity and disk type
        • Battery -- charge capacity and InstantOn support
        • Hardware chassis type, color, and form factor
        • Is this a virtual machine?
        |
+| Device capabilities | Information about the specific device capabilities such as:
        • Camera -- whether the device has a front facing, a rear facing camera, or both.
        • Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?
        • Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
        • Trusted Platform Module (TPM) – whether present and what version
        • Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
        • Voice – whether voice interaction is supported and the number of active microphones
        • Number of displays, resolutions, DPI
        • Wireless capabilities
        • OEM or platform face detection
        • OEM or platform video stabilization and quality level set
        • Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
        |
+| Device preferences and settings | Information about the device settings and user preferences such as:
        • User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
        • User-provided device name
        • Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)
        • Hashed representation of the domain name
        • MDM (mobile device management) enrollment settings and status
        • BitLocker, Secure Boot, encryption settings, and status
        • Windows Update settings and status
        • Developer Unlock settings and status
        • Default app choices
        • Default browser choice
        • Default language settings for app, input, keyboard, speech, and display
        • App store update settings
        • Enterprise OrganizationID, Commercial ID
        |
+| Device peripherals | Information about the device peripherals such as:
        • Peripheral name, device model, class, manufacturer and description
        • Peripheral device state, install state, and checksum
        • Driver name, package name, version, and manufacturer
        • HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
        • Driver state, problem code, and checksum
        • Whether driver is kernel mode, signed, and image size
        |
+| Device network info | Information about the device network configuration such as:
        • Network system capabilities
        • Local or Internet connectivity status
        • Proxy, gateway, DHCP, DNS details and addresses
        • Paid or free network
        • Wireless driver is emulated or not
        • Access point mode capable
        • Access point manufacturer, model, and MAC address
        • WDI Version
        • Name of networking driver service
        • Wi-Fi Direct details
        • Wi-Fi device hardware ID and manufacturer
        • Wi-Fi scan attempt counts and item counts
        • Mac randomization is supported/enabled or not
        • Number of spatial streams and channel frequencies supported
        • Manual or Auto Connect enabled
        • Time and result of each connection attempt
        • Airplane mode status and attempts
        • Interface description provided by the manufacturer
        • Data transfer rates
        • Cipher algorithm
        • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
        • Mobile operator and service provider name
        • Available SSIDs and BSSIDs
        • IP Address type -- IPv4 or IPv6
        • Signal Quality percentage and changes
        • Hotspot presence detection and success rate
        • TCP connection performance
        • Miracast device names
        • Hashed IP address
        +
+## Product and Service Usage data
+
+This type of data includes details about the usage of the device, operating system, applications and services.
+
+| Category Name | Examples |
+| - | - |
+| App usage | Information about Windows and application usage such as:
        • OS component and app feature usage
        • User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites.
        • Time of and count of app/component launches, duration of use, session GUID, and process ID
        • App time in various states – running foreground or background, sleeping, or receiving active user interaction
        • User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
        • Cortana launch entry point/reason
        • Notification delivery requests and status
        • Apps used to edit images and videos
        • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
        • Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
        • Emergency alerts are received or displayed statistics
        • Content searches within an app
        • Reading activity -- bookmarking used, print used, layout changed
        |
+| App or product state | Information about Windows and application state such as:
        • Start Menu and Taskbar pins
        • Online/Offline status
        • App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
        • Personalization impressions delivered
        • Whether the user clicked or hovered on UI controls or hotspots
        • User feedback Like or Dislike or rating was provided
        • Caret location or position within documents and media files -- how much of a book has been read in a single session or how much of a song has been listened to.
        |
+| Login properties |
        • Login success or failure
        • Login sessions and state
        |
+
+
+## Product and Service Performance data
+
+This type of data includes details about the health of the device, operating system, apps and drivers.
+
+| Category Name | Description and Examples |
+| - | - |
+| Device health and crash data | Information about the device and software health such as:
        • Error codes and error messages, name and ID of the app, and process reporting the error
        • DLL library predicted to be the source of the error -- xyz.dll
        • System generated files -- app or product logs and trace files to help diagnose a crash or hang
        • System settings such as registry keys
        • User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
        • Details and counts of abnormal shutdowns, hangs, and crashes
        • Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
        • Crash and Hang dumps
          • The recorded state of the working memory at the point of the crash.
          • Memory in use by the kernel at the point of the crash.
          • Memory in use by the application at the point of the crash.
          • All the physical memory used by Windows at the point of the crash.
          • Class and function name within the module that failed.
          |
+| Device performance and reliability data | Information about the device and software performance such as:
          • User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
          • Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
          • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Windows Store transaction.
          • User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
          • UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
          • Disk footprint -- Free disk space, out of memory conditions, and disk score.
          • Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
          • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
          • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
          • Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
          • Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
          • Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
          • Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
          +
+## Software Setup and Inventory data
+
+This type of data includes software installation and update information on the device.
+
+| Category Name | Data Examples |
+| - | - |
+| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
          • App, driver, update package, or component’s Name, ID, or Package Family Name
          • Product, SKU, availability, catalog, content, and Bundle IDs
          • OS component, app or driver publisher, language, version and type (Win32 or UWP)
          • Install date, method, and install directory, count of install attempts
          • MSI package code and product code
          • Original OS version at install time
          • User or administrator or mandatory installation/update
          • Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
          |
+| Device update information | Information about Windows Update such as:
          • Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
          • Number of applicable updates, importance, type
          • Update download size and source -- CDN or LAN peers
          • Delay upgrade status and configuration
          • OS uninstall and rollback status and count
          • Windows Update server and service URL
          • Windows Update machine ID
          • Windows Insider build details
          +
+## Content Consumption data
+
+This type of data includes diagnostic details about Microsoft applications that provide media consumption functionality (such as Groove Music), and is not intended to capture user viewing, listening or reading habits.
+
+| Category Name | Examples |
+| - | - |
+| Movies | Information about movie consumption functionality on the device such as:
          • Video Width, height, color pallet, encoding (compression) type, and encryption type
          • Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
          • URL for a specific two second chunk of content if there is an error
          • Full screen viewing mode details
          |
+| Music & TV | Information about music and TV consumption on the device such as:
          • Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
          • Content type (video, audio, surround audio)
          • Local media library collection statistics -- number of purchased tracks, number of playlists
          • Region mismatch -- User OS Region, and Xbox Live region
          |
+| Reading | Information about reading consumption functionality on the device such as:
          • App accessing content and status and options used to open a Windows Store book
          • Language of the book
          • Time spent reading content
          • Content type and size details
          |
+| Photos App | Information about photos usage on the device such as:
          • File source data -- local, SD card, network device, and OneDrive
          • Image & video resolution, video length, file sizes types and encoding
          • Collection view or full screen viewer use and duration of view
          +
+## Browsing, Search and Query data
+
+This type of data includes details about web browsing, search and query activity in the Microsoft browsers and Cortana, and local file searches on the device.
+
+| Category Name | Description and Examples |
+| - | - |
+| Microsoft browser data | Information about Address bar and search box performance on the device such as:
          • Text typed in address bar and search box
          • Text selected for Ask Cortana search
          • Service response time
          • Auto-completed text if there was an auto-complete
          • Navigation suggestions provided based on local history and favorites
          • Browser ID
          • URLs (which may include search terms)
          • Page title
          |
+| On-device file query | Information about local search activity on the device such as:
          • Kind of query issued and index type (ConstraintIndex, SystemIndex)
          • Number of items requested and retrieved
          • File extension of search result user interacted with
          • Launched item kind, file extension, index of origin, and the App ID of the opening app.
          • Name of process calling the indexer and time to service the query.
          • A hash of the search scope (file, Outlook, OneNote, IE history)
          • The state of the indices (fully optimized, partially optimized, being built)
          |
+
+
+## Inking Typing and Speech Utterance data
+
+This type of data gathers details about the voice, inking, and typing input features on the device.
+
+| Category Name | Description and Examples |
+| - | - |
+| Voice, inking, and typing | Information about voice, inking and typing features such as:
          • Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
          • Pen gestures (click, double click, pan, zoom, rotate)
          • Palm Touch x,y coordinates
          • Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
          • Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as names, email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
          • Text of speech recognition results -- result codes and recognized text
          • Language and model of the recognizer, System Speech language
          • App ID using speech features
          • Whether user is known to be a child
          • Confidence and Success/Failure of speech recognition
          |
+
+## ​​​​​​​Licensing and Purchase data
+
+This type of data includes diagnostic details about the purchase and entitlement activity on the device.
+
+| Category Name | Data Examples |
+| - | - |
+| Purchase history | Information about purchases made on the device such as:
          • Product ID, edition ID and product URI
          • Offer details -- price
          • Order requested date/time
          • Store client type -- web or native client
          • Purchase quantity and price
          • Payment type -- credit card type and PayPal
          |
+| Entitlements | Information about entitlements on the device such as:
          • Service subscription status and errors
          • DRM and license rights details -- Groove subscription or OS volume license
          • Entitlement ID, lease ID, and package ID of the install package
          • Entitlement revocation
          • License type (trial, offline vs online) and duration
          • License usage session
          |
\ No newline at end of file
diff --git a/windows/configure/windows-spotlight.md b/windows/configure/windows-spotlight.md
new file mode 100644
index 0000000000..c3a078d793
--- /dev/null
+++ b/windows/configure/windows-spotlight.md
@@ -0,0 +1,91 @@ +--- +title: Configure Windows Spotlight on the lock screen (Windows 10) +description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. +ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A +keywords: ["lockscreen"] +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +author: jdeckerMS +localizationpriority: high +--- + +# Configure Windows Spotlight on the lock screen + + +**Applies to** + +- Windows 10 + + +Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. + +For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. + + +>[!NOTE] +>In Windows 10, version 1607, the lock screen background does not display if you disable the **Animate windows when minimizing and mazimizing** setting in **This PC** > **Properties** > **Advanced system settings** > **Performance settings** > **Visual Effects**, or if you enable the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Desktop Windows Manager** > **Do not allow windows animations**. +> +>In Windows 10, version 1703, you can use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. + +## What does Windows Spotlight include? + + +- **Background image** + + The Windows Spotlight displays a new image on the lock screen each day. 
The initial background image is included during installation. Additional images are downloaded on ongoing basis. + + ![lock screen image](images/lockscreen.png) + +- **Feature suggestions, fun facts, tips** + + The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. + + ![fun facts](images/funfacts.png) + +## How do you turn off Windows Spotlight locally? + + +To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background + +![personalization background](images/spotlight.png) + +## How do you disable Windows Spotlight for managed devices? + + +Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mobile device management (MDM) settings to help you manage Windows Spotlight on enterprise computers. + +| Group Policy | MDM | Description | Applies to | +| --- | --- | --- | --- | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** | **Experience/Allow ThirdParty Suggestions In Windows Spotlight** | Enables enterprises to restrict suggestions to Microsoft apps and services | Windows 10 Pro, Enterprise, and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** | **Experience/Allow Windows Spotlight** | Enables enterprises to completely disable all Windows Spotlight features in a single setting | Windows 10 Enterprise and Education, version 1607 and later | +| **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** | **Experience/Configure Windows Spotlight On Lock Screen** | Specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled | Windows 10 
Enterprise and Education, version 1607 and later | +| **Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Spotlight on Action Center** | **Experience/Allow Windows Spotlight On Action Center** | Turn off Suggestions from Microsoft that show after each clean install, upgrade, or on an on-going basis to introduce users to what is new or changed | Windows 10 Enterprise and Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Do not use diagnostic data for tailored experiences** | **Experience/Allow Tailored Experiences With Diagnostic Data** | Prevent Windows from using diagnostic data to provide tailored experiences to the user | Windows 10 Pro, Enterprise, and Education, version 1703 | +| **User Configuration \ Administrative Templates \ Windows Components \ Cloud Content \ Turn off the Windows Welcome Experience** | **Experience/Allow Windows Spotlight Windows Welcome Experience** | Turn off the Windows Spotlight Windows Welcome experience which helps introduce users to Windows, such as launching Microsoft Edge with a web page highlighting new features | Windows 10 Enterprise and Education, version 1703 | + + + In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + +>[!WARNING] +> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. + +![lockscreen policy details](images/lockscreenpolicy.png) + +Pay attention to the checkbox in **Options**. 
In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages. + + + +## Related topics + + +[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) + +  + +  + + + + + diff --git a/windows/deploy/TOC.md b/windows/deploy/TOC.md index 98951382e3..a14e1d9f0d 100644 --- a/windows/deploy/TOC.md +++ b/windows/deploy/TOC.md 
@@ -1,42 +1,44 @@
 # [Deploy Windows 10](index.md)
+## [What's new in Windows 10 deployment](deploy-whats-new.md)
 ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
-## [Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md)
-### [Upgrade Analytics architecture](upgrade-analytics-architecture.md)
-### [Upgrade Analytics requirements](upgrade-analytics-requirements.md)
-### [Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
-### [Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
-#### [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md)
-### [Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
-#### [Upgrade overview](upgrade-analytics-upgrade-overview.md)
-#### [Step 1: Identify apps](upgrade-analytics-identify-apps.md)
-#### [Step 2: Resolve issues](upgrade-analytics-resolve-issues.md)
-#### [Step 3: Deploy Windows](upgrade-analytics-deploy-windows.md)
-#### [Additional insights](upgrade-analytics-additional-insights.md)
-### [Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
+## [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
+### [Upgrade Readiness architecture](upgrade-readiness-architecture.md)
+### [Upgrade Readiness requirements](upgrade-readiness-requirements.md)
+### [Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
+### [Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
+#### [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md)
+### [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
+#### [Upgrade overview](upgrade-readiness-upgrade-overview.md)
+#### [Step 1: Identify apps](upgrade-readiness-identify-apps.md)
+#### [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md)
+#### [Step 3: Deploy Windows](upgrade-readiness-deploy-windows.md)
+#### [Additional insights](upgrade-readiness-additional-insights.md)
+### [Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)
 ## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
 ### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
 ### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
 ## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
 ### [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md)
-#### [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md)
-#### [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md)
-#### [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md)
+#### [Key features in MDT](key-features-in-mdt.md)
+#### [MDT Lite Touch components](mdt-lite-touch-components.md)
+#### [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
 ### [Create a Windows 10 reference image](create-a-windows-10-reference-image.md)
-### [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md)
+### [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md)
 ### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
 ### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
 ### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-### [Configure MDT settings](configure-mdt-2013-settings.md)
-#### [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
+### [Configure MDT settings](configure-mdt-settings.md)
+#### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
 #### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-#### [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+#### [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
 #### [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
 #### [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-#### [Use web services in MDT](use-web-services-in-mdt-2013.md)
-#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
+#### [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+#### [Use web services in MDT](use-web-services-in-mdt.md)
+#### [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
 ## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
-### [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+### [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
 ### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
 ### [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
 ### [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
@@ -48,24 +50,12 @@
 ### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
 ### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
 ### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
-## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
+### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
 ## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
+## [Convert MBR partition to GPT](mbr-to-gpt.md)
 ## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
 ## [Windows 10 upgrade paths](windows-10-upgrade-paths.md)
 ## [Windows 10 edition upgrade](windows-10-edition-upgrades.md)
-## [Provisioning packages for Windows 10](provisioning-packages.md)
-### [How provisioning works in Windows 10](provisioning-how-it-works.md)
-### [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md)
-### [Create a provisioning package](provisioning-create-package.md)
-### [Apply a provisioning package](provisioning-apply-package.md)
-### [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
-### [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
-### [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md)
-### [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-### [NFC-based device provisioning](provisioning-nfc.md)
-### [Windows ICD command-line interface (reference)](provisioning-command-line.md)
-### [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
 ## [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
 ## [Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md)
 ## [Sideload apps in Windows 10](sideload-apps-in-windows-10.md)
diff --git a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 8fb81af58a..47176515eb 100644
--- a/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deploy/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -48,7 +48,7 @@ For the purposes of this topic, we will use CM01, a machine running Windows Serv ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 878c230d72..5be734a75b 100644
--- a/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deploy/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -81,7 +81,7 @@ This section illustrates how to add drivers for Windows 10 through an example in ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
index d8b4505c51..06cc51df9b 100644
--- a/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
+++ b/windows/deploy/assign-applications-using-roles-in-mdt-2013.md
@@ -1,132 +1,7 @@ --- title: Assign applications using roles in MDT (Windows 10) -description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. -ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 -keywords: settings, database, deploy -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: assign-applications-using-roles-in-mdt --- -# Assign applications using roles in MDT - -This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. - -## Create and assign a role entry in the database - -1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. -2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: - 1. Role name: Standard PC - 2. Applications / Lite Touch Applications: - 3. Install - Adobe Reader XI - x86 - -![figure 12](images/mdt-09-fig12.png) - -Figure 12. The Standard PC role with the application added - -## Associate the role with a computer in the database - -After creating the role, you can associate it with one or more computer entries. -1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. -2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: - - Roles: Standard PC - -![figure 13](images/mdt-09-fig13.png) - -Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). 
- -## Verify database access in the MDT simulation environment - -When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer. -1. On PC0001, log on as **CONTOSO\\MDT\_BA**. -2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following: - - ``` syntax - [Settings] - Priority=CSettings, CRoles, RApplications, Default - [Default] - _SMSTSORGNAME=Contoso - OSInstall=Y - UserDataLocation=AUTO - TimeZoneName=Pacific Standard Time - AdminPassword=P@ssw0rd - JoinDomain=contoso.com - DomainAdmin=CONTOSO\MDT_JD - DomainAdminPassword=P@ssw0rd - MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com - SLShare=\\MDT01\Logs$ - ScanStateArgs=/ue:*\* /ui:CONTOSO\* - USMTMigFiles001=MigApp.xml - USMTMigFiles002=MigUser.xml - HideShell=YES - ApplyGPOPack=NO - SkipAppsOnUpgrade=NO - SkipAdminPassword=YES - SkipProductKey=YES - SkipComputerName=NO - SkipDomainMembership=YES - SkipUserData=NO - SkipLocaleSelection=YES - SkipTaskSequence=NO - SkipTimeZone=YES - SkipApplications=NO - SkipBitLocker=YES - SkipSummary=YES - SkipCapture=YES - SkipFinalSummary=NO - EventService=http://MDT01:9800 - [CSettings] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=ComputerSettings - Parameters=UUID, AssetTag, SerialNumber, MacAddress - ParameterCondition=OR - [CRoles] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=ComputerRoles - Parameters=UUID, AssetTag, SerialNumber, MacAddress - ParameterCondition=OR - [RApplications] - SQLServer=MDT01 - Instance=SQLEXPRESS - Database=MDT - Netlib=DBNMPNTW - SQLShare=Logs$ - Table=RoleApplications - Parameters=Role - Order=Sequence - ``` - -3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. 
Press **Enter** after each command: - - ``` syntax - Set-Location C:\MDT - .\Gather.ps1 - - ``` - -![figure 14](images/mdt-09-fig14.png) - -Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine. - -## Related topics - -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) -
          [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -
          [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) -
          [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -
          [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -
          [Use web services in MDT](use-web-services-in-mdt-2013.md) -
          [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)     diff --git a/windows/deploy/assign-applications-using-roles-in-mdt.md b/windows/deploy/assign-applications-using-roles-in-mdt.md new file mode 100644 index 0000000000..c2d8ed9f1b --- /dev/null +++ b/windows/deploy/assign-applications-using-roles-in-mdt.md 
@@ -0,0 +1,132 @@ +--- +title: Assign applications using roles in MDT (Windows 10) +description: This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. +ms.assetid: d82902e4-de9c-4bc4-afe0-41d649b83ce7 +keywords: settings, database, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Assign applications using roles in MDT + +This topic will show you how to add applications to a role in the MDT database and then assign that role to a computer. For the purposes of this topic, the application we are adding is Adobe Reader XI. In addition to using computer-specific entries in the database, you can use roles in MDT to group settings together. + +## Create and assign a role entry in the database + +1. On MDT01, using Deployment Workbench, in the MDT Production deployment share, expand **Advanced Configuration** and then expand **Database**. +2. In the **Database** node, right-click **Role**, select **New**, and create a role entry with the following settings: + 1. Role name: Standard PC + 2. Applications / Lite Touch Applications: + 3. Install - Adobe Reader XI - x86 + +![figure 12](images/mdt-09-fig12.png) + +Figure 12. The Standard PC role with the application added + +## Associate the role with a computer in the database + +After creating the role, you can associate it with one or more computer entries. +1. Using Deployment Workbench, expand **MDT Production**, expand **Advanced Configuration**, expand **Database**, and select **Computers**. +2. In the **Computers** node, double-click the **PC00075** entry, and add the following setting: + - Roles: Standard PC + +![figure 13](images/mdt-09-fig13.png) + +Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database). 
+ +## Verify database access in the MDT simulation environment + +When the database is populated, you can use the MDT simulation environment to simulate a deployment. The applications are not installed, but you can see which applications would be installed if you did a full deployment of the computer. +1. On PC0001, log on as **CONTOSO\\MDT\_BA**. +2. Modify the C:\\MDT\\CustomSettings.ini file to look like the following: + + ``` syntax + [Settings] + Priority=CSettings, CRoles, RApplications, Default + [Default] + _SMSTSORGNAME=Contoso + OSInstall=Y + UserDataLocation=AUTO + TimeZoneName=Pacific Standard Time + AdminPassword=P@ssw0rd + JoinDomain=contoso.com + DomainAdmin=CONTOSO\MDT_JD + DomainAdminPassword=P@ssw0rd + MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com + SLShare=\\MDT01\Logs$ + ScanStateArgs=/ue:*\* /ui:CONTOSO\* + USMTMigFiles001=MigApp.xml + USMTMigFiles002=MigUser.xml + HideShell=YES + ApplyGPOPack=NO + SkipAppsOnUpgrade=NO + SkipAdminPassword=YES + SkipProductKey=YES + SkipComputerName=NO + SkipDomainMembership=YES + SkipUserData=NO + SkipLocaleSelection=YES + SkipTaskSequence=NO + SkipTimeZone=YES + SkipApplications=NO + SkipBitLocker=YES + SkipSummary=YES + SkipCapture=YES + SkipFinalSummary=NO + EventService=http://MDT01:9800 + [CSettings] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=ComputerSettings + Parameters=UUID, AssetTag, SerialNumber, MacAddress + ParameterCondition=OR + [CRoles] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=ComputerRoles + Parameters=UUID, AssetTag, SerialNumber, MacAddress + ParameterCondition=OR + [RApplications] + SQLServer=MDT01 + Instance=SQLEXPRESS + Database=MDT + Netlib=DBNMPNTW + SQLShare=Logs$ + Table=RoleApplications + Parameters=Role + Order=Sequence + ``` + +3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. 
Press **Enter** after each command: + + ``` syntax + Set-Location C:\MDT + .\Gather.ps1 + + ``` + +![figure 14](images/mdt-09-fig14.png) + +Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine. + +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +
          [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +
          [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +
          [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +
          [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +
          [Use web services in MDT](use-web-services-in-mdt.md) +
          [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +  +  diff --git a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md index 010284c04f..5d6bf1b687 100644 --- a/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deploy/build-a-distributed-environment-for-windows-10-deployment.md @@ -26,12 +26,12 @@ Figure 1. The machines used in this topic. ## Replicate deployment shares -Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) 2013 use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. +Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. **Note**   Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target.   -### Linked deployment shares in MDT 2013 Update 2 +### Linked deployment shares in MDT LDS is a built-in feature in MDT for replicating content. However, LDS works best with strong connections such as LAN connections with low latency. For most WAN links, DFS-R is the better option. 
@@ -211,15 +211,14 @@ Now you should have a solution ready for deploying the Windows 10 client to the [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md)     diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index 1538802653..22008ff62d 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -11,17 +11,30 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + ## April 2017 | New or changed topic | Description | |----------------------|-------------| | [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) | Updated: The "refresh" and "replace" procedures were swapped in order so that it would not be necessary to save and restore VMs. Also a missing step was added to include the State migration point role. | | [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)| Updated with minor fixes. | -| [What's new in Windows 10 deployment](deploy-whats-new.md)| New | | [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)| Updated child topics under this node to include new feature and user interface changes. | +## RELEASE: Windows 10, version 1703 +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The provisioning topics have been moved to [Configure Windows 10](../configure/index.md). + +## March 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [What's new in Windows 10 deployment](deploy-whats-new.md) | New | +| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. 
| +| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. | +| [Convert MBR partition to GPT](mbr-to-gpt.md) | New | + + ## February 2017 | New or changed topic | Description | |----------------------|-------------| +| [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) | Multiple topics updated, name changed from Upgrade Analytics to Upgrade Readiness, and other content updates. | | [USMT Requirements](usmt-requirements.md) | Updated: Vista support removed and other minor changes | | [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated structure and content | | [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) | Added as a separate page from get started | diff --git a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md index c95b0fc69e..f50d92c65e 100644 --- a/windows/deploy/configure-mdt-2013-for-userexit-scripts.md +++ b/windows/deploy/configure-mdt-2013-for-userexit-scripts.md 
@@ -1,69 +1,4 @@ --- title: Configure MDT for UserExit scripts (Windows 10) -description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. -ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 -keywords: rules, script -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: configure-mdt-for-userexit-scripts --- - -# Configure MDT for UserExit scripts - -In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. - -## Configure the rules to call a UserExit script - -You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). - -``` syntax -[Settings] -Priority=Default -[Default] -OSINSTALL=YES -UserExit=Setname.vbs -OSDComputerName=#SetName("%MACADDRESS%")# -``` - -The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script - -## The Setname.vbs UserExit script - -The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. 
- -``` syntax -Function UserExit(sType, sWhen, sDetail, bSkip) - UserExit = Success -End Function -Function SetName(sMac) - Dim re - Set re = new RegExp - re.IgnoreCase = true - re.Global = true - re.Pattern = ":" - SetName = "PC" & re.Replace(sMac, "") -End Function -``` -The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. - -**Note**   -The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. -  -## Related topics - -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) - -[Use web services in MDT](use-web-services-in-mdt-2013.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) diff --git a/windows/deploy/configure-mdt-2013-settings.md b/windows/deploy/configure-mdt-2013-settings.md index 46c1e30220..9549517323 100644 --- a/windows/deploy/configure-mdt-2013-settings.md +++ b/windows/deploy/configure-mdt-2013-settings.md 
@@ -1,46 +1,5 @@ --- title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. -ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 -keywords: customize, customization, deploy, features, tools -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: configure-mdt-settings --- -# Configure MDT settings - -One of the most powerful features in Microsoft Deployment Toolkit (MDT) 2013 is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -![figure 1](images/mdt-09-fig01.png) - -Figure 1. The machines used in this topic. 
- -## In this section - -- [Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) -- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -- [Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) -- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) -- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) -- [Use web services in MDT](use-web-services-in-mdt-2013.md) -- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) - -## Related topics - -[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - -[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) - -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) - -[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - -[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - -[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deploy/configure-mdt-deployment-share-rules.md b/windows/deploy/configure-mdt-deployment-share-rules.md index 97a448f5da..bfcbdd5e6b 100644 --- a/windows/deploy/configure-mdt-deployment-share-rules.md +++ b/windows/deploy/configure-mdt-deployment-share-rules.md 
@@ -106,16 +106,16 @@ MachineObjectOU=OU=Laptops,OU=Contoso,DC=contoso,DC=com ## Related topics -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) -[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -[Use web services in MDT](use-web-services-in-mdt-2013.md) +[Use web services in MDT](use-web-services-in-mdt.md) -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deploy/configure-mdt-for-userexit-scripts.md b/windows/deploy/configure-mdt-for-userexit-scripts.md new file mode 100644 index 0000000000..c168bda59d --- /dev/null +++ b/windows/deploy/configure-mdt-for-userexit-scripts.md 
@@ -0,0 +1,69 @@ +--- +title: Configure MDT for UserExit scripts (Windows 10) +description: In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. +ms.assetid: 29a421d1-12d2-414e-86dc-25b62f5238a7 +keywords: rules, script +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Configure MDT for UserExit scripts + +In this topic, you will learn how to configure the MDT rules engine to use a UserExit script to generate computer names based on a prefix and the computer MAC Address. MDT supports calling external VBScripts as part of the Gather process; these scripts are referred to as UserExit scripts. The script also removes the colons in the MAC Address. + +## Configure the rules to call a UserExit script + +You can call a UserExit by referencing the script in your rules. Then you can configure a property to be set to the result of a function of the VBScript. In this example, we have a VBScript named Setname.vbs (provided in the book sample files, in the UserExit folder). + +``` syntax +[Settings] +Priority=Default +[Default] +OSINSTALL=YES +UserExit=Setname.vbs +OSDComputerName=#SetName("%MACADDRESS%")# +``` + +The UserExit=Setname.vbs calls the script and then assigns the computer name to what the SetName function in the script returns. In this sample the %MACADDRESS% variable is passed to the script + +## The Setname.vbs UserExit script + +The Setname.vbs script takes the MAC Address passed from the rules. The script then does some string manipulation to add a prefix (PC) and remove the semicolons from the MAC Address. 
+ +``` syntax +Function UserExit(sType, sWhen, sDetail, bSkip) + UserExit = Success +End Function +Function SetName(sMac) + Dim re + Set re = new RegExp + re.IgnoreCase = true + re.Global = true + re.Pattern = ":" + SetName = "PC" & re.Replace(sMac, "") +End Function +``` +The first three lines of the script make up a header that all UserExit scripts have. The interesting part is the lines between Function and End Function. Those lines add a prefix (PC), remove the colons from the MAC Address, and return the value to the rules by setting the SetName value. + +**Note**   +The purpose of this sample is not to recommend that you use the MAC Address as a base for computer naming, but to show you how to take a variable from MDT, pass it to an external script, make some changes to it, and then return the new value to the deployment process. +  +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use web services in MDT](use-web-services-in-mdt.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deploy/configure-mdt-settings.md b/windows/deploy/configure-mdt-settings.md new file mode 100644 index 0000000000..f5e67fc5c6 --- /dev/null +++ b/windows/deploy/configure-mdt-settings.md 
@@ -0,0 +1,46 @@ +--- +title: Configure MDT settings (Windows 10) +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 +keywords: customize, customization, deploy, features, tools +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Configure MDT settings + +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +![figure 1](images/mdt-09-fig01.png) + +Figure 1. The machines used in this topic. 
+ +## In this section + +- [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) +- [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) +- [Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) +- [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) +- [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) +- [Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) +- [Use web services in MDT](use-web-services-in-mdt.md) +- [Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) + +## Related topics + +[Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) + +[Create a Windows 10 reference image](create-a-windows-10-reference-image.md) + +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) + +[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) + +[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) + +[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) diff --git a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index bfb8f98424..acdd78a794 100644 --- a/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deploy/create-a-custom-windows-pe-boot-image-with-configuration-manager.md 
@@ -17,7 +17,7 @@ author: mtniehaus - Windows 10 -In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) 2013 Update 2 wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. +In Microsoft System Center 2012 R2 Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. For the purposes of this topic, we will use two machines: DC01 and CM01. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. Both are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). @@ -86,7 +86,7 @@ By using the MDT wizard to create the boot image in Configuration Manager, you g ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) 
diff --git a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md index f259ac4131..98e1ddb768 100644 --- a/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deploy/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -59,9 +59,9 @@ This section walks you through the process of creating a System Center 2012 R2 C 6. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. -7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT 2013**. Then click **Next**. +7. On the **MDT Package** page, select **Create a new Microsoft Deployment Toolkit Files package**, and in the **Package source folder to be created (UNC Path):** text box, type **\\\\CM01\\Sources$\\OSD\\MDT\\MDT**. Then click **Next**. -8. On the **MDT Details** page, assign the name **MDT 2013** and click **Next**. +8. On the **MDT Details** page, assign the name **MDT** and click **Next**. 9. On the **OS Image** page, browse and select the **Windows 10 Enterprise x64 RTM** package. Then click **Next**. 
@@ -160,14 +160,14 @@ While creating the task sequence with the MDT wizard, a few operating system dep 1. On CM01, using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Select the **MDT 2013** and **Windows 10 x64 Settings** packages, right-click and select **Move**. +2. Select the **MDT** and **Windows 10 x64 Settings** packages, right-click and select **Move**. 3. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/create-a-windows-10-reference-image.md b/windows/deploy/create-a-windows-10-reference-image.md index 7f4671ccf1..03ce967435 100644 --- a/windows/deploy/create-a-windows-10-reference-image.md +++ b/windows/deploy/create-a-windows-10-reference-image.md 
@@ -16,7 +16,7 @@ author: mtniehaus **Applies to** - Windows 10 -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, PC0001 is a Windows 10 Enterprise x64 client, and MDT01 is a Windows Server 2012 R2 standard server. HV01 is a Hyper-V host server, but HV01 could be replaced by PC0001 as long as PC0001 has enough memory and is capable of running Hyper-V. MDT01, HV01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. **Note**   
@@ -69,11 +69,11 @@ Figure 3. Permissions configured for the MDT\_BA user. ## Add the setup files -This section will show you how to populate the MDT 2013 Update 2 deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. +This section will show you how to populate the MDT deployment share with the Windows 10 operating system source files, commonly referred to as setup files, which will be used to create a reference image. Setup files are used during the reference image creation process and are the foundation for the reference image. ### Add the Windows 10 installation files -MDT 2013 supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. **Note**   Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. 
@@ -124,7 +124,7 @@ You can customize Office 2013. In the volume license versions of Office 2013, th ### Add the Microsoft Office Professional Plus 2013 x86 installation files -After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT 2013 detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this. +After adding the Microsoft Office Professional Plus 2013 x86 application, you then automate its setup by running the Office Customization Tool. In fact, MDT detects that you added the Office Professional Plus 2013 x86 application and creates a shortcut for doing this. You also can customize the Office installation using a Config.xml file. But we recommend that you use the Office Customization Tool as described in the following steps, as it provides a much richer way of controlling Office 2013 settings. 1. Using the Deployment Workbench in the MDT Build Lab deployment share, expand the **Applications / Microsoft** node, and double-click **Install - Microsoft Office 2013 Pro Plus x86**. 2. In the **Office Products** tab, click **Office Customization Tool**, and click **OK** in the **Information** dialog box. @@ -633,7 +633,7 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) 
@@ -641,4 +641,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 30ed33ca81..7bbe55f078 100644 --- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -71,7 +71,7 @@ The following steps show you how to create the Adobe Reader XI application. This ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/deploy-a-windows-10-image-using-mdt.md b/windows/deploy/deploy-a-windows-10-image-using-mdt.md index 05f3667cb6..d7f9b691ff 100644 --- a/windows/deploy/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deploy/deploy-a-windows-10-image-using-mdt.md 
@@ -1,6 +1,6 @@ --- -title: Deploy a Windows 10 image using MDT 2013 Update 2 (Windows 10) -description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +title: Deploy a Windows 10 image using MDT (Windows 10) +description: This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). ms.assetid: 1d70a3d8-1b1d-4051-b656-c0393a93f83c keywords: deployment, automate, tools, configure ms.prod: w10 
@@ -11,12 +11,12 @@ ms.pagetype: mdt author: mtniehaus --- -# Deploy a Windows 10 image using MDT 2013 Update 2 +# Deploy a Windows 10 image using MDT **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment. +This topic will show you how to take your reference image for Windows 10, and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). You will prepare for this by creating a MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. You will then configure the deployment share, create a new task sequence, add applications, add drivers, add rules, and configure Active Directory permissions for deployment. For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0005. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 standard server, and PC0005 is a blank machine to which you deploy Windows 10. MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. 
@@ -119,7 +119,7 @@ Figure 3. The Adobe Reader application added to the Deployment Workbench. ## Step 5: Prepare the drivers repository -In order to deploy Windows 10 with MDT 2013 Update 2 successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: +In order to deploy Windows 10 with MDT successfully, you need drivers for the boot images and for the actual operating system. This section will show you how to add drivers for the boot image and operating system, using the following hardware models as examples: - Lenovo ThinkPad T420 - Dell Latitude E6440 - HP EliteBook 8560w @@ -131,7 +131,7 @@ You should only add drivers to the Windows PE images if the default drivers don'   ### Create the driver source structure in the file system -The key to successful management of drivers for MDT 2013 Update 2, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. +The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. 1. On MDT01, using File Explorer, create the **E:\\Drivers** folder. 2. In the **E:\\Drivers** folder, create the following folder structure: 
@@ -151,9 +151,9 @@ The key to successful management of drivers for MDT 2013 Update 2, as well as fo **Note**   Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use.   -### Create the logical driver structure in MDT 2013 Update 2 +### Create the logical driver structure in MDT -When you import drivers to the MDT 2013 Update 2 driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. +When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. 1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 
@@ -450,7 +450,7 @@ troubleshoot MDT deployments, as well as troubleshoot Windows itself. ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT 2013 Update 2, you need to do the following: +If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#bkmk-update-deployment). To enable the remote connection feature in MDT, you need to do the following: - Install DaRT 10 (part of MDOP 2015 R1). - Copy the two tools CAB files (Toolsx86.cab and Toolsx64.cab) to the deployment share. - Configure the deployment share to add DaRT. @@ -519,7 +519,7 @@ At this point, you should have a solution ready for deploying the Windows 10 cl 2. Installs the added application. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. -### Use the MDT 2013 monitoring feature +### Use the MDT monitoring feature Now that you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. 
@@ -545,7 +545,7 @@ Multicast deployment allows for image deployment with reduced network load durin ### Requirements -Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT 2013 setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that +Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. ### Set up MDT for multicast @@ -651,4 +651,4 @@ Figure 14. The partitions when deploying an UEFI-based machine. [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/deploy-whats-new.md b/windows/deploy/deploy-whats-new.md new file mode 100644 index 0000000000..9d6a1b0d15 --- /dev/null +++ b/windows/deploy/deploy-whats-new.md 
@@ -0,0 +1,123 @@ +--- +title: What's new in Windows 10 deployment +description: Changes and new features related to Windows 10 deployment +keywords: deployment, automate, tools, configure, news +ms.mktglfcycl: deploy +localizationpriority: high +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# What's new in Windows 10 deployment + +**Applies to** +- Windows 10 + + +## In this topic + +This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. + +- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index). +- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). + + +## Windows 10 Enterprise upgrade + +Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features. + +For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) + + +## Deployment solutions and tools + +### Upgrade Readiness + +The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. 
To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) + + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md). + + +### MBR2GPT + +MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. + +There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For more information, see [MBR2GPT.EXE](mbr-to-gpt.md). 
+ + +### Microsoft Deployment Toolkit (MDT) + +MDT build 884 is available, including support for: +- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016. +- The Windows ADK for Windows 10, version 1607. +- Integration with Configuration Manager version 1606. + +For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/en-US/windows/dn475741). + + +### Windows Assessment and Deployment Kit (ADK) + +The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics: + +- [What's new in ADK kits and tools](https://msdn.microsoft.com/windows/hardware/commercialize/what-s-new-in-kits-and-tools) +- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) + + +## Testing and validation guidance + +### Windows 10 deployment proof of concept (PoC) + +The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. + +For more information, see the following guides: + +- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) +- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) +- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) + + +## Troubleshooting guidance + +[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. 
The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process. + + +## Online content change history + +The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10. + +[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) +
          [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md) +
          [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md) +
          [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) + + +## Related topics + +[Overview of Windows as a service](../manage/waas-overview.md) +
          [Windows 10 deployment considerations](../plan/windows-10-deployment-considerations.md) +
          [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info.aspx) +
          [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications) +
          [Windows 10 upgrade paths](windows-10-upgrade-paths.md) +
          [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) + + \ No newline at end of file diff --git a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md index 1a6a52fffb..3994cbff66 100644 --- a/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -40,7 +40,7 @@ Figure 32. Typing in the computer name. ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md index 37ca1c3630..29ef0d6793 100644 --- a/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md +++ b/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md 
@@ -17,7 +17,7 @@ author: mtniehaus - Windows 10 -If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. +If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT). For the purposes of this topic, we will use four machines: DC01, CM01, PC0003, and PC0004. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 standard. PC0003 and PC0004 are machines with Windows 7 SP1, on which Windows 10 will be deployed via both refresh and replace scenarios. In addition to these four ready-made machines, you could also include a few blank virtual machines to be used for bare-metal deployments. DC01, CM01, PC003, and PC0004 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md). @@ -28,7 +28,7 @@ Figure 1. The machines used in this topic. ## In this section -- [Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +- [Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) - [Prepare for Zero Touch Installation of Windows with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) 
@@ -69,11 +69,11 @@ Operating system deployment with Configuration Manager is part of the normal sof - **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. -- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT 2013 Update 2 Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). +- **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). -- **Drivers.** Like MDT 2013 Update 2 Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. +- **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT 2013 Update 2 Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT 2013 Update 2 provides additional task sequence templates to Configuration Manager. +- **Task sequences.** The task sequences in Configuration Manager look and feel pretty much like the sequences in MDT Lite Touch, and they are used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). 
MDT provides additional task sequence templates to Configuration Manager. **Note**  Configuration Manager SP1 along with the Windows Assessment and Deployment Kit (ADK) for Windows 10 are required to support management and deployment of Windows 10. diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index b5bd6bcf7a..3cdcb17cd1 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -1,6 +1,6 @@ --- title: Deploy Windows 10 with the Microsoft Deployment Toolkit (Windows 10) -description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +description: This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). ms.assetid: 837f009c-617e-4b3f-9028-2246067ee0fb keywords: deploy, tools, configure, script ms.prod: w10 
@@ -16,10 +16,10 @@ ms.pagetype: mdt **Applies to** - Windows 10 -This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. +This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). The Microsoft Deployment Toolkit is a unified collection of tools, processes, and guidance for automating desktop and server deployment. In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the Windows Assessment and Deployment Kit (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT 2013 Update 2 supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. +MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8, Windows 8.1, and Windows Server 2012 R2. It also includes support for zero-touch installation (ZTI) with Microsoft System Center 2012 R2 Configuration Manager. To download the latest version of MDT, visit the [MDT resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). 
@@ -27,11 +27,11 @@ To download the latest version of MDT, visit the [MDT resource page](https://go. - [Get started with the Microsoft Deployment Toolkit (MDT)](get-started-with-the-microsoft-deployment-toolkit.md) - [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -- [Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +- [Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) - [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) - [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) - [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -- [Configure MDT settings](configure-mdt-2013-settings.md) +- [Configure MDT settings](configure-mdt-settings.md) ## Proof-of-concept environment diff --git a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 635e1c0291..1cd99cefee 100644 --- a/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deploy/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md 
@@ -138,7 +138,7 @@ This sections provides steps to help you create a deployment for the task sequen ## Configure Configuration Manager to prompt for the computer name during deployment (optional) -You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-2013-settings.md). +You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](configure-mdt-settings.md). This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. @@ -162,7 +162,7 @@ This section provides steps to help you configure the All Unknown Computers coll ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md index 33998a9cbe..7e5bf105f1 100644 --- a/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/get-started-with-the-microsoft-deployment-toolkit.md 
@@ -1,6 +1,6 @@ --- title: Get started with the Microsoft Deployment Toolkit (MDT) (Windows 10) -description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. +description: This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. ms.assetid: a256442c-be47-4bb9-a105-c831f58ce3ee keywords: deploy, image, feature, install, tools ms.prod: w10 
@@ -16,9 +16,9 @@ author: mtniehaus **Applies to** - Windows 10 -This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 in particular, as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT 2013 Update 2 also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. +This topic will help you gain a better understanding of how to use the Microsoft Deployment Toolkit (MDT), as part of a Windows operating system deployment. MDT is one of the most important tools available to IT professionals today. You can use it to create reference images or as a complete deployment solution. MDT also can be used to extend the operating system deployment features available in Microsoft System Center 2012 R2 Configuration Manager. -In addition to familiarizing you with the features and options available in MDT 2013 Update 2, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. +In addition to familiarizing you with the features and options available in MDT, this topic will walk you through the process of preparing for deploying Windows 10 using MDT by configuring Active Directory, creating an organizational unit (OU) structure, creating service accounts, configuring log files and folders, and installing the tools needed to view the logs and continue with the deployment process. For the purposes of this topic, we will use two machines: DC01 and MDT01. 
DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). @@ -29,9 +29,9 @@ Figure 1. The machines used in this topic. ## In this section -- [Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) -- [MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) -- [Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) +- [Key features in MDT](key-features-in-mdt.md) +- [MDT Lite Touch components](mdt-lite-touch-components.md) +- [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) ## Related topics @@ -39,7 +39,7 @@ Figure 1. The machines used in this topic. [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) @@ -47,4 +47,4 @@ Figure 1. The machines used in this topic. [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/images/icd-create-options-1703.PNG b/windows/deploy/images/icd-create-options-1703.PNG new file mode 100644 index 0000000000..007e740683 Binary files /dev/null and b/windows/deploy/images/icd-create-options-1703.PNG differ 
diff --git a/windows/deploy/images/mbr2gpt-volume.PNG b/windows/deploy/images/mbr2gpt-volume.PNG
new file mode 100644
index 0000000000..d69bed87fb
Binary files /dev/null and b/windows/deploy/images/mbr2gpt-volume.PNG differ
diff --git a/windows/deploy/images/mbr2gpt-workflow.png b/windows/deploy/images/mbr2gpt-workflow.png
new file mode 100644
index 0000000000..f7741cf0c3
Binary files /dev/null and b/windows/deploy/images/mbr2gpt-workflow.png differ
diff --git a/windows/deploy/images/ua-cg-08.png b/windows/deploy/images/ua-cg-08.png
index 4d7f924d76..f256b2f097 100644
Binary files a/windows/deploy/images/ua-cg-08.png and b/windows/deploy/images/ua-cg-08.png differ
diff --git a/windows/deploy/images/ua-cg-09-old.png b/windows/deploy/images/ua-cg-09-old.png
new file mode 100644
index 0000000000..b9aa1cea41
Binary files /dev/null and b/windows/deploy/images/ua-cg-09-old.png differ
diff --git a/windows/deploy/images/ua-cg-09.png b/windows/deploy/images/ua-cg-09.png
index b9aa1cea41..0150a24ee5 100644
Binary files a/windows/deploy/images/ua-cg-09.png and b/windows/deploy/images/ua-cg-09.png differ
diff --git a/windows/deploy/images/ua-cg-15.png b/windows/deploy/images/ua-cg-15.png
index 5362db66da..009315fc4a 100644
Binary files a/windows/deploy/images/ua-cg-15.png and b/windows/deploy/images/ua-cg-15.png differ
diff --git a/windows/deploy/images/ur-arch-diagram.png b/windows/deploy/images/ur-arch-diagram.png
new file mode 100644
index 0000000000..9c1da1227c
Binary files /dev/null and b/windows/deploy/images/ur-arch-diagram.png differ
diff --git a/windows/deploy/images/ur-overview.PNG b/windows/deploy/images/ur-overview.PNG
new file mode 100644
index 0000000000..cf9563ece5
Binary files /dev/null and b/windows/deploy/images/ur-overview.PNG differ
diff --git a/windows/deploy/images/ur-settings.PNG b/windows/deploy/images/ur-settings.PNG
new file mode 100644
index 0000000000..d1724cb821
Binary files /dev/null and b/windows/deploy/images/ur-settings.PNG differ
diff --git a/windows/deploy/images/ur-target-version.png b/windows/deploy/images/ur-target-version.png
new file mode 100644
index 0000000000..43f0c9aa0c
Binary files /dev/null and b/windows/deploy/images/ur-target-version.png differ
diff --git a/windows/deploy/index.md b/windows/deploy/index.md
index b2d4ab858c..8058cf8890 100644
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@@ -16,17 +16,16 @@ Learn about deploying Windows 10 for IT professionals. |Topic |Description | |------|------------| +|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. | |[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. | -|[Manage Windows upgrades with Upgrade Analytics](manage-windows-upgrades-with-upgrade-analytics.md) |With Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | +|[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. | |[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). | -|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT), and MDT 2013 Update 2 specifically. | -|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or, more specifically, MDT 2013 Update 2. | -|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. 
You can use a Microsoft Deployment Toolkit (MDT) 2013 Update 2 task sequence to completely automate the process. | -|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. | +|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | +|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | |[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. | +|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. | |[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. 
| |[Windows 10 edition upgrade](windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. | -| [Provisioning packages for Windows 10](provisioning-packages.md) | Learn how to use the Windows Imaging and Configuration Designer (ICD) and provisioning packages to easily configure multiple devices. | |[Windows 10 upgrade paths](windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. | |[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](../plan/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](../plan/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. | |[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. | diff --git a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md index 149ba5e250..8ca7faeb78 100644 --- a/windows/deploy/integrate-configuration-manager-with-mdt-2013.md +++ b/windows/deploy/integrate-configuration-manager-with-mdt-2013.md 
@@ -1,116 +1,4 @@ --- title: Integrate Configuration Manager with MDT 2013 Update 2 (Windows 10) -description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. -ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 -ms.pagetype: mdt -keywords: deploy, image, customize, task sequence -ms.prod: w10 -localizationpriority: high -ms.mktglfcycl: deploy -ms.sitesec: library -author: mtniehaus +redirect_url: integrate-configuration-manager-with-mdt --- - -# Integrate Configuration Manager with MDT 2013 Update 2 - -**Applies to** -- Windows 10 - -This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. -MDT 2013 is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). - -## Why integrate MDT 2013 Update 2 with Configuration Manager - -As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT 2013 Update 2 adds to Configuration Manager. 
- -### MDT enables dynamic deployment - -When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. - -The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: -- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence. - - ``` syntax - [Settings] - Priority=Model - [HP EliteBook 8570w] - Packages001=PS100010:Install HP Hotkeys - ``` -- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. - - ``` syntax - [Settings] - Priority= ByLaptopType, ByDesktopType - [ByLaptopType] - Subsection=Laptop-%IsLaptop% - [ByDesktopType] - Subsection=Desktop-%IsDesktop% - [Laptop-True] - Packages001=PS100012:Install Cisco VPN Client - OSDComputerName=LT-%SerialNumber% - MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com - [Desktop-True] - OSDComputerName=DT-%SerialNumber% - MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com - ``` - -![figure 2](images/fig2-gather.png) - -Figure 2. The Gather action in the task sequence is reading the rules. 
- -### MDT adds an operating system deployment simulation environment - -When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](configure-mdt-2013-settings.md). - -![figure 3](images/mdt-06-fig03.png) - -Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1). - -### MDT adds real-time monitoring - -With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. - -![figure 4](images/mdt-06-fig04.png) - -Figure 4. View the real-time monitoring data with PowerShell. - -### MDT adds an optional deployment wizard - -For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer. - -![figure 5](images/mdt-06-fig05.png) - -Figure 5. The optional UDI wizard open in the UDI Wizard Designer. - -MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. 
By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager. - -## Why use MDT Lite Touch to create reference images - -You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: -- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager. -- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. -- The Configuration Manager task sequence does not suppress user interface interaction. -- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured. -- MDT Lite Touch does not require any infrastructure and is easy to delegate. 
- -## Related topics - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)  diff --git a/windows/deploy/integrate-configuration-manager-with-mdt.md b/windows/deploy/integrate-configuration-manager-with-mdt.md new file mode 100644 index 0000000000..2b4560ff12 --- /dev/null +++ b/windows/deploy/integrate-configuration-manager-with-mdt.md 
@@ -0,0 +1,116 @@ +--- +title: Integrate Configuration Manager with MDT (Windows 10) +description: This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. +ms.assetid: 3bd1cf92-81e5-48dc-b874-0f5d9472e5a5 +ms.pagetype: mdt +keywords: deploy, image, customize, task sequence +ms.prod: w10 +localizationpriority: high +ms.mktglfcycl: deploy +ms.sitesec: library +author: mtniehaus +--- + +# Integrate Configuration Manager with MDT + +**Applies to** +- Windows 10 + +This topic will help you understand the benefits of integrating the Microsoft Deployment Toolkit with Microsoft System Center 2012 R2 Configuration Manager SP1 when you deploy a new or updated version of the Windows operating system. +MDT is a free, supported download from Microsoft that adds approximately 280 enhancements to Windows operating system deployment with System Center 2012 R2 Configuration Manager SP1. It is, therefore, recommended that you utilize MDT when deploying the Windows operating system with Configuration Manager SP1. In addition to integrating MDT with Configuration Manager, we also recommend using MDT Lite Touch to create the Windows 10 reference images used in Configuration Manager. For more information on how to create a reference image, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +## Why integrate MDT with Configuration Manager + +As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. + +### MDT enables dynamic deployment + +When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. 
In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. + +The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: +- The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is a HP EliteBook 8570w. Note that you don't have to add the package to the task sequence. + + ``` syntax + [Settings] + Priority=Model + [HP EliteBook 8570w] + Packages001=PS100010:Install HP Hotkeys + ``` +- The following settings instruct the task sequence to put laptops and desktops in different organizational units (OUs) during deployment, assign different computer names, and finally have the task sequence install the Cisco VPN client, but only if the machine is a laptop. + + ``` syntax + [Settings] + Priority= ByLaptopType, ByDesktopType + [ByLaptopType] + Subsection=Laptop-%IsLaptop% + [ByDesktopType] + Subsection=Desktop-%IsDesktop% + [Laptop-True] + Packages001=PS100012:Install Cisco VPN Client + OSDComputerName=LT-%SerialNumber% + MachineObjectOU=ou=laptops,ou=Contoso,dc=contoso,dc=com + [Desktop-True] + OSDComputerName=DT-%SerialNumber% + MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com + ``` + +![figure 2](images/fig2-gather.png) + +Figure 2. The Gather action in the task sequence is reading the rules. + +### MDT adds an operating system deployment simulation environment + +When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. 
For more information, see [Configure MDT settings](configure-mdt-settings.md). + +![figure 3](images/mdt-06-fig03.png) + +Figure 3. The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1). + +### MDT adds real-time monitoring + +With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. + +![figure 4](images/mdt-06-fig04.png) + +Figure 4. View the real-time monitoring data with PowerShell. + +### MDT adds an optional deployment wizard + +For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer. + +![figure 5](images/mdt-06-fig05.png) + +Figure 5. The optional UDI wizard open in the UDI Wizard Designer. + +MDT Zero Touch simply extends Configuration Manager with many useful built-in operating system deployment components. By providing well-established, supported solutions, MDT reduces the complexity of deployment in Configuration Manager. 
+ +## Why use MDT Lite Touch to create reference images + +You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: +- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager. +- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center 2012 R2 Virtual Machine Manager (SCVMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. +- Microsoft System Center 2012 R2 performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. +- The Configuration Manager task sequence does not suppress user interface interaction. +- MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it is automatically captured. +- MDT Lite Touch does not require any infrastructure and is easy to delegate. 
+ +## Related topics + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + + +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)  diff --git a/windows/deploy/key-features-in-mdt-2013.md b/windows/deploy/key-features-in-mdt-2013.md index 0264a106c0..d62060296d 100644 --- a/windows/deploy/key-features-in-mdt-2013.md +++ b/windows/deploy/key-features-in-mdt-2013.md 
@@ -1,62 +1,4 @@ --- title: Key features in MDT 2013 Update 2 (Windows 10) -description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. -ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 -keywords: deploy, feature, tools, upgrade, migrate, provisioning -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus ---- - -# Key features in MDT 2013 Update 2 - -**Applies to** -- Windows 10 - -The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. - -MDT 2013 has many useful features, the most important of which are: -- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. -- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. -- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. -- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. -- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. - - ![figure 2](images/mdt-05-fig02.png) - - Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. - -- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. 
-- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). -- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. -- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. -- **Monitoring.** Allows you to see the status of currently running deployments. -- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). -- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. -- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. -- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. - - ![figure 3](images/mdt-05-fig03.png) - - Figure 3. The offline USMT backup in action. - -- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. -- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. -- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. -- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. 
-- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. -- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). - -## Related topics - -[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) - -[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) -  -  +redirect_url: key-features-in-mdt +--- \ No newline at end of file diff --git a/windows/deploy/key-features-in-mdt.md b/windows/deploy/key-features-in-mdt.md new file mode 100644 index 0000000000..faeb651733 --- /dev/null +++ b/windows/deploy/key-features-in-mdt.md 
@@ -0,0 +1,62 @@ +--- +title: Key features in MDT (Windows 10) +description: The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. +ms.assetid: 858e384f-e9db-4a93-9a8b-101a503e4868 +keywords: deploy, feature, tools, upgrade, migrate, provisioning +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Key features in MDT + +**Applies to** +- Windows 10 + +The Microsoft Deployment Toolkit (MDT) has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. + +MDT has many useful features, the most important of which are: +- **Windows Client support.** Supports Windows 7, Windows 8, Windows 8.1, and Windows 10. +- **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. +- **Additional operating systems support.** Supports Windows Thin PC and Windows Embedded POSReady 7, as well as Windows 8.1 Embedded Industry. +- **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. +- **GPT support.** Supports deployment to machines that require the new GUID (globally unique identifier) partition table (GPT) format. This is related to UEFI. +- **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. + + ![figure 2](images/mdt-05-fig02.png) + + Figure 2. The deployment share mounted as a standard PSDrive allows for administration using PowerShell. + +- **Add local administrator accounts.** Allows you to add multiple user accounts to the local Administrators group on the target computers, either via settings or the deployment wizard. 
+- **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). +- **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. +- **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. +- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Monitoring.** Allows you to see the status of currently running deployments. +- **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). +- **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. +- **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time. +- **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment. + + ![figure 3](images/mdt-05-fig03.png) + + Figure 3. The offline USMT backup in action. + +- **Install or uninstall Windows roles or features.** Enables you to select roles and features as part of the deployment wizard. MDT also supports uninstall of roles and features. +- **Microsoft System Center 2012 Orchestrator integration.** Provides the capability to use Orchestrator runbooks as part of the task sequence. +- **Support for DaRT.** Supports optional integration of the DaRT components into the boot image. +- **Support for Office 2013.** Provides added support for deploying Microsoft Office Professional Plus 2013. 
+- **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. +- **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +## Related topics + +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) + +[MDT Lite Touch components](mdt-lite-touch-components.md) +  +  diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md index a7d55fda76..9b25d3cea1 100644 --- a/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md +++ b/windows/deploy/manage-windows-upgrades-with-upgrade-analytics.md 
@@ -1,43 +1,4 @@ --- title: Manage Windows upgrades with Upgrade Analytics (Windows 10) -description: Provides an overview of the process of managing Windows upgrades with Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: manage-windows-upgrades-with-upgrade-readiness --- - -# Manage Windows upgrades with Upgrade Analytics - -Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. - -With the release of Upgrade Analytics, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. - -Microsoft developed Upgrade Analytics in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Analytics was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. - -With Windows telemetry enabled, Upgrade Analytics collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. 
- -Use Upgrade Analytics to get: - -- A visual workflow that guides you from pilot to production -- Detailed computer and application inventory -- Powerful computer level search and drill-downs -- Guidance and insights into application and driver compatibility issues, with suggested fixes -- Data driven application rationalization tools -- Application usage information, allowing targeted validation; workflow to track validation progress and decisions -- Data export to commonly used software deployment tools, including System Center Configuration Manager - -The Upgrade Analytics workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. - -**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: - -- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) -- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -##**Related topics** - -[Upgrade Analytics architecture](upgrade-analytics-architecture.md)
          -[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
          -[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
          -[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
          -[Use Upgrade Analytics to manage Windows upgrades](use-upgrade-analytics-to-manage-windows-upgrades.md)
          -[Troubleshoot Upgrade Analytics](troubleshoot-upgrade-analytics.md)
          diff --git a/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md new file mode 100644 index 0000000000..de269889bf --- /dev/null +++ b/windows/deploy/manage-windows-upgrades-with-upgrade-readiness.md 
@@ -0,0 +1,43 @@
+---
+title: Manage Windows upgrades with Upgrade Readiness (Windows 10)
+description: Provides an overview of the process of managing Windows upgrades with Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Manage Windows upgrades with Upgrade Readiness
+
+Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points.
+
+With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) model.
+
+Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10.
+
+With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft.
+
+Use Upgrade Readiness to get:
+
+- A visual workflow that guides you from pilot to production
+- Detailed computer and application inventory
+- Powerful computer level search and drill-downs
+- Guidance and insights into application and driver compatibility issues, with suggested fixes
+- Data driven application rationalization tools
+- Application usage information, allowing targeted validation; workflow to track validation progress and decisions
+- Data export to commonly used software deployment tools, including System Center Configuration Manager
+
+The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded.
+
+**Important** For system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see:
+
+- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+
+##**Related topics**
+
+[Upgrade Readiness architecture](upgrade-readiness-architecture.md)
          +[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
          +[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
          +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
          +[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md)
          +[Troubleshoot Upgrade Readiness](troubleshoot-upgrade-readiness.md)
          diff --git a/windows/deploy/mbr-to-gpt.md b/windows/deploy/mbr-to-gpt.md
new file mode 100644
index 0000000000..46c411919f
--- /dev/null
+++ b/windows/deploy/mbr-to-gpt.md
@@ -0,0 +1,385 @@
+---
+title: MBR2GPT
+description: How to use the MBR2GPT tool to convert MBR partitions to GPT
+keywords: deploy, troubleshoot, windows, 10, upgrade, partition, mbr, gpt
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+localizationpriority: high
+---
+
+# MBR2GPT.EXE
+
+**Applies to**
+- Windows 10
+
+## Summary
+
+**MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+
+You can use MBR2GPT to perform the following:
+
+- \[Within the Windows PE environment\]: Convert any attached MBR-formatted disk to GPT, including the system disk.
+- \[From within the currently running OS\]: Convert any attached MBR-formatted disk to GPT, including the system disk.
+
+>MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions.
+>The tool is available in both the full OS environment and Windows PE.
+
+You can use MBR2GPT to convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them.
+
+The MBR2GPT tool can convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
+
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+
+>[!IMPORTANT]
+>After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
          Make sure that your device supports UEFI before attempting to convert the disk.
+
+## Syntax
+
+

        Admin Templates>System>Power Management>Video and Display Settings

        Turn off the display (plugged in)

        *SleepTimeout*

        SetPowerPolicies=True

        Turn off the display (on battery

        *SleepTimeout*

        SetPowerPolicies=True

        Admin Templates>System>Power Management>Energy Saver Settings

        Energy Saver Battery Threshold (on battery)70SetPowerPolicies=True

        Admin Templates>System>Logon

        Show first sign-in animation

        Disabled

        Always

        Hide entry points for Fast User Switching

        Enabled

        Always

        Admin Templates>System>User Profiles

        Turn off the advertising ID

        Enabled

        SetEduPolicies=True

        Admin Templates>Windows Components

        Do not show Windows Tips

        *Only on Pro, Enterprise, Pro Education, and Education*

        Enabled

        SetEduPolicies=True

        Turn off Microsoft consumer experiences

        *Only on Pro, Enterprise, Pro Education, and Education*

        Enabled

        SetEduPolicies=True

        Do not show Windows Tips

        Enabled

        SetEduPolicies=True

        Turn off Microsoft consumer experiences

        Enabled

        SetEduPolicies=True

        Microsoft Passport for Work

        Disabled

        Always

        Prevent the usage of OneDrive for file storage

        Enabled

        Always

        Admin Templates>Windows Components>Biometrics

        Toggle user control over Insider builds

        Disabled

        Always

        Disable pre-release features or settings

        Disabled

        Always

        Do not show feedback notifications

        Enabled

        Always

        Allow TelemetryBasic, 0SetEduPolicies=True

        Admin Templates>Windows Components>File Explorer

        Show lock in the user tile menu

        Disabled

        Always

        Admin Templates>Windows Components>Maintenance Scheduler

        Automatic Maintenance Activation Boundary

        *MaintenanceStartTime*

        Always

        Automatic Maintenance Random Delay

        Enabled, 2 hours

        Always

        Automatic Maintenance WakeUp Policy

        Enabled

        Always

        Admin Templates>Windows Components>Microsoft Edge

        Open a new tab with an empty tab

        Disabled

        SetEduPolicies=True

        Configure corporate home pages

        Enabled, about:blank

        SetEduPolicies=True

        Admin Templates>Windows Components>Search

        Allow Cortana

        Disabled

        SetEduPolicies=True

        Admin Templates>Windows Components>Windows Hello for Business

        Use phone sign-in

        Disabled

        Always

        Use Windows Hello for Business

        Disabled

        Always

        Use biometrics

        Disabled

        Always

        Admin Templates>Windows Components>OneDrive

        Prevent the usage of OneDrive for file storage

        Enabled

        Always

        Windows Settings>Security Settings>Local Policies>Security Options

        Interactive logon: Do not display last user name

        Enabled, Disabled when account model is only guest

        Always

        +
        MBR2GPT /validate|convert [/disk:\] [/logs:\] [/map:\=\] [/allowFullOS] +
        +
+### Options
+
+| Option | Description |
+|----|-------------|
+|/validate| Instructs MBR2GPT.exe to perform only the disk validation steps and report whether the disk is eligible for conversion. |
+|/convert| Instructs MBR2GPT.exe to perform the disk validation and to proceed with the conversion if all validation tests pass. |
+|/disk:\| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as that used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
+|/logs:\| Specifies the directory where MBR2GPT.exe logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|/map:\=\| Specifies additional partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexidecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
+|/allowFullOS| By default, MBR2GPT.exe is blocked unless it is run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment.|
+
+## Examples
+
+### Validation example
+
+In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location, **%windir%**.
+
+```
+X:\>mbr2gpt /validate /disk:0
+MBR2GPT: Attempting to validate disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512
+MBR2GPT: Validation completed successfully
+```
+
+### Conversion example
+
+In the following example:
+
+1. The current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+2.
The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx) is **07** corresponding to the installable file system (IFS) type.
+2. The MBR2GPT tool is used to convert disk 0.
+3. The DISKPART tool displays that disk 0 is now using the GPT format.
+4. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+5. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+>As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+
+```
+DISKPART> list volume
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+ Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
+ Volume 1 C System Rese NTFS Partition 499 MB Healthy
+ Volume 2 D Windows NTFS Partition 58 GB Healthy
+ Volume 3 E Recovery NTFS Partition 612 MB Healthy Hidden
+
+DISKPART> select volume 2
+
+Volume 2 is the selected volume.
+
+DISKPART> list partition
+
+ Partition ### Type Size Offset
+ ------------- ---------------- ------- -------
+ Partition 1 Primary 499 MB 1024 KB
+* Partition 2 Primary 58 GB 500 MB
+ Partition 3 Recovery 612 MB 59 GB
+
+DISKPART> detail partition
+
+Partition 2
+Type : 07
+Hidden: No
+Active: No
+Offset in Bytes: 524288000
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+* Volume 2 D Windows NTFS Partition 58 GB Healthy
+
+DISKPART> exit
+
+Leaving DiskPart...
+
+X:\>mbr2gpt /convert /disk:0
+
+MBR2GPT will now attempt to convert disk 0.
+If conversion is successful the disk can only be booted in GPT mode.
+These changes cannot be undone!
+
+MBR2GPT: Attempting to convert disk 0
+MBR2GPT: Retrieving layout of disk
+MBR2GPT: Validating layout, disk sector size is: 512 bytes
+MBR2GPT: Trying to shrink the system partition
+MBR2GPT: Trying to shrink the OS partition
+MBR2GPT: Creating the EFI system partition
+MBR2GPT: Installing the new boot files
+MBR2GPT: Performing the layout conversion
+MBR2GPT: Migrating default boot entry
+MBR2GPT: Adding recovery boot entry
+MBR2GPT: Fixing drive letter mapping
+MBR2GPT: Conversion completed successfully
+MBR2GPT: Before the new system can boot properly you need to switch the firmware to boot to UEFI mode!
+
+X:\>diskpart
+
+Microsoft DiskPart version 10.0.15048.0
+
+Copyright (C) Microsoft Corporation.
+On computer: MININT-K71F13N
+
+DISKPART> list disk
+
+ Disk ### Status Size Free Dyn Gpt
+ -------- ------------- ------- ------- --- ---
+ Disk 0 Online 60 GB 0 B *
+
+DISKPART> select disk 0
+
+Disk 0 is now the selected disk.
+
+DISKPART> list volume
+
+ Volume ### Ltr Label Fs Type Size Status Info
+ ---------- --- ----------- ----- ---------- ------- --------- --------
+ Volume 0 F CENA_X64FRE UDF DVD-ROM 4027 MB Healthy
+ Volume 1 D Windows NTFS Partition 58 GB Healthy
+ Volume 2 C System Rese NTFS Partition 499 MB Healthy Hidden
+ Volume 3 FAT32 Partition 100 MB Healthy Hidden
+ Volume 4 E Recovery NTFS Partition 612 MB Healthy Hidden
+
+DISKPART> select volume 1
+
+Volume 1 is the selected volume.
+ +DISKPART> list partition + + Partition ### Type Size Offset + ------------- ---------------- ------- ------- + Partition 1 Recovery 499 MB 1024 KB +* Partition 2 Primary 58 GB 500 MB + Partition 4 System 100 MB 59 GB + Partition 3 Recovery 612 MB 59 GB + +DISKPART> detail partition + +Partition 2 +Type : ebd0a0a2-b9e5-4433-87c0-68b6b72699c7 +Hidden : No +Required: No +Attrib : 0000000000000000 +Offset in Bytes: 524288000 + + Volume ### Ltr Label Fs Type Size Status Info + ---------- --- ----------- ----- ---------- ------- --------- -------- +* Volume 1 D Windows NTFS Partition 58 GB Healthy + +``` + +## Specifications + +### Disk conversion workflow + +The following steps illustrate high-level phases of the MBR-to-GPT conversion process: + +1. Disk validation is performed. +2. The disk is repartitioned to create an EFI system partition (ESP) if one does not already exist. +3. UEFI boot files are installed to the ESP. +4. GPT metatdata and layout information is applied. +5. The boot configuration data (BCD) store is updated. +6. Drive letter assignments are restored. + +### Disk validation + +Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: +- The disk is currently using MBR +- There is enough space not occupied by partitions to store the primary and secondary GPTs: + - 16KB + 2 sectors at the front of the disk + - 16KB + 1 sector at the end of the disk +- There are at most 3 primary partitions in the MBR partition table +- One of the partitions is set as active and is the system partition +- The BCD store on the system partition contains a default OS entry pointing to an OS partition +- The volume IDs can be retrieved for each volume which has a drive letter assigned +- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option + +If any of these checks fails, the conversion will not proceed and an error will be returned. 
+
+### Creating an EFI system partition
+
+For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
+
+1. The existing MBR system partition is reused if it meets these requirements:
+ a. It is not also the OS or Windows Recovery Environment partition
+ b. It is at least 100MB (or 260MB for 4K sector size disks) in size
+ c. It is less than or equal to 1GB in size. This is a safety precaution to ensure it is not a data partition.
+ d. If the conversion is being performed from the full OS, the disk being converted is not the system disk.
+2. If the existing MBR system partition cannot be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100MB (or 260MB for 4K sector size disks) and is formatted FAT32.
+
+If the existing MBR system partition is not reused for the ESP, it is no longer used by the boot process after the conversion. Other partitions are not modified.
+
+### Partition type mapping and partition attributes
+
+Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
+
+1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
+2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
+3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
+4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
+
+In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
+- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
+- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
+
+For more information about partition types, see:
+- [GPT partition types](https://msdn.microsoft.com/library/windows/desktop/aa365449.aspx)
+- [MBR partition types](https://msdn.microsoft.com/library/windows/desktop/aa363990.aspx)
+
+
+### Persisting drive letter assignments
+
+The conversion tool will attempt to remap all drive letter assignment information contained in the registry that correspond to the volumes of the converted disk. If a drive letter assignment cannot be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter. **Important**: this code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
+
+The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following:
+
+1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
+2. If found, set the value to be the new unique ID, obtained after the layout conversion.
+3. If the new unique ID cannot be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
+
+## Troubleshooting
+
+The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions do not translate properly, this is displayed and the conversion not performed.
To view more detail about any errors that are encountered, see the associated [log files](#logs).
+
+### Logs
+
+Four log files are created by the MBR2GPT tool:
+
+- diagerr.xml
+- diagwrn.xml
+- setupact.log
+- setuperr.log
+
+These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion. Note: The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
+
+The default location for all these log files in Windows PE is **%windir%**.
+
+### Interactive help
+
+To view a list of options available when using the tool, type **mbr2gpt /?**
+
+The following text is displayed:
+
+```
+
+C:\> mbr2gpt /?
+
+Converts a disk from MBR to GPT partitioning without modifying or deleting data on the disk.
+
+MBR2GPT.exe /validate|convert [/disk:] [/logs:] [/map:=] [/allowFullOS]
+
+Where:
+
+ /validate
+ - Validates that the selected disk can be converted
+ without performing the actual conversion.
+
+ /convert
+ - Validates that the selected disk can be converted
+ and performs the actual conversion.
+
+ /disk:
+ - Specifies the disk number of the disk to be processed.
+ If not specified, the system disk is processed.
+
+ /logs:
+ - Specifies the directory for logging. By default logs
+ are created in the %windir% directory.
+
+ /map:=
+ - Specifies the GPT partition type to be used for a
+ given MBR partition type not recognized by Windows.
+ Multiple /map switches are allowed.
+
+ /allowFullOS
+ - Allows the tool to be used from the full Windows
+ environment. By default, this tool can only be used
+ from the Windows Preinstallation Environment.
+
+```
+
+### Return codes
+
+MBR2GPT has the following associated return codes:
+
+| Return code | Description |
+|----|-------------|
+|0| Conversion completed successfully.|
+|1| Conversion was canceled by the user.|
+|2| Conversion failed due to an internal error.|
+|3| Conversion failed due to an initialization error.|
+|4| Conversion failed due to invalid command-line parameters. |
+|5| Conversion failed due to error reading the geometry and layout of the selected disk.|
+|6| Conversion failed because one or more volumes on the disk is encrypted.|
+|7| Conversion failed because the geometry and layout of the selected disk do not meet requirements.|
+|8| Conversion failed due to error while creating the EFI system partition.|
+|9| Conversion failed due to error installing boot files.|
+|10| Conversion failed due to error while applying GPT layout.|
+|100| Conversion to GPT layout succeeded, but some boot configuration data entries could not be restored.|
+
+
+### Determining the partition type
+
+You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
+
+
+```
+PS C:\> Get-Disk | ft -Auto
+
+Number Friendly Name Serial Number HealthStatus OperationalStatus Total Size Partition Style
+------ ------------- ------------- ------------ ----------------- ---------- ---------------
+0 MTFDDAK256MAM-1K1 13050928F47C Healthy Online 238.47 GB MBR
+1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT
+```
+
+You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
+
+![Volumes](images/mbr2gpt-volume.PNG)
+
+
+If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the diskpart tool.
To determine the partition style, type **diskpart** and then type **list disk**. See the following example:
+
+```
+DISKPART> list disk
+
+ Disk ### Status Size Free Dyn Gpt
+ -------- ------------- ------- ------- --- ---
+ Disk 0 Online 238 GB 0 B
+ Disk 1 Online 931 GB 0 B *
+```
+
+In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is formatted using GPT.
+
+
+
+
+## Related topics
+
+[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
+
        [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+
        [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
diff --git a/windows/deploy/mdt-2013-lite-touch-components.md b/windows/deploy/mdt-2013-lite-touch-components.md
index 2234092338..5afed1bb8b 100644
--- a/windows/deploy/mdt-2013-lite-touch-components.md
+++ b/windows/deploy/mdt-2013-lite-touch-components.md
@@ -1,119 +1,4 @@
 ---
 title: MDT 2013 Update 2 Lite Touch components (Windows 10)
-description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10.
-ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089
-keywords: deploy, install, deployment, boot, log, monitor
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
----
-
-# MDT 2013 Update 2 Lite Touch components
-
-**Applies to**
-- Windows 10
-
-This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) 2013 Update 2 that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc.
-When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
-
-![figure 4](images/mdt-05-fig04.png)
-
-Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
-
-## Deployment shares
-
-A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment.
For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment.
-
-## Rules
-
-The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed:
-- Computer name
-- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object
-- Whether to enable BitLocker
-- Regional settings
-You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117).
-
-![figure 5](images/mdt-05-fig05.png)
-
-Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
-
-## Boot images
-
-Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment
-share on the server and start the deployment.
-
-## Operating systems
-
-Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments.
-
-## Applications
-
-Using the Deployment Workbench, you also add the applications you want to deploy.
MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps.
-
-## Driver repository
-
-You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image.
-
-## Packages
-
-With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts.
-
-## Task sequences
-
-Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence.
-
-You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows:
-- **Gather.** Reads configuration settings from the deployment server.
-- **Format and Partition.** Creates the partition(s) and formats them.
-- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository.
-- **Apply Operating System.** Uses ImageX to apply the image.
-- **Windows Update.** Connects to a WSUS server and updates the machine.
- -## Task sequence templates - -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. -- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - - **Note**   - It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. -   -- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. -- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. -- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. -- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. 
-- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. -- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. -- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. - -## Selection profiles - -Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: -- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. -- Control which drivers are injected during the task sequence. -- Control what is included in any media that you create. -- Control what is replicated to other deployment shares. -- Filter which task sequences and applications are displayed in the Deployment Wizard. - -## Logging - -MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. - -**Note**   -The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). -  -## Monitoring - -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. 
- -## Related topics - -[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) - -[Prepare for deployment with MDT 2013 Update 2](prepare-for-windows-deployment-with-mdt-2013.md) -  -  +redirect_url: mdt-lite-touch-components +--- \ No newline at end of file diff --git a/windows/deploy/mdt-lite-touch-components.md b/windows/deploy/mdt-lite-touch-components.md new file mode 100644 index 0000000000..2b004d7fbb --- /dev/null +++ b/windows/deploy/mdt-lite-touch-components.md 
@@ -0,0 +1,117 @@ +--- +title: MDT Lite Touch components (Windows 10) +description: This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. +ms.assetid: 7d6fc159-e338-439e-a2e6-1778d0da9089 +keywords: deploy, install, deployment, boot, log, monitor +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# MDT Lite Touch components + +**Applies to** +- Windows 10 + +This topic provides an overview of the features in the Microsoft Deployment Toolkit (MDT) that support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. + +![figure 4](images/mdt-05-fig04.png) + +Figure 4. If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. + +## Deployment shares + +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. 
For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Microsoft System Center 2012 R2 Configuration Manager deploys the image in the production environment. + +## Rules + +The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The rules control the Windows Deployment Wizard on the client and, for example, can provide the following settings to the machine being deployed: +- Computer name +- Domain to join, and organizational unit (OU) in Active Directory to hold the computer object +- Whether to enable BitLocker +- Regional settings +You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](https://go.microsoft.com/fwlink/p/?LinkId=618117). + +![figure 5](images/mdt-05-fig05.png) + +Figure 5. Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number + +## Boot images + +Boot images are the Windows Preinstallation Environment (Windows PE) images that are used to start the deployment. They can be started from a CD or DVD, an ISO file, a USB device, or over the network using a Pre-Boot Execution Environment (PXE) server. The boot images connect to the deployment +share on the server and start the deployment. + +## Operating systems + +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. + +## Applications + +Using the Deployment Workbench, you also add the applications you want to deploy. 
MDT supports virtually every executable Windows file type. The file can be a standard .exe file with command-line switches for an unattended install, a Microsoft Windows Installer (MSI) package, a batch file, or a VBScript. In fact, it can be just about anything that can be executed unattended. MDT also supports the new Universal Windows apps. + +## Driver repository + +You also use the Deployment Workbench to import the drivers your hardware needs into a driver repository that lives on the server, not in the image. + +## Packages + +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. + +## Task sequences + +Task sequences are the heart and soul of the deployment solution. When creating a task sequence, you need to select a template. The templates are located in the Templates folder in the MDT installation directory, and they determine which default actions are present in the sequence. + +You can think of a task sequence as a list of actions that need to be executed in a certain order. Each action can also have conditions. Some examples of actions are as follows: +- **Gather.** Reads configuration settings from the deployment server. +- **Format and Partition.** Creates the partition(s) and formats them. +- **Inject Drivers.** Finds out which drivers the machine needs and downloads them from the central driver repository. +- **Apply Operating System.** Uses ImageX to apply the image. +- **Windows Update.** Connects to a WSUS server and updates the machine. 
+ +## Task sequence templates + +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +- **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. + + **Note**   + It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. +   +- **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. +- **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. +- **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. +- **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. 
+- **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. +- **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. +- **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. + +## Selection profiles + +Selection profiles, which are available in the Advanced Configuration node, provide a way to filter content in the Deployment Workbench. Selection profiles are used for several purposes in the Deployment Workbench and in Lite Touch deployments. For example, they can be used to: +- Control which drivers and packages are injected into the Lite Touch (and generic) boot images. +- Control which drivers are injected during the task sequence. +- Control what is included in any media that you create. +- Control what is replicated to other deployment shares. +- Filter which task sequences and applications are displayed in the Deployment Wizard. + +## Logging + +MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. + +**Note**   +The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). +  +## Monitoring + +On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. 
+
+## Related topics
+
+[Key features in MDT](key-features-in-mdt.md)
+
+[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)
diff --git a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
index a2caee8ea8..ecb875e202 100644
--- a/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deploy/monitor-windows-10-deployment-with-configuration-manager.md
@@ -52,7 +52,7 @@ To monitor an operating system deployment conducted through System Center 2012 R
 ## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
 [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
index 546035f735..600b8e9783 100644
--- a/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
+++ b/windows/deploy/prepare-for-windows-deployment-with-mdt-2013.md
@@ -1,122 +1,4 @@ --- title: Prepare for deployment with MDT 2013 Update 2 (Windows 10) -description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. -ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 -keywords: deploy, system requirements -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: prepare-for-windows-deployment-with-mdt --- - -# Prepare for deployment with MDT 2013 Update 2 - -**Applies to** -- Windows 10 - -This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT) 2013 Update 2. It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory. - -For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
- -## System requirements - -MDT 2013 Update 2 requires the following components: -- Any of the following operating systems: - - Windows 7 - - Windows 8 - - Windows 8.1 - - Windows 10 - - Windows Server 2008 R2 - - Windows Server 2012 - - Windows Server 2012 R2 -- Windows Assessment and Deployment Kit (ADK) for Windows 10 -- Windows PowerShell -- Microsoft .NET Framework - -## Install Windows ADK for Windows 10 - -These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. -2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. -3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: - 1. Deployment Tools - 2. Windows Preinstallation Environment (Windows PE) - 3. User State Migration Tool (UMST) - -## Install MDT 2013 Update 2 - -These steps assume that you have downloaded [MDT 2013 Update 2](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT 2013 folder on MDT01. - -1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. -2. Install **MDT** (E:\\Downloads\\MDT 2013\\MicrosoftDeploymentToolkit2013\_x64.msi) with the default settings. - -## Create the OU structure - -If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT 2013 Update 2. -1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**. -2. In the **Contoso** OU, create the following OUs: - 1. Accounts - 2. Computers - 3. Groups -3. 
In the **Contoso / Accounts** OU, create the following underlying OUs: - 1. Admins - 2. Service Accounts - 3. Users -4. In the **Contoso / Computers** OU, create the following underlying OUs: - 1. Servers - 2. Workstations -5. In the **Contoso / Groups** OU, create the following OU: - - Security Groups - -![figure 6](images/mdt-05-fig07.png) - -Figure 6. A sample of how the OU structure will look after all the OUs are created. - -## Create the MDT service account - -When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. -1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. -2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings: - 1. Name: MDT\_BA - 2. User logon name: MDT\_BA - 3. Password: P@ssw0rd - 4. User must change password at next logon: Clear - 5. User cannot change password: Selected - 6. Password never expires: Selected - -## Create and share the logs folder - -By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). - -1. On MDT01, log on as **CONTOSO\\Administrator**. -2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: - - ``` syntax - New-Item -Path E:\Logs -ItemType directory - New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE - icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)' - ``` - -![figure 7](images/mdt-05-fig08.png) - -Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell. 
- -## Use CMTrace to read log files (optional) - -The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read. - -![figure 8](images/mdt-05-fig09.png) - -Figure 8. An MDT log file opened in Notepad. - -![figure 9](images/mdt-05-fig10.png) - - -Figure 9. The same log file, opened in CMTrace, is much easier to read. -## Related topics - -[Key features in MDT 2013 Update 2](key-features-in-mdt-2013.md) - -[MDT 2013 Update 2 Lite Touch components](mdt-2013-lite-touch-components.md) diff --git a/windows/deploy/prepare-for-windows-deployment-with-mdt.md b/windows/deploy/prepare-for-windows-deployment-with-mdt.md new file mode 100644 index 0000000000..9274e2a90d --- /dev/null +++ b/windows/deploy/prepare-for-windows-deployment-with-mdt.md 
@@ -0,0 +1,122 @@ +--- +title: Prepare for deployment with MDT (Windows 10) +description: This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). +ms.assetid: 5103c418-0c61-414b-b93c-a8e8207d1226 +keywords: deploy, system requirements +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Prepare for deployment with MDT + +**Applies to** +- Windows 10 + +This topic will walk you through the steps necessary to create the server structure required to deploy the Windows 10 operating system using the Microsoft Deployment Toolkit (MDT). It covers the installation of the necessary system prerequisites, the creation of shared folders and service accounts, and the configuration of security permissions in the files system and in Active Directory. + +For the purposes of this topic, we will use two machines: DC01 and MDT01. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 standard server. MDT01 is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
+ +## System requirements + +MDT requires the following components: +- Any of the following operating systems: + - Windows 7 + - Windows 8 + - Windows 8.1 + - Windows 10 + - Windows Server 2008 R2 + - Windows Server 2012 + - Windows Server 2012 R2 +- Windows Assessment and Deployment Kit (ADK) for Windows 10 +- Windows PowerShell +- Microsoft .NET Framework + +## Install Windows ADK for Windows 10 + +These steps assume that you have the MDT01 member server installed and configured and that you have downloaded [Windows ADK for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=526803) to the E:\\Downloads\\ADK folder. +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. +2. Start the **ADK Setup** (E:\\Downloads\\ADK\\adksetup.exe), and on the first wizard page, click **Continue**. +3. On the **Select the features you want to change** page, select the features below and complete the wizard using the default settings: + 1. Deployment Tools + 2. Windows Preinstallation Environment (Windows PE) + 3. User State Migration Tool (UMST) + +## Install MDT + +These steps assume that you have downloaded [MDT](https://go.microsoft.com/fwlink/p/?LinkId=618117 ) to the E:\\Downloads\\MDT folder on MDT01. + +1. On MDT01, log on as Administrator in the CONTOSO domain using a password of **P@ssw0rd**. +2. Install **MDT** (E:\\Downloads\\MDT\\MicrosoftDeploymentToolkit\_x64.msi) with the default settings. + +## Create the OU structure + +If you do not have an organizational unit (OU) structure in your Active Directory, you should create one. In this section, you create an OU structure and a service account for MDT. +1. On DC01, using Active Directory User and Computers, in the contoso.com domain level, create a top-level OU named **Contoso**. +2. In the **Contoso** OU, create the following OUs: + 1. Accounts + 2. Computers + 3. Groups +3. In the **Contoso / Accounts** OU, create the following underlying OUs: + 1. Admins + 2. 
Service Accounts + 3. Users +4. In the **Contoso / Computers** OU, create the following underlying OUs: + 1. Servers + 2. Workstations +5. In the **Contoso / Groups** OU, create the following OU: + - Security Groups + +![figure 6](images/mdt-05-fig07.png) + +Figure 6. A sample of how the OU structure will look after all the OUs are created. + +## Create the MDT service account + +When creating a reference image, you need an account for MDT. The MDT Build Account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. +1. On DC01, using Active Directory User and Computers, browse to **contoso.com / Contoso / Service Accounts**. +2. Select the **Service Accounts** OU and create the **MDT\_BA** account using the following settings: + 1. Name: MDT\_BA + 2. User logon name: MDT\_BA + 3. Password: P@ssw0rd + 4. User must change password at next logon: Clear + 5. User cannot change password: Selected + 6. Password never expires: Selected + +## Create and share the logs folder + +By default MDT stores the log files locally on the client. In order to capture a reference image, you will need to enable server-side logging and, to do that, you will need to have a folder in which to store the logs. For more information, see [Create a Windows 10 reference image](create-a-windows-10-reference-image.md). + +1. On MDT01, log on as **CONTOSO\\Administrator**. +2. Create and share the **E:\\Logs** folder by running the following commands in an elevated Windows PowerShell prompt: + + ``` syntax + New-Item -Path E:\Logs -ItemType directory + New-SmbShare -Name Logs$ -Path E:\Logs -ChangeAccess EVERYONE + icacls E:\Logs /grant '"MDT_BA":(OI)(CI)(M)' + ``` + +![figure 7](images/mdt-05-fig08.png) + +Figure 7. The Sharing tab of the E:\\Logs folder after sharing it with PowerShell. 
+ +## Use CMTrace to read log files (optional) + +The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace (CMTrace), which is available as part [of Microsoft System Center 2012 R2 Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You can use Notepad, but CMTrace formatting makes the logs easier to read. + +![figure 8](images/mdt-05-fig09.png) + +Figure 8. An MDT log file opened in Notepad. + +![figure 9](images/mdt-05-fig10.png) + + +Figure 9. The same log file, opened in CMTrace, is much easier to read. +## Related topics + +[Key features in MDT](key-features-in-mdt.md) + +[MDT Lite Touch components](mdt-lite-touch-components.md) diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index ea62cd3903..7e6facd287 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md 
@@ -154,15 +154,15 @@ Figure 7. The E:\\Sources\\OSD folder structure.
 ## Integrate Configuration Manager with MDT
-To extend the Configuration Manager console with MDT 2013 Update 2 wizards and templates, you install MDT 2013 Update 2 in the default location and run the integration setup. In these steps, we assume you have downloaded MDT 2013 Update 2 to the C:\\Setup\\MDT2013 folder on CM01.
+To extend the Configuration Manager console with MDT wizards and templates, you install MDT in the default location and run the integration setup. In these steps, we assume you have downloaded MDT to the C:\\Setup\\MDT2013 folder on CM01.
 1. On CM01, log on as Administrator in the CONTOSO domain using the password **P@ssw0rd**.
 2. Make sure the Configuration Manager Console is closed before continuing.
-3. Using File Explorer, navigate to the **C:\\Setup\\MDT 2013** folder.
+3. Using File Explorer, navigate to the **C:\\Setup\\MDT** folder.
-4. Run the MDT 2013 setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
+4. Run the MDT setup (MicrosoftDeploymentToolkit2013\_x64.msi), and use the default options in the setup wizard.
 5. From the Start screen, run Configure ConfigManager Integration with the following settings:
@@ -172,7 +172,7 @@ To extend the Configuration Manager console with MDT 2013 Update 2 wizards and t
 ![figure 8](images/mdt-06-fig08.png)
-Figure 8. Set up the MDT 2013 Update 2 integration with Configuration Manager.
+Figure 8. Set up the MDT integration with Configuration Manager.
 ## Configure the client settings
@@ -248,7 +248,7 @@ Configuration Manager has many options for starting a deployment, but starting v
 ## Related topics
-[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md)
+[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md)
 [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
diff --git a/windows/deploy/provision-pcs-for-initial-deployment.md b/windows/deploy/provision-pcs-for-initial-deployment.md
deleted file mode 100644
index 86c8e234ff..0000000000
--- a/windows/deploy/provision-pcs-for-initial-deployment.md
+++ /dev/null
@@ -1,123 +0,0 @@ ---- -title: Provision PCs with common settings (Windows 10) -description: Create a provisioning package to apply common settings to a PC running Windows 10. -ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E -keywords: ["runtime provisioning", "provisioning package"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Provision PCs with common settings for initial deployment (simple provisioning) - - -**Applies to** - -- Windows 10 - -This topic explains how to create and apply a simple provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home. - -You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. - -## Advantages -- You can configure new devices without reimaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](provisioning-packages.md) - -## What does simple provisioning do? - -In a simple provisioning package, you can configure: - -- Device name -- Upgraded product edition -- Wi-Fi network -- Active Directory enrollment -- Local administrator account - -Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. To learn about provisioning packages that include more than the settings in a simple provisioning package, see [Provision PCs with apps and certificates](provision-pcs-with-apps-and-certificates.md). - -> [!TIP] -> Use simple provisioning to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. 
- -![open advanced editor](images/icd-simple-edit.png) - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. [Install the ADK and select **Configuration Designer**.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - -1. Open Windows ICD (by default, %windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe). - -2. Click **Simple provisioning**. - - ![ICD start options](images/icdstart-option.png) - -3. Name your project and click **Finish**. The screens for simple provisioning will walk you through the following steps. - - ![ICD simple provisioning](images/icd-simple.png) - -4. In the **Set up device** step, enter a unique 15-character name for the device. For help generating a unique name, you can use %SERIAL%, which includes a hardware-specific serial number, or you can use %RAND:x%, which generates random characters of x length. - -5. (*Optional*) You can upgrade the following editions of Windows 10 by providing a product key for the edition to upgrade to. - - Pro to Education - - Pro to Enterprise - - Enterprise to Education - -6. Click **Set up network**. - -7. Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, type, and (if required) password for the wireless network. - -8. Click **Enroll into Active Directory**. - -9. Toggle **Yes** or **No** for Active Directory enrollment. If you select **Yes**, enter the credentials for an account with permissions to enroll the device. (*Optional*) Enter a user name and password to create a local administrator account. - - > **Warning**: If you don't create a local administrator account and the device fails to enroll in Active Directory for any reason, you will have to reimage the device and start over. 
As a best practice, we recommend: - - Use a least-privileged domain account to join the device to the domain. - - Create a temporary administrator account to use for debugging or reprovisioning if the device fails to enroll successfully. - - [Use Group Policy to delete the temporary administrator account](https://blogs.technet.microsoft.com/canitpro/2014/12/10/group-policy-creating-a-standard-local-admin-account/) after the device is enrolled in Active Directory. - -10. Click **Finish**. - -11. Review your settings in the summary. You can return to previous pages to change your selections. Then, under **Protect your package**, toggle **Yes** or **No** to encrypt the provisioning package. If you select **Yes**, enter a password. This password must be entered to apply the encrypted provisioning package. - -12. Click **Create**. - -> [!IMPORTANT] -> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. 
- - - **Next step**: [How to apply a provisioning package](provisioning-apply-package.md) - - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -  -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - - diff --git a/windows/deploy/provisioning-install-icd.md b/windows/deploy/provisioning-install-icd.md deleted file mode 100644 index 9727bc089d..0000000000 --- a/windows/deploy/provisioning-install-icd.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: Install Windows Imaging and Configuration Designer (Windows 10) -description: Learn how to install and run Windows ICD. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Install Windows Imaging and Configuration Designer (ICD) - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Use the Windows Imaging and Configuration Designer (ICD) tool in the Windows Assessment and Deployment Kit (ADK) to create provisioning packages to easily configure devices running Windows 10. Windows ICD is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices. - -## Supported platforms - -Windows ICD can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core. You can run Windows ICD on the following operating systems: - -- Windows 10 - x86 and amd64 -- Windows 8.1 Update - x86 and amd64 -- Windows 8.1 - x86 and amd64 -- Windows 8 - x86 and amd64 -- Windows 7 - x86 and amd64 -- Windows Server 2016 -- Windows Server 2012 R2 Update -- Windows Server 2012 R2 -- Windows Server 2012 -- Windows Server 2008 R2 - -## Install Windows ICD - -1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511 or version 1607). - - >[!NOTE] - >The rest of this procedure uses Windows ADK for Windows 10, version 1607 as an example. - -2. Save **adksetup.exe** and then run it. - -3. On the **Specify Location** page, select an installation path and then click **Next**. - >[!NOTE] - >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows ICD, the space requirement is approximately 32 MB. -4. 
Make a selection on the **Windows Kits Privacy** page, and then click **Next**. - -5. Accept the **License Agreement**, and then click **Next**. - -6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**. - - ![Only Configuration Designer selected for installation](images/icd-install.png) - -## Current Windows ICD limitations - - -- You can only run one instance of Windows ICD on your computer at a time. - -- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process. - -- The Windows ICD UI does not support multivariant configurations. Instead, you must use the Windows ICD command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). - -- While you can open multiple projects at the same time within Windows ICD, you can only build one project at a time. - -- In order to enable the simplified authoring jscripts to work on a server SKU running Windows ICD, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**. - -- If you copy a Windows ICD project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC. - - For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows ICD. 
If you don't do this, and attempt to use a copied version of this project on a different PC, Windows ICD might attempt to resolve the path to the files that point to the original PC. - -- **Recommended**: Before starting, copy all source files to the PC running Windows ICD, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device. - -**Next step**: [How to create a provisioning package](provisioning-create-package.md) - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics - -- [Provisioning packages for Windows 10](provisioning-packages.md) -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - -  - -  - - - - - 
diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md
deleted file mode 100644
index 557bf3e595..0000000000
--- a/windows/deploy/provisioning-packages.md
+++ /dev/null
@@ -1,127 +0,0 @@ ---- -title: Provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Provisioning packages for Windows 10 - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers. - -A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. - -Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization. - -The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Imaging and Configuration Designer (ICD), a tool for configuring provisioning packages. - -## New in Windows 10, version 1607 - -Windows ICD for Windows 10, version 1607, simplifies common provisioning scenarios. 
- -![Configuration Designer options](images/icd.png) - -Windows ICD in Windows 10, version 1607, supports the following scenarios for IT administrators: - -* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner. - - > [Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md) - -* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices. - - > [Learn how to use advanced provisioning to configure Windows 10 computers with apps and certificates.](provision-pcs-with-apps-and-certificates.md) - -* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include: - - * System Center Configuration Manager and Microsoft Intune hybrid (certificate-based enrollment) - * AirWatch (password-string based enrollment) - * Mobile Iron (password-string based enrollment) - * Other MDMs (cert-based enrollment) - -> [!NOTE] -> Windows ICD in Windows 10, version 1607, also provides a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](https://technet.microsoft.com/edu/windows/index). 
- -## Benefits of provisioning packages - - -Provisioning packages let you: - -- Quickly configure a new device without going through the process of installing a new image. - -- Save time by configuring multiple devices using one provisioning package. - -- Quickly configure employee-owned devices in an organization without a mobile device management (MDM) infrastructure. - -- Set up a device without the device having network connectivity. - -Provisioning packages can be: - -- Installed using removable media such as an SD card or USB flash drive. - -- Attached to an email. - -- Downloaded from a network share. - -## What you can configure - - -The following table provides some examples of what you can configure using provisioning packages. - -| Customization options | Examples | -|--------------------------|-----------------------------------------------------------------------------------------------| -| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters | -| Applications | Windows apps, line-of-business applications | -| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* | -| Certificates | Root certification authority (CA), client certificates | -| Connectivity profiles | Wi-Fi, proxy settings, Email | -| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings | -| Data assets | Documents, music, videos, pictures | -| Start menu customization | Start menu layout, application pinning | -| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on | -\* Using a provisioning package for auto-enrollment to System Center Configuration Manager or Configuration Manager/Intune hybrid is not supported. Use the Configuration Manager console to enroll devices. 
-  - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Learn more - -- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics - -- [How provisioning works in Windows 10](provisioning-how-it-works.md) -- [Install Windows Imaging and Configuration Designer](provisioning-install-icd.md) -- [Create a provisioning package](provisioning-create-package.md) -- [Apply a provisioning package](provisioning-apply-package.md) -- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md) -- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md) -- [Provision PCs with apps and certificates for initial deployments (advanced provisioning)](provision-pcs-with-apps-and-certificates.md) -- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md) -- [NFC-based device provisioning](provisioning-nfc.md) -- [Windows ICD command-line interface (reference)](provisioning-command-line.md) -- [Create a provisioning package with multivariant settings](provisioning-multivariant.md) - - - - - -  - -  - - - - - diff --git a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 6f41793f47..9e7878aea9 100644 --- a/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md 
@@ -120,7 +120,7 @@ Now you can start the computer refresh on PC0003. ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md index 91eb3986c7..671ef7c573 100644 --- a/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md +++ b/windows/deploy/refresh-a-windows-7-computer-with-windows-10.md @@ -1,6 +1,6 @@ --- title: Refresh a Windows 7 computer with Windows 10 (Windows 10) -description: This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. +description: This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. ms.assetid: 2866fb3c-4909-4c25-b083-6fc1f7869f6f keywords: reinstallation, customize, template, script, restore ms.prod: w10 
@@ -16,7 +16,7 @@ author: mtniehaus **Applies to** - Windows 10 -This topic will show you how to use MDT 2013 Update 2 Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. +This topic will show you how to use MDT Lite Touch Installation (LTI) to upgrade a Windows 7 computer to a Windows 10 computer using the computer refresh process. The refresh scenario, or computer refresh, is a reinstallation of an operating system on the same machine. You can refresh the machine to the same operating system as it is currently running, or to a later version. For the purposes of this topic, we will use three machines: DC01, MDT01, and PC0001. DC01 is a domain controller and MDT01 is a Windows Server 2012 R2 Standard server. PC0001 is a machine with Windows 7 Service Pack 1 (SP1) that is going to be refreshed into a Windows 10 machine, with data and settings restored. MDT01 and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). 
@@ -119,10 +119,10 @@ Figure 2. Starting the computer refresh from the running Windows 7 SP1 client. [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 397914bb14..18d714b7ee 100644 --- a/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -38,7 +38,7 @@ In this topic, you will create a backup-only task sequence that you run on PC000 4. On the **Boot Image** page, browse and select the **Zero Touch WinPE x64** boot image package. Then click **Next**. -5. On the **MDT Package** page, browse and select the **OSD / MDT 2013** package. Then click **Next**. +5. On the **MDT Package** page, browse and select the **OSD / MDT** package. Then click **Next**. 6. On the **USMT Package** page, browse and select the O**SD / Microsoft Corporation User State Migration Tool for Windows 8 10.0.10240.16384** package. Then click **Next**. 
@@ -204,7 +204,7 @@ When the process is complete, you will have a new Windows 10 machine in your dom ## Related topics -[Integrate Configuration Manager with MDT 2013 Update 2](integrate-configuration-manager-with-mdt-2013.md) +[Integrate Configuration Manager with MDT](integrate-configuration-manager-with-mdt.md) [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index a3e51c36b6..28c9c32005 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md @@ -138,10 +138,10 @@ During a computer replace, these are the high-level steps that occur: [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) -[Deploy a Windows 10 image using MDT 2013 Update 2](deploy-a-windows-10-image-using-mdt.md) +[Deploy a Windows 10 image using MDT](deploy-a-windows-10-image-using-mdt.md) [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md) [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) -[Configure MDT settings](configure-mdt-2013-settings.md) +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deploy/resolve-windows-10-upgrade-errors.md b/windows/deploy/resolve-windows-10-upgrade-errors.md index b49144c4ca..ecd6b073b2 100644 --- a/windows/deploy/resolve-windows-10-upgrade-errors.md +++ b/windows/deploy/resolve-windows-10-upgrade-errors.md 
@@ -1,8 +1,8 @@ --- -title: Resolve Windows 10 upgrade errors -description: Resolve Windows 10 upgrade errors +title: Resolve Windows 10 upgrade errors - Windows IT Pro +description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -11,7 +11,7 @@ author: greg-lindsay localizationpriority: high --- -# Resolve Windows 10 upgrade errors +# Resolve Windows 10 upgrade errors : Technical information for IT Pros **Applies to** - Windows 10 @@ -251,13 +251,15 @@ See the following example: ### Analyze log files +>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](#upgrade-error-codes) section in this guide to familiarize yourself with [result codes](#result-codes) and [extend codes](#extend-codes). +

        To analyze Windows Setup log files:

          -
        1. Determine the Windows Setup error code. +
        2. Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
        3. Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
        4. Open the log file in a text editor, such as notepad. -
        5. Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. +
        6. Using the [result code](#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
        7. To find the last occurrence of the result code:
          1. Scroll to the bottom of the file and click after the last character. @@ -558,11 +560,13 @@ For more information, see [How to perform a clean boot in Windows](https://suppo + ### 0x800xxxxx + Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. -

            See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: +See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: diff --git a/windows/deploy/set-up-mdt-2013-for-bitlocker.md b/windows/deploy/set-up-mdt-2013-for-bitlocker.md index 16b405ad57..1e417fd432 100644 --- a/windows/deploy/set-up-mdt-2013-for-bitlocker.md +++ b/windows/deploy/set-up-mdt-2013-for-bitlocker.md 
@@ -1,159 +1,5 @@ --- title: Set up MDT for BitLocker (Windows 10) -ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 -description: -keywords: disk, encryption, TPM, configure, secure, script -ms.prod: w10 -ms.mktglfcycl: deploy -localizationpriority: high -ms.sitesec: library -ms.pagetype: mdt -author: mtniehaus +redirect_url: set-up-mdt-for-bitlocker --- -# Set up MDT for BitLocker - -This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: -- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. -- Multiple partitions on the hard drive. - -To configure your environment for BitLocker, you will need to do the following: - -1. Configure Active Directory for BitLocker. -2. Download the various BitLocker scripts and tools. -3. Configure the operating system deployment task sequence for BitLocker. -4. Configure the rules (CustomSettings.ini) for BitLocker. - -**Note**   -Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. 
-  -For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). - -## Configure Active Directory for BitLocker - -To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. - -**Note**   -Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. -  -In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. - -![figure 2](images/mdt-09-fig02.png) - -Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain. - -### Add the BitLocker Drive Encryption Administration Utilities - -The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): - -1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**. -2. On the **Before you begin** page, click **Next**. -3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**. -4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**. -5. 
On the **Select server roles** page, click **Next**. -6. On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**: - 1. BitLocker Drive Encryption Administration Utilities - 2. BitLocker Drive Encryption Tools - 3. BitLocker Recovery Password Viewer -7. On the **Confirm installation selections** page, click **Install** and then click **Close**. - -![figure 3](images/mdt-09-fig03.png) - -Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities. - -### Create the BitLocker Group Policy - -Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. -1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. -2. Assign the name **BitLocker Policy** to the new Group Policy. -3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: - Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives - 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: - 1. Allow data recovery agent (default) - 2. Save BitLocker recovery information to Active Directory Domain Services (default) - 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives - 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. - 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services - 4. 
Enable the **Turn on TPM backup to Active Directory Domain Services** policy. - -**Note**   -If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. -  -### Set permissions in Active Directory for BitLocker - -In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. -1. On DC01, start an elevated PowerShell prompt (run as Administrator). -2. Configure the permissions by running the following command: - - ``` syntax - cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs - ``` - -![figure 4](images/mdt-09-fig04.png) - -Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. - -## Add BIOS configuration tools from Dell, HP, and Lenovo - -If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. - -### Add tools from Dell - -The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool: -``` syntax -cctk.exe --tpm=on --valsetuppwd=Password1234 -``` -### Add tools from HP - -The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. 
This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: - -``` syntax -BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 -``` -And the sample content of the TPMEnable.REPSET file: - -``` syntax -English -Activate Embedded Security On Next Boot -*Enable -Embedded Security Activation Policy -*No prompts -F1 to Boot -Allow user to reject -Embedded Security Device Availability -*Available -``` -### Add tools from Lenovo - -The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools: -``` syntax -cscript.exe SetConfig.vbs SecurityChip Active -``` -## Configure the Windows 10 task sequence to enable BitLocker - -When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. -- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. 
- **Note**   - It is common for organizations wrapping these tools in scripts to get additional logging and error handling. -   -- **Restart computer.** Self-explanatory, reboots the computer. -- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. -- **Enable BitLocker.** Runs the built-in action to activate BitLocker. - -## Related topics - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) - -[Use web services in MDT](use-web-services-in-mdt-2013.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) diff --git a/windows/deploy/set-up-mdt-for-bitlocker.md b/windows/deploy/set-up-mdt-for-bitlocker.md new file mode 100644 index 0000000000..5047b0b791 --- /dev/null +++ b/windows/deploy/set-up-mdt-for-bitlocker.md 
@@ -0,0 +1,159 @@ +--- +title: Set up MDT for BitLocker (Windows 10) +ms.assetid: 386e6713-5c20-4d2a-a220-a38d94671a38 +description: +keywords: disk, encryption, TPM, configure, secure, script +ms.prod: w10 +ms.mktglfcycl: deploy +localizationpriority: high +ms.sitesec: library +ms.pagetype: mdt +author: mtniehaus +--- + +# Set up MDT for BitLocker + +This topic will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment: +- A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password. Technically, you also can use a USB stick to store the protector, but it's not a practical approach as the USB stick can be lost or stolen. We, therefore, recommend that you instead use a TPM chip and/or a password. +- Multiple partitions on the hard drive. + +To configure your environment for BitLocker, you will need to do the following: + +1. Configure Active Directory for BitLocker. +2. Download the various BitLocker scripts and tools. +3. Configure the operating system deployment task sequence for BitLocker. +4. Configure the rules (CustomSettings.ini) for BitLocker. + +**Note**   +Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. +  +For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. 
For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). + +## Configure Active Directory for BitLocker + +To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. + +**Note**   +Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. +  +In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. + +![figure 2](images/mdt-09-fig02.png) + +Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain. + +### Add the BitLocker Drive Encryption Administration Utilities + +The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell): + +1. On DC01, log on as **CONTOSO\\Administrator**, and, using Server Manager, click **Add roles and features**. +2. On the **Before you begin** page, click **Next**. +3. On the **Select installation type** page, select **Role-based or feature-based installation**, and click **Next**. +4. On the **Select destination server** page, select **DC01.contoso.com** and click **Next**. +5. On the **Select server roles** page, click **Next**. +6. 
On the **Select features** page, expand **Remote Server Administration Tools**, expand **Feature Administration Tools**, select the following features, and then click **Next**: + 1. BitLocker Drive Encryption Administration Utilities + 2. BitLocker Drive Encryption Tools + 3. BitLocker Recovery Password Viewer +7. On the **Confirm installation selections** page, click **Install** and then click **Close**. + +![figure 3](images/mdt-09-fig03.png) + +Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities. + +### Create the BitLocker Group Policy + +Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile. +1. On DC01, using Group Policy Management, right-click the **Contoso** organizational unit (OU), and select **Create a GPO in this domain, and Link it here**. +2. Assign the name **BitLocker Policy** to the new Group Policy. +3. Expand the **Contoso** OU, right-click the **BitLocker Policy**, and select **Edit**. Configure the following policy settings: + Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives + 1. Enable the **Choose how BitLocker-protected operating system drives can be recovered** policy, and configure the following settings: + 1. Allow data recovery agent (default) + 2. Save BitLocker recovery information to Active Directory Domain Services (default) + 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives + 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. + 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. + Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services + 4. 
Enable the **Turn on TPM backup to Active Directory Domain Services** policy. + +**Note**   +If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +  +### Set permissions in Active Directory for BitLocker + +In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://go.microsoft.com/fwlink/p/?LinkId=167133) from Microsoft to C:\\Setup\\Scripts on DC01. +1. On DC01, start an elevated PowerShell prompt (run as Administrator). +2. Configure the permissions by running the following command: + + ``` syntax + cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs + ``` + +![figure 4](images/mdt-09-fig04.png) + +Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01. + +## Add BIOS configuration tools from Dell, HP, and Lenovo + +If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper. + +### Add tools from Dell + +The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool: +``` syntax +cctk.exe --tpm=on --valsetuppwd=Password1234 +``` +### Add tools from HP + +The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. 
This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool: + +``` syntax +BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234 +``` +And the sample content of the TPMEnable.REPSET file: + +``` syntax +English +Activate Embedded Security On Next Boot +*Enable +Embedded Security Activation Policy +*No prompts +F1 to Boot +Allow user to reject +Embedded Security Device Availability +*Available +``` +### Add tools from Lenovo + +The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools: +``` syntax +cscript.exe SetConfig.vbs SecurityChip Active +``` +## Configure the Windows 10 task sequence to enable BitLocker + +When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. +- **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. 
+ **Note**   + It is common for organizations wrapping these tools in scripts to get additional logging and error handling. +   +- **Restart computer.** Self-explanatory, reboots the computer. +- **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. +- **Enable BitLocker.** Runs the built-in action to activate BitLocker. + +## Related topics + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use web services in MDT](use-web-services-in-mdt.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) diff --git a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md index 3677031293..ba135d788d 100644 --- a/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deploy/simulate-a-windows-10-deployment-in-a-test-environment.md 
@@ -50,16 +50,16 @@ Figure 7. The ZTIGather.log file from PC0001, displaying some of its hardware ca ## Related topics -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) -[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) -[Use web services in MDT](use-web-services-in-mdt-2013.md) +[Use web services in MDT](use-web-services-in-mdt.md) -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md) \ No newline at end of file +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) \ No newline at end of file diff --git a/windows/deploy/troubleshoot-upgrade-analytics.md b/windows/deploy/troubleshoot-upgrade-analytics.md index 03c096cc19..dc7f8428f2 100644 --- a/windows/deploy/troubleshoot-upgrade-analytics.md +++ b/windows/deploy/troubleshoot-upgrade-analytics.md 
@@ -1,38 +1,4 @@ --- title: Troubleshoot Upgrade Analytics (Windows 10) -description: Provides troubleshooting information for Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: troubleshoot-upgrade-readiness --- - -# Troubleshoot Upgrade Analytics - -If you’re having issues seeing data in Upgrade Analytics after running the Upgrade Analytics Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error. - -If you still don’t see data in Upgrade Analytics, follow these steps: - -1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included. - -2. Edit the script as described in [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md). - -3. Check that isVerboseLogging is set to $true. - -4. Run the script again. Log files will be saved to the directory specified in the script. - -5. Open a support case with Microsoft Support through your regular channel and provide this information. - -## Disable Upgrade Analytics - -If you want to stop using Upgrade Analytics and stop sending telemetry data to Microsoft, follow these steps: - -1. Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. - - ![Upgrade Analytics unsubscribe](images/upgrade-analytics-unsubscribe.png) - -2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. 
On computers running Windows 10, set the telemetry level to **Security**: - - **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* - **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic. - -3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. -4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**. diff --git a/windows/deploy/troubleshoot-upgrade-readiness.md b/windows/deploy/troubleshoot-upgrade-readiness.md new file mode 100644 index 0000000000..2cc9bf9340 --- /dev/null +++ b/windows/deploy/troubleshoot-upgrade-readiness.md 
@@ -0,0 +1,38 @@ +--- +title: Troubleshoot Upgrade Readiness (Windows 10) +description: Provides troubleshooting information for Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Troubleshoot Upgrade Readiness + +If you’re having issues seeing data in Upgrade Readiness after running the Upgrade Readiness Deployment script, make sure it completes successfully without any errors. Check the output of the script in the command window and/or log UA_dateTime_machineName.txt to ensure all steps were completed successfully. In addition, we recommend that you wait at least 48 hours before checking OMS for data after the script first completes without reporting any error. + +If you still don’t see data in Upgrade Readiness, follow these steps: + +1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included . + +2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md). + +3. Check that isVerboseLogging is set to $true. + +4. Run the script again. Log files will be saved to the directory specified in the script. + +5. Open a support case with Microsoft Support through your regular channel and provide this information. + +## Disable Upgrade Readiness + +If you want to stop using Upgrade Readiness and stop sending telemetry data to Microsoft, follow these steps: + +1. Unsubscribe from the Upgrade Readiness solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. + + ![Upgrade Readiness unsubscribe](images/upgrade-analytics-unsubscribe.png) + +2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. 
On computers running Windows 10, set the telemetry level to **Security**: + + **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* + **Windows 10**: Follow the instructions in the [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#enterprise-management) topic. + +3. If you enabled **Internet Explorer Site Discovery**, you can disable Internet Explorer data collection by setting the *IEDataOptIn* registry key to value "0". The IEDataOptIn key can be found under: *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*. +4. You can also remove the “CommercialId” key from: "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection". **This is an optional step**. diff --git a/windows/deploy/update-windows-10-images-with-provisioning-packages.md b/windows/deploy/update-windows-10-images-with-provisioning-packages.md deleted file mode 100644 index d292a6cba0..0000000000 --- a/windows/deploy/update-windows-10-images-with-provisioning-packages.md +++ /dev/null 
@@ -1,124 +0,0 @@ ---- -title: Update Windows 10 images with provisioning packages (Windows 10) -description: Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. -ms.assetid: 3CA345D2-B60A-4860-A3BF-174713C3D3A6 -keywords: provisioning, bulk deployment, image -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS ---- - -# Update Windows 10 images with provisioning packages -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Use a provisioning package to apply settings, profiles, and file assets to a Windows 10 image. - -In Windows 10, you can apply a provisioning package at any time. A provisioning package can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. - -You can include provisioning packages when you build a Windows image. This way, you can create a single provisioning package that you can add to different hardware-specific images. - -You can also put a provisioning package on a USB drive or SD card to apply to off-the-shelf devices. You can even send the provisioning package to someone in email. - -Rather than wiping a device and applying a new system image when you need to change configuration, you can reset the device to its original state and then apply a new provisioning package. - -For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012). - -## Advantages -- You can configure new devices without reimaging. - -- Works on both mobile and desktop devices. - -- No network connectivity required. - -- Simple for people to apply. - -- Ensure compliance and security before a device is enrolled in MDM. 
- -## Create package -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a runtime provisioning package. [Install the ADK.](https://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). - -2. Choose **New provisioning package**. - -3. Name your project, and click **Next**. - -4. Choose **Common to all Windows editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Configure settings. [Learn more about specific settings in provisioning packages.]( https://go.microsoft.com/fwlink/p/?LinkId=615916) - -7. On the **File** menu, select **Save.** - -8. On the **Export** menu, select **Provisioning package**. - -9. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -10. Set a value for **Package Version**. - - **Tip**   - You can make changes to existing packages and change the version number to update previously applied packages. - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - - **Important**   - We recommend that you include a trusted provisioning certificate in your provisioning package. 
When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -12. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

            -Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

            -If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

            -If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -16. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods: - - - Shared network folder - - - SharePoint site - - - Removable media (USB/SD) - - - Email - - - USB tether (mobile only) - - - NFC (mobile only) - -## Add package to image -**To add a provisioning package to Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)** - -- Follow the steps in the "To build an image for Windows 10 for desktop editions" section in [Use the Windows ICD command-line interface]( https://go.microsoft.com/fwlink/p/?LinkId=617371). - -**To add a provisioning package to a Windows 10 Mobile image** - -- Follow the steps in the "To build an image for Windows 10 Mobile or Windows 10 IoT Core (IoT Core)" section in [Use the Windows ICD command-line interface]( https://go.microsoft.com/fwlink/p/?LinkId=617371).

            -The provisioning package is placed in the FFU image and is flashed or sector written to the device. During device setup time, the provisioning engine starts and consumes the packages. - -## Learn more -- [Build and apply a provisioning package]( https://go.microsoft.com/fwlink/p/?LinkId=629651) - -- [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921) - -- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922) - -## Related topics -- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-additional-insights.md b/windows/deploy/upgrade-analytics-additional-insights.md index fd99d97682..3a3dd06910 100644 --- a/windows/deploy/upgrade-analytics-additional-insights.md +++ b/windows/deploy/upgrade-analytics-additional-insights.md 
@@ -1,81 +1,4 @@ --- title: Upgrade Analytics - Additional insights -description: Explains additional features of Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-additional-insights --- - -# Upgrade Analytics - Additional insights - -This topic provides information on additional features that are available in Upgrade Analytics to provide insights into your environment. These include: - -- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7 or Windows 8.1 using Internet Explorer. -- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. - -## Site discovery - -The site discovery feature in Upgrade Analytics provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. - -> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. 
- -### Install prerequisite security update for Internet Explorer - -Ensure the following prerequisites are met before using site discovery: - -1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. -2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)). -3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) to allow Internet Explorer data collection before you run it. - - If necessary, you can also enable it by creating the following registry entry. - - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection - - Entry name: IEDataOptIn - - Data type: DWORD - - Values: - - > *IEOptInLevel = 0 Internet Explorer data collection is disabled* - > - > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* - > - > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* - > - > *IEOptInLevel = 3 Data collection is enabled for all sites* - - For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx). - - ![Create the IEDataOptIn registry key](images/upgrade-analytics-create-iedataoptin.png) - -### Review most active sites - -This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. - -For each site, the fully qualified domain name will be listed. 
You can sort the data by domain name or by URL. - -![Most active sites](Images/upgrade-analytics-most-active-sites.png) - -Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. - -![Site domain detail](images/upgrade-analytics-site-domain-detail.png) - -### Review document modes in use - -This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). - -![Site activity by document mode](images/upgrade-analytics-site-activity-by-doc-mode.png) - -### Run browser-related queries - -You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. - -![](images/upgrade-analytics-query-activex-name.png) - -## Office add-ins - -Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. - -## Related topics - -[Upgrade Analytics release notes](upgrade-analytics-release-notes.md) diff --git a/windows/deploy/upgrade-analytics-architecture.md b/windows/deploy/upgrade-analytics-architecture.md index e7e639105a..d1ab6fecdb 100644 
--- a/windows/deploy/upgrade-analytics-architecture.md +++ b/windows/deploy/upgrade-analytics-architecture.md @@ -1,30 +1,4 @@ --- title: Upgrade Analytics architecture (Windows 10) -description: Describes Upgrade Analytics architecture. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-architecture --- - -# Upgrade Analytics architecture - -Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Analytics components work together in a typical installation. - - - -![Upgrade Analytics architecture](images/upgrade-analytics-architecture.png) - -After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Analytics, telemetry data is analyzed by the Upgrade Analytics Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Analytics solution (5) to plan and manage Windows upgrades. - -For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: - -[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
            -[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
            -[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
            - -##**Related topics** - -[Upgrade Analytics requirements](upgrade-analytics-requirements.md)
            -[Upgrade Analytics release notes](upgrade-analytics-release-notes.md)
            -[Get started with Upgrade Analytics](upgrade-analytics-get-started.md)
            diff --git a/windows/deploy/upgrade-analytics-deploy-windows.md b/windows/deploy/upgrade-analytics-deploy-windows.md
index 57b8c26f7f..76c41c573a 100644
--- a/windows/deploy/upgrade-analytics-deploy-windows.md
+++ b/windows/deploy/upgrade-analytics-deploy-windows.md
@@ -1,97 +1,4 @@ --- title: Upgrade Analytics - Get a list of computers that are upgrade-ready (Windows 10) -description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Analytics. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-deploy-windows --- - -# Upgrade Analytics - Step 3: Deploy Windows - -All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. -The blades in the **Deploy** section are: - -- [Deploy eligible computers](#deploy-eligible-computers) -- [Deploy computers by group](#computer-groups) - ->Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). - -## Deploy eligible computers - -In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: -- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. -- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. -- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. 
- - - -![Deploy eligible computers](images/ua-cg-16.png) - -Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. - ->**Important**
            When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. - -## Computer groups - -Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). - -Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Analytics Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. - -### Getting started with Computer Groups - -When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: - -![Computer groups](images/ua-cg-01.png) - -To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: - -``` -Type=UAComputer Manufacturer=DELL -``` - -![Computer groups](images/ua-cg-02.png) - -When you are satisfied that the query is returning the intended results, add the following text to your search: - -``` -| measure count() by Computer -``` - -This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: - -![Computer groups](images/ua-cg-03.png) - -Your new computer group will now be available in Upgrade Analytics. See the following example: - -![Computer groups](images/ua-cg-04.png) - -### Using Computer Groups - -When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. 
For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. - -![Computer groups](images/ua-cg-05.png) - -Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: - -![Computer groups](images/ua-cg-06.png) - -Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: - -![Computer groups](images/ua-cg-07.png) - -A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. - -### Upgrade assessment - -Upgrade assessment and guidance details are explained in the following table. - -| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | -|-----------------------|------------------------------------------------|----------|-----------------|---------------| -| No known issues | No | None | Computers will upgrade seamlessly.
            | OK to use as-is in pilot. | -| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | -| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

            If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

            | - -Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. - ->**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-deployment-script.md b/windows/deploy/upgrade-analytics-deployment-script.md index a189c5290f..0db5694e53 100644 --- a/windows/deploy/upgrade-analytics-deployment-script.md +++ b/windows/deploy/upgrade-analytics-deployment-script.md 
@@ -1,101 +1,4 @@ --- title: Upgrade Analytics deployment script (Windows 10) -description: Deployment script for Upgrade Analytics. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Upgrade Analytics deployment script - -To automate the steps provided in [Get started with Upgrade Analytics](upgrade-analytics-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. - -For detailed information about using the upgrade analytics deployment script, also see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). - -> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). - -The Upgrade Analytics deployment script does the following: - -1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys. -2. Verifies that user computers can send data to Microsoft. -3. Checks whether the computer has a pending restart.   -4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). -5. If enabled, turns on verbose mode for troubleshooting. -6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness. -7. If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file. - -To run the Upgrade Analytics deployment script: - -1. 
Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. - -2. Edit the following parameters in RunConfig.bat: - - 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics - - 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry. - - 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options: - - > *logMode = 0 log to console only* -> - > *logMode = 1 log to file and console* -> - > *logMode = 2 log to file only* - -3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. 
Then use one of the following options to determine what Internet Explorer data can be collected: - - > *IEOptInLevel = 0 Internet Explorer data collection is disabled* - > - > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* - > - > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* - > - > *IEOptInLevel = 3 Data collection is enabled for all sites* - -4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. - -The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. - -

            - -
            -
            Exit codeMeaningSuggested fix -
            0Success -
            1Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. -
            2Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again. -
            3Error when logging to console and file. $logMode = 1.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. -
            4Error when logging to file. $logMode = 2.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. -
            5Error when logging to console and file. $logMode = unknown.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. -
            6The commercialID parameter is set to unknown. Modify the script.Set the value for CommercialID in runconfig.bat file. -
            8Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. Verify that the configuration script has access to this location. -
            9Error when writing CommercialId to registry.Verify that the configuration script has access to this location. -
            10Error when writing CommercialDataOptIn to registry.Verify that the configuration script has access to this location. -
            11Function -SetupCommercialId: Unexpected failure.Verify that the configuration script has access to this location. -
            12Can’t connect to Microsoft – Vortex. Check your network/proxy settings.Verify that the required endpoints are whitelisted correctly. -
            13Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly. -
            14Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted. -
            15Error connecting to Microsoft:Unexpected failure. -
            16Machine requires reboot. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. -
            17Function -CheckRebootRequired: Unexpected failure.The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. -
            18Outdated compatibility update KB package. Update via Windows Update/WSUS. -The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1. -
            19The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. -
            20Error writing RequestAllAppraiserVersions registry key. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. -
            21Function – SetRequestAllAppraiserVersions: Unexpected failure.This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. -
            22RunAppraiser failed with unexpected exception. Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file. -
            23Error finding system variable %WINDIR%. Make sure that this environment variable is available on the machine. -
            24SetIEDataOptIn failed when writing IEDataOptIn to registry. Verify that the deployment script in running in a context that has access to the registry key. -
            25SetIEDataOptIn failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. -
            26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs. -
            27The script is not running under System account.The Upgrade Analytics configuration script must be run as system. -
            28Could not create log file at the specified logPath. Make sure the deployment script has access to the location specified in the logPath parameter. -
            29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). -
            30Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). -
            31There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script. -**The Upgrade Analytics task is scheduled to run daily at 3 a.m.** -
            - -

    - +redirect_url: upgrade-readiness-deployment-script +--- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 58a6877174..575fd2ed00 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -1,130 +1,4 @@ --- title: Get started with Upgrade Analytics (Windows 10) -description: Explains how to get started with Upgrade Analytics. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -author: greg-lindsay ---- - -# Get started with Upgrade Analytics - -This topic explains how to obtain and configure Upgrade Analytics for your organization. - -You can use Upgrade Analytics to plan and manage your upgrade project end-to-end. Upgrade Analytics works by establishing communications between computers in your organization and Microsoft. Upgrade Analytics collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft. - -Before you begin, consider reviewing the following helpful information:
    - - [Upgrade Analytics requirements](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements): Provides detailed requirements to use Upgrade Analytics.
    - - [Upgrade Analytics blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Analytics. - ->If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Analytics with Configuration Manager: [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). - -When you are ready to begin using Upgrade Analytics, perform the following steps: - -1. Review [data collection and privacy](#data-collection-and-privacy) information. -2. [Add Upgrade Analytics to OMS](#add-upgrade-analytics-to-operations-management-suite). -3. [Enable data sharing](#enable-data-sharing). -4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment. -5. [Deploy Upgrade Analytics at scale](#deploy-upgrade-analytics-at-scale). - -## Data collection and privacy - -To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. 
For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics: - -- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) -- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) - -## Add Upgrade Analytics to Operations Management Suite - -Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). - -If you are already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Select the **Upgrade Analytics** tile in the gallery and then click **Add** on the solution's details page. Upgrade Analytics is now visible in your workspace. - -If you are not using OMS: - -1. Go to the [Upgrade Analytics page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process. -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new OMS workspace. 
Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. -4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. - - > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. - -1. To add the Upgrade Analytics solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Analytics** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Analytics. - -2. Click the **Upgrade Analytics** tile to configure the solution. The **Settings Dashboard** opens. - -### Generate your commercial ID key - -Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers. - -1. On the Settings Dashboard, navigate to the **Windows telemetry** panel. - - ![upgrade-analytics-telemetry](images/upgrade-analytics-telemetry.png) - -2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Analytics deployment script later so it can be deployed to user computers. - - >**Important**
    Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
-
-### Subscribe to Upgrade Analytics
-
-For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Analytics.
-
-1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Analytics solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic.
-
-1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Analytics tile now displays summary data. Click the tile to open Upgrade Analytics.
-
-## Enable data sharing
-
-To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
-
-Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
-
-| **Endpoint** | **Function** |
-|---------------------------------------------------------|-----------|
-| `https://v10.vortex-win.data.microsoft.com/collect/v1`
    `https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
-| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
-| `https://go.microsoft.com/fwlink/?LinkID=544713`
    `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
-
-
-## Deploy the compatibility update and related KBs
-
-The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
-
-| **Operating System** | **KBs** |
-|----------------------|-----------------------------------------------------------------------------|
-| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
    Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
    For more information about this KB, see

    [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
    Provides updated configuration and definitions for compatibility diagnostics performed on the system.
    For more information about this KB, see
    NOTE: KB2976978 must be installed before you can download and install KB3150513. |
-| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
    Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
    For more information about this KB, see

    [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
    Provides updated configuration and definitions for compatibility diagnostics performed on the system.
    For more information about this KB, see
    NOTE: KB2952664 must be installed before you can download and install KB3150513. |
-
-IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
-
-If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.
-
-| **Site discovery** | **KB** |
-|----------------------|-----------------------------------------------------------------------------|
-| [Review site discovery](upgrade-analytics-review-site-discovery.md) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
    Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
    For more information about this KB, see

    Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
-
-### Deploy the Upgrade Analytics deployment script
-
-You can use the Upgrade Analytics deployment script to automate and verify your deployment.
-
-See [Upgrade Analytics deployment script](upgrade-analytics-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed.
-
->After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
-
-## Deploy Upgrade Analytics at scale
-
-When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization.
-
-### Automate data collection
-
-To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
-
-- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
-- Schedule the Upgrade Analytics deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated. 
Computers are re-scanned only when the compatibility KBs are updated, so if your inventory changes significantly between KB releases you won’t see the changes in Upgrade Analytics until you run the script again.
-- Schedule monthly user computer scans to view monthly active computer and usage information.
-
-### Distribute the deployment script at scale
-
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Analytics deployment script at scale. For more information, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
\ No newline at end of file
+redirect_url: upgrade-readiness-get-started
+---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-analytics-identify-apps.md b/windows/deploy/upgrade-analytics-identify-apps.md
index cfd5df068f..6ff2df414c 100644
--- a/windows/deploy/upgrade-analytics-identify-apps.md
+++ b/windows/deploy/upgrade-analytics-identify-apps.md
@@ -1,36 +1,5 @@
 ---
 title: Upgrade Analytics - Identify important apps (Windows 10)
-description: Describes how to prepare your environment so that you can use Upgrade Analytics to manage Windows upgrades.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-identify-apps
 ---
-# Upgrade Analytics - Step 1: Identify important apps
-
-This is the first step of the Upgrade Analytics workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade.
-
-
-
-![Prioritize applications](images/upgrade-analytics-prioritize.png)
-
-Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
-
-To change an application’s importance level:
-
-1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level.
-2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
-3. Click **Save** when finished.
-
-Importance levels include:
-
-| Importance level | When to use it | Recommendation |
-|--------------------|------------------|------------------|
-| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

    Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
    | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

    | -| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

    | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | -| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

    | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    | -| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    | -| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
    | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

    | -| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
    | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

    Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
    | - diff --git a/windows/deploy/upgrade-analytics-prepare-your-environment.md b/windows/deploy/upgrade-analytics-prepare-your-environment.md deleted file mode 100644 index 78eeaa078b..0000000000 --- a/windows/deploy/upgrade-analytics-prepare-your-environment.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Upgrade Analytics - Identify important apps (Windows 10) -redirect_url: upgrade-analytics-identify-apps ---- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-release-notes.md b/windows/deploy/upgrade-analytics-release-notes.md deleted file mode 100644 index dbf92527d7..0000000000 --- a/windows/deploy/upgrade-analytics-release-notes.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Upgrade Analytics release notes (Windows 10) -description: Provides tips and limitations about Upgrade Analytics. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-requirements#important-information-about-this-release ---- \ No newline at end of file diff --git a/windows/deploy/upgrade-analytics-requirements.md b/windows/deploy/upgrade-analytics-requirements.md index 3875acc090..1b99be1621 100644 --- a/windows/deploy/upgrade-analytics-requirements.md +++ b/windows/deploy/upgrade-analytics-requirements.md 
@@ -1,88 +1,5 @@
 ---
 title: Upgrade Analytics requirements (Windows 10)
-description: Provides requirements for Upgrade Analytics.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-requirements
 ---
-# Upgrade Analytics requirements
-
-This article introduces concepts and steps needed to get up and running with Upgrade Analytics. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Analytics.
-
-## Supported upgrade paths
-
-To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Analytics performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
-
-The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Analytics cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
-
-
-
-If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
-
-Note: Upgrade Analytics is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Analytics insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
-
-See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. 
-
-## Operations Management Suite
-
-Upgrade Analytics is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
-
-If you’re already using OMS, you’ll find Upgrade Analytics in the Solutions Gallery. Click the Upgrade Analytics tile in the gallery and then click Add on the solution’s details page. Upgrade Analytics is now visible in your workspace.
-
-If you are not using OMS, go to [the Upgrade Analytics page on Microsoft.com](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Analytics solution to it.
-
-Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
-
-## System Center Configuration Manager integration
-
-Upgrade Analytics can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Analytics with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
-
-## Telemetry and data sharing
-
-After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Analytics. 
-
-See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Analytics collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
-
-**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
-
-`https://v10.vortex-win.data.microsoft.com/collect/v1`
    -`https://vortex-win.data.microsoft.com/health/keepalive`
    -`https://settings-win.data.microsoft.com/settings`
    -`https://vortex.data.microsoft.com/health/keepalive`
    -`https://settings.data.microsoft.com/qos`
    -`https://go.microsoft.com/fwlink/?LinkID=544713`
    -`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended`
    -
->**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release.
-
-**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later.
-
-**Subscribe your OMS workspace to Upgrade Analytics.** For Upgrade Analytics to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Analytics.
-
-**Enable telemetry and connect data sources.** To allow Upgrade Analytics to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Analytics and user computers. You’ll need to connect Upgrade Analytics to your data sources and enable telemetry to establish communication.
-
-**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
-
->**Important**
    The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
-
-**Configure and deploy Upgrade Analytics deployment script.** Configure and deploy the Upgrade Analytics deployment script to user computers to finish setting up.
-
-## Important information about this release
-
-Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
-
-**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.
-
-**Upgrade Analytics does not support on-premises Windows deployments.** Upgrade Analytics is built as a cloud service, which allows Upgrade Analytics to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
-
-**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Analytics solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. 
We’re adding support for additional regions and we’ll update this information when new international regions are supported. - -### Tips - -- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. - -- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby). - -## Get started - -See [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Analytics and getting started on your Windows upgrade project. diff --git a/windows/deploy/upgrade-analytics-resolve-issues.md b/windows/deploy/upgrade-analytics-resolve-issues.md index ec6f782f9e..9514c81869 100644 --- a/windows/deploy/upgrade-analytics-resolve-issues.md +++ b/windows/deploy/upgrade-analytics-resolve-issues.md 
@@ -1,145 +1,5 @@
 ---
 title: Upgrade Analytics - Resolve application and driver issues (Windows 10)
-description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Analytics.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: upgrade-readiness-resolve-issues
 ---
-# Upgrade Analytics - Step 2: Resolve app and driver issues
-
-This section of the Upgrade Analytics workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
-
-You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
-
-Upgrade decisions include:
-
-| Upgrade decision | When to use it | Guidance |
-|--------------------|-------------------|-------------|
-| Not reviewed | All drivers are marked as Not reviewed by default.

    Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
    | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

    | -| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

    Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

    | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    | -| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

    In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
    | -| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

    Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
    | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

    | - -The blades in the **Resolve issues** section are: - -- Review applications with known issues -- Review applications with no known issues -- Review drivers with known issues - -As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/). - -## Review applications with known issues - -Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**. - - - -![Review applications with known issues](images/upgrade-analytics-apps-known-issues.png) - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. -2. In the table view, select an **UpgradeDecision** value. -3. Select **Decide upgrade readiness** to change the upgrade decision for each application. -4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. -5. Click **Save** when finished. - -IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information. - -For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|-----------|-----------------|------------| -| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
    | No action is required for the upgrade to proceed. | -| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade.

    The application may work on the new operating system.
    | Remove the application before upgrading, and reinstall and test on new operating system. | -| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
    | -| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
    | -| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

    A compatible version of the application may be available.
    | -| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
    | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
    | -| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. | - -For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft. - -| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | -|--------------------|-----------------------------------|----------|-----------------|-------------| -| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. | -| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
    | No action is required for the upgrade to proceed. Reinstall application on the new operating system. | -| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
    | -| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
    | - -### ISV support for applications with Ready for Windows - -[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/). - -Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example: - -![Upgrade analytics Ready for Windows status](images/upgrade-analytics-ready-for-windows-status.png) - -If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance. - -![Upgrade analytics Ready for Windows status guidance precedence](images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png) - -If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows. - -![Name publisher rollup](images/upgrade-analytics-namepub-rollup.png) - -The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses) - -| Ready for Windows Status | Query rollup level | What this means | Guidance | -|-------------------|--------------------------|-----------------|----------| -|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. 
| -| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. | -| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. | -| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A | -| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.| -|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10.| -|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.| -| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A | - -## Review applications with no known issues - -Applications with no issues known to Microsoft are listed, grouped by upgrade decision. 
- -![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png) - -Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**. - -Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates. - -To change an application's upgrade decision: - -1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table. - -2. Select **User changes** to change the upgrade decision for each application. - -3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. - -## Review drivers with known issues - -Drivers that won’t migrate to the new operating system are listed, grouped by availability. - -![Review drivers with known issues](images/upgrade-analytics-drivers-known.png) - -Availability categories are explained in the table below. - -| Driver availability | Action required before or after upgrade? | What it means | Guidance | -|-----------------------|------------------------------------------|----------------|--------------| -| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
    | No action is required for the upgrade to proceed. | -| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
    | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
    | -| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

    Although a new driver is installed during upgrade, a newer version is available from Windows Update.
    | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
    | -| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
    | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. | - -To change a driver’s upgrade decision: - -1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table. - -2. Select **User changes** to enable user input. - -3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list. - -4. Click **Save** when finished. - diff --git a/windows/deploy/upgrade-analytics-review-site-discovery.md b/windows/deploy/upgrade-analytics-review-site-discovery.md deleted file mode 100644 index e42b53e9d0..0000000000 --- a/windows/deploy/upgrade-analytics-review-site-discovery.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -title: Review site discovery -redirect_url: upgrade-analytics-additional-insights ---- - - - diff --git a/windows/deploy/upgrade-analytics-upgrade-overview.md b/windows/deploy/upgrade-analytics-upgrade-overview.md index 4d1885b34a..72c4b10125 100644 --- a/windows/deploy/upgrade-analytics-upgrade-overview.md +++ b/windows/deploy/upgrade-analytics-upgrade-overview.md 
@@ -1,51 +1,4 @@ --- title: Upgrade Analytics - Upgrade Overview (Windows 10) -description: Displays the total count of computers sharing data and upgraded. -ms.prod: w10 -author: greg-lindsay +redirect_url: upgrade-readiness-upgrade-overview --- - -# Upgrade Analytics - Upgrade overview - -The first blade in the Upgrade Analytics solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases. - -The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The following status changes are reflected on the upgrade overview blade: - -- Computers with incomplete data: - - Less than 4% = count is displayed in green. - - 4% - 10% = Count is displayed in amber. - - Greater than 10% = Count is displayed in red. -- Delay processing device inventory data = The "Last updated" banner is displayed in amber. -- Pending user changes = User changes count displays "Data refresh pending" in amber. -- No pending user changes = User changes count displays "Up to date" in green. - -In the following example, less than 4% of (3k\355k) computers have incomplete data, and there are no pending user changes: - -![Upgrade overview](images/ua-cg-17.png) - - - -If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours. 
- -Select **Total computers** for a list of computers and details about them, including: - -- Computer ID and computer name -- Computer manufacturer -- Computer model -- Operating system version and build -- Count of system requirement, application, and driver issues per computer -- Upgrade assessment based on analysis of computer telemetry data -- Upgrade decision status - -Select **Total applications** for a list of applications discovered on user computers and details about them, including: - -- Application vendor -- Application version -- Count of computers the application is installed on -- Count of computers that opened the application at least once in the past 30 days -- Percentage of computers in your total computer inventory that opened the application in the past 30 days -- Issues detected, if any -- Upgrade assessment based on analysis of application data -- Rollup level \ No newline at end of file diff --git a/windows/deploy/upgrade-readiness-additional-insights.md b/windows/deploy/upgrade-readiness-additional-insights.md new file mode 100644 index 0000000000..e7a8b7a54c --- /dev/null +++ b/windows/deploy/upgrade-readiness-additional-insights.md 
@@ -0,0 +1,81 @@ +--- +title: Upgrade Readiness - Additional insights +description: Explains additional features of Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness - Additional insights + +This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: + +- [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7 or Windows 8.1 using Internet Explorer. +- [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. + +## Site discovery + +The site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 8.1 and Windows 7. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. + +> Note: Site discovery data is disabled by default; you can find documentation on what is collected in the [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965). After you turn on this feature, data is collected on all sites visited by Internet Explorer, except during InPrivate sessions. In addition, the data collection process is silent, without notification to the employee. You are responsible for ensuring that your use of this feature complies with all applicable local laws and regulatory requirements, including any requirements to provide notice to employees. 
+ +### Install prerequisite security update for Internet Explorer + +Ensure the following prerequisites are met before using site discovery: + +1. Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. +2. Install the update for customer experience and diagnostic telemetery ([KB3080149](https://support.microsoft.com/kb/3080149)). +3. Enable Internet Explorer data collection, which is disabled by default. The best way to enable it is to modify the [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) to allow Internet Explorer data collection before you run it. + + If necessary, you can also enable it by creating the following registry entry. + + HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection + + Entry name: IEDataOptIn + + Data type: DWORD + + Values: + + > *IEOptInLevel = 0 Internet Explorer data collection is disabled* + > + > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* + > + > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* + > + > *IEOptInLevel = 3 Data collection is enabled for all sites* + + For more information about Internet Explorer Security Zones, see [About URL Security Zones](https://msdn.microsoft.com/library/ms537183.aspx). + + ![Create the IEDataOptIn registry key](images/upgrade-analytics-create-iedataoptin.png) + +### Review most active sites + +This blade indicates the most visited sites by computers in your environment. Review this list to determine which web applications and sites are used most frequently. The number of visits is based on the total number of views, and not by the number of unique devices accessing a page. + +For each site, the fully qualified domain name will be listed. 
You can sort the data by domain name or by URL. + +![Most active sites](Images/upgrade-analytics-most-active-sites.png) + +Click the name of any site in the list to drill down into more details about the visits, including the time of each visit and the computer name. + +![Site domain detail](images/upgrade-analytics-site-domain-detail.png) + +### Review document modes in use + +This blade provides information about which document modes are used in the sites that are visited in your environment. Document modes are used to provide compatibility with older versions of Internet Explorer. Sites that use older technologies may require additional testing and are less likely to be compatible with Microsoft Edge. Counts are based on total page views and not the number of unique devices. For more information about document modes, see [Deprecated document modes](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/deprecated-document-modes). + +![Site activity by document mode](images/upgrade-analytics-site-activity-by-doc-mode.png) + +### Run browser-related queries + +You can run predefined queries to capture more info, such as sites that have Enterprise Mode enabled, or the number of unique computers that have visited a site. For example, this query returns the most used ActiveX controls. You can modify and save the predefined queries. + +![](images/upgrade-analytics-query-activex-name.png) + +## Office add-ins + +Office add-ins provides a list of the Microsoft Office add-ins in your environment, and enumerates the computers that have these add-ins installed. This information should not affect the upgrade decision workflow, but can be helpful to an administrator. + +## Related topics + +[Upgrade Readiness release notes](upgrade-readiness-release-notes.md) diff --git a/windows/deploy/upgrade-readiness-architecture.md b/windows/deploy/upgrade-readiness-architecture.md new file mode 100644 index 0000000000..93a028f925 --- /dev/null 
+++ b/windows/deploy/upgrade-readiness-architecture.md @@ -0,0 +1,30 @@ +--- +title: Upgrade Readiness architecture (Windows 10) +description: Describes Upgrade Readiness architecture. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness architecture + +Microsoft analyzes system, application, and driver telemetry data to help you determine when computers are upgrade-ready, allowing you to simplify and accelerate Windows upgrades in your organization. The diagram below illustrates how Upgrade Readiness components work together in a typical installation. + + + +![Upgrade Readiness architecture](images/ur-arch-diagram.png) + +After you enable Windows telemetry on user computers and install the compatibility update KB (1), user computers send computer, application and driver telemetry data to a secure Microsoft data center through the Microsoft Data Management Service (2). After you configure Upgrade Readiness, telemetry data is analyzed by the Upgrade Readiness Service (3) and pushed to your OMS workspace (4). You can then use the Upgrade Readiness solution (5) to plan and manage Windows upgrades. + +For more information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see: + +[Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
    +[Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
    +[Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
    + +##**Related topics** + +[Upgrade Readiness requirements](upgrade-readiness-requirements.md)
    +[Upgrade Readiness release notes](upgrade-readiness-release-notes.md)
    +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md)
    diff --git a/windows/deploy/upgrade-readiness-deploy-windows.md b/windows/deploy/upgrade-readiness-deploy-windows.md new file mode 100644 index 0000000000..bb54670f8d --- /dev/null +++ b/windows/deploy/upgrade-readiness-deploy-windows.md 
@@ -0,0 +1,97 @@ +--- +title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10) +description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. +ms.prod: w10 +author: greg-lindsay +--- + +# Upgrade Readiness - Step 3: Deploy Windows + +All of your work up to now involved reviewing and resolving application and driver issues. Along the way, as you’ve resolved issues and decided which applications and drivers are ready to upgrade, you’ve been building a list of computers that are upgrade ready. +The blades in the **Deploy** section are: + +- [Deploy eligible computers](#deploy-eligible-computers) +- [Deploy computers by group](#computer-groups) + +>Computers that are listed in this step are assigned an **UpgradeDecision** value, and the total count of computers in each upgrade decision category is displayed. Additionally, computers are assigned an **UpgradeAssessment** value. This value is displayed by drilling down into a specific upgrade decision category. For information about upgrade assessment values, see [Upgrade assessment](#upgrade-assessment). + +## Deploy eligible computers + +In this blade, computers grouped by upgrade decision are listed. The upgrade decision on the machines is a calculated value based on the upgrade decision status for the apps and drivers installed on the computer. This value cannot be modified directly. The upgrade decision is calculated in the following ways: +- **Review in progress**: At least one app or driver installed on the computer is marked **Review in progress**. +- **Ready to upgrade**: All apps and drivers installed on the computer are marked as **Ready to Upgrade**. +- **Won’t upgrade**: At least one app or driver installed on the computer is marked as **Won’t upgrade**, or a system requirement is not met. 
+ + + +![Deploy eligible computers](images/ua-cg-16.png) + +Select **Export computers** for more details, including computer name, manufacturer and model, and Windows edition currently running on the computer. Sort or further query the data and then select **Export** to generate and save a comma-separated value (csv) list of upgrade-ready computers. + +>**Important**
    When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. + +## Computer groups + +Computer groups allow you to segment your environment by creating device groups based on OMS log search results, or by importing groups from Active Directory, WSUS or System Center Configuration Manager. Computer groups are an OMS feature. For more information, see [Computer groups in OMS](https://blogs.technet.microsoft.com/msoms/2016/04/04/computer-groups-in-oms/). + +Query based computer groups are recommended in the initial release of this feature. A feature known as **Configuration Manager Upgrade Readiness Connector** is anticipated in a future release that will enable synchronization of **ConfigMgr Collections** with computer groups in OMS. + +### Getting started with Computer Groups + +When you sign in to OMS, you will see a new blade entitled **Computer Groups**. See the following example: + +![Computer groups](images/ua-cg-01.png) + +To create a computer group, open **Log Search** and create a query based on **Type=UAComputer**, for example: + +``` +Type=UAComputer Manufacturer=DELL +``` + +![Computer groups](images/ua-cg-02.png) + +When you are satisfied that the query is returning the intended results, add the following text to your search: + +``` +| measure count() by Computer +``` + +This will ensure every computer only shows up once. Then, save your group by clicking **Save** and **Yes**. See the following example: + +![Computer groups](images/ua-cg-03.png) + +Your new computer group will now be available in Upgrade Readiness. See the following example: + +![Computer groups](images/ua-cg-04.png) + +### Using Computer Groups + +When you drill into a computer group, you will see that computers are categorized by **UpgradeDecision**. 
For computers with the status **Review in progress** or **Won’t upgrade** you can drill down to view issues that cause a computer to be in each category, or you can simply display a list of the computers in the category. For computers that are designated **Ready to upgrade**, you can go directly to the list of computers that are ready. + +![Computer groups](images/ua-cg-05.png) + +Viewing a list of computers in a certain status is self-explanatory, Let’s look at what happens when you click the details link on **Review in progress**: + +![Computer groups](images/ua-cg-06.png) + +Next, select if you want to see application issues (**UAApp**) or driver issues (**UADriver**). See the following example of selecting **UAApp**: + +![Computer groups](images/ua-cg-07.png) + +A list of apps that require review so that Dell Computers are ready for upgrade to Windows 10 is displayed. + +### Upgrade assessment + +Upgrade assessment and guidance details are explained in the following table. + +| Upgrade assessment | Action required before or after upgrade pilot? | Issue | What it means | Guidance | +|-----------------------|------------------------------------------------|----------|-----------------|---------------| +| No known issues | No | None | Computers will upgrade seamlessly.
    | OK to use as-is in pilot. | +| OK to pilot, fixed during upgrade | No, for awareness only | Application or driver will not migrate to new OS | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system. | OK to use as-is in pilot. | +| OK to pilot with new driver from Windows Update | Yes | Driver will not migrate to new OS | The currently installed version of a driver won’t migrate to the new operating system; however, a newer, compatible version is available from Windows Update. | Although a compatible version of the driver is installed during upgrade, a newer version is available from Windows Update.

    If the computer automatically receives updates from Windows Update, no action is required. Otherwise, replace the new in-box driver with the Windows Update version after upgrading.

    | + +Select **Export computers** to view pilot-ready computers organized by operating system. After you select the computers you want to use in a pilot, click Export to generate and save a comma-separated value (csv) file. + +>**Important**> When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export fewer items at a time. \ No newline at end of file diff --git a/windows/deploy/upgrade-readiness-deployment-script.md b/windows/deploy/upgrade-readiness-deployment-script.md new file mode 100644 index 0000000000..f8d311cd6b --- /dev/null +++ b/windows/deploy/upgrade-readiness-deployment-script.md 
@@ -0,0 +1,274 @@ +--- +title: Upgrade Readiness deployment script (Windows 10) +description: Deployment script for Upgrade Readiness. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +--- + +# Upgrade Readiness deployment script + +To automate the steps provided in [Get started with Upgrade Readiness](upgrade-readiness-get-started.md), and to troubleshoot data sharing issues, you can run the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. + +>[!IMPORTANT] +>Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. + +For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/). + +> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, please download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). + +The Upgrade Readiness deployment script does the following: + +1. Sets commercial ID key + CommercialDataOptIn + RequestAllAppraiserVersions keys. +2. Verifies that user computers can send data to Microsoft. +3. Checks whether the computer has a pending restart.   +4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). +5. If enabled, turns on verbose mode for troubleshooting. +6. Initiates the collection of the telemetry data that Microsoft needs to assess your organization’s upgrade readiness. +7. 
If enabled, displays the script’s progress in a cmd window, providing you immediate visibility into issues (success or fail for each step) and/or writes to log file.
+
+To run the Upgrade Readiness deployment script:
+
+1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
+
+2. Edit the following parameters in RunConfig.bat:
+
+ 1. Provide a storage location for log information. You can store log information on a remote file share or a local directory. If the script is blocked from creating the log file for the given path, it creates the log files in the drive with the Windows directory. Example: %SystemDrive%\\UADiagnostics
+
+ 2. Input your commercial ID key. This can be found in your OMS workspace under Settings -> Connected Sources -> Windows Telemetry.
+
+ 3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:
+
+ > *logMode = 0 log to console only*
+ >
+ > *logMode = 1 log to file and console*
+ >
+ > *logMode = 2 log to file only*
+
+3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable.
Then use one of the following options to determine what Internet Explorer data can be collected: + + > *IEOptInLevel = 0 Internet Explorer data collection is disabled* + > + > *IEOptInLevel = 1 Data collection is enabled for sites in the Local intranet + Trusted sites + Machine local zones* + > + > *IEOptInLevel = 2 Data collection is enabled for sites in the Internet + Restricted sites zones* + > + > *IEOptInLevel = 3 Data collection is enabled for all sites* + +4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**. + + The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**. + + This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints: + + \*vortex\*.data.microsoft.com
    + \*settings\*.data.microsoft.com
+
+5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
+
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
+
+
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Exit codeMeaning +Suggested fix + +
    0Success +N/A + +
    1Unexpected error occurred while executing the script. + The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. + +
    2Error when logging to console. $logMode = 0.
    (console only) +
    Try changing the $logMode value to **1** and try again.
    $logMode value 1 logs to both console and file. + +
    3Error when logging to console and file. $logMode = 1. +Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + +
    4Error when logging to file. $logMode = 2. +Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + +
    5Error when logging to console and file. $logMode = unknown. +Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + +
    6The commercialID parameter is set to unknown.
    Modify the runConfig.bat file to set the CommercialID value. +
    The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. +
    See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. + +
    8Failure to create registry key path:
    **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
    +
    The Commercial Id property is set at the following registry key path:
    **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
    +
    Verify that the context under which the script in running has access to the registry key. + +
    9The script failed to write Commercial Id to registry. +
    Error creating or updating registry key: **CommercialId** at
    **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
    +
    Verify that the context under which the script in running has access to the registry key. + +
    10Error when writing **CommercialDataOptIn** to the registry at
    **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
    +
    Verify that the deployment script is running in a context that has access to the registry key. + +
    11Function **SetupCommercialId** failed with an unexpected exception. +The **SetupCommercialId** function updates the Commercial Id at the registry key path:
    **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**

    Verify that the configuration script has access to this location. + +
    12Can’t connect to Microsoft - Vortex. Check your network/proxy settings. +**Http Get** on the end points did not return a success exit code.
    +For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
    +For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. +
    If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + + +
    13Can’t connect to Microsoft - setting. +An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + + +
    14Can’t connect to Microsoft - compatexchange. +An error occurred connecting to https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc . This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). + +
    15Function CheckVortexConnectivity failed with an unexpected exception. +This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enable data sharing](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Check the logs for the exception message and the HResult. + +
    16The computer requires a reboot before running the script. +A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script. + +
    17Function **CheckRebootRequired** failed with an unexpected exception. +A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult. + +
    18Appraiser KBs not installed or **appraiser.dll** not found. +Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser telemetry events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. + +
    19Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. +Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. + +
    20An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at
    **HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Appraiser**
    +
    The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. + +
    21Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    22**RunAppraiser** failed with unexpected exception. +Check the logs for the exception message and HResult. Check the **%windir%\System32*8 directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. + +
    23Error finding system variable **%WINDIR%**. +Verify that this environment variable is configured on the computer. + +
    24The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at
    **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
    +
    This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. + +
    25The function **SetIEDataOptIn** failed with unexpected exception. +Check the logs for the exception message and HResult. + +
    26The operating system is Server or LTSB SKU. + The script does not support Server or LTSB SKUs. + +
    27The script is not running under **System** account. +The Upgrade Readiness configuration script must be run as **System**. + +
    28Could not create log file at the specified **logPath**. + Make sure the deployment script has access to the location specified in the **logPath** parameter. + +
    29Connectivity check failed for proxy authentication. +Install the cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. +
    The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. +
    For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). +
    For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). + +
    30Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. +The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. +
    For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). +
    For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). + +
    31There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. +Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m. + +
    32Appraiser version on the machine is outdated. +The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for Windows 7 SP1/Windows 8.1. + +
    33**CompatTelRunner.exe** exited with an exit code +**CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Please check the logs for more details. + +
    34Function **CheckProxySettings** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    35Function **CheckAuthProxy** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    36Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    37**Diagnose_internal.cmd** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    38Function **Get-SqmID** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    39For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path
    **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**
    +or
    **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**
    +
    For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization). + +
    40Function **CheckTelemetryOptIn** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    41The script failed to impersonate the currently logged on user. +The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed. + +
    42Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    43Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. +Check the logs for the exception message and HResult. + +
    + +
+
+
+
+
+
+
diff --git a/windows/deploy/upgrade-readiness-get-started.md b/windows/deploy/upgrade-readiness-get-started.md
new file mode 100644
index 0000000000..7cb98c4cf2
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-get-started.md
@@ -0,0 +1,133 @@
+---
+title: Get started with Upgrade Readiness (Windows 10)
+description: Explains how to get started with Upgrade Readiness.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+---
+
+# Get started with Upgrade Readiness
+
+This topic explains how to obtain and configure Upgrade Readiness for your organization.
+
+You can use Upgrade Readiness to plan and manage your upgrade project end-to-end. Upgrade Readiness works by establishing communications between computers in your organization and Microsoft. Upgrade Readiness collects computer, application, and driver data for analysis. This data is used to identify compatibility issues that can block your upgrade and to suggest fixes that are known to Microsoft.
+
+Before you begin, consider reviewing the following helpful information:
    + - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
    + - [Upgrade Readiness blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness.
+
+>If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
+
+When you are ready to begin using Upgrade Readiness, perform the following steps:
+
+1. Review [data collection and privacy](#data-collection-and-privacy) information.
+2. [Add Upgrade Readiness to OMS](#add-upgrade-readiness-to-operations-management-suite).
+3. [Enable data sharing](#enable-data-sharing).
+4. [Deploy required updates](#deploy-the-compatibility-update-and-related-kbs) to computers, and validate using a pilot deployment.
+5. [Deploy Upgrade Readiness at scale](#deploy-upgrade-readiness-at-scale).
+
+## Data collection and privacy
+
+To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data.
For information about what telemetry data Microsoft collects and how that data is used and protected by Microsoft, see the following topics:
+
+- [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization)
+- [Manage connections from Windows operating system components to Microsoft services](https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965)
+
+## Add Upgrade Readiness to Operations Management Suite
+
+Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/).
+
+If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace.
+
+If you are not using OMS:
+
+1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **New Customers >** to kick off the onboarding process.
+2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
+3. Create a new OMS workspace.
Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
+4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.
+
+ > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens.
+
+1. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness.
+
+2. Click the **Upgrade Readiness** tile to configure the solution. The **Settings Dashboard** opens.
+
+### Generate your commercial ID key
+
+Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers.
+
+1. On the Settings Dashboard, navigate to the **Windows telemetry** panel.
+
+ ![upgrade-readiness-telemetry](images/upgrade-analytics-telemetry.png)
+
+2. On the Windows telemetry panel, copy and save your commercial ID key. You’ll need to insert this key into the Upgrade Readiness deployment script later so it can be deployed to user computers.
+
+ >**Important**
    Regenerate a commercial ID key only if your original ID key can no longer be used. Regenerating a commercial ID key resets the data in your workspace for all solutions that use the ID. Additionally, you’ll need to deploy the new commercial ID key to user computers again.
+
+### Subscribe to Upgrade Readiness
+
+For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, subscribe your OMS workspace to Upgrade Readiness.
+
+1. On the **Windows telemetry** panel, click **Subscribe**. The button changes to **Unsubscribe**. Unsubscribe from the Upgrade Readiness solution if you no longer want to receive upgrade-readiness information from Microsoft. Note that user computer data will continue to be shared with Microsoft for as long as the opt-in keys are set on user computers and the proxy allows the traffic.
+
+1. Click **Overview** on the Settings Dashboard to return to your OMS workspace portal. The Upgrade Readiness tile now displays summary data. Click the tile to open Upgrade Readiness.
+
+## Enable data sharing
+
+To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.
+
+Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account.
+
+| **Endpoint** | **Function** |
+|---------------------------------------------------------|-----------|
+| `https://v10.vortex-win.data.microsoft.com/collect/v1`
    `https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | +| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. | +| `https://go.microsoft.com/fwlink/?LinkID=544713`
    `https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
+
+
+## Deploy the compatibility update and related KBs
+
+The compatibility update KB scans your computers and enables application usage tracking. If you don’t already have these KBs installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
+
+| **Operating System** | **KBs** |
+|----------------------|-----------------------------------------------------------------------------|
+| Windows 10 | The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com)

    Note: Windows 10 LTSB is not supported by Upgrade Readiness. See [Upgrade readiness requirements](upgrade-readiness-requirements.md) for more information. |
+| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
    Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
    For more information about this KB, see

    [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
    Provides updated configuration and definitions for compatibility diagnostics performed on the system.
    For more information about this KB, see
    NOTE: KB2976978 must be installed before you can download and install KB3150513. |
+| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
    Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
    For more information about this KB, see

    [KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
    Provides updated configuration and definitions for compatibility diagnostics performed on the system.
    For more information about this KB, see
    NOTE: KB2952664 must be installed before you can download and install KB3150513. |
+
+IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time.
+
+If you are planning to enable IE Site Discovery, you will need to install a few additional KBs.
+
+| **Site discovery** | **KB** |
+|----------------------|-----------------------------------------------------------------------------|
+| [Review site discovery](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-additional-insights#site-discovery) | [KB3080149](http://www.catalog.update.microsoft.com/Search.aspx?q=3080149)
    Updates the Diagnostic and Telemetry tracking service to existing devices. This update is only necessary on Windows 7 and Windows 8.1 devices.
    For more information about this KB, see

    Install the latest [Windows Monthly Rollup](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup). This functionality has been included in Internet Explorer 11 starting with the July 2016 Cumulative Update. |
+
+### Deploy the Upgrade Readiness deployment script
+
+You can use the Upgrade Readiness deployment script to automate and verify your deployment.
+
+See [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md) for information on obtaining and running the script, and for a description of the error codes that can be displayed.
+
+>After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Readiness. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Readiness. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers.
+
+## Deploy Upgrade Readiness at scale
+
+When you have completed a pilot deployment, you are ready to automate data collection and distribute the deployment script to the remaining computers in your organization.
+
+### Automate data collection
+
+To ensure that user computers are receiving the most up to date data from Microsoft, we recommend that you establish the following data sharing and analysis processes.
+
+- Enable automatic updates for the compatibility update and related KBs. These KBs are updated frequently to include the latest application and driver issue information as we discover it during testing.
+- Schedule the Upgrade Readiness deployment script to automatically run so that you don’t have to manually initiate an inventory scan each time the compatibility update KBs are updated.
+- Schedule monthly user computer scans to view monthly active computer and usage information.
+
+>When you run the deployment script, it initiates a full scan. The daily scheduled task to capture the deltas are created when the update package is installed. A full scan averages to about 2 MB, but the delta scans are very small. For Windows 10 devices, its already part of the OS. This is the **Windows Compat Appraiser** task. Deltas are invoked via the nightly scheduled task. It attempts to run around 3AM, but if system is off at that time, the task will run when the system is turned on.
+
+### Distribute the deployment script at scale
+
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
diff --git a/windows/deploy/upgrade-readiness-identify-apps.md b/windows/deploy/upgrade-readiness-identify-apps.md
new file mode 100644
index 0000000000..33b5d248c5
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-identify-apps.md
@@ -0,0 +1,36 @@
+---
+title: Upgrade Readiness - Identify important apps (Windows 10)
+description: Describes how to prepare your environment so that you can use Upgrade Readiness to manage Windows upgrades.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Step 1: Identify important apps
+
+This is the first step of the Upgrade Readiness workflow. In this step, applications are listed and grouped by importance level. Setting the importance level enables you to prioritize applications for upgrade.
+
+
+
+![Prioritize applications](images/upgrade-analytics-prioritize.png)
+
+Select **Assign importance** to change an application’s importance level. By default, applications are marked **Not reviewed** or **Low install count** until you assign a different importance level to them.
+
+To change an application’s importance level:
+
+1. Select **Not reviewed** or **Low install count** on the **Prioritize applications** blade to view the list of applications with that importance level.
+2. Select the applications you want to change to a specific importance level and then select the appropriate option from the **Select importance level** list.
+3. Click **Save** when finished.
+
+Importance levels include:
+
+| Importance level | When to use it | Recommendation |
+|--------------------|------------------|------------------|
+| Low install count | We give you a head start by identifying applications that are installed on 2% or less of your total computer inventory. \[Number of computers application is installed on/total number of computers in your inventory.\]

    Low install count applications are automatically marked as **Ready to upgrade** in the **UpgradeDecision** column unless they have issues that need attention.
    | Be sure to review low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates. For example, payroll apps or tax accounting apps tend to be installed on a relatively small number of machines but are still considered business critical applications.

    | +| Not reviewed | Applications that are installed on more than 2% of your total computer inventory are marked not reviewed until you set their importance level.

    | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns. | +| Business critical | By default, no applications are marked as business critical because only you can make that determination. If you know that an application is critical to your organization’s functioning, mark it **Business critical**.

    | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this business critical application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    | +| Important | By default, no applications are marked as important because only you can make that determination. If the application is important but not critical to your organization’s functioning, mark it **Important**. | You may also want to change the application’s status to **Review in progress** in the **UpgradeDecision** column to let other team members know that you’re working on getting this important application upgrade-ready. Once you’ve fixed any issues and validated that the application will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    | +| Ignore | By default, no applications are marked as ignore because only you can make that determination. If the application is not important to your organization’s functioning, such as user-installed applications and games, you may not want to spend time and money validating that these applications will migrate successfully. Mark these applications **Ignore**.
    | Set the application’s importance level to **Ignore** to let other team members know that it can be left as-is with no further investigation or testing. If you set the importance level to ignore, and this is an app that you are not planning on testing or validating, consider changing the upgrade decision to **Ready to upgrade**. By marking these apps ready to upgrade, you are indicating that you are comfortable upgrading with the app remaining in its current state.

    | +| Review in progress | Once you’ve started to investigate an application to determine its importance level and upgrade readiness, change its status to **Review in progress** in both the **Importance** and **UpgradeDecision** columns.
    | As you learn more about the application’s importance to your organization’s functioning, change the importance level to **Business critical**, **Important**, or **Ignore**.

    Until you’ve determined that priority applications will migrate successfully, leave the upgrade decision status as **Review in progress**.
    |
+
diff --git a/windows/deploy/upgrade-readiness-release-notes.md b/windows/deploy/upgrade-readiness-release-notes.md
new file mode 100644
index 0000000000..e023406035
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-release-notes.md
@@ -0,0 +1,5 @@
+---
+title: Upgrade Readiness release notes (Windows 10)
+description: Provides tips and limitations about Upgrade Readiness.
+redirect_url: https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-requirements#important-information-about-this-release
+---
\ No newline at end of file
diff --git a/windows/deploy/upgrade-readiness-requirements.md b/windows/deploy/upgrade-readiness-requirements.md
new file mode 100644
index 0000000000..5593a4eb72
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-requirements.md 
@@ -0,0 +1,93 @@
+---
+title: Upgrade Readiness requirements (Windows 10)
+description: Provides requirements for Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness requirements
+
+This article introduces concepts and steps needed to get up and running with Upgrade Readiness. We recommend that you review this list of requirements before getting started as you may need to collect information, such as account credentials, and get approval from internal IT groups, such as your network security group, before you can start using Upgrade Readiness.
+
+## Supported upgrade paths
+
+### Windows 7 and Windows 8.1
+
+To perform an in-place upgrade, user computers must be running the latest version of either Windows 7 SP1 or Windows 8.1. After you enable Windows telemetry, Upgrade Readiness performs a full inventory of computers so that you can see which version of Windows is installed on each computer.
+
+The compatibility update KB that sends telemetry data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility.
+
+
+
+If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center.
+
+Note: Upgrade Readiness is designed to best support in-place upgrades. In-place upgrades do not support migrations from BIOS to UEFI or from 32-bit to 64-bit architecture. If you need to migrate computers in these scenarios, use the wipe-and-reload method. Upgrade Readiness insights are still valuable in this scenario, however, you can ignore in-place upgrade specific guidance.
+
+See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-10-specifications) for additional information about computer system requirements. 
+
+### Windows 10
+
+Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates.
+The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility KBs are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com).
+
+Windows 10 LTSB is not supported by Upgrade Readiness. The LTSB (long term servicing branch) of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not compatible with Upgrade Readiness. See [Windows as a service overview](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#long-term-servicing-branch) to understand more about LTSB.
+
+## Operations Management Suite
+
+Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).
+
+If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace.
+
+If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it.
+
+Important: You can use either a Microsoft Account or a Work or School account to create a workspace. 
If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions.
+
+## System Center Configuration Manager integration
+
+Upgrade Readiness can be integrated with your installation of Configuration Manager. For more information, see [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics).
+
+## Telemetry and data sharing
+
+After you’ve signed in to Operations Management Suite and added the Upgrade Readiness solution to your workspace, you’ll need to complete the following tasks to allow user computer data to be shared with and assessed by Upgrade Readiness.
+
+See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields](https://go.microsoft.com/fwlink/?LinkID=822965) for more information about what user computer data Upgrade Readiness collects and assesses. See [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization) for more information about how Microsoft uses Windows telemetry data.
+
+**Whitelist telemetry endpoints.** To enable telemetry data to be sent to Microsoft, you’ll need to whitelist the following Microsoft telemetry endpoints on your proxy server or firewall. You may need to get approval from your security group to do this.
+
+`https://v10.vortex-win.data.microsoft.com/collect/v1`
    +`https://vortex-win.data.microsoft.com/health/keepalive`
    +`https://settings.data.microsoft.com/qos`
    +`https://go.microsoft.com/fwlink/?LinkID=544713`
    +`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc`
    +
+>**Note** The compatibility update KB runs under the computer’s system account and does not support user authentication in this release.
+
+**Generate your commercial ID key.** Microsoft uses a unique commercial ID GUID to map data from your computers to your OMS workspace. You’ll need to generate your commercial ID key in OMS. We recommend that you save your commercial ID key as you’ll need it later.
+
+**Subscribe your OMS workspace to Upgrade Readiness.** For Upgrade Readiness to receive and display upgrade readiness data from Microsoft, you’ll need to subscribe your OMS workspace to Upgrade Readiness.
+
+**Enable telemetry and connect data sources.** To allow Upgrade Readiness to collect system, application, and driver data and assess your organization’s upgrade readiness, communication must be established between Upgrade Readiness and user computers. You’ll need to connect Upgrade Readiness to your data sources and enable telemetry to establish communication.
+
+**Deploy compatibility update and related KBs.** The compatibility update KB scans your systems and enables application usage tracking. If you don’t already have this KB installed, you can download the applicable version from the Microsoft Update Catalog or deploy it using Windows Server Update Services (WSUS) or your software distribution solution, such as System Center Configuration Manager.
+
+>**Important**
    The compatibility update and related KBs are updated frequently to include new compatibility issues as they become known to Microsoft. We recommend that you use a deployment system that allows for automatic updates of these KBs. The compatibility update KB collects inventory information from computers only when it is updated.
+
+**Configure and deploy Upgrade Readiness deployment script.** Configure and deploy the Upgrade Readiness deployment script to user computers to finish setting up.
+
+## Important information about this release
+
+Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.
+
+**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.
+
+**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
+
+### Tips
+
+- When viewing inventory items in table view, the maximum number of rows that can be viewed and exported is limited to 5,000. If you need to view or export more than 5,000 items, reduce the scope of the query so you can export a list with fewer items. 
+
+- Sorting data by clicking a column heading may not sort your complete list of items. For information about how to sort data in OMS, see [Sorting DocumentDB data using Order By](https://azure.microsoft.com/documentation/articles/documentdb-orderby).
+
+## Get started
+
+See [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) for detailed, step-by-step instructions for configuring Upgrade Readiness and getting started on your Windows upgrade project.
diff --git a/windows/deploy/upgrade-readiness-resolve-issues.md b/windows/deploy/upgrade-readiness-resolve-issues.md
new file mode 100644
index 0000000000..bb0e2c452d
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-resolve-issues.md
@@ -0,0 +1,152 @@
+---
+title: Upgrade Readiness - Resolve application and driver issues (Windows 10)
+description: Describes how to resolve application and driver issues that can occur during an upgrade with Upgrade Readiness.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Step 2: Resolve app and driver issues
+
+This section of the Upgrade Readiness workflow reports application and driver inventory and shows you which applications have known issues, which applications have no known issues, and which drivers have issues. We identify applications and drivers that need attention and suggest fixes when we know about them.
+
+You can change an application’s upgrade decision and a driver’s upgrade decision from the blades in this section. To change an application’s or a driver’s importance level, select **User changes**. Select the item you want to change and then select the appropriate option from the **Select upgrade decision** list.
+
+Upgrade decisions include:
+
+| Upgrade decision | When to use it | Guidance |
+|--------------------|-------------------|-------------|
+| Not reviewed | All drivers are marked as Not reviewed by default.

    Any app that has not been marked **Low install count** will also have an upgrade decision of **Not reviewed** by default.
    | Apps you have not yet reviewed or are waiting to review later should be marked as **Not reviewed**. When you start to investigate an application or a driver to determine upgrade readiness, change their upgrade decision to **Review in progress**.

    |
+| Review in progress | When you start to investigate an application or a driver to determine upgrade readiness, change its upgrade decision to **Review in progress**.

    Until you’ve determined that applications and drivers will migrate successfully or you’ve resolved blocking issues, leave the upgrade decision status as **Review in progress**.

    | Once you’ve fixed any issues and validated that the application or driver will migrate successfully, change the upgrade decision to **Ready to upgrade**.
    |
+| Ready to upgrade | Mark applications and drivers **Ready to upgrade** once you’ve resolved all blocking issues and you’re confident that they will upgrade successfully, or if you’ve decided to upgrade them as-is. | Applications with no known issues and with low installation rates are marked **Ready to upgrade** by default.

    In Step 1, you might have marked some of your apps as **Ignore**. These should be marked as **Ready to upgrade**. Apps with low installation rates are marked as **Ready to upgrade** by default. Be sure to review any low install count applications for any business critical or important applications that are not yet upgrade-ready, despite their low installation rates.
    |
+| Won’t upgrade | By default, no applications or drivers are marked **Won’t upgrade** because only you can make that determination.

    Use **Won’t upgrade** for applications and drivers that you do not work on your target operating system, or that you are unable to upgrade.
    | If, during your investigation into an application or driver, you determine that they should not or cannot be upgraded, mark them **Won’t upgrade**.

    |
+
+The blades in the **Resolve issues** section are:
+
+- Review applications with known issues
+- Review applications with no known issues
+- Review drivers with known issues
+
+As you review applications with known issues, you can also see ISV support statements or applications using [Ready for Windows](https://www.readyforwindows.com/).
+
+## Review applications with known issues
+
+Applications with issues known to Microsoft are listed, grouped by upgrade assessment into **Attention needed** or **Fix available**.
+
+
+
+![Review applications with known issues](images/upgrade-analytics-apps-known-issues.png)
+
+To change an application's upgrade decision:
+
+1. Select **Decide upgrade readiness** to view applications with issues.
+2. In the table view, select an **UpgradeDecision** value.
+3. Select **Decide upgrade readiness** to change the upgrade decision for each application.
+4. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
+5. Click **Save** when finished.
+
+IMORTANT: Ensure that you have the most recent versions of the compatibility update and related KBs installed to get the most up-to-date compatibility information.
+
+For applications assessed as **Attention needed**, review the table below for details about known issues and for guidance about how to resolve them, when possible.
+
+| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
+|--------------------|-----------------------------------|-----------|-----------------|------------|
+| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system.
    | No action is required for the upgrade to proceed. |
+| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade.

    The application may work on the new operating system.
    | Remove the application before upgrading, and reinstall and test on new operating system. |
+| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.
    |
+| Attention needed | No | Does not work with new OS, but won’t block upgrade | The application is not compatible with the new operating system, but won’t block the upgrade. | No action is required for the upgrade to proceed, however, you’ll have to install a compatible version of the application on the new operating system.
    |
+| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading.

    A compatible version of the application may be available.
    |
+| Attention needed | Yes | May block upgrade, test application | Issues were detected that may interfere with the upgrade, but need to be investigated further.
    | Test the application’s behavior during upgrade. If it blocks the upgrade, remove it before upgrading and reinstall and test it on the new operating system.
    |
+| Attention needed | Maybe | Multiple | Multiple issues are affecting the application. See detailed view for more information.| When you see Multiple in the query detailed view, click **Query** to see details about what issues were detected with the different versions of the application. |
+
+For applications assessed as **Fix available**, review the table below for details about known issues and ways to fix them that are known to Microsoft.
+
+| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
+|--------------------|-----------------------------------|----------|-----------------|-------------|
+| Fix available | Yes | Blocking upgrade, update application to newest version | The existing version of the application is not compatible with the new operating system and won’t migrate. A compatible version of the application is available. | Update the application before upgrading. |
+| Fix available | No | Reinstall application after upgrading | The application is compatible with the new operating system, but must be reinstalled after upgrading. The application is removed during the upgrade process.
    | No action is required for the upgrade to proceed. Reinstall application on the new operating system. |
+| Fix available | Yes | Blocking upgrade, but can be reinstalled after upgrading | The application is compatible with the new operating system, but won’t migrate. | Remove the application before upgrading and reinstall on the new operating system.
    |
+| Fix available | Yes | Disk encryption blocking upgrade | The application’s encryption features are blocking the upgrade. | Disable the encryption feature before upgrading and enable it again after upgrading.
    |
+
+### ISV support for applications with Ready for Windows
+
+[Ready for Windows](https://www.readyforwindows.com/) lists software solutions that are supported and in use for Windows 10. This site leverages data about application adoption from commercial Windows 10 installations and helps IT managers upgrade to Windows 10 with confidence. For more information, see [Ready for Windows Frequently Asked Questions](https://developer.microsoft.com/windows/ready-for-windows/#/faq/).
+
+Click **Review Applications With Known Issues** to see the status of applications for Ready for Windows and corresponding guidance. For example:
+
+![Upgrade analytics Ready for Windows status](images/upgrade-analytics-ready-for-windows-status.png)
+
+If there are known issues with an application, the specific guidance for that known issue takes precedence over the Ready for Windows guidance.
+
+![Upgrade analytics Ready for Windows status guidance precedence](images/upgrade-analytics-ready-for-windows-status-guidance-precedence.png)
+
+If you query with RollupLevel="NamePublisher", each version of the application can have a different status for Ready for Windows. In this case, different values appear for Ready for Windows.
+
+![Name publisher rollup](images/upgrade-analytics-namepub-rollup.png)
+
+>[!TIP]
+>Within the Upgrade Readiness data model, an object of Type **UAApp** refers to a particular application installed on a specific computer.
+
+>To support dynamic aggregation and summation of data the Upgrade Readiness solution "rolls up" (aggregates) data in preprocessing. Rolling up to the **Granular** level enables display of the **App** level. In Upgrade Readiness terminology, an **App** is a unique combination of: app name, app vendor, app version, and app language. Thus, at the Granular level, you can see attributes such as **total install count**, which is the number of machines with a specific **App** installed. 
+
+>Upgrade Readiness also has a roll up level of **NamePublisher**, This level enables you to ignore different app versions within your organization for a particular app. In other words, **NamePublisher** displays statistics about a given app, aggregated across all versions.
+
+The following table lists possible values for **ReadyForWindows** and what they mean. For more information, see [What does the Adoption Status mean?](https://developer.microsoft.com/en-us/windows/ready-for-windows#/faq/?scrollTo=faqStatuses)
+
+| Ready for Windows Status | Query rollup level | What this means | Guidance |
+|-------------------|--------------------------|-----------------|----------|
+|Supported version available | Granular | The software provider has declared support for one or more versions of this application on Windows 10. | The ISV has declared support for a version of this application on Windows 10. |
+| Highly adopted | Granular | This version of this application has been highly adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 100,000 commercial Windows 10 devices. |
+| Adopted | Granular | This version of this application has been adopted within the Windows 10 Enterprise ecosystem. | This application has been installed on at least 10,000 commercial Windows 10 devices. |
+| Insufficient Data | Granular | Too few commercial Windows 10 devices are sharing information about this version of this application for Microsoft to categorize its adoption. | N/A |
+| Contact developer | Granular | There may be compatibility issues with this version of the application, so Microsoft recommends contacting the software provider to learn more. | Check [Ready for Windows](https://www.readyforwindows.com/) for additional information.|
+|Supported version available | NamePublisher | The software provider has declared support for this application on Windows 10. 
| The ISV has declared support for a version of this application on Windows 10.|
+|Adoption status available | NamePublisher | A Ready for Windows adoption status is available for one or more versions of this application. Please check Ready for Windows to learn more. |Check [Ready for Windows](https://www.readyforwindows.com/) for adoption information for this application.|
+| Unknown | Any | There is no Ready for Windows information available for this version of this application. Information may be available for other versions of the application at [Ready for Windows](https://www.readyforwindows.com/). | N/A |
+
+## Review applications with no known issues
+
+Applications with no issues known to Microsoft are listed, grouped by upgrade decision.
+
+![Review applications with no known issues](images/upgrade-analytics-apps-no-known-issues.png)
+
+Applications with no known issues that are installed on 2% or less of your total computer inventory \[number of computers application is installed on/total number of computers in your inventory\] are automatically marked **Ready to upgrade** and included in the applications reviewed count. Applications with no known issues that are installed on more than 2% of your total computer inventory are automatically marked **Not reviewed**.
+
+Be sure to review low install count applications for any business critical or important applications that may not yet be upgrade-ready, despite their low installation rates.
+
+To change an application's upgrade decision:
+
+1. Select **Decide upgrade readiness** to view applications with issues. Select **Table** to view the list in a table.
+
+2. Select **User changes** to change the upgrade decision for each application.
+
+3. Select the applications you want to change to a specific upgrade decision and then then select the appropriate option from the **Select upgrade decision** list.
+
+4. Click **Save** when finished. 
+
+## Review drivers with known issues
+
+Drivers that won’t migrate to the new operating system are listed, grouped by availability.
+
+![Review drivers with known issues](images/upgrade-analytics-drivers-known.png)
+
+Availability categories are explained in the table below.
+
+| Driver availability | Action required before or after upgrade? | What it means | Guidance |
+|-----------------------|------------------------------------------|----------------|--------------|
+| Available in-box | No, for awareness only | The currently installed version of an application or driver won’t migrate to the new operating system; however, a compatible version is installed with the new operating system.
    | No action is required for the upgrade to proceed. |
+| Import from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system; however, a compatible version is available from Windows Update.
    | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
    |
+| Available in-box and from Windows Update | Yes | The currently installed version of a driver won’t migrate to the new operating system.

    Although a new driver is installed during upgrade, a newer version is available from Windows Update.
    | If the computer automatically receives updates from Windows Update, no action is required. Otherwise, import a new driver from Windows Update after upgrading.
    |
+| Check with vendor | Yes | The driver won’t migrate to the new operating system and we are unable to locate a compatible version.
    | Check with the independent hardware vendor (IHV) who manufactures the driver for a solution. |
+
+To change a driver’s upgrade decision:
+
+1. Select **Decide upgrade readiness** and then select the group of drivers you want to review. Select **Table** to view the list in a table.
+
+2. Select **User changes** to enable user input.
+
+3. Select the drivers you want to change to a specific upgrade decision and then select the appropriate option from the **Select upgrade decision** list.
+
+4. Click **Save** when finished.
+
diff --git a/windows/deploy/upgrade-readiness-upgrade-overview.md b/windows/deploy/upgrade-readiness-upgrade-overview.md
new file mode 100644
index 0000000000..bf09694a38
--- /dev/null
+++ b/windows/deploy/upgrade-readiness-upgrade-overview.md 
@@ -0,0 +1,68 @@
+---
+title: Upgrade Readiness - Upgrade Overview (Windows 10)
+description: Displays the total count of computers sharing data and upgraded.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Upgrade Readiness - Upgrade overview
+
+The first blade in the Upgrade Readiness solution is the upgrade overview blade. This blade displays the total count of computers sharing data with Microsoft, and the count of computers upgraded. As you successfully upgrade computers, the count of computers upgraded increases.
+
+The upgrade overivew blade displays data refresh status, including the date and time of the most recent data update and whether user changes are reflected. The upgrade overview blade also displays the current target OS version. For more information about the target OS version, see [target version](use-upgrade-readiness-to-manage-windows-upgrades.md).
+
+The following color-coded status changes are reflected on the upgrade overview blade:
+
+- The "Last updated" banner:
+ - No delay in processing device inventory data = "Last updated" banner is displayed in green.
+ - Delay processing device inventory data = "Last updated" banner is displayed in amber.
+- Computers with incomplete data:
+ - Less than 4% = Count is displayed in green.
+ - 4% - 10% = Count is displayed in amber.
+ - Greater than 10% = Count is displayed in red.
+- Computers with outdated KB:
+ - Less than 10% = Count is displayed in green.
+ - 10% - 30% = Count is displayed in amber.
+ - Greater than 30% = Count is displayed in red.
+- User changes:
+ - Pending user changes = User changes count displays "Data refresh pending" in amber.
+ - No pending user changes = User changes count displays "Up to date" in green.
+- Target version:
+ - If the current value matches the recommended value, the version is displayed in green.
+ - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
+ - If the current value is a deprecated OS version, the version is displayed in red.
+
+Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
+
+In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
+
+![Upgrade overview](images/ur-overview.png)
+
+
+
+If data processing is delayed, you can continue using your workspace as normal. However, any changes or additional information that is added might not be displayed. Data is typically refreshed and the display will return to normal again within 24 hours.
+
+If there are computers with incomplete data, verify that you have installed the latest compatibilty update and run the most recent [Update Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the Microsoft download center.
+
+Select **Total computers** for a list of computers and details about them, including:
+
+- Computer ID and computer name
+- Computer manufacturer
+- Computer model
+- Operating system version and build
+- Count of system requirement, application, and driver issues per computer
+- Upgrade assessment based on analysis of computer telemetry data
+- Upgrade decision status
+
+Select **Total applications** for a list of applications discovered on user computers and details about them, including:
+
+- Application vendor
+- Application version
+- Count of computers the application is installed on
+- Count of computers that opened the application at least once in the past 30 days
+- Percentage of computers in your total computer inventory that opened the application in the past 30 days
+- Issues detected, if any
+- Upgrade assessment based on analysis of application data
+- Rollup level
\ No newline at end of file
diff --git a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
index 1739910931..4df01c9022 100644
--- a/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
+++ b/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager.md
@@ -1,6 +1,6 @@
 ---
-title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10)
-description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
+title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10)
+description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
 ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
 keywords: upgrade, update, task sequence, deploy
 ms.prod: w10
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
 author: mtniehaus
 ---
-# Upgrade to Windows 10 with System Center Configuration Manager
+# Perform an in-place upgrade to Windows 10 using Configuration Manager
 **Applies to**
diff --git a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index a57de8573f..4deadb668f 100644
--- a/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -1,5 +1,5 @@
 ---
-title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
+title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
 description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
 ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
 keywords: upgrade, update, task sequence, deploy
@@ -11,7 +11,7 @@ ms.pagetype: mdt
 author: mtniehaus
 ---
-# Upgrade to Windows 10 with the Microsoft Deployment Toolkit
+# Perform an in-place upgrade to Windows 10 with MDT
 **Applies to**
 - Windows 10
@@ -28,7 +28,7 @@ Figure 1. The machines used in this topic.
 ## Set up the upgrade task sequence
-MDT 2013 Update 2 adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
+MDT adds support for Windows 10 deployment, including a new in-place upgrade task sequence template that makes the process really simple.
 ## Create the MDT production deployment share
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
index 65fb7d646b..e7e0a319ae 100644
--- a/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
+++ b/windows/deploy/use-orchestrator-runbooks-with-mdt-2013.md
@@ -1,174 +1,4 @@
 ---
 title: Use Orchestrator runbooks with MDT (Windows 10)
-description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
-keywords: web services, database
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.sitesec: library
-ms.pagetype: mdt
-author: mtniehaus
+redirect_url: use-orchestrator-runbooks-with-mdt
 ---
-
-# Use Orchestrator runbooks with MDT
-
-This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
-MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
-
-**Note**  
-If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
- 
-## Orchestrator terminology
-
-Before diving into the core details, here is a quick course in Orchestrator terminology:
-- **Orchestrator Server.** This is a server that executes runbooks.
-- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
-- **Orchestrator Designer.** This is where you build the runbooks. 
In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
-- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
-- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
-- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
-- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
-
-**Note**  
-To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
- 
-## Create a sample runbook
-
-This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
-
-1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
-2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
- **Note**  
- Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
-  
- ![figure 23](images/mdt-09-fig23.png)
-
- Figure 23. The DeployLog.txt file.
-
-3. 
Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
-
- ![figure 24](images/mdt-09-fig24.png)
-
- Figure 24. Folder created in the Runbooks node.
-
-4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
-5. On the ribbon bar, click **Check Out**.
-6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
-7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
- 1. Runbook Control / Initialize Data
- 2. Text File Management / Append Line
-8. Connect **Initialize Data** to **Append Line**.
-
- ![figure 25](images/mdt-09-fig25.png)
-
- Figure 25. Activities added and connected.
-
-9. Right-click the **Initialize Data** activity, and select **Properties**
-10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
-
- ![figure 26](images/mdt-09-fig26.png)
-
- Figure 26. The Initialize Data Properties window.
-
-11. Right-click the **Append Line** activity, and select **Properties**.
-12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
-13. In the **File** encoding drop-down list, select **ASCII**.
-14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
-
- ![figure 27](images/mdt-09-fig27.png)
-
- Figure 27. Expanding the Text area.
-
-15. In the blank text box, right-click and select **Subscribe / Published Data**.
-
- ![figure 28](images/mdt-09-fig28.png)
-
- Figure 28. Subscribing to data.
-
-16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
-17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
-18. 
In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
-
- ![figure 29](images/mdt-09-fig29.png)
-
- Figure 29. The expanded text box after all subscriptions have been added.
-
-19. On the **Append Line Properties** page, click **Finish**.
-## Test the demo MDT runbook
-After the runbook is created, you are ready to test it.
-1. On the ribbon bar, click **Runbook Tester**.
-2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
- - OSDComputerName: PC0010
-3. Verify that all activities are green (for additional information, see each target).
-4. Close the **Runbook Tester**.
-5. On the ribbon bar, click **Check In**.
-
-![figure 30](images/mdt-09-fig30.png)
-
-Figure 30. All tests completed.
-
-## Use the MDT demo runbook from MDT
-
-1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
-2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: OR001
- 2. Task sequence name: Orchestrator Sample
- 3. Task sequence comments: <blank>
- 4. Template: Custom Task Sequence
-3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
-4. Remove the default **Application Install** action.
-5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
-6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
- 1. Name: Set Task Sequence Variable
- 2. Task Sequence Variable: OSDComputerName
- 3. Value: %hostname%
-7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
- 1. 
Orchestrator Server: OR01.contoso.com
- 2. Use Browse to select **1.0 MDT / MDT Sample**.
-8. Click **OK**.
-
-![figure 31](images/mdt-09-fig31.png)
-
-Figure 31. The ready-made task sequence.
-
-## Run the orchestrator sample task sequence
-
-Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
-**Note**  
-Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
- 
-1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
-2. Using an elevated command prompt (run as Administrator), type the following command:
-
- ``` syntax
- cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
- ```
-3. Complete the Windows Deployment Wizard using the following information:
- 1. Task Sequence: Orchestrator Sample
- 2. Credentials:
- 1. User Name: MDT\_BA
- 2. Password: P@ssw0rd
- 3. Domain: CONTOSO
-4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
-
-![figure 32](images/mdt-09-fig32.png)
-
-Figure 32. The ready-made task sequence.
-
-## Related topics
-
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
-
-[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
-
-[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-
-[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
-
-
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
-
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
diff --git a/windows/deploy/use-orchestrator-runbooks-with-mdt.md b/windows/deploy/use-orchestrator-runbooks-with-mdt.md
new file mode 100644
index 0000000000..ceb7766904
--- /dev/null
+++ b/windows/deploy/use-orchestrator-runbooks-with-mdt.md
@@ -0,0 +1,174 @@
+---
+title: Use Orchestrator runbooks with MDT (Windows 10)
+description: This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+ms.assetid: 68302780-1f6f-4a9c-9407-b14371fdce3f
+keywords: web services, database
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.sitesec: library
+ms.pagetype: mdt
+author: mtniehaus
+---
+
+# Use Orchestrator runbooks with MDT
+
+This topic will show you how to integrate Microsoft System Center 2012 R2 Orchestrator with MDT to replace the existing web services that are used in deployment solutions.
+MDT can integrate with System Center 2012 R2 Orchestrator, which is a component that ties the Microsoft System Center products together, as well as other products from both Microsoft and third-party vendors. The difference between using Orchestrator and "normal" web services, is that with Orchestrator you have a rich drag-and-drop style interface when building the solution, and little or no coding is required.
+
+**Note**  
+If you are licensed to use Orchestrator, we highly recommend that you start using it. To find out more about licensing options for System Center 2012 R2 and Orchestrator, visit the [System Center 2012 R2](https://go.microsoft.com/fwlink/p/?LinkId=619553) website.
+ 
+## Orchestrator terminology
+
+Before diving into the core details, here is a quick course in Orchestrator terminology:
+- **Orchestrator Server.** This is a server that executes runbooks.
+- **Runbooks.** A runbook is similar to a task sequence; it is a series of instructions based on conditions. Runbooks consist of workflow activities; an activity could be Copy File, Get User from Active Directory, or even Write to Database.
+- **Orchestrator Designer.** This is where you build the runbooks. 
In brief, you do that by creating an empty runbook, dragging in the activities you need, and then connecting them in a workflow with conditions and subscriptions.
+- **Subscriptions.** These are variables that come from an earlier activity in the runbook. So if you first execute an activity in which you type in a computer name, you can then subscribe to that value in the next activity. All these variables are accumulated during the execution of the runbook.
+- **Orchestrator Console.** This is the Microsoft Silverlight-based web page you can use interactively to execute runbooks. The console listens to TCP port 81 by default.
+- **Orchestrator web services.** These are the web services you use in the Microsoft Deployment Toolkit to execute runbooks during deployment. The web services listen to TCP port 82 by default.
+- **Integration packs.** These provide additional workflow activities you can import to integrate with other products or solutions, like the rest of Active Directory, other System Center 2012 R2 products, or Microsoft Exchange Server, to name a few.
+
+**Note**  
+To find and download additional integration packs, see [Integration Packs for System Center 2012 - Orchestrator](https://go.microsoft.com/fwlink/p/?LinkId=619554).
+ 
+## Create a sample runbook
+
+This section assumes you have Orchestrator 2012 R2 installed on a server named OR01. In this section, you create a sample runbook, which is used to log some of the MDT deployment information into a text file on OR01.
+
+1. On OR01, using File Explorer, create the **E:\\Logfile** folder, and grant Users modify permissions (NTFS).
+2. In the **E:\\Logfile** folder, create the DeployLog.txt file.
+ **Note**  
+ Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
+  
+ ![figure 23](images/mdt-09-fig23.png)
+
+ Figure 23. The DeployLog.txt file.
+
+3. 
Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
+
+ ![figure 24](images/mdt-09-fig24.png)
+
+ Figure 24. Folder created in the Runbooks node.
+
+4. In the **Runbooks** node, right-click the **1.0 MDT** folder, and select **New / Runbook**.
+5. On the ribbon bar, click **Check Out**.
+6. Right-click the **New Runbook** label, select **Rename**, and assign the name **MDT Sample**.
+7. Add (using a drag-and-drop operation) the following items from the **Activities** list to the middle pane:
+ 1. Runbook Control / Initialize Data
+ 2. Text File Management / Append Line
+8. Connect **Initialize Data** to **Append Line**.
+
+ ![figure 25](images/mdt-09-fig25.png)
+
+ Figure 25. Activities added and connected.
+
+9. Right-click the **Initialize Data** activity, and select **Properties**
+10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
+
+ ![figure 26](images/mdt-09-fig26.png)
+
+ Figure 26. The Initialize Data Properties window.
+
+11. Right-click the **Append Line** activity, and select **Properties**.
+12. On the **Append Line Properties** page, in the **File** text box, type **E:\\Logfile\\DeployLog.txt**.
+13. In the **File** encoding drop-down list, select **ASCII**.
+14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
+
+ ![figure 27](images/mdt-09-fig27.png)
+
+ Figure 27. Expanding the Text area.
+
+15. In the blank text box, right-click and select **Subscribe / Published Data**.
+
+ ![figure 28](images/mdt-09-fig28.png)
+
+ Figure 28. Subscribing to data.
+
+16. In the **Published Data** window, select the **OSDComputerName** item, and click **OK**.
+17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
+18. 
In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
+
+ ![figure 29](images/mdt-09-fig29.png)
+
+ Figure 29. The expanded text box after all subscriptions have been added.
+
+19. On the **Append Line Properties** page, click **Finish**.
+## Test the demo MDT runbook
+After the runbook is created, you are ready to test it.
+1. On the ribbon bar, click **Runbook Tester**.
+2. Click **Run**, and in the **Initialize Data Parameters** dialog box, use the following setting and then click **OK**:
+ - OSDComputerName: PC0010
+3. Verify that all activities are green (for additional information, see each target).
+4. Close the **Runbook Tester**.
+5. On the ribbon bar, click **Check In**.
+
+![figure 30](images/mdt-09-fig30.png)
+
+Figure 30. All tests completed.
+
+## Use the MDT demo runbook from MDT
+
+1. On MDT01, using the Deployment Workbench, in the MDT Production deployment share, select the **Task Sequences** node, and create a folder named **Orchestrator**.
+2. Right-click the **Orchestrator** node, and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
+ 1. Task sequence ID: OR001
+ 2. Task sequence name: Orchestrator Sample
+ 3. Task sequence comments: <blank>
+ 4. Template: Custom Task Sequence
+3. In the **Orchestrator** node, double-click the **Orchestrator Sample** task sequence, and then select the **Task Sequence** tab.
+4. Remove the default **Application Install** action.
+5. Add a **Gather** action and select the **Gather only local data (do not process rules)** option.
+6. After the **Gather** action, add a **Set Task Sequence Variable** action with the following settings:
+ 1. Name: Set Task Sequence Variable
+ 2. Task Sequence Variable: OSDComputerName
+ 3. Value: %hostname%
+7. After the **Set Task Sequence Variable** action, add a new **Execute Orchestrator Runbook** action with the following settings:
+ 1. 
Orchestrator Server: OR01.contoso.com
+ 2. Use Browse to select **1.0 MDT / MDT Sample**.
+8. Click **OK**.
+
+![figure 31](images/mdt-09-fig31.png)
+
+Figure 31. The ready-made task sequence.
+
+## Run the orchestrator sample task sequence
+
+Since this task sequence just starts a runbook, you can test this on the PC0001 client that you used for the MDT simulation environment.
+**Note**  
+Make sure the account you are using has permissions to run runbooks on the Orchestrator server. For more information about runbook permissions, see [Runbook Permissions](https://go.microsoft.com/fwlink/p/?LinkId=619555).
+ 
+1. On PC0001, log on as **CONTOSO\\MDT\_BA**.
+2. Using an elevated command prompt (run as Administrator), type the following command:
+
+ ``` syntax
+ cscript \\MDT01\MDTProduction$\Scripts\Litetouch.vbs
+ ```
+3. Complete the Windows Deployment Wizard using the following information:
+ 1. Task Sequence: Orchestrator Sample
+ 2. Credentials:
+ 1. User Name: MDT\_BA
+ 2. Password: P@ssw0rd
+ 3. Domain: CONTOSO
+4. Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
+
+![figure 32](images/mdt-09-fig32.png)
+
+Figure 32. The ready-made task sequence.
+
+## Related topics
+
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
+
+[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
+
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
+
+[Simulate a Windows10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
+
+[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
+
+
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
+
+[Use web services in MDT](use-web-services-in-mdt.md)
diff --git a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 38ae49c0e7..b2bed4243a 100644
--- a/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deploy/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -77,16 +77,16 @@ Figure 11. Adding the PC00075 computer to the database.
 ## Related topics
-[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md)
+[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
 [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)
-[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md)
+[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md)
 [Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md)
-[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md)
+[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
-[Use web services in MDT](use-web-services-in-mdt-2013.md)
+[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)
+[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md)
diff --git a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
index 3b686e8dae..3d23267aa8 100644
--- a/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
+++ b/windows/deploy/use-upgrade-analytics-to-manage-windows-upgrades.md
@@ -1,52 +1,4 @@
 ---
 title: Use Upgrade Analytics to manage Windows upgrades (Windows 10)
-description: Describes how to use Upgrade Analytics to manage Windows upgrades.
-ms.prod: w10
-author: greg-lindsay
+redirect_url: use-upgrade-readiness-to-manage-windows-upgrades
 ---
-
-# Use Upgrade Analytics to manage Windows upgrades
-
-You can use Upgrade Analytics to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Analytics enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
-
-- Based on telemetry data from user computers, Upgrade Analytics identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
-- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
-
-When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
-
-![Workflow](images/ua-cg-15.png)
-
-Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step.
-
->**Important**: You can use the [Target OS](#target-os) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Analytics workflow. By default, the Target OS is configured to the released version of Windows 10 for the Current Branch for Business (CBB).
-
-The following information and workflow is provided:
-
-- [Upgrade overview](upgrade-analytics-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
-- [Step 1: Identify important apps](upgrade-analytics-identify-apps.md): Assign importance levels to prioritize your applications.
-- [Step 2: Resolve issues](upgrade-analytics-resolve-issues.md): Identify and resolve problems with applications.
-- [Step 3: Deploy](upgrade-analytics-deploy-windows.md): Start the upgrade process.
-
-Also see the following topic for information about additional items that can be affected by the upgrade process:
-
-- [Additional insights](upgrade-analytics-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
-
-## Target OS
-
-The target OS setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version.
-
-As mentioned previously, the default target OS in Upgrade Analytics is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target OS setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
-
-The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target OS. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Analytics is based on the target OS version.
-
-You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1610.
-
-To change the target OS setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Analytics solution:
-
-![Target OS](images/ua-cg-08.png)
-
->You must be signed in to Upgrade Analytics as an administrator to view settings.
-
-On the **Upgrade Analytics Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target OS setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
-
-![Target OS](images/ua-cg-09.png)
diff --git a/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
new file mode 100644
index 0000000000..21ff12135a
--- /dev/null
+++ b/windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
@@ -0,0 +1,54 @@
+---
+title: Use Upgrade Readiness to manage Windows upgrades (Windows 10)
+description: Describes how to use Upgrade Readiness to manage Windows upgrades.
+ms.prod: w10
+author: greg-lindsay
+---
+
+# Use Upgrade Readiness to manage Windows upgrades
+
+You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that you’ve addressed potential blocking issues.
+
+- Based on telemetry data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organization’s upgrade readiness.
+- Information is refreshed daily so you can monitor upgrade progress. Any changes your team makes, such as assigning application importance and marking applications as ready to upgrade, are reflected 24 hours after you make them.
+
+When you are ready to begin the upgrade process, a workflow is provided to guide you through critical high-level tasks.
+
+![Workflow](images/ua-cg-15.png)
+
+Each step in the workflow is enumerated using blue tiles. Helpful data is provided on white tiles to help you get started, to monitor your progress, and to complete each step.
+
+>**Important**: You can use the [Target version](#target-version) setting to evaluate computers that are runnign a specified version of Windows before starting the Upgrade Readiness workflow. By default, the Target version is configured to the released version of Windows 10 for the Current Branch for Business (CBB).
+
+The following information and workflow is provided:
+
+- [Upgrade overview](upgrade-readiness-upgrade-overview.md): Review compatibility and usage information about computers, applications, and drivers.
+- [Step 1: Identify important apps](upgrade-readiness-identify-apps.md): Assign importance levels to prioritize your applications.
+- [Step 2: Resolve issues](upgrade-readiness-resolve-issues.md): Identify and resolve problems with applications.
+- [Step 3: Deploy](upgrade-readiness-deploy-windows.md): Start the upgrade process.
+
+Also see the following topic for information about additional items that can be affected by the upgrade process:
+
+- [Additional insights](upgrade-readiness-additional-insights.md): Find out which MS Office add-ins are installed, and review web site activity.
+
+## Target version
+
+The target version setting is used to evaluate the number of computers that are already running the default version of Windows 10, or a later version. The target version of Windows 10 is displayed on the upgrade overview tile. See the following example:
+
+![Target version](images/ur-target-version.png)
+
+As mentioned previously, the default target version in Upgrade Readiness is set to the released version of the Current Branch for Business (CBB). CBB can be determined by reviewing [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). The target version setting is used to evaluate the number of computers that are already running this version of Windows, or a later version.
+
+The number displayed under **Computers upgraded** in the Upgrade Overview blade is the total number of computers that are already running the same or a later version of Windows compared to the target version. It also is used in the evaluation of apps and drivers: Known issues and guidance for the apps and drivers in Upgrade Readiness is based on the target operating system version.
+
+You now have the ability to change the Windows 10 version you wish to target. The available options currently are: Windows 10 version 1507, Windows 10 version 1511, and Windows version 1607.
+
+To change the target version setting, click on **Solutions Settings**, which appears at the top when you open you Upgrade Readiness solution:
+
+![Target version](images/ua-cg-08.png)
+
+>You must be signed in to Upgrade Readiness as an administrator to view settings.
+
+On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
+
+![Target version](images/ur-settings.png)
diff --git a/windows/deploy/use-web-services-in-mdt-2013.md b/windows/deploy/use-web-services-in-mdt-2013.md
index 33f1c9a3a7..6d885294e6
--- a/windows/deploy/use-web-services-in-mdt-2013.md
+++ b/windows/deploy/use-web-services-in-mdt-2013.md
@@ -1,132 +1,6 @@
 ---
 title: Use web services in MDT (Windows 10)
-description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
-ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
-keywords: deploy, web apps
-ms.prod: w10
-ms.mktglfcycl: deploy
-localizationpriority: high
-ms.pagetype: mdt
-ms.sitesec: library
-author: mtniehaus
+redirect_url: use-web-services-in-mdt
 ---
-# Use web services in MDT
-
-In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
-Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
-
-## Create a sample web service
-
-In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects.
-1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
-2. On the ribbon bar, verify that Release is selected.
-3. In the **Debug** menu, select the **Build MDTSample** action.
-4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
-5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
-6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
- 1. Web.config
- 2. mdtsample.asmx
-
-![figure 15](images/mdt-09-fig15.png)
-
-Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
-
-## Create an application pool for the web service
-
-This section assumes that you have enabled the Web Server (IIS) role on MDT01.
-1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
-2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**.
-3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
- 1. Name: MDTSample
- 2. .NET Framework version: .NET Framework 4.0.30319
- 3. Manage pipeline mode: Integrated
- 4. Select the **Start application pool immediately** check box.
- 5. Click **OK**.
-
-![figure 16](images/mdt-09-fig16.png)
-
-Figure 16. The new MDTSample application.
-
-## Install the web service
-
-1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
- 1. Alias: MDTSample
- 2. Application pool: MDTSample
- 3. Physical Path: E:\\MDTSample
-
- ![figure 17](images/mdt-09-fig17.png)
-
- Figure 17. Adding the MDTSample web application.
-
-2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
- 1. Anonymous Authentication: Enabled
- 2. ASP.NET Impersonation: Disabled
-
-![figure 18](images/mdt-09-fig18.png)
-
-Figure 18. Configuring Authentication for the MDTSample web service.
-
-## Test the web service in Internet Explorer
-
-1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
-2. Click the **GetComputerName** link.
-
- ![figure 19](images/mdt-09-fig19.png)
-
- Figure 19. The MDT Sample web service.
-3. On the **GetComputerName** page, type in the following settings, and click **Invoke**:
- 1. Model: Hewlett-Packard
- 2. SerialNumber: 123456789
-
-![figure 20](images/mdt-09-fig20.png)
-
-Figure 20. The result from the MDT Sample web service.
-
-## Test the web service in the MDT simulation environment
-
-After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
-
-1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
- ``` syntax
- [Settings]
- Priority=Default, GetComputerName
- [Default]
- OSInstall=YES
- [GetComputerName]
- WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName
- Parameters=Model,SerialNumber
- OSDComputerName=string
- ```
- ![figure 21](images/mdt-09-fig21.png)
-
- Figure 21. The updated CustomSettings.ini file.
-
-2. Save the CustomSettings.ini file.
-3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
- ``` syntax
- Set-Location C:\MDT
- .\Gather.ps1
- ```
-4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
-
-![figure 22](images/mdt-09-fig22.png)
-
-Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
- -## Related topics - -[Set up MDT for BitLocker](set-up-mdt-2013-for-bitlocker.md) - -[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) - -[Configure MDT for UserExit scripts](configure-mdt-2013-for-userexit-scripts.md) - -[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) - -[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) - -[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt-2013.md) - -[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt-2013.md)   \ No newline at end of file diff --git a/windows/deploy/use-web-services-in-mdt.md b/windows/deploy/use-web-services-in-mdt.md new file mode 100644 index 0000000000..a7f2ce0996 --- /dev/null +++ b/windows/deploy/use-web-services-in-mdt.md 
@@ -0,0 +1,132 @@
+---
+title: Use web services in MDT (Windows 10)
+description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment.
+ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522
+keywords: deploy, web apps
+ms.prod: w10
+ms.mktglfcycl: deploy
+localizationpriority: high
+ms.pagetype: mdt
+ms.sitesec: library
+author: mtniehaus
+---
+
+# Use web services in MDT
+
+In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. Web services provide a powerful way to assign settings during a deployment. Simply put, web services are web applications that run code on the server side, and MDT has built-in functions to call these web services.
+Using a web service in MDT is straightforward, but it does require that you have enabled the Web Server (IIS) role on the server. Developing web services involves a little bit of coding, but for most web services used with MDT, you can use the free Microsoft Visual Studio Express 2013 for Web.
+
+## Create a sample web service
+
+In these steps we assume you have installed Microsoft Visual Studio Express 2013 for Web on PC0001 (the Windows 10 client) and downloaded the [MDT Sample Web Service](https://go.microsoft.com/fwlink/p/?LinkId=619363) from the Microsoft Download Center and extracted it to C:\\Projects.
+1. On PC0001, using Visual Studio Express 2013 for Web, open the C:\\Projects\\MDTSample\\ MDTSample.sln solution file.
+2. On the ribbon bar, verify that Release is selected.
+3. In the **Debug** menu, select the **Build MDTSample** action.
+4. On MDT01, create a folder structure for **E:\\MDTSample\\bin**.
+5. From PC0001, copy the C:\\Projects\\MDTSample\\obj\\Release\\MDTSample.dll file to the **E:\\MDTSample\\bin** folder on MDT01.
+6. From PC0001, copy the following files from C:\\Projects\\MDTSample file to the **E:\\MDTSample** folder on MDT01:
+ 1. Web.config
+ 2. mdtsample.asmx
+
+![figure 15](images/mdt-09-fig15.png)
+
+Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
+
+## Create an application pool for the web service
+
+This section assumes that you have enabled the Web Server (IIS) role on MDT01.
+1. On MDT01, using Server Manager, install the **IIS Management Console** role (available under Web Server (IIS) / Management Tools).
+2. Using Internet Information Services (IIS) Manager, expand the **MDT01 (CONTOSO\\Administrator)** node. If prompted with the "Do you want to get started with Microsoft Web Platform?" question, select the **Do not show this message** check box and then click **No**.
+3. Right-click **Application Pools**, select **Add Application Pool**, and configure the new application pool with the following settings:
+ 1. Name: MDTSample
+ 2. .NET Framework version: .NET Framework 4.0.30319
+ 3. Manage pipeline mode: Integrated
+ 4. Select the **Start application pool immediately** check box.
+ 5. Click **OK**.
+
+![figure 16](images/mdt-09-fig16.png)
+
+Figure 16. The new MDTSample application.
+
+## Install the web service
+
+1. On MDT01, using Internet Information Services (IIS) Manager, expand **Sites**, right-click **Default Web Site**, and select **Add Application**. Use the following settings for the application:
+ 1. Alias: MDTSample
+ 2. Application pool: MDTSample
+ 3. Physical Path: E:\\MDTSample
+
+ ![figure 17](images/mdt-09-fig17.png)
+
+ Figure 17. Adding the MDTSample web application.
+
+2. In the **Default Web Site** node, select the MDTSample web application, and in the right pane, double-click **Authentication**. Use the following settings for the **Authentication** dialog box:
+ 1. Anonymous Authentication: Enabled
+ 2. ASP.NET Impersonation: Disabled
+
+![figure 18](images/mdt-09-fig18.png)
+
+Figure 18. Configuring Authentication for the MDTSample web service.
+
+## Test the web service in Internet Explorer
+
+1. On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
+2. Click the **GetComputerName** link.
+
+ ![figure 19](images/mdt-09-fig19.png)
+
+ Figure 19. The MDT Sample web service.
+3. On the **GetComputerName** page, type in the following settings, and click **Invoke**:
+ 1. Model: Hewlett-Packard
+ 2. SerialNumber: 123456789
+
+![figure 20](images/mdt-09-fig20.png)
+
+Figure 20. The result from the MDT Sample web service.
+
+## Test the web service in the MDT simulation environment
+
+After verifying the web service using Internet Explorer, you are ready to do the same test in the MDT simulation environment.
+
+1. On PC0001, edit the CustomSettings.ini file in the **C:\\MDT** folder to look like the following:
+ ``` syntax
+ [Settings]
+ Priority=Default, GetComputerName
+ [Default]
+ OSInstall=YES
+ [GetComputerName]
+ WebService=http://mdt01/MDTSample/mdtsample.asmx/GetComputerName
+ Parameters=Model,SerialNumber
+ OSDComputerName=string
+ ```
+ ![figure 21](images/mdt-09-fig21.png)
+
+ Figure 21. The updated CustomSettings.ini file.
+
+2. Save the CustomSettings.ini file.
+3. Using an elevated Windows PowerShell prompt (run as Administrator), run the following commands. Press **Enter** after each command:
+ ``` syntax
+ Set-Location C:\MDT
+ .\Gather.ps1
+ ```
+4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
+
+![figure 22](images/mdt-09-fig22.png)
+
+Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
+ +## Related topics + +[Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md) + +[Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md) + +[Configure MDT for UserExit scripts](configure-mdt-for-userexit-scripts.md) + +[Simulate a Windows 10 deployment in a test environment](simulate-a-windows-10-deployment-in-a-test-environment.md) + +[Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md) + +[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md) + +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) +  \ No newline at end of file diff --git a/windows/deploy/windows-10-poc-mdt.md b/windows/deploy/windows-10-poc-mdt.md index 0c3696bbf9..7fa7c9fe5e 100644 --- a/windows/deploy/windows-10-poc-mdt.md +++ b/windows/deploy/windows-10-poc-mdt.md @@ -5,6 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt +localizationpriority: high author: greg-lindsay --- @@ -636,7 +638,7 @@ Also see [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.m ## Related Topics [Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
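Review bot: A security caveat is missing where the "Install the web service" section sets `Anonymous Authentication: Enabled` and the client is then pointed at `http://mdt01/MDTSample/mdtsample.asmx/GetComputerName` in CustomSettings.ini: the endpoint that hands out OSDComputerName is reachable without credentials over cleartext HTTP, which the topic never calls out as a lab-only shortcut. Because the response is written straight into OSDComputerName (Figure 22), anyone who can reach MDT01 can query or enumerate names, and an on-path attacker could presumably substitute the name a deploying machine receives. I would add, after the authentication step, a note along the lines of `> **Note**: Anonymous access over HTTP is used here only to keep the lab simple. For a production deployment share, bind the application to HTTPS, restrict it to the deployment network, and consider Windows authentication so that only the MDT deployment account can call it.` The same wording should go in the MDT01 walkthrough this commit redirects to from the `-2013` file, which is now only a stub.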
    -[Prepare for deployment with MDT 2013](prepare-for-windows-deployment-with-mdt-2013.md) +[Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md)   diff --git a/windows/deploy/windows-10-poc-sc-config-mgr.md b/windows/deploy/windows-10-poc-sc-config-mgr.md index 88cb0c3e43..ee7cfca73f 100644 --- a/windows/deploy/windows-10-poc-sc-config-mgr.md +++ b/windows/deploy/windows-10-poc-sc-config-mgr.md @@ -5,6 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm, configuration manager +localizationpriority: high author: greg-lindsay --- diff --git a/windows/deploy/windows-10-poc.md b/windows/deploy/windows-10-poc.md index ad11061479..e57ee7fbfe 100644 --- a/windows/deploy/windows-10-poc.md +++ b/windows/deploy/windows-10-poc.md @@ -5,6 +5,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy +keywords: deployment, automate, tools, configure, mdt, sccm +localizationpriority: high author: greg-lindsay --- diff --git a/windows/deploy/windows-10-upgrade-paths.md b/windows/deploy/windows-10-upgrade-paths.md index 0c5b8ff890..3fc038bdd6 100644 --- a/windows/deploy/windows-10-upgrade-paths.md +++ b/windows/deploy/windows-10-upgrade-paths.md 
@@ -21,9 +21,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can >**Windows 10 LTSB**: The upgrade paths displayed below do not apply to Windows 10 LTSB. In-place upgrade from Windows 7 or Windows 8.1 to Windows 10 LTSB is not supported. (Note that Windows 10 LTSB 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSB 2016 release, which will now only allow data-only and clean install options.) ->**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. - ->**Free upgrade**: The Windows 10 free upgrade offer expired on July 29, 2016. For more information, see [Free upgrade paths](#free-upgrade-paths). +>**Windows N/KN**: Windows "N" and "KN" editions follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. ✔ = Full upgrade is supported including personal data, settings, and applications.
    D = Edition downgrade; personal data is maintained, applications and settings are removed. @@ -334,77 +332,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar -## Free upgrade paths - -Windows 10 is offered as a free upgrade for the first year after launch of Windows 10, with the following restrictions: -- The offer expires on July 29th, 2016. -- The offer applies to devices connected to the Internet with Windows Update enabled. -- Upgrading to Windows 10 Pro requires a computer running the Pro or Ultimate version of Windows 7/8/8.1. -- Windows Phone 8.0 users must update to Windows 8.1 before upgrading to Windows 10 Mobile1. -- Editions that are excluded from the free upgrade offer include: Windows 7 Enterprise, Windows 8/8.1 Enterprise, and Windows RT/RT 8.12. - ->1The availability of Windows 10 Mobile for Windows 8.1 devices will vary by device manufacturer, device model, country or region, mobile operator or service provider, hardware limitations, and other factors. For a list of eligible phones and important info about the upgrade and Windows 10 Mobile, see [Windows 10 specifications](http://windows.com/specsmobile). - ->2Active Software Assurance customers in volume licensing have the benefit to upgrade to Windows 10 Enterprise outside of this offer. Windows 10 is not supported on devices running the RT versions of Windows 8. - -The following table summarizes the free upgrade paths to Windows 10. For a list of frequently asked questions about the free upgrade to Windows 10, see [Upgrade to Windows 10: FAQ](http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq). - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          FromTo
    Windows 7
    Windows 7 StarterWindows 10 Home
     Windows 7 Home Basic
     Windows 7 Home Premium
    Windows 7 ProfessionalWindows 10 Pro
     Windows 7 Ultimate
    Windows 8/8.1
    Windows Phone 8.1Windows 10 Mobile
    Windows 8/8.1Windows 10 Home
    Windows 8/8.1 ProWindows 10 Pro
     Windows 8/8.1 Pro for Students
    - ## Related Topics [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
    diff --git a/windows/deploy/windows-deployment-scenarios-and-tools.md b/windows/deploy/windows-deployment-scenarios-and-tools.md index 1a431a3040..997cf5b753 100644 --- a/windows/deploy/windows-deployment-scenarios-and-tools.md +++ b/windows/deploy/windows-deployment-scenarios-and-tools.md 
@@ -14,7 +14,7 @@ author: mtniehaus To successfully deploy the Windows 10 operating system and applications for your organization, it is essential that you know about the available tools to help with the process. In this topic, you will learn about the most commonly used tools for Windows 10 deployment. -Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT) 2013 Update 1](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution. +Microsoft provides many tools, services, and solutions. These tools include Windows Deployment Services (WDS), the Volume Activation Management Tool (VAMT), the User State Migration Tool (USMT), Windows System Image Manager (Windows SIM), Windows Preinstallation Environment (Windows PE), and Windows Recovery Environment (Windows RE). Keep in mind that these are just tools and not a complete solution on their own. It’s when you combine these tools with solutions like [Microsoft Deployment Toolkit (MDT)](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) or [Microsoft System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) that you get the complete deployment solution. In this topic, you also learn about different types of reference images that you can build, and why reference images are beneficial for most organizations 
@@ -184,23 +184,23 @@ Also, there are a few new features related to TFTP performance: Figure 10. TFTP changes are now easy to perform. -## Microsoft Deployment Toolkit 2013 Update 1 +## Microsoft Deployment Toolkit -MDT 2013 Update 1 is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution. +MDT is a free deployment solution from Microsoft. It provides end-to-end guidance, best practices, and tools for planning, building, and deploying Windows operating systems. MDT builds on top of the core deployment tools in the Windows ADK by contributing guidance, reducing complexity, and adding critical features for an enterprise-ready deployment solution. -MDT 2013 Update 1 has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager. +MDT has two main parts: the first is Lite Touch, which is a stand-alone deployment solution; the second is Zero Touch, which is an extension to System Center 2012 R2 Configuration Manager. **Note**   -Lite Touch and Zero Touch are marketing names for the two solutions that MDT 2013 supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT 2013 Update 1 solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information. +Lite Touch and Zero Touch are marketing names for the two solutions that MDT supports, and the naming has nothing to do with automation. You can fully automate the stand-alone MDT solution (Lite Touch), and you can configure the solution integration with Configuration Manager to prompt for information.   
![figure 11](images/mdt-11-fig13.png) -Figure 11. The Deployment Workbench in MDT 2013, showing a task sequence. +Figure 11. The Deployment Workbench in, showing a task sequence. -For more information on MDT 2013 Update 1, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center. +For more information on MDT, see the [Microsoft Deployment Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=618117) resource center. ## Microsoft Security Compliance Manager 2013 diff --git a/windows/images/W10-WaaS-poster.PNG b/windows/images/W10-WaaS-poster.PNG new file mode 100644 index 0000000000..d3887faf89 Binary files /dev/null and b/windows/images/W10-WaaS-poster.PNG differ diff --git a/windows/images/front-page-video.PNG b/windows/images/front-page-video.PNG new file mode 100644 index 0000000000..afe78e3564 Binary files /dev/null and b/windows/images/front-page-video.PNG differ diff --git a/windows/images/w10-configure.png b/windows/images/w10-configure.png new file mode 100644 index 0000000000..ebfef8d97b Binary files /dev/null and b/windows/images/w10-configure.png differ diff --git a/windows/images/w10-deploy.png b/windows/images/w10-deploy.png new file mode 100644 index 0000000000..d567f44f1d Binary files /dev/null and b/windows/images/w10-deploy.png differ diff --git a/windows/images/w10-evaluation.png b/windows/images/w10-evaluation.png new file mode 100644 index 0000000000..19d690b694 Binary files /dev/null and b/windows/images/w10-evaluation.png differ diff --git a/windows/images/w10-manage.png b/windows/images/w10-manage.png new file mode 100644 index 0000000000..9ace55b79b Binary files /dev/null and b/windows/images/w10-manage.png differ diff --git a/windows/images/w10-plan.png b/windows/images/w10-plan.png new file mode 100644 index 0000000000..045f85e914 Binary files /dev/null and b/windows/images/w10-plan.png differ 
diff --git a/windows/images/w10-secure.png b/windows/images/w10-secure.png new file mode 100644 index 0000000000..7799e94849 Binary files /dev/null and b/windows/images/w10-secure.png differ diff --git a/windows/images/w10-update.png b/windows/images/w10-update.png new file mode 100644 index 0000000000..876374904b Binary files /dev/null and b/windows/images/w10-update.png differ diff --git a/windows/images/w10-whatsnew-highlight.png b/windows/images/w10-whatsnew-highlight.png new file mode 100644 index 0000000000..b8534ef41d Binary files /dev/null and b/windows/images/w10-whatsnew-highlight.png differ diff --git a/windows/images/w10-whatsnew.png b/windows/images/w10-whatsnew.png new file mode 100644 index 0000000000..cc040c45aa Binary files /dev/null and b/windows/images/w10-whatsnew.png differ diff --git a/windows/index.md b/windows/index.md index 31050c6bd6..5935b2a3a7 100644 --- a/windows/index.md +++ b/windows/index.md @@ -9,32 +9,89 @@ author: brianlic-msft # Windows 10 and Windows 10 Mobile +This library provides the core content that IT pros need to evaluate, plan, deploy, secure and manage devices running Windows 10 or Windows 10 Mobile. -This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile. +

    +
    -## In this library + + + + + + + + + + + + + + +
    + + Read what's new in Windows 10 + +
    What's New? +
    + + Plan your Windows 10 enterprise deployment + +
    Plan +
    + + Deploy Windows 10 in your enterprise + +
    Deploy +
    + + Manage Windows 10 in your enterprise + +
    Manage +
    +
    + + Keep Windows 10 secure + +
    Keep Secure +
    +
    + + Configure Windows 10 in your enterprise + +
    Configure +
    +
    + + Update Windows 10 in your enterprise + +
    Update +
    +
    + + Try Windows 10 + +
    Try it +
    +## Get to know Windows as a Service (WaaS) + + + + + +
    Get to know Windows as a Service (WaaS)
    The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. -[What's new in Windows 10](whats-new/index.md) + These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. + + - Read more about Windows as a Service -[Plan for Windows 10 deployment](plan/index.md) - -[Deploy Windows 10](deploy/index.md) - -[Keep Windows 10 secure](keep-secure/index.md) - -[Manage and update Windows 10](manage/index.md) +
    ## Related topics - - [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009)   +   - - - - - diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 3a3d3bcda1..38d5a79370 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -3,7 +3,6 @@ ## [Windows Hello for Business](hello-identity-verification.md) ### [How Windows Hello for Business works](hello-how-it-works.md) ### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) ### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) ### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) ### [Windows Hello and password changes](hello-and-password-changes.md) 
@@ -22,7 +21,14 @@
 #### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md)
 #### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md)
 ### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md)
+## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
 ## [Protect derived domain credentials with Credential Guard](credential-guard.md)
+### [How Credential Guard works](credential-guard-how-it-works.md)
+### [Credential Guard Requirements](credential-guard-requirements.md)
+### [Manage Credential Guard](credential-guard-manage.md)
+### [Credential Guard protection limits](credential-guard-protection-limits.md)
+### [Considerations when using Credential Guard](credential-guard-considerations.md)
+### [Credential Guard: Additional mitigations](additional-mitigations.md)
 ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
 ## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md)
 ### [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
@@ -40,7 +46,10 @@
 #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
 #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md)
 #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md)
-#### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md)
+#### [Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md)
+## [Windows Defender SmartScreen](windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen-set-individual-device.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
 ## [VPN technical guide](vpn-guide.md)
@@ -152,6 +161,7 @@
 ###### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
 ##### [AppLocker Settings](applocker-settings.md)
 ### [BitLocker](bitlocker-overview.md)
+#### [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md)
 #### [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md)
 #### [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
 #### [BitLocker basic deployment](bitlocker-basic-deployment.md)
@@ -168,6 +178,7 @@
 ##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
 #### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
 ### [Encrypted Hard Drive](encrypted-hard-drive.md)
+### [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
 ### [Security auditing](security-auditing-overview.md)
 #### [Basic security audit policies](basic-security-audit-policies.md)
 ##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
@@ -572,7 +583,8 @@
 ###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
 ###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
 ###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
-###### [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
+###### [Interactive logon: Don't display username at sign-in](interactive-logon-dont-display-username-at-sign-in.md)
 ###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
 ###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
 ###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
@@ -722,6 +734,7 @@
 #### [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md)
 ### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
 #### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+#### [Preview features](preview-windows-defender-advanced-threat-protection.md)
 #### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
 #### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
 #### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
@@ -735,34 +748,116 @@
 ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
 #### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
 #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
-##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+##### [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
 ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+###### [Alert process tree](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
+###### [Incident graph](investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
+###### [Alert timeline](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
 ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
 ##### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
 ##### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+###### [Search for specific alerts](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
+###### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+##### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
 ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+##### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
+###### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+####### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+####### [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
+####### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package)
+####### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+####### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+####### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+####### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+####### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+#### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
+##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+###### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md)
+##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md)
+##### [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
+##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md)
+##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)
 #### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
-#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
-#### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
 #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
 #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
-#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
-### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
-#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
-#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
-#### [Windows Defender Offline in Windows 10](windows-defender-offline.md)
-#### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
-#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
-#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
-#### [Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)
-#### [Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)
-#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
+#### [Windows Defender Antivirus compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
+
+
+### [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
+#### [Windows Defender Antivirus and Advanced Threat Protection: Better together](windows-defender-antivirus-compatibility.md)
+#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
+#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
+###### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
+##### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
+##### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+###### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+###### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+#### [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
+##### [Utilize Microsoft cloud-provided protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+###### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+###### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+###### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
+###### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+###### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+##### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+###### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+###### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+##### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+###### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+###### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+###### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+#### [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+##### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+###### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
+##### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+##### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+##### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+##### [Configure and run scans](run-scan-windows-defender-antivirus.md)
+##### [Review scan results](review-scan-results-windows-defender-antivirus.md)
+##### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
+#### [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
+#### [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+##### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
+##### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
+##### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
+##### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
+##### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
 ### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 #### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
 #### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
@@ -875,7 +970,6 @@
 ## [Enterprise security guides](windows-10-enterprise-security-guides.md)
 ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
-### [Windows 10 security overview](windows-10-security-guide.md)
 ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
 ### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
 ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md)
diff --git a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md b/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md
deleted file mode 100644
index 0efd393b76..0000000000
--- a/windows/keep-secure/ad-ds-schema-extensions-to-support-tpm-backup.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: AD DS schema extensions to support TPM backup
-redirect_url: https://technet.microsoft.com/library/jj635854.aspx
----
-
diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
index 9176b41ff8..60a66db5c9 100644
--- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
+++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
@@ -14,7 +14,7 @@ localizationpriority: high # Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330). @@ -39,14 +39,14 @@ You can add apps to your Windows Information Protection (WIP) protected app list 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!NOTE] - >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. + >[!Note] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] + >[!Important] >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -67,8 +67,9 @@ You can add apps to your Windows Information Protection (WIP) protected app list ``` -15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.

    -After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. +15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**. + + After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. ## Add Desktop apps 1. Open the Local Security Policy snap-in (SecPol.msc). @@ -87,17 +88,17 @@ After saving the policy, you’ll need to deploy it to your employee’s devices 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!IMPORTANT] + >[!Important] >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. - >[!NOTE] - >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

    Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >[!Note] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

    If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

    Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] + >[!Important] >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. diff --git a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md b/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md deleted file mode 100644 index 1f2d6310fd..0000000000 --- a/windows/keep-secure/additional-configuration-windows-advanced-threat-protection.md +++ /dev/null 
@@ -1,7 +0,0 @@
- ---
- redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
- ---
-
-# Additional Windows Defender ATP configuration settings
-
-This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
diff --git a/windows/keep-secure/additional-mitigations.md b/windows/keep-secure/additional-mitigations.md
new file mode 100644
index 0000000000..706bdef10b
--- /dev/null
+++ b/windows/keep-secure/additional-mitigations.md
@@ -0,0 +1,612 @@
+---
+title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
+description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+#### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks.
Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+- Users need to be in domains that are running Windows Server 2012 R2 or higher
+- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+#### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+- Devices' accounts are in Windows Server 2012 domain functional level or higher.
+- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+ - KDC EKU present
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+##### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3. Right-click the new template, and then click **Properties**.
+4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5. Click **Client Authentication**, and then click **Remove**.
+6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+ - Name: Kerberos Client Auth
+ - Object Identifier: 1.3.6.1.5.2.3.4
+7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8. Under **Issuance Policies**, click**High Assurance**.
+9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]
+> You must restart the device after enrolling the machine authentication certificate.
+ 
+##### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+ ```
+
+**To link an issuance policy to a universal security group**
+
+- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
+ ```
+
+#### Restricting user sign on
+
+So we now have completed the following:
+
+- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
+- Mapped that policy to a universal security group or claim
+- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+- User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1. Open Active Directory Administrative Center.
+2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3. In the **Display name** box, enter a name for this authentication policy.
+4. Under the **Accounts** heading, click **Add**.
+5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
+6. Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12. Close Active Directory Administrative Center.
+
+> [!NOTE]
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+##### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events.
To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+### Appendix: Scripts
+
+Here is a list of scripts mentioned in this topic.
+
+#### Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:
+help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity 
+write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter.
+ 
+#### Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:
+help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist.
Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption: The group to which the Issuance Policy is going
+# to be linked is (or is going to be created) in
+# the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+## Find the OID object ##
+## (aka Issuance Policy) ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+## Find the container of the group ##
+#######################################
+if ($groupOU -eq
$null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+## Find the group ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice
-eq "yes") ) { +new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" +if ($?){ +$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName +write-host $tmp -ForegroundColor Green +}else{ +$tmp = $ErrorMsg.groupCreationError -f $groupName +write-host $tmp -ForeGroundColor Red +break +} +$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase +} +else { +break; +} +} +else { +$tmp = $ErrorMsg.GroupFound -f $group.Name +write-host $tmp -ForegroundColor Green +} +} +else { +##### +## If the group is not specified, we should remove the link if any exists +##### +if ($OID."msDS-OIDToGroupLink" -ne $null) { +$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" +write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline +$userChoice = read-host +if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { +set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" +if ($?) 
{
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+## Verify that the group is ##
+## Universal, Security, and ##
+## has no members ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+## We have verified everything. We ##
+## can create the link from the ##
+## Issuance Policy to the group. ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?)
{
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
diff --git a/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..1bcbb15c46
--- /dev/null
+++ b/windows/keep-secure/advanced-features-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,30 @@
+---
+title: Turn on advanced features in Windows Defender ATP
+description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection.
+keywords: advanced features, preferences setup, block file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+# Turn on advanced features in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+1. In the navigation pane, select **Preferences setup** > **Advanced features**.
+2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
+3. Click **Save preferences**.
+
+## Related topics
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
index 3a4746998e..921bf48bbb 100644
--- a/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -21,55 +21,99 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -As a security operations team member, you can manage Windows Defender ATP alerts as part of your routine activities. Alerts will appear in queues according to their current status. +The **Alerts queue** shows a list of alerts that were flagged from endpoints in your network. Alerts are displayed in queues according to their current status. In any of the queues, you'll see details such as the severity of alerts and the number of machines where the alerts were seen. + +Alerts are organized in queues by their workflow status or assignment: + +- **New** +- **In progress** +- **Resolved** +- **Assigned to me** To see a list of alerts, click any of the queues under the **Alerts queue** option in the navigation pane. > [!NOTE] > By default, the queues are sorted from newest to oldest. -The following table and screenshot demonstrate the main areas of the **Alerts queue**. +## Sort and filter the alerts +You can sort and filter the alerts by using the available filters or clicking columns that allows you to sort the view in ascending or descending order. -![Screenshot of the Dashboard showing the New Alerts list and navigation bar](images/alertsq2.png) +![Alerts queue with numbers](images/alerts-queue-numbered.png) Highlighted area|Area name|Description :---|:---|:--- -(1)|**Alerts queue**| Select to show **New**, **In Progress**, or **Resolved alerts** -(2)|Alerts|Each alert shows:

    • The severity of an alert as a colored bar
    • A short description of the alert, including the name of the threat actor (in cases where the attribution is possible)
    • The last occurrence of the alert on any machine
    • The number of days the alert has been in the queue
    • The severity of the alert
    • The general category or type of alert, or the alert's kill-chain stage
    • The affected machine (if there are multiple machines, the number of affected machines will be shown)
    • A **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) that allows you to update the alert's status and add comments
    Clicking an alert expands to display more information about the threat and brings you to the date in the timeline when the alert was detected. -(3)|Alerts sorting and filters | You can sort alerts by:
    • **Newest** (when the threat was last seen on your network)
    • **Time in queue** (how long the threat has been in your queue)
    • **Severity**
    You can also filter the displayed alerts by:
    • Severity
    • Time period
    See [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) for more details. +1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped. +2 | Alert selected | Select an alert to bring up the **Alert management** to manage and see details about the alert. +3 | Alert management pane | View and manage alerts without leaving the alerts queue view. -##Sort and filter the Alerts queue -You can filter and sort (or "pivot") the Alerts queue to identify specific alerts based on certain criteria. -There are three mechanisms to pivot the queue against: +### Sort, filter, and group the alerts list +You can use the following filters to limit the list of alerts displayed during an investigation: -1. Sort the queue by opening the drop-down menu in the **Sort by** field and choosing: +**Severity**
    - - **Newest** - Sorts alerts based on when the alert was last seen on an endpoint. - - **Time in queue** - Sorts alerts by the length of time an alert has been in the queue. - - **Severity** - Sorts alerts by their level of severity. +Alert severity | Description +:---|:--- +High
    (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints. +Medium
    (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. +Low
    (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. +Informational
    (Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of. -2. Filter alerts by their **Severity** by opening the drop-down menu in the **Filter by** field and selecting one or more of the check boxes: +Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints. - - High (Red) - Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints. - - Medium (Orange) - Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. - - Low (Yellow) - Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization. +**Detection source**
    +- Windows Defender AV +- Windows Defender ATP -3. Limit the queue to see alerts from various set periods by clicking the drop-down menu in the date range field (by default, this is selected as **6 months**): +>[!NOTE] +>The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product. - - **1 day** - - **3 days** - - **7 days** - - **30 days** - - **6 months** +**Time period**
    +- 1 day +- 3 days +- 7 days +- 30 days +- 6 months - > [!NOTE] - > You can change the sort order (for example, from most recent to least recent) by clicking the sort order icon ![the sort order icon looks like two arrows on top of each other](images/sort-order-icon.png) +**View**
    +- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. +- **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating alerts together. -### Related topics +The group view allows for efficient alert triage and management. + +### Use the Alert management pane +Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert. + +You can take immediate action on an alert and see details about an alert in the **Alert management** pane: + +- Change the status of an alert from new, to in progress, or resolved. +- Specify the alert classification from true alert or false alert. + Selecting true alert displays the **Determination** drop-down list to provide additional information about the true alert: + - APT + - Malware + - Security personnel + - Security testing + - Unwanted software + - Other +- Assign the alert to yourself if the alert is not yet assigned. +- View related activity on the machine. +- Add and view comments about the alert. + +>[!NOTE] +>You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section. + +### Bulk edit alerts +Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action. 
+
+![Alerts queue bulk edit](images/alerts-q-bulk.png)
+
+## Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..f0976431f1
--- /dev/null
+++ b/windows/keep-secure/api-portal-mapping-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,81 @@
+---
+title: Windows Defender ATP alert API fields
+description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
+keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Windows Defender ATP alert API fields
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
+
+
+## Alert API fields and portal mapping
+Field numbers match the numbers in the images below.
+
+Portal label | SIEM field name | Description
+:---|:---|:---
+1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
+2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/`
+3 | AlertTitle | Alert title
+4 | Actor | Actor name
+5 | AlertTime | Last time the alert was observed
+6 | Severity | Alert severity
+7 | Category | Alert category
+8 | Status in queue | Alert status in queue
+9 | ComputerDnsName| Computer DNS name and machine name
+10| IoaDefinitionId | (Internal only)

    ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title.

    **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
+11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
+12 | FileName | File name
+13 | FileHash | Sha1 of file observed
+14 | FilePath | File path
+15 | IpAddress | IP of the IOC (when relevant)
+16 | URL | URL of the IOC (when relevant)
+17 | FullId | (Internal only)

    Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
+18 | AlertPart | (Internal only)

    Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
+19 | LastProccesedTimeUtc | (Internal only)

    Time the alert was last processed in Windows Defender ATP.
+20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
+21 | ThreatCategory| Windows Defender AV threat category
+22 | ThreatFamily | Windows Defender AV family name
+23 | RemediationAction | Windows Defender AV threat category |
+24 | WasExecutingWhileDetected | Indicates if a file was running while being detected.
+25| RemediationIsSuccess | Indicates if an alert was successfully remediated.
+26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
+27 | Md5 | Md5 of file observed (when available)
+28 | Sha256 | Sha256 of file observed (when available)
+29 | ThreatName | Windows Defender AV threat name
+
+>[!NOTE]
+> Fields #21-29 are related to Windows Defender Antivirus alerts.
+
+![Image of actor profile with numbers](images/atp-actor.png)
+
+![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
+
+![Image of new alerts with numbers](images/atp-alert-source.png)
+
+![Image of machine timeline with numbers](images/atp-remediated-alert.png)
+
+![Image of file details](images/atp-file-details.png)
+
+
+## Related topics
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md
index 1f83aad42f..d436e1e7a7 100644
--- a/windows/keep-secure/app-behavior-with-wip.md +++ b/windows/keep-secure/app-behavior-with-wip.md @@ -6,13 +6,14 @@ ms.prod: w10 ms.mktglfcycl: explore ms.pagetype: security ms.sitesec: library +author: eross-msft localizationpriority: high --- # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile Windows Information Protection (WIP) classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data is encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or people will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. diff --git a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md index 129b49f08e..429ac0c65b 100644 --- a/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Assign user access to the Windows Defender Advanced Threat Protection portal +title: Assign user access to the Windows Defender ATP portal description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh 
@@ -22,10 +22,23 @@ localizationpriority: high - Office 365 - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). You can assign users with one of the following levels of permissions: +Windows Defender ATP users and access permissions are managed in Azure Active Directory (AAD). Use the following methods to assign security roles. + +## Assign user access using Azure PowerShell +You can assign users with one of the following levels of permissions: - Full access (Read and Write) - Read only access +### Before you begin +- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    + + > [!NOTE] + > You need to run the PowerShell cmdlets in an elevated command-line. + +- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). + + + **Full access**
    Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the “Security Administrator” or “Global Administrator” AAD built-in roles. @@ -36,13 +49,7 @@ They will not be able to change alert states, submit files for deep analysis or Assigning read only access rights requires adding the users to the “Security Reader” AAD built-in role. Use the following steps to assign security roles: -- Preparations: - - Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    - > [!NOTE] - > You need to run the PowerShell cmdlets in an elevated command-line. - -- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). - For **read and write** access, assign users to the security administrator role by using the following command: ```text Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" @@ -53,3 +60,21 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress “reader ``` For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). + +## Assign user access using the Azure portal + +1. Go to the [Azure portal](https://portal.azure.com). + +2. Select **Azure Active Directory**. + +3. Select **Manage** > **Users and groups**. + +4. Select **Manage** > **All users**. + +5. Search or select the user you want to assign the role to. + +6. Select **Manage** > **Directory role**. + +7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. + +![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) diff --git a/windows/keep-secure/bitlocker-countermeasures.md b/windows/keep-secure/bitlocker-countermeasures.md index 89261d666c..5cf31239ce 100644 --- a/windows/keep-secure/bitlocker-countermeasures.md +++ b/windows/keep-secure/bitlocker-countermeasures.md 
@@ -115,7 +115,11 @@ Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. -The purpose of ELAM is to load an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. +Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. + +Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps. + +To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. 
 This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. ELAM classifies drivers as follows:
diff --git a/windows/keep-secure/bitlocker-device-encryption-overview-windows-10.md b/windows/keep-secure/bitlocker-device-encryption-overview-windows-10.md
new file mode 100644
index 0000000000..5a323847e9
--- /dev/null
+++ b/windows/keep-secure/bitlocker-device-encryption-overview-windows-10.md
@@ -0,0 +1,134 @@
+---
+title: Overview of BitLocker and device encryption in Windows 10
+description: This topic provides an overview of how BitLocker and device encryption can help protect data on devices running Windows 10.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: Justinha
+---
+
+# Overview of BitLocker and device encryption in Windows 10
+
+**Applies to**
+- Windows 10
+
+This topic provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
+
+When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies.
+
+Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7.
+
+**Table 2. Data Protection in Windows 10 and Windows 7**
+
+| Windows 7 | Windows 10 |
+|---|---|
+| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

    Network Unlock allows PCs to start automatically when connected to the internal network. |
+| Users must contact the IT department to change their BitLocker PIN or password. | Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

    Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN. |
+| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
+| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
+| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
+| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds. |
+| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
+| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
+
+The sections that follow describe these improvements in more detail. Also see:
+
+- Additional description of improvements in BitLocker: see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511."
+- Introduction and requirements for BitLocker: see [BitLocker](bitlocker-overview.md).
+
+## Prepare for drive and file encryption
+
+The best type of security measures are transparent to the user during implementation and use.
Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid.
+Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 10 meets your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
+
+### TPM pre-provisioning
+
+In Windows 7, preparing the TPM for use offered a couple of challenges:
+
+* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows.
+* When you enable the TPM, it may require one or more restarts.
+
+Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
+
+Microsoft includes instrumentation in Windows 10 that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
+
+## Deploy hard drive encryption
+
+BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction.
Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
+With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10.
+
+## Device encryption
+
+Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption.
+
+Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
+
+* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state).
+* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created.
Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
+* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
+* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
+
+Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting:
+- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker
+- **Value**: PreventDeviceEncryption equal to True (1)
+- **Type**: REG\_DWORD
+
+Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available.
No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
+
+## Used Disk Space Only encryption
+
+BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused.
+But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
+Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
+
+## Encrypted hard drive support
+
+SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
+Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
+For more information about encrypted hard drives, see [Encrypted Hard Drive](encrypted-hard-drive.md).
+
+## Preboot information protection
+
+An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
+It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
+Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. 
Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md) and [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md).
+
+## Manage passwords and PINs
+
+When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
+
+Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
+Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, InstantGo devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. 
+For more information about how startup security works and the countermeasures that Windows 10 provides, see [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md).
+
+## Configure Network Unlock
+
+Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
+
+Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
+Network Unlock requires the following infrastructure:
+
+* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
+* A server running at least Windows Server 2012 with the Windows Deployment Services role
+* A server with the DHCP server role installed
+
+For more information about how to configure Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
+
+## Microsoft BitLocker Administration and Monitoring
+
+Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. 
MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
+
+* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
+* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
+* Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
+* Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
+* Enables end users to recover encrypted devices independently by using the Self-Service Portal.
+* Enables security officers to easily audit access to recovery key information.
+* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
+* Enforces the BitLocker encryption policy options that you set for your enterprise.
+* Integrates with existing management tools, such as System Center Configuration Manager.
+* Offers an IT-customizable recovery user experience.
+* Supports Windows 10.
+
+For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](https://technet.microsoft.com/windows/hh826072.aspx) on the MDOP TechCenter.
diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md
index 5761c7318a..e0f1bc14e9 100644
--- a/windows/keep-secure/bitlocker-frequently-asked-questions.md
+++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md
@@ -85,9 +85,9 @@ You should configure the startup options of your computer to have the hard disk
 ## Upgrading
-### Can I upgrade my Windows 7 or Windows 8 computer to Windows 10 with BitLocker enabled?
+### Can I upgrade to Windows 10 with BitLocker enabled?
-Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLocker**, and then and click **Suspend**. Suspending protection does not decrypt the drive; it disables the authentication mechanisms used by BitLocker and uses a clear key on the drive to enable access. After the upgrade has completed, open Windows Explorer, right-click the drive, and then click **Resume Protection**. This reapplies the BitLocker authentication methods and deletes the clear key.
+Yes.
 ### What is the difference between suspending and decrypting BitLocker?
@@ -97,44 +97,13 @@ Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLo
 ### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
-The following table lists what action you need to take before you perform an upgrade or update installation.
+No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
+Users need to suspend BitLocker for Non-Microsoft software updates, such as:
+
+- Computer manufacturer firmware updates
+- TPM firmware updates
+- Non-Microsoft application updates that modify boot components
-
    ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    Type of updateAction

    Windows Anytime Upgrade

    Decrypt

    Upgrade to Windows 10

    Suspend

    Non-Microsoft software updates, such as:

    -
      -
    • Computer manufacturer firmware updates

    • -
    • TPM firmware updates

    • -
    • Non-Microsoft application updates that modify boot components

    • -

    Suspend

    Software and operating system updates from Windows Update

    Nothing

-  > **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.  
 ## Deployment and administration
diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md
index 26cadf522b..252b46ba59 100644
--- a/windows/keep-secure/bitlocker-group-policy-settings.md
+++ b/windows/keep-secure/bitlocker-group-policy-settings.md
@@ -32,10 +32,12 @@ The following sections provide a comprehensive list of BitLocker Group Policy se
 The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
+- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#bkmk-hstioptout)
 - [Allow network unlock at startup](#bkmk-netunlock)
 - [Require additional authentication at startup](#bkmk-unlockpol1)
 - [Allow enhanced PINs for startup](#bkmk-unlockpol2)
 - [Configure minimum PIN length for startup](#bkmk-unlockpol3)
+- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
 - [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
 - [Configure use of passwords for operating system drives](#bkmk-ospw)
 - [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
@@ -85,9 +87,59 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) +### Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN + +This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

    Policy description

    With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support InstantGo or HSTI, while requiring PIN on older devices.

    Introduced

    Windows 10, version 1703

    Drive type

    Operating system drives

    Policy path

    Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives

    Conflicts

    This setting overrides the Require startup PIN with TPM option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware. + +

    When enabled

    Users on InstantGo and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.

    When disabled or not configured

    The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.

+  
+**Reference**
+
+The preboot authentication option Require startup PIN with TPM of the [Require additional authentication at startup](#bkmk-unlockpol1) policy is often enabled to help ensure security for older devices that do not support InstantGo.
+But visually impaired users have no audible way to know when to enter a PIN.
+This setting enables an exception to the PIN-required policy on secure hardware.
+
 ### Allow network unlock at startup
-This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
+This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
+This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. 
@@ -304,6 +356,24 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
 This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+### Disable new DMA devices when this computer is locked
+
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
+
+| | |
+|--------------------|----------------------|
+| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
+| Introduced | Windows 10, version 1703 |
+| Drive type | Operating system drives |
+| Policy path | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+| Conflicts | None |
+| When enabled | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
+| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
+
+**Reference**
+
+This policy setting is only enforced when BitLocker or device encyption is enabled.
+
 ### Disallow standard users from changing the PIN or password
 This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md
index e3d23d3102..d92c5e1cce 100644
--- a/windows/keep-secure/bitlocker-overview.md
+++ b/windows/keep-secure/bitlocker-overview.md
@@ -67,6 +67,7 @@ When installing the BitLocker optional component on a server you will also need
 | Topic | Description |
 | - | - |
+| [Overview of BitLocker and device encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker and device encryption can help protect data on devices running Windows 10. |
 | [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.md) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
 | [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. |
 | [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. |
diff --git a/windows/keep-secure/bitlocker-recovery-guide-plan.md b/windows/keep-secure/bitlocker-recovery-guide-plan.md
index 1005d019ad..557719c15c 100644
--- a/windows/keep-secure/bitlocker-recovery-guide-plan.md
+++ b/windows/keep-secure/bitlocker-recovery-guide-plan.md
@@ -44,8 +44,8 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
 The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-- On PCs that use either BitLocker or Device Encryption when an attack is detected the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
-- Changing the boot order to boot another drive in advance of the hard drive.
+- On PCs that use either BitLocker or Device Encryption, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](http://technet.microsoft.com/library/aa998357.aspx) (also configurable through [Windows Intune](http://technet.microsoft.com/library/jj733621.aspx)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. 
However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
 - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
 - Failing to boot from a network drive before booting from the hard drive.
 - Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
index 2e7879cd8b..fc22dd555a 100644
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@@ -13,13 +13,27 @@ author: brianlic-msft
 This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+## March 2017
+|New or changed topic |Description |
+|---------------------|------------|
+|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.|
+|[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
+|[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
+|[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New |
+|[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New |
+|[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New |
+|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. 
Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. |
+
 ## January 2017
 |New or changed topic |Description |
 |---------------------|------------|
 |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New |
 |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. |
 |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New |
-|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |
+|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |
 | Microsoft Passport guide | Content merged into [Windows Hello for Business](hello-identity-verification.md) topics |
 ## December 2016
@@ -122,7 +136,6 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 |New or changed topic | Description |
 |----------------------|-------------|
 |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Clarified Credential Guard protections |
-|[Windows 10 security overview](windows-10-security-guide.md) |Added SMB hardening improvements for SYSVOL and NETLOGON connections |
 ## March 2016
diff --git a/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..22861fbaa2
--- /dev/null
+++ b/windows/keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,54 @@
+---
+title: Check the health state of the sensor in Windows Defender ATP
+description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
+keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communication, communication
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Check sensor health state in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
+
+![Windows Defender ATP sensor health tile](images/atp-sensor-health-filter.png)
+
+There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
+- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
+- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected.
+
+Clicking any of the groups directs you to Machines view, filtered according to your choice.
+
+![Windows Defender ATP sensor filter](images/atp-sensor-filter.png)
+
+You can filter the health state list by the following status:
+- **Active** - Machines that are actively reporting to the Windows Defender ATP service. 
+- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service.
+- **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
+ - **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
+ - **Impaired communication** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
+
+You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
+
+![Windows Defender ATP sensor filter](images/atp-machine-health-details.png)
+
+In the **Machines view**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page.
+
+>[!NOTE]
+>Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
+
+## Related topic
+- [Fix unhealthy sensors in Windows Defender ATP](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
index 241eadd7f7..f00f1b4e23 100644
--- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
+++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md
@@ -117,9 +117,10 @@ Tables 1 and 2 summarize the recommended mitigations for different types of atta
 **Table 2.**  How to choose the best countermeasures for Windows 10
-The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be, too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices, because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case DMA ports can be disabled entirely, which is an increasingly popular option because the use of
-DMA ports is infrequent in the non-developer space.
+The latest InstantGo devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on InstantGo devices because these port types are prohibited. The inclusion of DMA ports on even non-InstantGo devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. 
The path to the Group Policy setting is:
+**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption**
+
 Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack.
diff --git a/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
new file mode 100644
index 0000000000..90098f1ce1
--- /dev/null
+++ b/windows/keep-secure/command-line-arguments-windows-defender-antivirus.md
@@ -0,0 +1,63 @@
+---
+title: Use the command line to manage Windows Defender AV
+description: Windows Defender AV has a dedicated command-line utility that can run scans and configure protection.
+keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus.
+
+This utility can be useful when you want to automate the use of Windows Defender Antivirus.
+
+The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
+
+> [!NOTE]
+> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+
+
+The utility has the following commands:
+
+```DOS
+MpCmdRun.exe [command] [-options]
+```
+
+Command | Description
+:---|:---
+\- ?
**or** -h | Displays all available options for the tool
+\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software
+\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
+\-GetFiles | Collects support information
+\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
+\-AddDynamicSignature [-Path] | Loads a dynamic signature
+\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
+\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
+\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
+
+
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
+
diff --git a/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md b/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md
new file mode 100644
index 0000000000..edf44cdddc
--- /dev/null
+++ b/windows/keep-secure/configuration-management-reference-windows-defender-antivirus.md
@@ -0,0 +1,44 @@
+---
+title: Windows Defender AV reference for management tools
+description: Learn how Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the comman line can be used to manage Windows Defender AV
+keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Reference topics for management and configuration tools
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Antivirus can be managed and configured with the following tools:
+
+- Group Policy
+- System Center Configuration Manager and Microsoft Intune
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+- The mpcmdrun.exe utility
+
+The topics in this section provide further information, links, and resources for using these tools in conjunction with Windows Defender AV.
+
+## In this section
+
+Topic | Description
+---|---
+[Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)|List of all Group Policy settings located in the Windows 10, version 1703 ADMX templates
+[Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)|Information on using System Center Configuration Manager and Microsoft Intune to deploy, manage, report, and configure Windows Defender AV
+[Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)|Instructions on using PowerShell cmdlets in the Defender Module and links to documentation for all cmdlets and allowed parameters
+[Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)| Instructions on using WMI to manage Windows Defender AV and links to documentation for the Windows Defender WMIv2 APIs (including all classes, methods, and properties)
+[Use the mpcmdrun.exe command-line tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender AV
+
diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
deleted file mode 100644
index d7147d12a9..0000000000
--- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,116 +0,0 @@ ---- -title: Configure an Azure Active Directory application for SIEM integration -description: Configure an Azure Active Directory application so that it can communicate with supported SIEM tools. -keywords: configure aad for siem integration, siem integration, application, oauth 2 -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: mjcaparas -localizationpriority: high ---- - -# Configure an Azure Active Directory application for SIEM integration - -**Applies to:** - -- Azure Active Directory -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - -You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal. - -1. Login to the [Azure management portal](https://ms.portal.azure.com). - -2. Select **Active Directory**. - -3. Select your tenant. - -4. Click **Applications**, then select **Add** to create a new application. - -5. Click **Add an application my organization is developing**. - -6. Choose a client name for the application, for example, *Alert Export Client*. - -7. Select **WEB APPLICATION AND/OR WEB API** in the Type section. - -8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`. - -9. Confirm the request details and verify that you have successfully added the app. - -10. Select the application you've just created from the directory application list and click the **Configure** tab. - -11. Scroll down to the **keys** section and select a duration for the application key. - -12. 
Type the following URLs in the **Reply URL** field: - - - `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode` - - `https://localhost:44300/WDATPconnector` - -13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory. - -14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=&clientSecret=1234`
    - - An Azure login page appears. - > [!NOTE] - > - Replace *tenant ID* with your actual tenant ID. - > - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear. - -15. Sign in with the credentials of a user from your tenant. - -16. Click **Accept** to provide consent. Ignore the error. - -17. Click **Application configuration** under your tenant. - -18. Click **Permissions to other applications**, then select **Add application**. - -19. Click **All apps** from the **SHOW** field and submit. - -20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel. - -21. Submit your changes. - -22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**. - -23. Save the application changes. - -After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. - -## Obtain a refresh token using an events URL -Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. ->[!NOTE] ->For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). - -### Before you begin -Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: - - - OAuth 2 Client ID - - OAuth 2 Client secret - -You'll use these values to obtain a refresh token. - ->[!IMPORTANT] ->Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. 
Use a URL encoder to transform the OAuth 2 client secret. - -### Obtain a refresh token -1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=&tenantId=&clientSecret=` - - >[!NOTE] - >- Replace the *client ID* value with the one you got from your AAD application. - >- Replace *tenant ID* with your actual tenant ID. - >- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded. - -2. Click **Accept**. When you authenticate, a web page opens with your refresh token. - -3. Save the refresh token which you'll find it the ``value. You'll need this value when configuring your SIEM tool. - -After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool. - -## Related topics -- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md new file mode 100644 index 0000000000..18065e7b67 --- /dev/null +++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md 
@@ -0,0 +1,103 @@
+---
+title: Configure scanning options for Windows Defender AV
+description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
+keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure scanning options in Windows Defender AV
+
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+
+
+To configure the Group Policy settings described in the following table:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).
+
+Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
+---|---|---|---
+See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
+Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
+Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
+Scan packed executables | Scan > Scan packed executables | Enabled | Not available
+Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
+Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
+ Specify the maximum CPU load (as a percentage) during a scan. This is a maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
+ Specify the maximum size (in kilobytes) of archive files that should be scanned.
The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+
+**Use Configuration Manager to configure scanning options:**
+
+See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure scanning options**
+
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+
+
+### Email scanning limitations
+We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
+
+Always-on protection scans emails as they arrive and as they are manipulated, just like normal files in the operating system. This provides the strongest form of protection and is the recommended setting for scanning emails.
+
+You can use this Group Policy to also enable scanning of older email files used by Outlook 2003 and older during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
+- DBX
+- MBX
+- MIME
+
+PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) can also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
This is another reason why we recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.
+
+If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
+- Email subject
+- Attachment name
+
+>[!WARNING]
+>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
+- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
+- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)
+
+## Related topics
+
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index a5cd3f4bf4..385a17c7b8 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
-title: Configure HP ArcSight to consume Windows Defender ATP alerts
-description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal.
+title: Configure HP ArcSight to pull Windows Defender ATP alerts
+description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
 keywords: configure hp arcsight, security information and events management tools, arcsight
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -11,7 +11,7 @@ author: mjcaparas
 localizationpriority: high
 ---
-# Configure HP ArcSight to consume Windows Defender ATP alerts
+# Configure HP ArcSight to pull Windows Defender ATP alerts
 **Applies to:**
@@ -21,86 +21,165 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts. +You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts. ## Before you begin +Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application. -- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page: - - OAuth 2 Token refresh URL - - OAuth 2 Client ID - - OAuth 2 Client secret -- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values: +This section guides you in getting the necessary information to set and use the required configuration files correctly. - - **client_ID**: OAuth 2 Client ID - - **client_secret**: OAuth 2 Client secret - - **auth_url**: ```https://login.microsoftonline.com/?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ``` +- Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). - >[!NOTE] - >Replace *tenantID* with your tenant ID. +- Have the file you saved from enabling the SIEM integration feature ready. 
You'll need to get the following values: + - OAuth 2.0 Token refresh URL + - OAuth 2.0 Client ID + - OAuth 2.0 Client secret - - **token_url**: `https://login.microsoftonline.com//oauth2/token` +- Have the following configuration files ready: + - WDATP-connector.properties + - WDATP-connector.jsonparser.properties - >[!NOTE] - >Replace the *tenantID* value with your tenant ID. + You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization. - - **redirect_uri**: ```https://localhost:44300/wdatpconnector``` - - **scope**: Leave the value blank +- Make sure you generate the following tokens and have them ready: + - Access token + - Refresh token -- Download the [WDATP-connector.jsonparser.properties](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. -- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet. + You can generate these tokens from the **SIEM integration** setup section of the portal. -## Configure HP ArcSight -The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide. +## Install and configure HP ArcSight SmartConnector +The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). -1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder. The +1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. 
The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.

    You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. -2. Save the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file into the `\current\user\agent\flexagent` folder of the connector installation folder. +2. Follow the installation wizard through the following tasks: + - Introduction + - Choose Install Folder + - Choose Install Set + - Choose Shortcut Folder + - Pre-Installation Summary + - Installing... -3. Open an elevated command-line: + You can keep the default values for each of these tasks or modify the selection to suit your requirements. - a. Go to **Start** and type **cmd**. +3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example: - b. Right-click **Command prompt** and select **Run as administrator**. + - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ -4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears. + - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\ -5. In the form fill in the following required fields with these values: - >[!NOTE] - >All other values in the form are optional and can be left blank. + NOTE: + You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool. -
    - - - - - - - - - - - - - - - - - - - - - - -
    FieldValue
    Configuration FileType in the name of the client property file. It must match the client property file.
    Events URLDepending on the location of your datacenter, select either the EU or the US URL:

    **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME -
    **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
    Authentication TypeOAuth 2
    OAuth 2 Client Properties fileSelect *wdatp-connector.properties*.
    Refresh TokenYou can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token.
    For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).

    **To get your refresh token using the restutil tool:**
    a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\\current\bin`.

    b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Paste the value in the form. -
    -6. Select **Next**, then **Save**. +4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**. -7. Run the connector. You can choose to run in Service mode or Application mode. +5. Select Type: **ArcSight FlexConnector REST** and click **Next**. -8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name. +6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank. + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldValue
    Configuration FileType in the name of the client property file. The name must match the file provided in the .zip that you downloaded. + For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
    Events URLDepending on the location of your datacenter, select either the EU or the US URL:

    **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME +
    **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
    Authentication TypeOAuth 2
    OAuth 2 Client Properties fileBrowse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.
    Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool.

    For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).

    **Get your refresh token using the restutil tool:**
    a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

    b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Copy and paste it into the **Refresh Token** field. +
    +7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

    +If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

    If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. + +8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window. + +9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**. + +10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**. + +11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**. + +11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported. + +12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**. + +13. Select **Install as a service** and click **Next**. + +14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**. + +13. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**. + +14. Finish the installation by selecting **Exit** and **Next**. + +## Install and configure the HP ArcSight console +1. Follow the installation wizard through the following tasks: + - Introduction + - License Agreement + - Special Notice + - Choose ArcSight installation directory + - Choose Shortcut Folder + - Pre-Installation Summary + +2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens. + +3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**. + +4. Select **Use direct connection**, then click **Next**. + +5. 
Select **Password Based Authentication**, then click **Next**. + +6. Select **This is a single user installation. (Recommended)**, then click **Next**. + +7. Click **Done** to quit the installer. + +8. Login to the HP ArcSight console. + +9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**. + +10. Set **Device Product = Windows Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. + +You can now run queries in the HP ArcSight console. + +Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. + + +## Troubleshooting HP ArcSight connection +**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`. + +**Symptom:** You get the following error message: + +`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token` + +**Solution:** +1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?". +2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value: +`reauthenticate=true`. + +3. Restart the connector by running the following command: `arcsight.bat connectors`. + + A browser window appears. Allow it to run, it should disappear, and the connector should now be running. + +> [!NOTE] +> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. 
## Related topics -- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) -- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md new file mode 100644 index 0000000000..0321537068 --- /dev/null +++ b/windows/keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md 
@@ -0,0 +1,149 @@ +--- +title: Enable Block at First Sight to detect malware in seconds +description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly. +keywords: scan, BAFS, malware, first seen, first sight, cloud, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + + + + +# Enable the Block at First Sight feature + +**Applies to** + +- Windows 10, version 1703 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- Windows Defender Security Center app + + +Block at First Sight is a feature of Windows Defender Antivirus cloud-delivered protection that provides a way to detect and block new malware within seconds. + +It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled. + +You can also [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. + +> [!IMPORTANT] +> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. + +## How it works + +When a Windows Defender Antivirus client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. 
The following video describes how this feature works. + +The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file. + + + +If the cloud backend is unable to make a determination, the file will be locked by Windows Defender AV while a copy is uploaded to the cloud. The cloud will perform additional analysis to reach a determination before it allows the file to run or blocks it in all future encounters, depending on whether the file is determined to be malicious or safe. + +In many cases this process can reduce the response time for new malware from hours to seconds. + + +## Confirm and validate Block at First Sight is enabled + +Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender AV deployments in enterprise networks. + + + +### Confirm Block at First Sight is enabled with Group Policy + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** and configure the following Group Policies: + + 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**. + + 1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: + + 1. Send safe samples (1) + + 1. 
Send all samples (3) + + > [!WARNING] + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function. + + 1. Click **OK**. + +1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender Antivirus > Real-time Protection**: + + 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**. + + 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**. + +If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. + + +### Confirm Block at First Sight is enabled with the Windows Defender Security Center app + +You can confirm that Block at First Sight is enabled in Windows Settings. + +The feature is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on. + +**Confirm Block at First Sight is enabled on individual clients** + +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + +![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +> [!NOTE] +> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. 
Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. + + +### Validate Block at First Sight is working + +You can validate that the feature is working by following the steps outlined in the [Validate connections between your network and the cloud](configure-network-connections-windows-defender-antivirus.md#validate) topic. + + +## Disable Block at First Sight + +> [!WARNING] +> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network. + +You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. + +**Disable Block at First Sight with Group Policy** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree through **Windows components > Windows Defender Antivirus > MAPS**. + +1. Double-click the **Configure the 'Block at First Sight' feature** setting and set the option to **Disabled**. + + > [!NOTE] + > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies. + + +## Related topics + +- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) + + 
diff --git a/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
new file mode 100644
index 0000000000..09874321a0
--- /dev/null
+++ b/windows/keep-secure/configure-cloud-block-timeout-period-windows-defender-antivirus.md
@@ -0,0 +1,74 @@ +--- +title: Configure the Windows Defender AV cloud block timeout period +description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination. +keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure the cloud block timeout period + + + +**Applies to:** + +- Windows 10, version 1703 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy + + + + + + +When Windows Defender Antivirus is suspicious of a file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud-protection service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). + +The default period that the file will be [blocked](configure-block-at-first-sight-windows-defender-antivirus.md) for is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud. + + + +## Prerequisites to use the extended cloud block timeout + +The [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature and its prerequisites must be enabled before you can specify an extended timeout period. + +## Specify the extended timeout period + +You can use Group Policy to specify an extended timeout for cloud checks. + +**Use Group Policy to specify an extended timeout period:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. 
In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Policies** then **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine** + +5. Double-click the **Configure extended cloud check** setting and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds. + +6. Click **OK**. + + +## Related topics + +- [Windows Defender in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) + + + + diff --git a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md index 19e99c915d..8084bd32aa 100644 --- a/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure email notifications +# Configure email notifications in Windows Defender ATP **Applies to:** 
@@ -41,11 +41,16 @@ The email notifications feature is turned off by default. Turn it on to start re - **High** – Select this level to send notifications for high-severity alerts. - **Medium** – Select this level to send notifications for medium-severity alerts. - **Low** - Select this level to send notifications for low-severity alerts. + - **Informational** - Select this level to send notification for alerts that might not be considered harmful but good to keep track of. 4. In **Email recipients to notify on new alerts**, type the email address then select the + sign. 5. Click **Save preferences** when you’ve completed adding all the recipients. Check that email recipients are able to receive the email notifications by selecting **Send test email**. All recipients in the list will receive the test email. +Here's an example email notification: + +![Image of example email notification](images/atp-example-email-notification.png) + ## Remove email recipients 1. Select the trash bin icon beside the email address you’d like to remove. @@ -61,3 +66,8 @@ This section lists various issues that you may encounter when using email notifi 1. Check that the Windows Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. 2. Check that your email security product is not blocking the email notifications from Windows Defender ATP. 3. Check your email application rules that might be catching and moving your Windows Defender ATP email notifications. + +## Related topics +- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md) +- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md) +- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md b/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md
new file mode 100644
index 0000000000..47b2f3f968
--- /dev/null
+++ b/windows/keep-secure/configure-end-user-interaction-windows-defender-antivirus.md
@@ -0,0 +1,39 @@ +--- +title: Configure how users can interact with Windows Defender AV +description: Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings. +keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure end-user interaction with Windows Defender Antivirus + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy + +You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus. + +This includes whether they see the Windows Defender AV interface, what notifications they see, and if they can locally override globally deployed Group Policy settings. + +## In this section + +Topic | Description +---|--- +[Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation +[Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) | Hide the user interface from users +[Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints diff --git a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index 59f309b4ab..c6e02becaf 100644 
--- a/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -84,7 +84,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. - b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + b. Click the **Endpoint offboarding** section. + + c. Select **Group Policy**, click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index c842ea1668..3107054c50 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender ATP endpoints using Mobile Device Management tools +title: Configure endpoints using Mobile Device Management tools description: Use Mobile Device Management tools to deploy the configuration package on endpoints so that they are onboarded to the service. keywords: configure endpoints using mdm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, mdm search.product: eADQiWindows 10XVcnh 
@@ -92,10 +92,11 @@ Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/Wi Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
    Default value: 1 | Windows Defender ATP Sample sharing is enabled - +Configuration for onboarded machines: telemetry reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2
    1: Normal (default)

    2: Expedite | Windows Defender ATP telemetry reporting > [!NOTE] -> The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. +> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. +> - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703. ### Offboard and monitor endpoints @@ -108,7 +109,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. - b. Under **Endpoint offboarding** section, select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file. + b. Click the **Endpoint offboarding** section. + + c. Select **Mobile Device Management /Microsoft Intune**, click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 8b193b46c6..89f4c7887d 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: Configure Windows Defender ATP endpoints using System Center Configuration Manager +title: Configure endpoints using System Center Configuration Manager description: Use System Center Configuration Manager to deploy the configuration package on endpoints so that they are onboarded to the service. keywords: configure endpoints using sccm, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints, sccm search.product: eADQiWindows 10XVcnh @@ -45,14 +45,12 @@ You can use System Center Configuration Manager’s existing functionality to cr 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic. - -4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. +3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. > [!NOTE] -> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading. +> Windows Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. ### Configure sample collection settings 
@@ -90,7 +88,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. - b. Under **Endpoint offboarding** section, select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. + b. Click the **Endpoint offboarding** section. + + c. Select **System Center Configuration Manager System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 50903ddc26..31b9b673c4 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -78,7 +78,9 @@ For security reasons, the package used to offboard endpoints will expire 30 days a. Click **Endpoint Management** on the **Navigation pane**. - b. Under **Endpoint offboarding** section, select **Group Policy**, click **Download package** and save the .zip file. + b. Click the **Endpoint offboarding** section. + + c. Select **Group Policy**, click **Download package** and save the .zip file. 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the endpoints. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 
diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
index cca969958e..73d4781fa1 100644
--- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Configure Windows Defender ATP endpoints
-description: Configure endpoints so that they are onboarded to the service.
+description: Configure endpoints so that they can send sensor data to the Windows Defender ATP sensor.
 keywords: configure endpoints, endpoint management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..db1498b7bd
--- /dev/null
+++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,52 @@ +--- +title: Set up exclusions for Windows Defender AV scans +description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell. +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans + + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Windows Management Instrumentation (WMI) +- System Center Configuration Manager +- Microsoft Intune +- Windows Defender Security Center + +You can exclude certain files, folders, processes, and process-opened files from being scanned by Windows Defender Antivirus. + +The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. + +Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. + +>[!WARNING] +>Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. 
+ +## In this section + +Topic | Description +---|--- +[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location +[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process +[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions + diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md new file mode 100644 index 0000000000..3d78deccde --- /dev/null +++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md 
@@ -0,0 +1,281 @@
+---
+title: Configure and validate exclusions based on extension, name, or location
+description: Exclude files from Windows Defender AV scans based on their file extension, file name, or location.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate exclusions based on file extension and folder location
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists.
+
+This topic describes how to configure exclusion lists for the following:
+
+Exclusion | Examples | Exclusion list
+---|---|---
+Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
+Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
+A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
+A specific process | The executable file c:\test\process.exe | File and folder exclusions
+
+This means the exclusion lists have the following characteristics:
+- Folder exclusions will apply to all files and folders under that folder.
+- File extensions will apply to any file name with the defined extension, regardless of where the file is located.
+
+
+To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic.
+
+
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists.
+
+
+By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
+
+You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
+
+
+
+
+
+
+## Configure the list of exclusions based on folder name or file extension
+
+
+**Use Group Policy to configure folder or file extension exclusions:**
+
+>[!NOTE]
+>If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+
+6. Double-click the **Path Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**.
+
+![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
+
+8. Double-click the **Extension Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes.
+
+
+9. Click **OK**.
+
+![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
+
+
+
+**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
+
+Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+The format for the cmdlets is:
+
+```PowerShell
+ - ""
+```
+
+The following are allowed as the \:
+
+Configuration action | PowerShell cmdlet
+---|---
+Create or overwrite the list | `Set-MpPreference`
+Add to the list | `Add-MpPreference`
+Remove item from the list | `Remove-MpPreference`
+
+The following are allowed as the \:
+
+Exclusion type | PowerShell parameter
+---|---
+All files with a specified file extension | `-ExclusionExtension`
+All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
+
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
+
+```PowerShell
+Add-MpPreference -ExclusionExtension ".test"
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionExtension
+ExclusionPath
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure file name, folder, or file extension exclusions:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+ + + + +## Use wildcards in the file name and folder path or extension exclusion lists + +You can use the asterisk \*, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. + +>[!IMPORTANT] +>Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. + +You cannot use a wildcard in place of a drive letter. + + +The following table describes how the wildcards can be used and provides some examples. + +Wildcard | Use | Example use | Example matches +---|---|---|--- +\* (asterisk) | Replaces any number of characters |
    • C:\MyData\my\*.zip
    • C:\somepath\\\*\Data
    |
    • C:\MyData\my-archived-files-43.zip
    • Any file in C:\somepath\folder1\folder2\Data
    +? (question mark) | Replaces a single character |
    • C:\MyData\my\?.zip
    • C:\somepath\\\?\Data
    |
    • C:\MyData\my1.zip
    • Any file in C:\somepath\P\Data
    +Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
    • %ALLUSERSPROFILE%\CustomLogFiles
    |
    • C:\ProgramData\CustomLogFiles\Folder1\file1.txt
    + + + + + +## Review the list of exclusions + +You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). + +If you use PowerShell, you can retrieve the list in two ways: + +- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. + +**Review the list of exclusions alongside all other Windows Defender AV preferences:** + +Use the following cmdlet: + +```PowerShell +Get-MpPreference +``` + +In the following example, the items contained in the `ExclusionExtension` list are highlighted: + + +![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png) + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
+
+
+**Retrieve a specific exclusions list:**
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionExtension
+$WDAVprefs.ExclusionPath
+```
+
+In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
+
+![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+
+
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
+
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
new file mode 100644
index 0000000000..728b747ccb
--- /dev/null
+++ b/windows/keep-secure/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -0,0 +1,103 @@
+---
+title: Configure local overrides for Windows Defender AV settings
+description: Enable or disable users from locally changing settings in Windows Defender AV.
+keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Prevent or allow users to locally modify Windows Defender AV policy settings
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+By default, Windows Defender AV settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
+
+For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
+
+## Configure local overrides for Windows Defender AV settings
+
+The default setting for these policies is **Disabled**.
+
+If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Defender Security Center](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
+
+The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
+
+To configure these settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. 
Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+7. Deploy the Group Policy Object as usual.
+
+Location | Setting | Configuration topic
+---|---|---|---
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender AV always-on protection and 
monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-windows-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+
+
+
+
+
+
+## Configure how locally and globally defined threat remediation and exclusions lists are merged
+
+You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).
+
+By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate GPO that you have deployed on your network. Where there are conflicts, the globally defined list takes precedence.
+
+You can disable this setting to ensure that only globally defined lists (such as those from any deployed GPOs) are used.
+
+
+**Use Group Policy to disable local list merging:**
+
+1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus**.
+
+6. Double-click the **Configure local administrator merge behavior for lists** setting and set the option to **Enabled**. Click **OK**.
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
new file mode 100644
index 0000000000..8abb221880
--- /dev/null
+++ b/windows/keep-secure/configure-network-connections-windows-defender-antivirus.md
@@ -0,0 +1,197 @@
+---
+title: Configure and test Windows Defender Antivirus network connections
+description: Configure and test your connection to the Windows Defender Antivirus cloud-delivered protection service.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate network connections for Windows Defender Antivirus
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+
+To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
+
+This topic lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. This will help ensure you receive the best protection from our cloud-delivered protection services.
+
+See the Enterprise Mobility and Security blog post [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/) for some details about network connectivity.
+
+## Allow connections to the Windows Defender Antivirus cloud
+
+The Windows Defender Antivirus cloud provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommend as it provides very important protection against malware on your endpoints and across your network.
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. 
Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. + +See the [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) topic for details on enabling the service with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. + +After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. + +The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ServiceDescriptionURL
    + Windows Defender Antivirus cloud-based protection service, also referred to as Microsoft Active Protection Service (MAPS) + + Used by Windows Defender Antivirus to provide cloud-based protection + +*.wdcp.microsoft.com*
    +*.wdcpalt.microsoft.com* +
    +Microsoft Update Service (MU) + +Signature and product updates + +*.updates.microsoft.com +
    + Definition updates alternate download location (ADL) + + Alternate location for Windows Defender Antivirus definition updates if the installed definitions fall out of date (7 or more days behind) + +*.download.microsoft.com +
    + Malware submission storage + + Upload location for files submitted to Microsoft via the Submission form or automatic sample submission + +*.blob.core.windows.net +
    +Certificate Revocation List (CRL) + +Used by Windows when creating the SSL connection to MAPS for updating the CRL + +http://www.microsoft.com/pkiops/crl/
    +http://www.microsoft.com/pkiops/certs
    +http://crl.microsoft.com/pki/crl/products
    +http://www.microsoft.com/pki/certs + +
    +Symbol Store + +Used by Windows Defender Antivirus to restore certain critical files during remediation flows + +https://msdl.microsoft.com/download/symbols +
    +Universal Telemetry Client + +Used by Windows to send client telemetry, Windows Defender Antivirus uses this for product quality monitoring purposes + +This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:
    • vortex-win.data.microsoft.com
    • settings-win.data.microsoft.com
    + + + + +## Validate connections between your network and the cloud + +After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender AV cloud and are correctly reporting and receiving information to ensure you are fully protected. + +**Use the cmdline tool to validate cloud-delivered protection:** + +Use the following argument with the Windows Defender AV command line utility (*mpcmdrun.exe*) to verify that your network can communicate with the Windows Defender AV cloud: + +```DOS +MpCmdRun - ValidateMapsConnection +``` + +See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. + +**Attempt to download a fake malware file from Microsoft:** + +You can download a sample file that Windows Defender AV will detect and block if you are properly connected to the cloud. + +Download the file by visiting the following link: +- http://aka.ms/ioavtest + +>[!NOTE] +>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. + +If you are properly connected, you will see a warning notification from Windows Defender Antivirus: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png) + +If you are using Microsoft Edge, you'll also see a notification message: + +![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png) + +A similar message occurs if you are using Internet Explorer: + +![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) + +You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app: + +1. 
Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
+
+ ![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png)
+
+3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware:
+
+ ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png)
+
+The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
+
+>[!IMPORTANT]
+>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [Run a Windows Defender scan from the command line](command-line-arguments-windows-defender-antivirus.md) and [Command line arguments](command-line-arguments-windows-defender-antivirus.md)
+- [Important changes to Microsoft Active Protection Services endpoint](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/important-changes-to-microsoft-active-protection-service-maps-endpoint/)
diff --git a/windows/keep-secure/configure-notifications-windows-defender-antivirus.md b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md
new file mode 100644
index 0000000000..a692199439
--- /dev/null
+++ b/windows/keep-secure/configure-notifications-windows-defender-antivirus.md
@@ -0,0 +1,129 @@ +--- +title: Configure notifications for Windows Defender Antivirus +description: Configure and customize notifications from Windows Defender AV. +keywords: notifications, defender, endpoint, management, admin +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure the notifications that appear on endpoints + +**Applies to:** + +- Windows 10, version 1703 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- Windows Defender Security Center app + +In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise. + +Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals. + +You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated. + +## Configure the additional notifications that appear on endpoints + +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy. + +> [!NOTE] +> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10 it is called **Enhanced notifications**. + +> [!IMPORTANT] +> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. 
+ +**Use the Windows Defender Security Center app to disable additional notifications:** + +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + +![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) + +3. Scroll to the **Notifications** section and click **Change notification settings**. + +4. Slide the switch to **Off** or **On** to disable or enable additional notifications. + +**Use Group Policy to disable additional notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**. + +6. Double-click the **Turn off enhanced notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + + +## Configure standard notifications on endpoints + +You can use Group Policy to: +- Display additional, customized text on endpoints when the user needs to perform an action +- Hide all notifications on endpoints +- Hide reboot notifications on endpoints + +Hiding notifications can be useful in situations where you cannot hide the entire Windows Defender AV interface. See [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. 
+ +> [!NOTE] +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). + +**Use Group Policy to display additional, custom text in notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +6. Double-click the **Display additional text to clients when they need to perform an action** setting and set the option to **Enabled**. + +7. Enter the additional text you want to be shown to users. Click **OK**. + +**Use Group Policy to hide notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +6. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + +**Use Group Policy to hide reboot notifications:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**. + +6. Double-click the **Suppresses reboot notifications** setting and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing. + + + + + + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md) diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md new file mode 100644 index 0000000000..50dbbe12a6 --- /dev/null +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md 
@@ -0,0 +1,217 @@ +--- +title: Configure exclusions for files opened by specific processes +description: You can exclude files from scans if they have been opened by a specific process. +keywords: process, exclusion, files, scans +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure exclusions for files opened by processes + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy +- PowerShell +- Windows Management Instrumentation (WMI) +- System Center Configuration Manager +- Microsoft Intune +- Windows Defender Security Center + +You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV. + +This topic describes how to configure exclusion lists for the following: + + + +Exclusion | Example +---|--- +Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
    • c:\sample\test.exe
    • d:\internal\files\test.exe
    +Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
    • c:\test\sample\test.exe
    • c:\test\sample\test2.exe
    • c:\test\sample\utility.exe
    +Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe + +When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). + +The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans. + +Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. + +You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. + +You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. + + +By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts. + +You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings. 
+ + +## Configure the list of exclusions for files opened by specified processes + + + +**Use Group Policy to exclude files that have been opened by specified processes from scans:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. + + +6. Double-click the **Process Exclusions** setting and add the exclusions: + + 1. Set the option to **Enabled**. + 2. Under the **Options** section, click **Show...** + 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. + +7. Click **OK**. + +![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png) + + + +**Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** + +Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). 
+ +The format for the cmdlets is: + +```PowerShell + -ExclusionProcess "" +``` + +The following are allowed as the \: + +Configuration action | PowerShell cmdlet +---|--- +Create or overwrite the list | `Set-MpPreference` +Add to the list | `Add-MpPreference` +Remove items from the list | `Remove-MpPreference` + + +>[!IMPORTANT] +>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. + + +For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process: + +```PowerShell +Add-MpPreference -ExclusionProcess "c:\internal\test.exe" +``` + + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + + +**Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:** + +Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +ExclusionProcess +``` + +The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`. 
+ +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +**Use Configuration Manager to exclude files that have been opened by specified processes from scans:** + +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). + + +**Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** + + +See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. + + +**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:** + +See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + + + + +## Use wildcards in the process exclusion list + +The use of wildcards in the process exclusion list is different from their use in other exclusion lists. + +In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. + +The following table describes how the wildcards can be used in the process exclusion list: + +Wildcard | Use | Example use | Example matches +---|---|---|--- +\* (asterisk) | Replaces any number of characters |
    • C:\MyData\\*
    |
    • Any file opened by C:\MyData\file.exe
    +? (question mark) | Not available | \- | \- +Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
    • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
    |
    • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
    + + + + + +## Review the list of exclusions + +You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). + +If you use PowerShell, you can retrieve the list in two ways: + +- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. +- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. + +**Review the list of exclusions alongside all other Windows Defender AV preferences:** + +Use the following cmdlet: + +```PowerShell +Get-MpPreference +``` + + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + + +**Retrieve a specific exclusions list:** + +Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: + +```PowerShell +$WDAVprefs = Get-MpPreference +$WDAVprefs.ExclusionProcess +``` + + + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
+ + + + + +## Related topics + +- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md b/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md new file mode 100644 index 0000000000..bf1f2f595e --- /dev/null +++ b/windows/keep-secure/configure-protection-features-windows-defender-antivirus.md 
@@ -0,0 +1,43 @@ +--- +title: Enable and configure protection features in Windows Defender AV +description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV. +keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Configure behavioral, heuristic, and real-time protection + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +Windows Defender Antivirus uses several methods to provide threat protection: + +- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats +- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection") +- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research + +You can configure how Windows Defender AV uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI). + +This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware. + +See the [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) section for how to enable and configure Windows Defender AV cloud-delivered protection. 
+ + +## In this section + + Topic | Description +---|--- +[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps +[Enable and configure Windows Defender AV protection capabilities](configure-real-time-protection-windows-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on antivirus monitoring features \ No newline at end of file diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index dd145bf769..399486b886 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Configure Windows Defender ATP endpoint proxy and Internet connection settings +title: Configure endpoint proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh 
@@ -37,31 +37,32 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Manual static proxy configuration: - - WinHTTP configured using netsh command - Registry based configuration + - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) ## Configure the proxy server manually using a registry-based static proxy Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. -The registry key that this policy sets can be found at: -```HKLM\Software\Policies\Microsoft\Windows\DataCollection TelemetryProxyServer``` +The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`. + +The registry value `TelemetryProxyServer` takes the following string format: -The policy and the registry key takes the following string format: ```text : ``` For example: 10.0.0.6:8080 -If the static proxy settings are configured after onboarding, then you must restart the PC to apply the proxy settings. +The registry value `DisableEnterpriseAuthProxy` should be set to 1. ## Configure the proxy server manually using netsh command Use netsh to configure a system-wide static proxy. > [!NOTE] -> This will affect all applications including Windows services which use WinHTTP with default proxy. +> - This will affect all applications including Windows services which use WinHTTP with default proxy.
    +> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration. 1. Open an elevated command-line: diff --git a/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md new file mode 100644 index 0000000000..677e0883be --- /dev/null +++ b/windows/keep-secure/configure-real-time-protection-windows-defender-antivirus.md 
@@ -0,0 +1,101 @@ +--- +title: Configure always-on real-time protection in Windows Defender AV +description: Enable and configure real-time protectoin features such as behavior monitoring, heuristics, and machine-learning in Windows Defender AV +keywords: real-time protection, rtp, machine-learning, behavior monitoring, heuristics +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + + +# Enable and configure Windows Defender AV always-on protection and monitoring + + + +**Applies to:** + +- Windows 10 + + +**Audience** + +- Enterprise security administrators + + +**Manageability available with** + +- Group Policy + + + + +Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. + +These activities include events such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure. + + +## Configure and enable always-on protection + +You can configure how always-on protection works with the Group Policy settings described in this section. + +To configure these settings: + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +6. 
Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + + + + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Real-time protection | Monitor file and program activity on your computer | The AV engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled +Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to Windows Defender SmartScreen filter, which scans files before and during downloading | Enabled +Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the AV engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled +Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled +Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled +Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled +Real-time protection | Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. 
Note that fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions)
+Scan | Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the AV engine is asked to detect the activity | Enabled
+Root | Allow antimalware service to startup with normal priority | You can lower the priority of the AV engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
+Root | Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender AV to still run. This lowers the protection on the endpoint. | Disabled
+
+
+
+
+## Disable real-time protection
+> [!WARNING]
+> Disabling real-time protection will drastically reduce the protection on your endpoints and is not recommended.
+
+The main real-time protection capability is enabled by default, but you can disable it with Group Policy:
+
+**Use Group Policy to disable real-time protection:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Real-time protection**.
+
+6. Double-click the **Turn off real-time protection** setting and set the option to **Enabled**. Click **OK**.
+
+
+
+## Related topics
+
+- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-remediation-windows-defender-antivirus.md b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
new file mode 100644
index 0000000000..b664d78cdf
--- /dev/null
+++ b/windows/keep-secure/configure-remediation-windows-defender-antivirus.md
@@ -0,0 +1,77 @@
+---
+title: Remediate and resolve infections detected by Windows Defender AV
+description: Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+keywords: remediation, fix, remove, threats, quarantine, scan, restore
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+# Configure remediation for Windows Defender AV scans
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+
+When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender AV should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
+
+This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings).
+
+You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) to configure these settings.
+
+## Configure remediation options
+
+You can configure how remediation works with the Group Policy settings described in this section.
+
+To configure these settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
+
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
+Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
+Root | Turn off routine remediation | You can specify whether Windows Defender AV automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
+Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
+Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
+Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
+
+
+Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
+
+## Related topics
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..c293dd3358
--- /dev/null
+++ b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,84 @@
+---
+title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016
+description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions.
+keywords: exclusions, server, auto-exclusions, automatic, custom, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure exclusions in Windows Defender AV on Windows Server 2016
+
+
+**Applies to:**
+
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+
+If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
+
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics:
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+
+
+You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
+
+**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
+
+**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
index f8f22a049a..5bd33553ac 100644
--- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@ --- -title: Configure security information and events management tools -description: Configure supported security information and events management tools to receive and consume alerts. -keywords: configure siem, security information and events management tools, splunk, arcsight +title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection +description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts. +keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure security information and events management (SIEM) tools to consume alerts +# Pull alerts to your SIEM tools **Applies to:** 
@@ -21,7 +21,9 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +## Pull alerts using supported security information and events management (SIEM) tools +Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. + Windows Defender ATP currently supports the following SIEM tools: 
@@ -30,15 +32,27 @@ Windows Defender ATP currently supports the following SIEM tools: To use either of these supported SIEM tools you'll need to: -- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) - Configure the supported SIEM tool: - - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) + - [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) + +For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md). + + +## Pull Windows Defender ATP alerts using REST API +Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API. + +For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md). + ## In this section Topic | Description :---|:--- -[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools. - [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts. 
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts. +[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools. +[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts. +[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts. +[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal. +[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API. +[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature. diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index 8dc36252d3..24412f45b9 100644 
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Configure Splunk to consume Windows Defender ATP alerts -description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal. +title: Configure Splunk to pull Windows Defender ATP alerts +description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure Splunk to consume Windows Defender ATP alerts +# Configure Splunk to pull Windows Defender ATP alerts **Applies to:** 
@@ -21,16 +21,19 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -You'll need to configure Splunk so that it can consume Windows Defender ATP alerts. +You'll need to configure Splunk so that it can pull Windows Defender ATP alerts. ## Before you begin - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk. -- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). -- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page: - - OAuth 2 Token refresh URL - - OAuth 2 Client ID - - OAuth 2 Client secret +- Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) + +- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values: + - OAuth 2 Token refresh URL + - OAuth 2 Client ID + - OAuth 2 Client secret + +- Have the refresh token that you generated from the SIEM integration feature ready. ## Configure Splunk 
@@ -39,14 +42,16 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler 2. Click **Search & Reporting**, then **Settings** > **Data inputs**. 3. Click **REST** under **Local inputs**. -> [!NOTE] -> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). + + NOTE: + This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/). 4. Click **New**. 5. Type the following values in the required fields, then click **Save**: -> [!NOTE] ->All other values in the form are optional and can be left blank. + + NOTE: + All other values in the form are optional and can be left blank. @@ -56,8 +61,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler - @@ -66,16 +70,24 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler + + + + + + + + - + - + - + @@ -102,11 +114,28 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler After completing these configuration steps, you can go to the Splunk dashboard and run queries. -You can use the following query as an example in Splunk:
    -```source="rest://windows atp alerts"|spath|table*``` +## View alerts using Splunk solution explorer +Use the solution explorer to view alerts in Splunk. + +1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**. + +2. Select **New**. + +3. Enter the following details: + - Destination app: Select Search & Reporting (search) + - Search name: Enter a name for the query + - Search: Enter a query, for example:
    + `source="rest://windows atp alerts"|spath|table*` + + Other values are optional and can be left with the default values. +4. Click **Save**. The query is saved in the list of searches. + +5. Find the query you saved in the list and click **Run**. The results are displayed based on your query. ## Related topics -- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) -- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-windows-defender-antivirus-features.md b/windows/keep-secure/configure-windows-defender-antivirus-features.md new file mode 100644 index 0000000000..d1da91abab --- /dev/null +++ b/windows/keep-secure/configure-windows-defender-antivirus-features.md 
@@ -0,0 +1,54 @@
+---
+title: Configure Windows Defender Antivirus features (Windows 10)
+description: You can configure features for Windows Defender Antivirus using Configuration Manager, MDM software (such as Intune), PowerShell, and with Group Policy settings.
+keywords: windows defender antivirus, antimalware, security, defender, configure, configuration, Config Manager, System Center Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure Windows Defender Antivirus features
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+Windows Defender Antivirus can be configured with a number of tools, including:
+
+- Group Policy settings
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instrumentation (WMI)
+- Microsoft Intune
+
+
+The following broad categories of features can be configured:
+
+- Cloud-delivered protection
+- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
+- How end-users interact with the client on individual endpoints
+
+The topics in this section describe how to perform key tasks when configuring Windows Defender AV. Each topic includes instructions for the applicable configuration tool (or tools).
+
+You can also review the [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) topic for an overview of each tool and links to further help.
+
+
+## In this section
+Topic | Description
+:---|:---
+[Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
+[Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV
+[Configure end-user interaction with WDAM](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings
+
+
+
diff --git a/windows/keep-secure/configure-windows-defender-in-windows-10.md b/windows/keep-secure/configure-windows-defender-in-windows-10.md
deleted file mode 100644
index 93469dafa2..0000000000
--- a/windows/keep-secure/configure-windows-defender-in-windows-10.md
+++ /dev/null
@@ -1,204 +0,0 @@ ---- -title: Configure and use Windows Defender in Windows 10 -description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). -ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: medium -author: jasesso ---- - -# Configure Windows Defender in Windows 10 - -**Applies to** -- Windows 10 - -You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS). - -You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies. - -## Configure definition updates - -It is important to update definitions regularly to ensure that your endpoints are protected. Definition updates can be configured to suit the requirements of your organization. - -Windows Defender supports the same updating options (such as using multiple definition sources) as other Microsoft endpoint protection products; for more information, see [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx). - -When you configure multiple definition sources in Windows Defender, you can configure the fallback order using the following values through *Group Policy* settings: - -- InternalDefinitionUpdateServer - WSUS -- MicrosoftUpdateServer - Microsoft Update -- MMPC - [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx) -- FileShares - file share - -Read about deploying administrative template files for Windows Defender in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). 
- -You can also manage your Windows Defender update configuration settings through System Center Configuration Manager. See [How to Configure Definition Updates for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/jj822983.aspx) for details. - -## Definition update logic - -You can update Windows Defender definitions in four ways depending on your business requirements: - -- WSUS, the managed server. You can manage the distribution of updates that are released through Microsoft Update to computers in your enterprise environment; read more on the [Windows Server Update Services](https://technet.microsoft.com/windowsserver/bb332157.aspx) website. -- Microsoft Update, the unmanaged server. You can use this method to get regular updates from Microsoft Update. -- The [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx), as an alternate download location. You can use this method if you want to download the latest definitions. -- File share, where the definition package is downloaded. You can retrieve definition updates from a file share. The file share must be provisioned on a regular basis with the update files. - -## Update Windows Defender definitions through Active Directory and WSUS - -This section details how to update Windows Defender definitions for Windows 10 endpoints through Active Directory and WSUS. -
    Endpoint URLDepending on the location of your datacenter, select either the EU or the US URL:

    **For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts
    **For US:** https://wdatp-alertexporter-us.windows.com/api/alerts - +
    Depending on the location of your datacenter, select either the EU or the US URL:

    **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`
    **For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`
    HTTP MethodAuthentication Type oauth2
    OAuth 2 Access tokenUse the value that you generated when you enabled the SIEM integration feature.

    NOTE: The access token expires after an hour.
    OAuth 2 Refresh TokenUse the value that you generated when you enabled the **SIEM integration** feature.
    OAuth 2 Token Refresh URL Value taken from AAD applicationUse the value from the details file you saved when you enabled the **SIEM integration** feature.
    OAuth 2 Client IDValue taken from AAD applicationUse the value from the details file you saved when you enabled the **SIEM integration** feature.
    OAuth 2 Client SecretValue taken from AAD applicationUse the value from the details file you saved when you enabled the **SIEM integration** feature.
    Response type
    ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    MethodInstructions

    WSUS

    See [Software Updates and Windows Server Update Services Definition Updates](https://technet.microsoft.com/library/gg398036.aspx) in the [Configuring Definition Updates](https://technet.microsoft.com/library/gg412502.aspx) topic that also applies to Windows Defender.

    Microsoft Update

    Set the following fallback order Group Policy to enable Microsoft Update:

    -
      -
    1. Open the Group Policy Editor.
    2. -
    3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
    4. -
    5. Click on Signature Updates.
    6. -
    7. Double-click on Define the order of sources for downloading definition updates.

      -

      This will open the Define the order of sources for downloading definition updates window.

    8. -
    9. Click Enable.
    10. -
    11. In the Options pane, define the following Group Policy to enable Microsoft Update:

      -

      {MicrosoftUpdateServer}

      -

      "Define the order of sources for downloading definition updates" field

    12. -
    13. Click OK.

      -

      The window will close automatically.

    14. -

    [Microsoft Malware Protection Center definitions page](http://www.microsoft.com/security/portal/definitions/adl.aspx)

    Set the following fallback order Group Policy to enable Windows Defender to download updated signatures:

    -
      -
    1. Open the Group Policy Editor.
    2. -
    3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
    4. -
    5. Click on Signature Updates.
    6. -
    7. Double-click on Define the order of sources for downloading definition updates.

      -

      This will open the Define the order of sources for downloading definition updates window.

    8. -
    9. Click Enable.
    10. -
    11. In the Options pane, define the following Group Policy to enable Windows Defender to download updated signatures:

      -

      {MMPC}

      -

      "Define the order of sources for downloading definition updates" field

    12. -
    13. Click OK.

      -

      The window will close automatically.

    14. -

    File share

    -
      -
    1. Open the Group Policy Editor.
    2. -
    3. In the Local Computer Policy tree, expand Computer Configuration, then Administrative Templates, then Windows Components, then Windows Defender.
    4. -
    5. Click on Signature Updates.
    6. -
    7. Double-click on Define the order of sources for downloading definition updates.

      -

      This will open the Define the order of sources for downloading definition updates window:

    8. -
    9. Click Enable.
    10. -
    11. In the Options pane, define the following Group Policy to enable Windows Defender to download updated signatures:

      -

      {FileShares}

      -

      "Define the order of sources for downloading definition updates" field

    12. -
    13. Click OK.

      -

      The window will close automatically.

    14. -
    15. Double-click on Define file shares for downloading definition updates.

      -

      This will open the Define file shares for downloading definition updates window.

    16. -
    17. Click Enable.
    18. -
    19. In the Options pane, define the following Group Policy to specify the Universal Naming Convention (UNC) share source:

      -

      {\\unc1\\unc2} - where you define [unc] as the UNC shares.

      -

      "Define the file shares for downloading definition updates" field

    20. -
    21. Click OK.

      -

      The window will close automatically.

    22. -
    -  -## Manage cloud-based protection - -Windows Defender offers improved cloud-based protection and threat intelligence for endpoint protection clients using the Microsoft Active Protection Service. Read more about the Microsoft Active Protection Service community in [Join the Microsoft Active Protection Service community](http://windows.microsoft.com/windows-8/join-maps-community). - -You can enable or disable the Microsoft Active Protection Service using *Group Policy* settings and administrative template files. - -More information on deploying administrative template files for Windows Defender is available in the article [Description of the Windows Defender Group Policy administrative template settings](https://support.microsoft.com/kb/927367). - -The Microsoft Active Protection Service can be configured with the following *Group Policy* settings: - -1. Open the **Group Policy Editor**. -2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. -3. Click on **MAPS**. -4. Double-click on **Join Microsoft MAPS**. -5. Select your configuration option from the **Join Microsoft MAPS** list. - - >**Note:**  Any settings modified on an endpoint will be overridden by the administrator's policy setting. 
-   -Use the Windowsdefender.adm *Group Policy* template file to control the policy settings for Windows Defender in Windows 10: - -Policy setting: **Configure Microsoft SpyNet Reporting** - -Registry key name: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet\\SpyNetReporting** - -Policy description: **Adjusts membership in Microsoft Active Protection Service** - -You can also configure preferences using the following PowerShell parameters: - -- Turn Microsoft Active Protection Service off: *Set-MpPreference -MAPSReporting 0* -- Turn Microsoft Active Protection Service on: *Set-MpPreference -MAPSReporting 2* - -Read more about this in: - -- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) -- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) - ->**Note:**  Any information that Windows Defender collects is encrypted in transit to our servers, and then stored in secure facilities. Microsoft takes several steps to avoid collecting any information that directly identifies you, such as your name, email address, or account ID. -  -Read more about how to manage your privacy settings in [Setting your preferences for Windows 10 services](http://windows.microsoft.com/windows-10/services-setting-preferences). - -## Opt-in to Microsoft Update - -You can use Microsoft Update to keep definitions on mobile computers running Windows Defender in Windows 10 up to date when they are not connected to the corporate network. If the mobile computer doesn't have a [Windows Server Update Service](https://technet.microsoft.com/windowsserver/bb332157.aspx) (WSUS) connection, the signatures will still come from Microsoft Update. This means that signatures can be pushed down (via Microsoft Update) even if WSUS overrides Windows Update. - -You need to opt-in to Microsoft Update on the mobile computer before it can retrieve the definition updates from Microsoft Update. 
- -There are two ways you can opt-in to Microsoft Update in Windows Defender for Windows 10: - -1. Use a VBScript to create a script, then run it on each computer in your network. -2. Manually opt-in every computer on your network through the **Settings** menu. - -You can create a VBScript and run it on each computer on your network; this is an efficient way to opt-in to Microsoft Update. - -**Use a VBScript to opt in to Microsoft Update** - -1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. -2. Run the VBScript you created on each computer in your network. - -You can manually opt-in each individual computer on your network to receive Microsoft Update. - -**Manually opt-in to Microsoft Update** - -1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. -2. Click **Advanced** options. -3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. - -## Schedule updates for Microsoft Update - -Opting-in to Microsoft Update means that your system administrator can schedule updates to your mobile computer, so that it keeps up-to-date with the latest software versions and security definitions, even when you’re on the road. - -For more information on scheduling updates, see [Configure definition updates](https://technet.microsoft.com/library/mt622088.aspx#configure-definition-updates). - -## Related topics - -- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) -- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 4bd92ff06f..ab2695ebf7 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -6,21 +6,22 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile +- Windows 10, version 1703 +- Windows 10 Mobile, version 1703 If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >[!IMPORTANT] ->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

    If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).

    If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. **To manually create an EFS DRA certificate** @@ -28,20 +29,20 @@ The recovery process included in this topic only works for desktop devices. WIP 2. Run this command: - `cipher /r:` + cipher /r:EFSRA - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + Where *EFSRA* is the name of the .cer and .pfx files that you want to create. 3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - >[!IMPORTANT] + >[!Important] >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - >[!NOTE] + >[!Note] >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on a WIP client computer** 
@@ -52,9 +53,9 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - `cipher /c ` + cipher /c filename - Where *<filename>* is the name of the file you created in Step 1. + Where *filename* is the name of the file you created in Step 1. 4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. @@ -66,11 +67,12 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - `cipher /d ` + cipher /d encryptedfile.extension - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. + +**To quickly recover WIP-protected desktop data after unenrollment** -**To quickly recover WIP-protected desktop data after unenrollment**
    It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. >[!IMPORTANT] 
@@ -78,24 +80,51 @@ It's possible that you might revoke data from an unenrolled device only to later 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” /EFSRAW - Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + Where ”*new_location*" is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: - `cipher.exe /D <“new_location”>` + cipher.exe /D "new_location" 3. Have your employee sign in to the unenrolled device, and type: - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + Robocopy "new_location" “%localappdata%\Microsoft\EDP\Recovery\Input” 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). 
+**To quickly recover WIP-protected desktop data in a cloud-based environment** + +If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. + +>[!IMPORTANT] +>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. + +1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands: + + - If the keys are still stored within the employee's profile, type: Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” * /EFSRAW + + -or- + + - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” "new_location” * /EFSRAW> + + >[!Important] + >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing: + + cipher.exe /D “new_location + +3. Have your employee sign in to the device again, open the **Run** command, and type: + + Robocopy “new_location” “%localappdata%\Microsoft\EDP\Recovery\Input” + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. All your company’s previously revoked files should be accessible to the employee again. 
## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
@@ -109,4 +138,6 @@ It's possible that you might revoke data from an unenrolled device only to later
 - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
+>[!Note]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md
deleted file mode 100644
index 77a7c0ee85..0000000000
--- a/windows/keep-secure/create-edp-policy-using-intune.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
-description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune
----
\ No newline at end of file
diff --git a/windows/keep-secure/create-edp-policy-using-sccm.md b/windows/keep-secure/create-edp-policy-using-sccm.md
deleted file mode 100644
index 354503af96..0000000000
--- a/windows/keep-secure/create-edp-policy-using-sccm.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
-description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-sccm
----
\ No newline at end of file
diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
deleted file mode 100644
index edd007a4f0..0000000000
--- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
-description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
-redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune
----
\ No newline at end of file
diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md
index f0c94d6dba..76ded492c6 100644
--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@@ -11,20 +11,14 @@ localizationpriority: high --- # Create a Windows Information Protection (WIP) policy using Microsoft Intune + **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile +- Windows 10, version 1703 +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. -## Important note about the June service update for Insider Preview -We've received some great feedback from you, our Windows 10 Insider Preview customers, about our Windows Information Protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing Windows Information Protection policy after we release the June service update in your test environment, your existing Windows 10 Windows Information Protection app rules (formerly in the **Protected Apps** area) will be removed.

    To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules. - -![Microsoft Intune: Reconfigure app rules list dialog box](images/wip-intune-app-reconfig-warning.png) - -Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list. - ## Add a WIP policy After you’ve set up Intune for your organization, you must create a WIP-specific policy. @@ -44,10 +38,11 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. ->[!IMPORTANT] +>[!Important] >WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

    Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->[!NOTE] + +>[!Note] >If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy @@ -77,8 +72,7 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
    If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -95,11 +89,8 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. - - For example: - + >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -109,8 +100,7 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. + >**Note**
    Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -126,15 +116,12 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. - - For example: - - ``` json + >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

    For example:
    + ```json { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } ``` #### Add a desktop app rule to your policy @@ -367,49 +354,49 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) -

    +

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Network location typeFormatDescription
    Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

    Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/

    Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

    If you have multiple resources, you must separate them using the "," delimiter.

    Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

    This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

    This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

    Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

    If you have multiple resources, you must separate them using the ";" delimiter.

    Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254
    Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter.

    Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter.

    + + Network location type + Format + Description + + + Enterprise Cloud Resources + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

    When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + + + Enterprise Network Domain Names (Required) + corp.contoso.com,region.contoso.com + Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

    This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

    If you have multiple resources, you must separate them using the "," delimiter. + + + Enterprise Proxy Servers + proxy.contoso.com:80;proxy2.contoso.com:443 + Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

    This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

    This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

    If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise Internal Proxy Servers + contoso.internalproxy1.com;contoso.internalproxy2.com + Specify the proxy servers your devices will go through to reach your cloud resources.

    Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

    This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

    If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise IPv4 Range (Required, if not using IPv6) + **Starting IPv4 Address:** 3.4.0.1
    **Ending IPv4 Address:** 3.4.255.254
    **Custom URI:** 3.4.0.1-3.4.255.254,
    10.0.0.1-10.255.255.254 + Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter. + + + Enterprise IPv6 Range (Required, if not using IPv4) + **Starting IPv6 Address:** 2a01:110::
    **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
    **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
    fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

    If you have multiple ranges, you must separate them using the "," delimiter. + + + Neutral Resources + sts.contoso.com,sts.contoso2.com + Specify your authentication redirection endpoints for your company.

    These locations are considered enterprise or personal, based on the context of the connection before the redirection.

    If you have multiple resources, you must separate them using the "," delimiter. + + 3. Add as many locations as you need, and then click **OK**. 
@@ -431,6 +418,16 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +### Choose to set up Azure Rights Management with WIP +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. + +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. + +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. + +>[!NOTE] +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. 
For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. + ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. 
@@ -471,11 +468,13 @@ After you've decided where your protected apps can access enterprise data on you 2. Click **Save Policy**. ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). - ## Related topics - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) +- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 49801ae337..91b8f3df68 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md 
@@ -94,8 +94,7 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + >**Note**
    If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -112,10 +111,7 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. - >For example:

    - + >**Important**
    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

    For example:

    ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -125,8 +121,7 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. + >**Note**
    Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -142,10 +137,8 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + >**Important**
    The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. >For example:

    - ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -394,7 +387,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
    contoso.visualstudio.com,contoso.internalproxy2.com

    Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

    For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

    If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

    Important
    In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. Enterprise Network Domain Names (Required) @@ -500,10 +493,10 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225) - [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226) ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). - ## Related topics - [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372) - [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623) -- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624) \ No newline at end of file +- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file 
diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
deleted file mode 100644
index 6d70cbad2b..0000000000
--- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
----
-
diff --git a/windows/keep-secure/credential-guard-considerations.md b/windows/keep-secure/credential-guard-considerations.md
new file mode 100644
index 0000000000..0adc21dd7f
--- /dev/null
+++ b/windows/keep-secure/credential-guard-considerations.md
@@ -0,0 +1,43 @@
+---
+title: Considerations when using Credential Guard (Windows 10)
+description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Considerations when using Credential Guard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
+in the Deep Dive into Credential Guard video series.
+
+- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
+- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
+- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
+
+- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
+ - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
+ - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
+ - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
+ - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
+
+## NTLM and CHAP Considerations
+
+When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
+
+## Kerberos Considerations
+
+When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
diff --git a/windows/keep-secure/credential-guard-how-it-works.md b/windows/keep-secure/credential-guard-how-it-works.md
new file mode 100644
index 0000000000..da731369ea
--- /dev/null
+++ b/windows/keep-secure/credential-guard-how-it-works.md
@@ -0,0 +1,44 @@
+---
+title: How Credential Guard works
+description: Using virtualization-based security, Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# How Credential Guard works
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+
+Prefer video? See [Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the Deep Dive into Credential Guard video series.
+
+
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+
+For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
+
+When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+
+When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
+
+Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
+
+![Credential Guard overview](images/credguard.png)
+
+
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
+
+[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
+
+[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md
new file mode 100644
index 0000000000..e4081028d7
--- /dev/null
+++ b/windows/keep-secure/credential-guard-manage.md
@@ -0,0 +1,212 @@ +--- +title: Manage Credential Guard (Windows 10) +description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Manage Credential Guard + +**Applies to** +- Windows 10 +- Windows Server 2016 + +Prefer video? See [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474) +in the Deep Dive into Credential Guard video series. + +## Enable Credential Guard +Credential Guard can be enabled either by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines. + + +### Enable Credential Guard by using Group Policy + +You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. + +1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. +2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. +3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. +4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. 
+ + ![Credential Guard Group Policy setting](images/credguard-gp.png) + +5. Close the Group Policy Management Console. + +To enforce processing of the group policy, you can run ```gpupdate /force```. + + +### Enable Credential Guard by using the registry + +If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. + +#### Add the virtualization-based security features + +Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. + +If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. +You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). +> [!NOTE] +If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. + +  +**Add the virtualization-based security features by using Programs and Features** + +1. Open the Programs and Features control panel. +2. Click **Turn Windows feature on or off**. +3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +4. Select the **Isolated User Mode** check box at the top level of the feature selection. +5. Click **OK**. + +**Add the virtualization-based security features to an offline image by using DISM** + +1. Open an elevated command prompt. +2. Add the Hyper-V Hypervisor by running the following command: + ``` + dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all + ``` +3. 
Add the Isolated User Mode feature by running the following command: + ``` + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` + +> [!NOTE] +> You can also add these features to an online image by using either DISM or Configuration Manager. + +#### Enable virtualization-based security and Credential Guard + +1. Open Registry Editor. +2. Enable virtualization-based security: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. + - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. + - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. +3. Enable Credential Guard: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. + - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. +4. Close Registry Editor. + + +> [!NOTE] +> You can also enable Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. + + +### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool + +You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot +``` + +### Credential Guard deployment in virtual machines + +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. 
Credential Guard does not provide additional protection from privileged system attacks originating from the host. + +#### Requirements for running Credential Guard in Hyper-V virtual machines + +- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. + +### Review Credential Guard performance + +**Is Credential Guard running?** + +You can view System Information to check that Credential Guard is running on a PC. + +1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. +2. Click **System Summary**. +3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. + + Here's an example: + + ![System Information](images/credguard-msinfo32.png) + +You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). + +``` +DG_Readiness_Tool_v3.0.ps1 -Ready +``` + +> [!NOTE] + +For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features. + +- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain. + +- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: + - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 + - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. 
+ - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+ - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
+ - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
+ - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
+ You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
+ - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
+
+## Disable Credential Guard
+
+If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
+
+1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**).
+2. Delete the following registry settings:
+ - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
+ - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
+
+ > [!IMPORTANT]
+ > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
+
+3.
Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
+ ``` syntax
+
+ mountvol X: /s
+
+ copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y
+
+ bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
+
+ bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO
+
+ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:
+
+ mountvol X: /d
+
+ ```
+2. Restart the PC.
+3. Accept the prompt to disable Credential Guard.
+4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
+
+> [!NOTE]
+> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+
+For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
+
+
+#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
+
+You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+
+```
+DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
+```
+
+#### Disable Credential Guard for a virtual machine
+
+From the host, you can disable Credential Guard for a virtual machine:
+
+``` PowerShell
+Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
+```
+
+
+
+
+
diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md
new file mode 100644
index 0000000000..bce8580dfb
--- /dev/null
+++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md
@@ -0,0 +1,641 @@
+---
+title: Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard protection limits
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Credential Guard video series.
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Key loggers
+- Physical attacks
+- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Third-party security packages
+- Digest and CredSSP credentials
+ - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory.
Note that these same credentials are vulnerable to key loggers as well.-
+- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- Windows logon cached password verifiers (commonly called "cached credentials")
+do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+
+## Additional mitigations
+
+Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+
+### Restricting domain users to specific domain-joined devices
+
+Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled?
By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
+
+#### Kerberos armoring
+
+Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks.
+
+**To enable Kerberos armoring for restricting domain users to specific domain-joined devices**
+
+- Users need to be in domains that are running Windows Server 2012 R2 or higher
+- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
+
+#### Protecting domain-joined device secrets
+
+Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
+
+Domain-joined device certificate authentication has the following requirements:
+- Devices' accounts are in Windows Server 2012 domain functional level or higher.
+- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+ - KDC EKU present
+ - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
+- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
+
+##### Deploying domain-joined device certificates
+
+To guarantee that certificates with the required issuance policy are only installed on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates.
+
+For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template.
+
+**Creating a new certificate template**
+
+1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.**
+2. Right-click **Workstation Authentication**, and then click **Duplicate Template**.
+3. Right-click the new template, and then click **Properties**.
+4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**.
+5. Click **Client Authentication**, and then click **Remove**.
+6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values:
+ - Name: Kerberos Client Auth
+ - Object Identifier: 1.3.6.1.5.2.3.4
+7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**.
+8. Under **Issuance Policies**, click**High Assurance**.
+9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
+
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+
+**Enrolling devices in a certificate**
+
+Run the following command:
+``` syntax
+CertReq -EnrollCredGuardCert MachineAuthentication
+```
+
+> [!NOTE]
+> You must restart the device after enrolling the machine authentication certificate.
+ 
+##### How a certificate issuance policy can be used for access control
+
+Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet.
+
+**To see the issuance policies available**
+
+- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\get-IssuancePolicy.ps1 –LinkedToGroup:All
+ ```
+
+**To link an issuance policy to a universal security group**
+
+- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group.
+ From a Windows PowerShell command prompt, run the following command:
+
+ ``` syntax
+ .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”"
+ ```
+
+#### Restricting user sign on
+
+So we now have completed the following:
+
+- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
+- Mapped that policy to a universal security group or claim
+- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+
+Authentication policies have the following requirements:
+- User accounts are in a Windows Server 2012 domain functional level or higher domain.
+
+**Creating an authentication policy restricting users to the specific universal security group**
+
+1. Open Active Directory Administrative Center.
+2. Click **Authentication**, click **New**, and then click **Authentication Policy**.
+3. In the **Display name** box, enter a name for this authentication policy.
+4. Under the **Accounts** heading, click **Add**.
+5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you wish to restrict, and then click **OK**.
+6. Under the **User Sign On** heading, click the **Edit** button.
+7. Click **Add a condition**.
+8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**.
+9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**.
+10. Click **OK** to close the **Edit Access Control Conditions** box.
+11. Click **OK** to create the authentication policy.
+12.
Close Active Directory Administrative Center.
+
+> [!NOTE]
+> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures.
+
+##### Discovering authentication failures due to authentication policies
+
+To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
+
+To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
+
+
+
+
+### Appendix: Scripts
+
+
+Here is a list of scripts mentioned in this topic.
+
+#### Get the available issuance policies on the certificate authority
+
+Save this script file as get-IssuancePolicy.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$Identity,
+$LinkedToGroup
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data getIP_strings {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted.
+help2 = Usage:
+help3 = The following parameter is mandatory:
+help4 = -LinkedToGroup:
+help5 = "yes" will return only Issuance Policies that are linked to groups.
Checks that the linked Issuance Policies are linked to valid groups.
+help6 = "no" will return only Issuance Policies that are not currently linked to any group.
+help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups.
+help8 = The following parameter is optional:
+help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored.
+help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters.
+help11 = Examples:
+errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}"
+ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security".
+ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal".
+ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership.
The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity +write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter.
+ 
+#### Link an issuance policy to a group
+
+Save the script file as set-IssuancePolicyToGroupLink.ps1.
+
+``` syntax
+#######################################
+## Parameters to be defined ##
+## by the user ##
+#######################################
+Param (
+$IssuancePolicyName,
+$groupOU,
+$groupName
+)
+#######################################
+## Strings definitions ##
+#######################################
+Data ErrorMsg {
+# culture="en-US"
+ConvertFrom-StringData -stringdata @'
+help1 = This command can be used to set the link between a certificate issuance policy and a universal security group.
+help2 = Usage:
+help3 = The following parameters are required:
+help4 = -IssuancePolicyName:
+help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy.
+help6 = The following parameter is optional:
+help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container.
+help8 = Examples:
+help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them.
+help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group.
+MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}"
+NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}".
+IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1}
+MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}".
+confirmOUcreation = Warning: The Organizational Unit that you specified does not exist.
Do you want to create it?
+OUCreationSuccess = Organizational Unit "{0}" successfully created.
+OUcreationError = Error: Organizational Unit "{0}" could not be created.
+OUFoundSuccess = Organizational Unit "{0}" was successfully found.
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
+confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
+groupCreationSuccess = Univeral Security group "{0}" successfully created.
+groupCreationError = Error: Univeral Security group "{0}" could not be created.
+GroupFound = Group "{0}" was successfully found.
+confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link?
+UnlinkSuccess = Certificate issuance policy successfully unlinked from any group.
+UnlinkError = Removing the link failed.
+UnlinkExit = Exiting without removing the link from the issuance policy to the group.
+IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script.
+ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security".
+ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal".
+ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members:
+ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"?
+LinkSuccess = The certificate issuance policy was successfully linked to the specified group.
+LinkError = The certificate issuance policy could not be linked to the specified group.
+ExitNoLinkReplacement = Exiting without setting the new link.
+'@
+}
+# import-localizeddata ErrorMsg
+function Display-Help {
+""
+write-host $ErrorMsg.help1
+""
+write-host $ErrorMsg.help2
+""
+write-host $ErrorMsg.help3
+write-host "`t" $ErrorMsg.help4
+write-host "`t" $ErrorMsg.help5
+""
+write-host $ErrorMsg.help6
+write-host "`t" $ErrorMsg.help7
+""
+""
+write-host $ErrorMsg.help8
+""
+write-host $ErrorMsg.help9
+".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" "
+""
+write-host $ErrorMsg.help10
+'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null '
+""
+}
+# Assumption: The group to which the Issuance Policy is going
+# to be linked is (or is going to be created) in
+# the domain the user running this script is a member of.
+import-module ActiveDirectory
+$root = get-adrootdse
+$domain = get-addomain -current loggedonuser
+if ( !($IssuancePolicyName) ) {
+display-Help
+break
+}
+#######################################
+## Find the OID object ##
+## (aka Issuance Policy) ##
+#######################################
+$searchBase = [String]$root.configurationnamingcontext
+$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
+if ($OID -eq $null) {
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($OID.GetType().IsArray) {
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+else {
+$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName
+write-host $tmp -ForeGroundColor Green
+}
+#######################################
+## Find the container of the group ##
+#######################################
+if ($groupOU -eq
$null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+## Find the group ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice
-eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?)
{
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+## Verify that the group is ##
+## Universal, Security, and ##
+## has no members ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+## We have verified everything. We ##
+## can create the link from the ##
+## Issuance Policy to the group. ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?)
{
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+} else {
+$tmp = $Errormsg.ExitNoLinkReplacement
+write-host $tmp
+break
+}
+}
+else {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Add $tmp
+if ($?) {
+$tmp = $Errormsg.LinkSuccess
+write-host $tmp -Foreground Green
+}else{
+$tmp = $ErrorMsg.LinkError
+write-host $tmp -Foreground Red
+}
+}
+```
+
+> [!NOTE]
+> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
diff --git a/windows/keep-secure/credential-guard-protection-limits.md b/windows/keep-secure/credential-guard-protection-limits.md
new file mode 100644
index 0000000000..f159c931c3
--- /dev/null
+++ b/windows/keep-secure/credential-guard-protection-limits.md
@@ -0,0 +1,41 @@
+---
+title: Credential Guard protection limits (Windows 10)
+description: Scenarios not protected by Credential Guard in Windows 10.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard protection limits
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
+in the Deep Dive into Credential Guard video series.
+
+Some ways to store credentials are not protected by Credential Guard, including:
+
+- Software that manages credentials outside of Windows feature protection
+- Local accounts and Microsoft Accounts
+- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Key loggers
+- Physical attacks
+- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Third-party security packages
+- Digest and CredSSP credentials
+ - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory.
Note that these same credentials are vulnerable to key loggers as well.-
+- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- Windows logon cached password verifiers (commonly called "cached credentials")
+do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+
+## See also
+
+**Deep Dive into Credential Guard: Related videos**
+
+[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
diff --git a/windows/keep-secure/credential-guard-requirements.md b/windows/keep-secure/credential-guard-requirements.md
new file mode 100644
index 0000000000..e87463063e
--- /dev/null
+++ b/windows/keep-secure/credential-guard-requirements.md
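Review bot: The "cached credentials" bullet tells the reader that cached password verifiers cannot be replayed to another computer, but on a page titled "protection limits" it never states the limit itself — the verifiers are, as the bullet says, stored in the registry on the local computer, so presumably they remain readable by a local administrator just like the other on-disk secrets this page excludes, and that should be said explicitly; suggest appending `Credential Guard does not protect these verifiers; use the policy setting to keep the number cached as low as your offline-logon needs allow.` The NTLM bullet ends with a stray `-` after "key loggers as well." that will render as text, and "vulnerable to be read from LSASS memory" reads better as `can be read from LSASS memory`. The bare "Local accounts and Microsoft Accounts" bullet would carry its reasoning if written as `Local accounts and Microsoft accounts (local account secrets live in the SAM, which Credential Guard does not protect)`, matching the SAM note the requirements page in this same commit makes.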
@@ -0,0 +1,120 @@
+---
+title: Credential Guard Requirements (Windows 10)
+description: Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+# Credential Guard: Requirements
+
+**Applies to**
+- Windows 10
+- Windows Server 2016
+
+Prefer video? See
+[Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
+in the Deep Dive into Credential Guard video series.
+
+For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
+
+
+
+## Hardware and software requirements
+
+To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
+- Support for Virtualization-based security (required)
+- Secure boot (required)
+- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
+- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
+
+The Virtualization-based security requires:
+- 64-bit CPU
+- CPU virtualization extensions plus extended page tables
+- Windows hypervisor
+
+## Application requirements
+
+When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
+
+>[!WARNING]
+> Enabling Credential Guard on domain controllers is not supported.
    +> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. + +>[!NOTE] +> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). + +Applications will break if they require: +- Kerberos DES encryption support +- Kerberos unconstrained delegation +- Extracting the Kerberos TGT +- NTLMv1 + +Applications will prompt and expose credentials to risk if they require: +- Digest authentication +- Credential delegation +- MS-CHAPv2 + +Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. + +See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) + + +## Security considerations + +All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. +Computers that meet additional qualifications can provide additional protections to further reduce the attack surface. +The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017. + +> [!NOTE] +> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers.
    +> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
    + +### Baseline protections + +|Baseline Protections | Description | +|---------------------------------------------|----------------------------------------------------| +| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | +| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | +| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.
    [TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations)

    **Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | + +> [!IMPORTANT] +> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide. + +### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4 + +| Protections for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

    **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Secure MOR, revision 2 implementation** | **Requirement**: Secure MOR, revision 2 implementation

    **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | + +
    + +### 2016 Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 + +> [!IMPORTANT] +> The following tables list additional qualifications for improved security. Systems that meet these additional qualifications can provide more protections. + +| Protections for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | +| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | + +
    + +### 2017 Additional security qualifications starting with Windows 10, version 1703 + +The following table lists qualifications for Windows 10, version 1703, which are in addition to all preceding qualifications. + +| Protection for Improved Security | Description | +|---------------------------------------------|----------------------------------------------------| +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
    • UEFI runtime service must meet these requirements:
        - Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        - PE sections need to be page-aligned in memory (not required for in non-volatile storage).
        - The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and executable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code

    **Security benefits**:
    • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | diff --git a/windows/keep-secure/credential-guard-scripts.md b/windows/keep-secure/credential-guard-scripts.md new file mode 100644 index 0000000000..991d0010f2 --- /dev/null +++ b/windows/keep-secure/credential-guard-scripts.md 
@@ -0,0 +1,488 @@ +--- +title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10) +description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +--- + +# Credential Guard: Scripts for Certificate Authority Issuance Policies + + +Here is a list of scripts mentioned in this topic. + +## Get the available issuance policies on the certificate authority + +Save this script file as get-IssuancePolicy.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$Identity, +$LinkedToGroup +) +####################################### +## Strings definitions ## +####################################### +Data getIP_strings { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targeted. +help2 = Usage: +help3 = The following parameter is mandatory: +help4 = -LinkedToGroup: +help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. +help8 = The following parameter is optional: +help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. +help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. 
+help11 = Examples: +errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" +ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". +ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". +ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: +LinkedIPs = The following Issuance Policies are linked to groups: +displayName = displayName : {0} +Name = Name : {0} +dn = distinguishedName : {0} + InfoName = Linked Group Name: {0} + InfoDN = Linked Group DN: {0} +NonLinkedIPs = The following Issuance Policies are NOT linked to groups: +'@ +} +##Import-LocalizedData getIP_strings +import-module ActiveDirectory +####################################### +## Help ## +####################################### +function Display-Help { + "" + $getIP_strings.help1 + "" +$getIP_strings.help2 +"" +$getIP_strings.help3 +" " + $getIP_strings.help4 +" " + $getIP_strings.help5 + " " + $getIP_strings.help6 + " " + $getIP_strings.help7 +"" +$getIP_strings.help8 + " " + $getIP_strings.help9 + "" + $getIP_strings.help10 +"" +"" +$getIP_strings.help11 + " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" + " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" + " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" +"" +} +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +$configNCDN = [String]$root.configurationNamingContext +if ( !($Identity) -and !($LinkedToGroup) ) { +display-Help +break +} +if ($Identity) { + $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * + if ($OIDs -eq $null) { +$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity 
+write-host $errormsg -ForegroundColor Red + } + foreach ($OID in $OIDs) { + if ($OID."msDS-OIDToGroupLink") { +# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. + $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $groupName = $group.Name +# Analyze the group + if ($group.groupCategory -ne "Security") { +$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName +write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + } + } + return $OIDs + break +} +if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" + $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*****************************************************" + write-host $getIP_strings.LinkedIPs + write-host "*****************************************************" + write-host "" + if ($LinkedOIDs -ne $null){ + foreach ($OID in $LinkedOIDs) { +# Display basic information about the Issuance Policies + "" + $getIP_strings.displayName -f $OID.displayName + $getIP_strings.Name -f $OID.Name + $getIP_strings.dn -f $OID.distinguishedName +# Get the linked group. 
+ $groupDN = $OID."msDS-OIDToGroupLink" + $group = get-adgroup -Identity $groupDN + $getIP_strings.InfoName -f $group.Name + $getIP_strings.InfoDN -f $groupDN +# Analyze the group + $OIDName = $OID.displayName + $groupName = $group.Name + if ($group.groupCategory -ne "Security") { + $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + if ($group.groupScope -ne "Universal") { + $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + } + $members = Get-ADGroupMember -Identity $group + if ($members) { + $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName + write-host $errormsg -ForegroundColor Red + foreach ($member in $members) { + write-host " " $member -ForeGroundColor Red + } + } + write-host "" + } + }else{ +write-host "There are no issuance policies that are mapped to a group" + } + if ($LinkedToGroup -eq "yes") { + return $LinkedOIDs + break + } +} +if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { + $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" + $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * + write-host "" + write-host "*********************************************************" + write-host $getIP_strings.NonLinkedIPs + write-host "*********************************************************" + write-host "" + if ($NonLinkedOIDs -ne $null) { + foreach ($OID in $NonLinkedOIDs) { +# Display basic information about the Issuance Policies +write-host "" +$getIP_strings.displayName -f $OID.displayName +$getIP_strings.Name -f $OID.Name +$getIP_strings.dn -f $OID.distinguishedName +write-host "" + } + }else{ +write-host "There are no issuance policies which are not mapped to groups" + } + if ($LinkedToGroup -eq "no") { + return $NonLinkedOIDs + break + } +} +``` +> [!NOTE] +> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. +  +## Link an issuance policy to a group + +Save the script file as set-IssuancePolicyToGroupLink.ps1. + +``` syntax +####################################### +## Parameters to be defined ## +## by the user ## +####################################### +Param ( +$IssuancePolicyName, +$groupOU, +$groupName +) +####################################### +## Strings definitions ## +####################################### +Data ErrorMsg { +# culture="en-US" +ConvertFrom-StringData -stringdata @' +help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. +help2 = Usage: +help3 = The following parameters are required: +help4 = -IssuancePolicyName: +help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. +help6 = The following parameter is optional: +help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. +help8 = Examples: +help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. +help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. +MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" +NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". +IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} +MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". +confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? +OUCreationSuccess = Organizational Unit "{0}" successfully created. +OUcreationError = Error: Organizational Unit "{0}" could not be created. +OUFoundSuccess = Organizational Unit "{0}" was successfully found. +multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". +confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? +groupCreationSuccess = Univeral Security group "{0}" successfully created. +groupCreationError = Error: Univeral Security group "{0}" could not be created. +GroupFound = Group "{0}" was successfully found. +confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? +UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. +UnlinkError = Removing the link failed. +UnlinkExit = Exiting without removing the link from the issuance policy to the group. +IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. +ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". +ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". +ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: +ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? +LinkSuccess = The certificate issuance policy was successfully linked to the specified group. +LinkError = The certificate issuance policy could not be linked to the specified group. 
+ExitNoLinkReplacement = Exiting without setting the new link. +'@ +} +# import-localizeddata ErrorMsg +function Display-Help { +"" +write-host $ErrorMsg.help1 +"" +write-host $ErrorMsg.help2 +"" +write-host $ErrorMsg.help3 +write-host "`t" $ErrorMsg.help4 +write-host "`t" $ErrorMsg.help5 +"" +write-host $ErrorMsg.help6 +write-host "`t" $ErrorMsg.help7 +"" +"" +write-host $ErrorMsg.help8 +"" +write-host $ErrorMsg.help9 +".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " +"" +write-host $ErrorMsg.help10 +'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' +"" +} +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in +# the domain the user running this script is a member of. +import-module ActiveDirectory +$root = get-adrootdse +$domain = get-addomain -current loggedonuser +if ( !($IssuancePolicyName) ) { +display-Help +break +} +####################################### +## Find the OID object ## +## (aka Issuance Policy) ## +####################################### +$searchBase = [String]$root.configurationnamingcontext +$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * +if ($OID -eq $null) { +$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +elseif ($OID.GetType().IsArray) { +$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase +write-host $tmp -ForeGroundColor Red +break; +} +else { +$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName +write-host $tmp -ForeGroundColor Green +} +####################################### +## Find the container of the group ## +####################################### +if ($groupOU -eq 
$null) {
+# default to the Users container
+$groupContainer = $domain.UsersContainer
+}
+else {
+$searchBase = [string]$domain.DistinguishedName
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+if ($groupContainer.count -gt 1) {
+$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase
+write-host $tmp -ForegroundColor Red
+break;
+}
+elseif ($groupContainer -eq $null) {
+$tmp = $ErrorMsg.confirmOUcreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName
+if ($?){
+$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU
+write-host $tmp -ForegroundColor Green
+}
+else{
+$tmp = $ErrorMsg.OUCreationError -f $groupOU
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")}
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name
+write-host $tmp -ForegroundColor Green
+}
+}
+#######################################
+## Find the group ##
+#######################################
+if (($groupName -ne $null) -and ($groupName -ne "")){
+##$searchBase = [String]$groupContainer.DistinguishedName
+$searchBase = $groupContainer
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+if ($group -ne $null -and $group.gettype().isarray) {
+$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase
+write-host $tmp -ForeGroundColor Red
+break;
+}
+elseif ($group -eq $null) {
+$tmp = $ErrorMsg.confirmGroupCreation
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security"
+if ($?){
+$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName
+write-host $tmp -ForegroundColor Green
+}else{
+$tmp = $ErrorMsg.groupCreationError -f $groupName
+write-host $tmp -ForeGroundColor Red
+break
+}
+$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase
+}
+else {
+break;
+}
+}
+else {
+$tmp = $ErrorMsg.GroupFound -f $group.Name
+write-host $tmp -ForegroundColor Green
+}
+}
+else {
+#####
+## If the group is not specified, we should remove the link if any exists
+#####
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink"
+write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink"
+if ($?) {
+$tmp = $ErrorMsg.UnlinkSuccess
+write-host $tmp -ForeGroundColor Green
+}else{
+$tmp = $ErrorMsg.UnlinkError
+write-host $tmp -ForeGroundColor Red
+}
+}
+else {
+$tmp = $ErrorMsg.UnlinkExit
+write-host $tmp
+break
+}
+}
+else {
+$tmp = $ErrorMsg.IPNotLinked
+write-host $tmp -ForeGroundColor Yellow
+}
+break;
+}
+#######################################
+## Verify that the group is ##
+## Universal, Security, and ##
+## has no members ##
+#######################################
+if ($group.GroupScope -ne "Universal") {
+$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+if ($group.GroupCategory -ne "Security") {
+$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+break;
+}
+$members = Get-ADGroupMember -Identity $group
+if ($members -ne $null) {
+$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName
+write-host $tmp -ForeGroundColor Red
+foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red}
+break;
+}
+#######################################
+## We have verified everything. We ##
+## can create the link from the ##
+## Issuance Policy to the group. ##
+#######################################
+if ($OID."msDS-OIDToGroupLink" -ne $null) {
+$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName
+write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline
+$userChoice = read-host
+if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) {
+$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName}
+set-adobject -Identity $OID -Replace $tmp
+if ($?)
{ +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} else { +$tmp = $Errormsg.ExitNoLinkReplacement +write-host $tmp +break +} +} +else { +$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} +set-adobject -Identity $OID -Add $tmp +if ($?) { +$tmp = $Errormsg.LinkSuccess +write-host $tmp -Foreground Green +}else{ +$tmp = $ErrorMsg.LinkError +write-host $tmp -Foreground Red +} +} +``` + +> [!NOTE] +> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. \ No newline at end of file diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 9d3a33d12c..b36d3a7301 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -16,6 +16,8 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 +Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Credential Guard video series. + Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. By enabling Credential Guard, the following features and solutions are provided: 
@@ -24,925 +26,6 @@ By enabling Credential Guard, the following features and solutions are provided: - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. - **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. -## How it works - -Kerberos, NTLM, and Credential manager isolate secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security. Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. - -For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. 
All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. - -When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocol. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases. - -When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials. - -Here's a high-level overview on how the LSA is isolated by using virtualization-based security: - -![Credential Guard overview](images/credguard.png) - -## Requirements - -For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally Credential Guard blocks specific authentication capabilities, so applications which require blocked capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. To keep this section brief, those will be in [Security Considerations](#security-considerations). 
- -### Hardware and software requirements - -To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. - -To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: -- Support for Virtualization-based security (required) -- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) -- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) - -The Virtualization-based security requires: -- 64 bit CPU -- CPU virtualization extensions plus extended page tables -- Windows hypervisor - -### Application requirements - -When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. - ->[!WARNING] -> Enabling Credential Guard on domain controllers is not supported.
    -> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. - ->[!NOTE] -> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts). - -Applications will break if they require: -- Kerberos DES encryption support -- Kerberos unconstrained delegation -- Extracting the Kerberos TGT -- NTLMv1 - -Applications will prompt & expose credentials to risk if they require: -- Digest authentication -- Credential delegation -- MS-CHAPv2 - -Applications may cause performance issues when they attempt to hook the isolated Credential Guard process. - -### Security considerations - -The following tables provide more information about the hardware, firmware, and software required for deployment of Credential Guard. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017. - -> [!NOTE] -> For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
    -> If you are an OEM, see the requirements information at [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
    -> Starting in Widows 10, 1607, TPM 2.0 is required. - -#### Baseline protection recommendations - -|Baseline Protections | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | -| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    - VT-x (Intel) or
    - AMD-V
    And:
    - Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. | -| Hardware: **Trusted Platform Module (TPM)** | **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.

    **Security benefits**: A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Credential Guard. | - -> [!IMPORTANT] -> The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Credential Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security to significantly strengthen the level of security that Credential Guard can provide. - -#### 2015 Additional Security Recommendations (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4) - -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Hardware: **IOMMU** (input/output memory management unit) | **Requirement**: VT-D or AMD Vi IOMMU

    **Security benefits**: An IOMMU can enhance system resiliency against memory attacks. For more information, see [ACPI description tables](https://msdn.microsoft.com/windows/hardware/drivers/bringup/acpi-system-description-tables). | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | -| Firmware: **Secure MOR implementation** | **Requirement**: Secure MOR implementation

    **Security benefits**: A secure MOR bit prevents advanced memory attacks. For more information, see [Secure MOR implementation](https://msdn.microsoft.com/windows/hardware/drivers/bringup/device-guard-requirements). | - -
    - -#### 2016 Additional Security Recommendations (starting with Windows 10, version 1607, and Windows Server 2016) - -> [!IMPORTANT] -> The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Credential Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. - -| Protections for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. | -| Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | - -
    - -#### 2017 Additional Security Recommendations (starting with the next major release of Windows 10) - -| Protection for Improved Security | Description | -|---------------------------------------------|----------------------------------------------------| -| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. | - -## Manage Credential Guard - -### Enable Credential Guard -Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). - -#### Turn on Credential Guard by using Group Policy - -You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. - -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. -2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. -3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. -4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**. - - ![Credential Guard Group Policy setting](images/credguard-gp.png) - -5. Close the Group Policy Management Console. - -To enforce processing of the group policy, you can run ```gpupdate /force```. - -#### Turn on Credential Guard by using the registry - -If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. - -#### Add the virtualization-based security features - -Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. - -If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. 
-You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). -> [!NOTE] -> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. - -  -**Add the virtualization-based security features by using Programs and Features** - -1. Open the Programs and Features control panel. -2. Click **Turn Windows feature on or off**. -3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Select the **Isolated User Mode** check box at the top level of the feature selection. -5. Click **OK**. - -**Add the virtualization-based security features to an offline image by using DISM** - -1. Open an elevated command prompt. -2. Add the Hyper-V Hypervisor by running the following command: - ``` syntax - dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all - ``` -3. Add the Isolated User Mode feature by running the following command: - ``` syntax - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` - -> [!NOTE] -> You can also add these features to an online image by using either DISM or Configuration Manager. - -#### Enable virtualization-based security and Credential Guard - -1. Open Registry Editor. -2. Enable virtualization-based security: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. -3. Enable Credential Guard: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - - Add a new DWORD value named **LsaCfgFlags**. 
Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. -4. Close Registry Editor. - - -> [!NOTE] -> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. - - -#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool - -You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot -``` - -#### Credential Guard deployment in virtual machines - -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. - -Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: - -``` PowerShell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - -Requirements for running Credential Guard in Hyper-V virtual machines -- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. -- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. - -### Remove Credential Guard - -If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). - -1. 
If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). -2. Delete the following registry settings: - - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - - > [!IMPORTANT] - > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. - -3. Delete the Credential Guard EFI variables by using bcdedit. - -**Delete the Credential Guard EFI variables** - -1. From an elevated command prompt, type the following commands: - ``` syntax - - mountvol X: /s - - copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y - - bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi" - - bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215} - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO - - bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X: - - mountvol X: /d - - ``` -2. Restart the PC. -3. Accept the prompt to disable Credential Guard. -4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard. - -> [!NOTE] -> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. 
If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - -For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). - - -#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool - -You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot -``` -  -### Check that Credential Guard is running - -You can use System Information to ensure that Credential Guard is running on a PC. - -1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. -2. Click **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**. - - Here's an example: - - ![System Information](images/credguard-msinfo32.png) - -You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). - -``` -DG_Readiness_Tool_v2.0.ps1 -Ready -``` - -## Considerations when using Credential Guard - -- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard is enabled before the PC is joined to a domain. -- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. 
- - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 - - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. - - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. - - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. - - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. -- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, Microsoft Passport, or Microsoft Passport for Work. -- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. 
For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. -- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. - -- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: - - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. 
- - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. - -### NTLM & CHAP Considerations - -When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. - -### Kerberos Considerations - -When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead. - -## Scenarios not protected by Credential Guard - -Some ways to store credentials are not protected by Credential Guard, including: - -- Software that manages credentials outside of Windows feature protection -- Local accounts and Microsoft Accounts -- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise. -- Key loggers -- Physical attacks -- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization. -- Third-party security packages -- Digest and CredSSP credentials - - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. 
If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well. - -## Additional mitigations - -Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also need to be deployed to make the domain environment more robust. - -### Restricting domain users to specific domain-joined devices - -Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on with devices with Credential Guard? By deploying authentication policies which restrict them to specific domain-joined device that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used. - -#### Kerberos armoring - -Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring, its TGT is used to protect the user's proof of possession which can mitigate offline dictionary attacks. Kerberos armoring also provides the additional benefit of signed KDC errors this mitigates tampering which can result in things such as downgrade attacks. 
- -**To enable Kerberos armoring for restricting domain users to specific domain-joined devices** - -- Users need to be in domains which are running Windows Server 2012 R2 or higher -- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**. -- All the devices with Credential Guard which the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**. - -#### Protecting domain-joined device secrets - -Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices which authenticate using those certificates. This prevents shared secrets on stolen from the device to be used with stolen user credentials to sign on as the user. - -Domain-joined device certificate authentication has the following requirements: -- Devices' accounts are in Windows Server 2012 domain funcational level or higher domains. -- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements: - - KDC EKU present - - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension -- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store. -- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard. 
- -##### Deploying domain-joined device certificates - -To guarantee that certificates with the issuance policy required are only on the devices these users must use, they must be deployed manually on each device. The same security procedures used for issuing smart cards to users should be applied to device certificates. - -For example, let's say you wanted to use the High Assurance policy only on these devices. Using a Windows Server Enterprise certificate authority, you would create a new template. - -**Creating a new certificate template** - -1. From the Certificate Manager console, right-click **Certificate Templates**, and then click **Manage.** -2. Right-click **Workstation Authentication**, and then click **Duplicate Template**. -3. Right-click the new template, and then click **Properties**. -4. On the **Extensions** tab, click **Application Policies**, and then click **Edit**. -5. Click **Client Authentication**, and then click **Remove**. -6. Add the ID-PKInit-KPClientAuth EKU. Click **Add**, click **New**, and then specify the following values: - - Name: Kerberos Client Auth - - Object Identifier: 1.3.6.1.5.2.3.4 -7. On the **Extensions** tab, click **Issuance Policies**, and then click **Edit**. -8. Under **Issuance Policies**, click**High Assurance**. -9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box. - -Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created. - -**Enrolling devices in a certificate** - -Run the following command: -``` syntax -CertReq -EnrollCredGuardCert MachineAuthentication -``` - -> [!NOTE] -> You must restart the device after enrolling the machine authentication certificate. 
-  -#### How a certificate issuance policy can be used for access control - -Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. - -**To see the issuance policies available** - -- The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\get-IssuancePolicy.ps1 –LinkedToGroup:All - ``` - -**To link a issuance policy to a universal security group** - -- The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. - From a Windows PowerShell command prompt, run the following command: - - ``` syntax - .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" - ``` - -#### Restricting user sign on - -So we now have the following: - -- Created a special certificate issuance policy to identify devices which meet the deployment criteria required for the user to be able to sign on -- Mapped that policy to a universal security group or claim -- Provided a way for domain controllers to get the device authorization data during user sign on using Kerberos armoring- -so what is left to do is configuring the access check on the domain controllers. This is done with authentication policies. 
- -Authentication policies have the following requirements: -- User accounts are in a Windows Server 2012 domain functional level or higher domain. - -**Creating an authentication policy restricting to the specific universal security group** - -1. Open Active Directory Administrative Center. -2. Click **Authentication**, click **New**, and then click **Authentication Policy**. -3. In the **Display name** box, enter a name for this authentication policy. -4. Under the **Accounts** heading, click **Add**. -5. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the user account you with to restrict, and then click **OK**. -6. Under the **User Sign On** heading, click the **Edit** button. -7. Click **Add a condition**. -8. In the **Edit Access Control Conditions** box, ensure that it reads **User** > **Group** > **Member of each** > **Value**, and then click **Add items**. -9. In the **Select Users, Computers, or Service Accounts** dialog box, type the name of the universal security group that you created with the set-IssuancePolicyToGroupLink script, and then click **OK**. -10. Click **OK** to close the **Edit Access Control Conditions** box. -11. Click **OK** to create the authentication policy. -12. Close Active Directory Administrative Center. - -> [!NOTE] -> When the authentication policy enforces policy restrictions, users will not be able to sign on using devices that do not have a certificate with the appropriate issuance policy deployed. This applies to both local and remote sign on scenarios. Therefore, it is strongly recommended to first only audit policy restrictions to ensure you don't have unexpected failures. - -#### Discovering authentication failures due to authentication policies - -To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. 
To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. - -To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). - -## Appendix: Scripts - -Here is a list of scripts that are mentioned in this topic. - -### Get the available issuance policies on the certificate authority - -Save this script file as get-IssuancePolicy.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$Identity, -$LinkedToGroup -) -####################################### -## Strings definitions ## -####################################### -Data getIP_strings { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to retrieve all available Issuance Policies in a forest. The forest of the currently logged on user is targetted. -help2 = Usage: -help3 = The following parameter is mandatory: -help4 = -LinkedToGroup: -help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. -help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. -help8 = The following parameter is optional: -help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. -help10 = Output: This script returns the Issuance Policy objects meeting the criteria defined by the above parameters. 
-help11 = Examples: -errorIPNotFound = Error: no Issuance Policy could be found with Identity "{0}" -ErrorNotSecurity = Error: Issuance Policy "{0}" is linked to group "{1}" which is not of type "Security". -ErrorNotUniversal = Error: Issuance Policy "{0}" is linked to group "{1}" whose scope is not "Universal". -ErrorHasMembers = Error: Issuance Policy "{0}" is linked to group "{1}" which has a non-empty membership. The group has the following members: -LinkedIPs = The following Issuance Policies are linked to groups: -displayName = displayName : {0} -Name = Name : {0} -dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} - InfoDN = Linked Group DN: {0} -NonLinkedIPs = The following Issuance Policies are NOT linked to groups: -'@ -} -##Import-LocalizedData getIP_strings -import-module ActiveDirectory -####################################### -## Help ## -####################################### -function Display-Help { - "" - $getIP_strings.help1 - "" -$getIP_strings.help2 -"" -$getIP_strings.help3 -" " + $getIP_strings.help4 -" " + $getIP_strings.help5 - " " + $getIP_strings.help6 - " " + $getIP_strings.help7 -"" -$getIP_strings.help8 - " " + $getIP_strings.help9 - "" - $getIP_strings.help10 -"" -"" -$getIP_strings.help11 - " " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All" - " " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes" - " " + '$' + "myIP = .\get-IssuancePolicy.ps1 -Identity:""Medium Assurance""" -"" -} -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -$configNCDN = [String]$root.configurationNamingContext -if ( !($Identity) -and !($LinkedToGroup) ) { -display-Help -break -} -if ($Identity) { - $OIDs = get-adobject -Filter {(objectclass -eq "msPKI-Enterprise-Oid") -and ((name -eq $Identity) -or (displayname -eq $Identity) -or (distinguishedName -like $Identity)) } -searchBase $configNCDN -properties * - if ($OIDs -eq $null) { -$errormsg = $getIP_strings.ErrorIPNotFound -f $Identity 
-write-host $errormsg -ForegroundColor Red - } - foreach ($OID in $OIDs) { - if ($OID."msDS-OIDToGroupLink") { -# In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. - $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $groupName = $group.Name -# Analyze the group - if ($group.groupCategory -ne "Security") { -$errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $Identity, $groupName -write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - } - } - return $OIDs - break -} -if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))" - $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*****************************************************" - write-host $getIP_strings.LinkedIPs - write-host "*****************************************************" - write-host "" - if ($LinkedOIDs -ne $null){ - foreach ($OID in $LinkedOIDs) { -# Display basic information about the Issuance Policies - "" - $getIP_strings.displayName -f $OID.displayName - $getIP_strings.Name -f $OID.Name - $getIP_strings.dn -f $OID.distinguishedName -# Get the linked group. 
- $groupDN = $OID."msDS-OIDToGroupLink" - $group = get-adgroup -Identity $groupDN - $getIP_strings.InfoName -f $group.Name - $getIP_strings.InfoDN -f $groupDN -# Analyze the group - $OIDName = $OID.displayName - $groupName = $group.Name - if ($group.groupCategory -ne "Security") { - $errormsg = $getIP_strings.ErrorNotSecurity -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - if ($group.groupScope -ne "Universal") { - $errormsg = $getIP_strings.ErrorNotUniversal -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - } - $members = Get-ADGroupMember -Identity $group - if ($members) { - $errormsg = $getIP_strings.ErrorHasMembers -f $OIDName, $groupName - write-host $errormsg -ForegroundColor Red - foreach ($member in $members) { - write-host " " $member -ForeGroundColor Red - } - } - write-host "" - } - }else{ -write-host "There are no issuance policies that are mapped to a group" - } - if ($LinkedToGroup -eq "yes") { - return $LinkedOIDs - break - } -} -if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) { - $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))" - $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties * - write-host "" - write-host "*********************************************************" - write-host $getIP_strings.NonLinkedIPs - write-host "*********************************************************" - write-host "" - if ($NonLinkedOIDs -ne $null) { - foreach ($OID in $NonLinkedOIDs) { -# Display basic information about the Issuance Policies -write-host "" -$getIP_strings.displayName -f $OID.displayName -$getIP_strings.Name -f $OID.Name -$getIP_strings.dn -f $OID.distinguishedName -write-host "" - } - }else{ -write-host "There are no issuance policies which are not mapped to groups" - } - if ($LinkedToGroup -eq "no") { - return $NonLinkedOIDs - break - } -} -``` -> [!NOTE] -> If you're having trouble running this script, try 
replacing the single quote after the ConvertFrom-StringData parameter. -  -### Link an issuance policy to a group - -Save the script file as set-IssuancePolicyToGroupLink.ps1. - -``` syntax -####################################### -## Parameters to be defined ## -## by the user ## -####################################### -Param ( -$IssuancePolicyName, -$groupOU, -$groupName -) -####################################### -## Strings definitions ## -####################################### -Data ErrorMsg { -# culture="en-US" -ConvertFrom-StringData -stringdata @' -help1 = This command can be used to set the link between a certificate issuance policy and a universal security group. -help2 = Usage: -help3 = The following parameters are required: -help4 = -IssuancePolicyName: -help5 = -groupName:. If no name is specified, any existing link to a group is removed from the Issuance Policy. -help6 = The following parameter is optional: -help7 = -groupOU:. If this parameter is not specified, the group is looked for or created in the Users container. -help8 = Examples: -help9 = This command will link the issuance policy whose display name is "High Assurance" to the group "HighAssuranceGroup" in the Organizational Unit "OU_FOR_IPol_linked_groups". If the group or the Organizational Unit do not exist, you will be prompted to create them. -help10 = This command will unlink the issuance policy whose name is "402.164959C40F4A5C12C6302E31D5476062" from any group. -MultipleIPs = Error: Multiple Issuance Policies with name or display name "{0}" were found in the subtree of "{1}" -NoIP = Error: no issuance policy with name or display name "{0}" could be found in the subtree of "{1}". -IPFound = An Issuance Policy with name or display name "{0}" was successfully found: {1} -MultipleOUs = Error: more than 1 Organizational Unit with name "{0}" could be found in the subtree of "{1}". -confirmOUcreation = Warning: The Organizational Unit that you specified does not exist. 
Do you want to create it? -OUCreationSuccess = Organizational Unit "{0}" successfully created. -OUcreationError = Error: Organizational Unit "{0}" could not be created. -OUFoundSuccess = Organizational Unit "{0}" was successfully found. -multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}". -confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it? -groupCreationSuccess = Univeral Security group "{0}" successfully created. -groupCreationError = Error: Univeral Security group "{0}" could not be created. -GroupFound = Group "{0}" was successfully found. -confirmLinkDeletion = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to remove the link? -UnlinkSuccess = Certificate issuance policy successfully unlinked from any group. -UnlinkError = Removing the link failed. -UnlinkExit = Exiting without removing the link from the issuance policy to the group. -IPNotLinked = The Certificate issuance policy is not currently linked to any group. If you want to link it to a group, you should specify the -groupName option when starting this script. -ErrorNotSecurity = Error: You cannot link issuance Policy "{0}" to group "{1}" because this group is not of type "Security". -ErrorNotUniversal = Error: You cannot link issuance Policy "{0}" to group "{1}" because the scope of this group is not "Universal". -ErrorHasMembers = Error: You cannot link issuance Policy "{0}" to group "{1}" because it has a non-empty membership. The group has the following members: -ConfirmLinkReplacement = Warning: The Issuance Policy "{0}" is currently linked to group "{1}". Do you really want to update the link to point to group "{2}"? -LinkSuccess = The certificate issuance policy was successfully linked to the specified group. -LinkError = The certificate issuance policy could not be linked to the specified group. 
-ExitNoLinkReplacement = Exiting without setting the new link. -'@ -} -# import-localizeddata ErrorMsg -function Display-Help { -"" -write-host $ErrorMsg.help1 -"" -write-host $ErrorMsg.help2 -"" -write-host $ErrorMsg.help3 -write-host "`t" $ErrorMsg.help4 -write-host "`t" $ErrorMsg.help5 -"" -write-host $ErrorMsg.help6 -write-host "`t" $ErrorMsg.help7 -"" -"" -write-host $ErrorMsg.help8 -"" -write-host $ErrorMsg.help9 -".\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName ""High Assurance"" -groupOU ""OU_FOR_IPol_linked_groups"" -groupName ""HighAssuranceGroup"" " -"" -write-host $ErrorMsg.help10 -'.\Set-IssuancePolicyToGroupMapping.ps1 -IssuancePolicyName "402.164959C40F4A5C12C6302E31D5476062" -groupName $null ' -"" -} -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in -# the domain the user running this script is a member of. -import-module ActiveDirectory -$root = get-adrootdse -$domain = get-addomain -current loggedonuser -if ( !($IssuancePolicyName) ) { -display-Help -break -} -####################################### -## Find the OID object ## -## (aka Issuance Policy) ## -####################################### -$searchBase = [String]$root.configurationnamingcontext -$OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties * -if ($OID -eq $null) { -$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($OID.GetType().IsArray) { -$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -else { -$tmp = $ErrorMsg.IPFound -f $IssuancePolicyName, $OID.distinguishedName -write-host $tmp -ForeGroundColor Green -} -####################################### -## Find the container of the group ## -####################################### -if ($groupOU -eq 
$null) { -# default to the Users container -$groupContainer = $domain.UsersContainer -} -else { -$searchBase = [string]$domain.DistinguishedName -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -if ($groupContainer.count -gt 1) { -$tmp = $ErrorMsg.MultipleOUs -f $groupOU, $searchBase -write-host $tmp -ForegroundColor Red -break; -} -elseif ($groupContainer -eq $null) { -$tmp = $ErrorMsg.confirmOUcreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -new-adobject -Name $groupOU -displayName $groupOU -Type "organizationalUnit" -ProtectedFromAccidentalDeletion $true -path $domain.distinguishedName -if ($?){ -$tmp = $ErrorMsg.OUCreationSuccess -f $groupOU -write-host $tmp -ForegroundColor Green -} -else{ -$tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red -break; -} -$groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.OUFoundSuccess -f $groupContainer.name -write-host $tmp -ForegroundColor Green -} -} -####################################### -## Find the group ## -####################################### -if (($groupName -ne $null) -and ($groupName -ne "")){ -##$searchBase = [String]$groupContainer.DistinguishedName -$searchBase = $groupContainer -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -if ($group -ne $null -and $group.gettype().isarray) { -$tmp = $ErrorMsg.multipleGroups -f $groupName, $searchBase -write-host $tmp -ForeGroundColor Red -break; -} -elseif ($group -eq $null) { -$tmp = $ErrorMsg.confirmGroupCreation -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice 
-eq "yes") ) { -new-adgroup -samAccountName $groupName -path $groupContainer.distinguishedName -GroupScope "Universal" -GroupCategory "Security" -if ($?){ -$tmp = $ErrorMsg.GroupCreationSuccess -f $groupName -write-host $tmp -ForegroundColor Green -}else{ -$tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red -break -} -$group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase -} -else { -break; -} -} -else { -$tmp = $ErrorMsg.GroupFound -f $group.Name -write-host $tmp -ForegroundColor Green -} -} -else { -##### -## If the group is not specified, we should remove the link if any exists -##### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.confirmLinkDeletion -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink" -write-host $tmp " ( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -set-adobject -Identity $OID -Clear "msDS-OIDToGroupLink" -if ($?) 
{ -$tmp = $ErrorMsg.UnlinkSuccess -write-host $tmp -ForeGroundColor Green -}else{ -$tmp = $ErrorMsg.UnlinkError -write-host $tmp -ForeGroundColor Red -} -} -else { -$tmp = $ErrorMsg.UnlinkExit -write-host $tmp -break -} -} -else { -$tmp = $ErrorMsg.IPNotLinked -write-host $tmp -ForeGroundColor Yellow -} -break; -} -####################################### -## Verify that the group is ## -## Universal, Security, and ## -## has no members ## -####################################### -if ($group.GroupScope -ne "Universal") { -$tmp = $ErrorMsg.ErrorNotUniversal -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -if ($group.GroupCategory -ne "Security") { -$tmp = $ErrorMsg.ErrorNotSecurity -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -break; -} -$members = Get-ADGroupMember -Identity $group -if ($members -ne $null) { -$tmp = $ErrorMsg.ErrorHasMembers -f $IssuancePolicyName, $groupName -write-host $tmp -ForeGroundColor Red -foreach ($member in $members) {write-host " $member.name" -ForeGroundColor Red} -break; -} -####################################### -## We have verified everything. We ## -## can create the link from the ## -## Issuance Policy to the group. ## -####################################### -if ($OID."msDS-OIDToGroupLink" -ne $null) { -$tmp = $ErrorMsg.ConfirmLinkReplacement -f $IssuancePolicyName, $OID."msDS-OIDToGroupLink", $group.distinguishedName -write-host $tmp "( (y)es / (n)o )" -ForegroundColor Yellow -nonewline -$userChoice = read-host -if ( ($userChoice -eq "y") -or ($userChoice -eq "yes") ) { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Replace $tmp -if ($?) 
{ -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} else { -$tmp = $Errormsg.ExitNoLinkReplacement -write-host $tmp -break -} -} -else { -$tmp = @{'msDS-OIDToGroupLink'= $group.DistinguishedName} -set-adobject -Identity $OID -Add $tmp -if ($?) { -$tmp = $Errormsg.LinkSuccess -write-host $tmp -Foreground Green -}else{ -$tmp = $ErrorMsg.LinkError -write-host $tmp -Foreground Red -} -} -``` - -> [!NOTE] -> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.   ## Related topics @@ -956,4 +39,9 @@ write-host $tmp -Foreground Red - [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx) - [Trusted Platform Module](trusted-platform-module-overview.md)   -  + +## See also + +**Deep Dive into Credential Guard: Related videos** + +[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) \ No newline at end of file diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..3f71267756 --- /dev/null +++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,396 @@
+---
+title: Create custom alerts using the threat intelligence API
+description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions.
+keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Create custom alerts using the threat intelligence (TI) application program interface (API)
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You can define custom alert definitions and indicators of compromise (IOC) using the threat intelligence API. Creating custom threat intelligence alerts allows you to generate specific alerts that are applicable to your organization.
+
+## Before you begin
+Before creating custom alerts, you'll need to enable the threat intelligence application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
+
+### Use the threat intelligence REST API to create custom threat intelligence alerts
+You can call and specify the resource URLs using one of the following operations to access and manipulate a threat intelligence resource, you call and specify the resource URLs using one of the following operations:
+
+- GET
+- POST
+- PATCH
+- PUT (used for managing entities relations only)
+- DELETE
+
+All threat intelligence API requests use the following basic URL pattern:
+
+```
+ https://TI.SecurityCenter.Windows.com/{version}/{resource}?[query_parameters]
+```
+
+For this URL:
+- `https://TI.SecurityCenter.Windows.com` is the threat intelligence API endpoint.
+- `{version}` is the target service version. Currently, the only supported version is: v1.0.
+- `{resource}` is resource segment or path, such as:
+ - AlertDefinitions (for specific single resource, add: (id))
+ - IndicatorsOfCompromise (for specific single resource, add: (id))
+- `[query_parameters]` represents additional query parameters such as $filter and $select.
+
+**Quotas**    
+Each tenant has a defined quota that limits the number of possible alert definitions, IOCs and another quota for IOCs of Action different than “equals” in the system. If you upload data beyond this quota, you'll encounter an HTTP error status code 507 (Insufficient Storage).
+
+## Request an access token from the token issuing endpoint
+Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Preferences settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4).
+
+For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow).
+
+Make an HTTP POST request to the token issuing endpoint with the following parameters, replacing ``, ``, and `` with your app's client ID, client secret and authorization server URL.
+
+>[!NOTE]
+> The authorization server URL is `https://login.windows.net//oauth2/token`. Replace `` with your Azure Active Directory tenant ID.
+
+>[!NOTE]
+> The ``, ``, and the `` are all provided to you when enabling the custom threat intelligence application. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
+
+
+```
+POST HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=client_credentials
+&client_id=
+&client_secret=
+&resource=https://graph.microsoft.com
+```
+The response will include an access token and expiry information.
+
+```json
+{
+ "token_type": "Bearer",
+ "expires_in": "3599",
+ "ext_expires_in": "0",
+ "expires_on": "1449685363",
+ "not_before": "1449681463",
+ "resource": "https://graph.microsoft.com",
+ "access_token": ""
+}
+
+```
+
+## Threat intelligence API metadata
+The metadata document ($metadata) is published at the service root.
+
+For example, you can view the service document for the v1.0 version using the following URL:
+
+```
+ https://TI.SecurityCenter.Windows.com/v1.0/$metadata
+```
+
+The metadata allows you to see and understand the data model of the custom threat intelligence, including the entity types and sets, complex types, and enums that make up the request and response packets sent to and from the threat intelligence API.
+
+You can use the metadata to understand the relationships between entities in the custom threat intelligence and establish URLs that navigate between entities.
+
+The following sections show a few basic programming pattern calls to the threat intelligence API.
+
+## Create new resource
+Typically, you'd need to create an alert definition to start creating custom threat intelligence. An ID is created for that alert definition.
+You can then proceed to create an indicator of compromise and associate it to the ID of the alert definition.
+
+### Create a new alert definition
+
+```json
+POST https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1
+Authorization: Bearer
+Content-Type: application/json;
+
+
+{
+ "Name": " The name of the alert definition. Does not appear in the portal. Max length: 100 ",
+ "Severity": "Low",
+ "InternalDescription": "Internal description for the alert definition. Does not appear in the portal. Max length: 350",
+ "Title": "A short, one sentence, description of the alert definition. Max length: 120",
+ "UxDescription": "Max length: 500",
+ "RecommendedAction": "Custom text to explain what should be done in case of detection. Max length: 2000",
+ "Category": "Category from the metadata",
+ "Enabled": true
+}
+```
+
+The following values correspond to the alert sections surfaced on the Windows Defender ATP portal:
+![Image of alert from the portal](images/atp-custom-ti-mapping.png)
+
+Highlighted section | JSON key name
+:---:|:---
+1 | Title
+2 | Severity
+3 | Category
+4 | UX description
+5 | Recommended Action
+
+If successful, you should get a 201 CREATED response containing the representation of the newly created alert definition, for example:
+
+```json
+
+ "Name": "Connection to restricted company IP address",
+ "Severity": "Low",
+ "InternalDescription": "Unusual connection to restricted IP from production machine",
+ "Title": "Connection to restricted company IP address",
+ "UxDescription": "Any connection to this IP address from a production machine should be suspicious. Only special build machines should access this IP address.",
+ "RecommendedAction": "Isolate machine immediately and contact machine owner for awareness.",
+ "Category": "Trojan",
+ "Id": 2,
+ "CreatedAt": "2017-02-01T10:46:22.08Z",
+ "CreatedBy": "User1",
+ "LastModifiedAt": null,
+ "LastModifiedBy": null,
+ "Enabled": true
+
+```
+
+### Create a new indicator of compromise
+
+```json
+POST https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1
+Authorization: Bearer
+Content-Type: application/json;
+
+
+{
+"Type": "SHA1",
+"Value": "8311e8b377736fb93b18b15372355f3f26c4cd29",
+"DetectionFunction": "Equals",
+"Enabled": true,
+"AlertDefinition@odata.bind": "AlertDefinitions(1)"
+}
+```
+If successful, you should get a 201 CREATED response containing the representation of the newly created indicators of compromise in the payload.
+
+
+## Bulk upload of alert definitions and IOCs
+Bulk upload of multiple entities can be done by sending an HTTP POST request to `/{resource}/Actions.BulkUpload`.    
+
+>[!WARNING]
+>- This operation is atomic. The entire operation can either succeed or fail. If one alert definition or IOC has a malformed property, the entire upload will fail.
+>- If your upload exceeds the IOCs or alert definitions quota, the entire operation will fail. Consider limiting your uploads.
+
+
+The request’s body should contain a single JSON object with a single field. The name of the field in the case that the entity is alert definition is `alertDefinitions` and in the case of IOC is `iocs`. This field’s value should contain a list of the desired entities.
+
+For example:
+Sending an HTTP POST to https://TI.SecurityCenter.Windows.com/V1.0/IndicatorsOfCompromise/Actions.BulkUpload
+
+JSON Body:
+
+```json
+{
+ "iocs": [{
+ "Type": "SHA1",
+ "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
+ "DetectionFunction": "Equals",
+ "Enabled": true,
+ "AlertDefinition@odata.bind": "AlertDefinitions(1)"
+ },
+ {
+ "Type": "SHA1",
+ "Value": "b68e0b50420dbb03cb8e56a927105bf4b06f3793",
+ "DetectionFunction": "Equals",
+ "Enabled": true,
+ "AlertDefinition@odata.bind": "AlertDefinitions(1)"
+ }
+ ]
+}
+```
+
+>[!NOTE]
+> - Max bulk size is 5000 entities
+
+## Read existing data
+### Get a specific resource
+
+```json
+GET https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
+Authorization: Bearer
+Accept: application/json;odata.metadata=none
+```
+
+If successful, you should get a 200 OK response containing a single indicator of compromise representation (for the specified ID) in the payload, as shown as follows:
+
+```json
+HTTP/1.1 200 OK
+content - type: application/json;odata.metadata = none
+
+
+{
+ "value": [{
+ "Type": "SHA1",
+ "Value": "abcdeabcde1212121212abcdeabcde1212121212",
+ "DetectionFunction": "Equals",
+ "ExpiresAt": null,
+ "Id": 1,
+ "CreatedAt": "2016-12-05T15:51:02Z",
+ "CreatedBy": "user2@Company1.contoso.com",
+ "LastModifiedAt": null,
+ "LastModifiedBy": null,
+ "Enabled": true
+ }]
+}
+```
+
+
+### Get the entire collection of entities of a given resource
+
+ ```
+ GET https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions HTTP/1.1
+ Authorization: Bearer
+ ```
+
+ If successful, you should get a 200 OK response containing the collection of alert definitions representation in the payload, as shown as follows:
+
+ ```json
+ HTTP/1.1 200 OK
+ content - type: application / json;odata.metadata = none
+
+
+ {
+ "@odata.context": "https://TI.SecurityCenter.Windows.com/V1.0/$metadata#AlertDefinitions",
+ "value": [{
+ "Name": "Demo alert definition",
+ "Severity": "Medium",
+ "InternalDescription": "Some description",
+ "Title": "Demo short ux description",
+ "UxDescription": "Demo ux description",
+ "RecommendedAction": "Actions",
+ "Category": "Malware",
+ "Id": 1,
+ "CreatedAt": "2016-12-05T15:50:53Z",
+ "CreatedBy": "user@Company1.contoso.com",
+ "LastModifiedAt": null,
+ "LastModifiedBy": null,
+ "Enabled": true
+ },
+ {
+ "Name": "Demo alert definition 2",
+ "Severity": "Low",
+ "InternalDescription": "Some description",
+ "Title": "Demo short ux description2",
+ "UxDescription": "Demo ux description2",
+ "RecommendedAction": null,
+ "Category": "Malware",
+ "Id": 2,
+ "CreatedAt": "2016-12-06T13:30:00Z",
+ "CreatedBy": "user2@Company1.contoso.com",
+ "LastModifiedAt": null,
+ "LastModifiedBy": null,
+ "Enabled": true
+ }
+ ]
+ }
+ ```
+
+
+## Update an existing resource
+You can use the same pattern for both full and partial updates.
+
+```json
+PATCH https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(2) HTTP/1.1
+Authorization: Bearer
+Content-Type: application/json;
+Accept: application/json;odata.metadata=none
+
+{
+ "Category": "Backdoor",
+ "Enabled": false
+}
+```
+
+If successful, you should get a 200 OK response containing the updated alert definition representation (per the specified ID) in the payload.
+
+## Update the association (relation) between an indicator of compromise to a different alert definition
+
+```json
+PUT https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(3)/AlertDefinition/$ref HTTP/1.1
+Authorization : Bearer
+Content-Type: application/json;
+
+{
+ "@odata.id": "https://TI.SecurityCenter.Windows.com/v1.0/AlertDefinitions(6)"
+}
+```
+
+## Delete a resource
+
+```
+DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise(1) HTTP/1.1
+Authorization: Bearer
+```
+
+If successful, you should get a 204 NO CONTENT response.
+
+>[!NOTE]
+ > - Deleting an alert definition also deletes its corresponding IOCs.
+ > - Deleting an IOC or an alert definition will not delete or hide past alerts matching the alert definition. However, deleting an alert definition and creating a new one with the exact same metadata will result in new alerts in the portal. It's not advised to delete an alert definition and create a new one with the same content.
+
+## Delete all
+You can use the HTTP DELETE method sent to the relevant source to delete all resources.
+
+```
+DELETE https://TI.SecurityCenter.Windows.com/v1.0/IndicatorsOfCompromise HTTP/1.1
+Authorization : Bearer
+```
+If successful, you should get a 204 NO CONTENT response.
+
+## Delete all IOCs connected to a given alert definition
+This action will delete all the IOCs associated with a given alert definition without deleting the alert definition itself.
+
+For example, deleting all of the IOCs associated with the alert definition with ID `1` deletes all those IOCs without deleting the alert definition itself.
+
+Send an HTTP POST to `https://TI.SecurityCenter.Windows.com/V1.0/AlertDefinitions(1)/Actions.DeleteIOCs`.
+
+Upon a successful request the response will be HTTP 204.
+
+>[!NOTE]
+> As with all OData actions, this action is sending an HTTP POST request not DELETE.
+
+
+## Windows Defender ATP optional query parameters
+The Windows Defender ATP threat intelligence API provides several optional query parameters that you can use to specify and control the amount of data returned in a response. The threat intelligence API supports the following query options:
+
+Name | Value | Description
+:---|:---|:--
+$select | string | Comma-separated list of properties to include in the response.
+$expand | string | Comma-separated list of relationships to expand and include in the response.
+$orderby | string | Comma-separated list of properties that are used to sort the order of items in the response collection.
+$filter | string | Filters the response based on a set of criteria.
+$top | int | The number of items to return in a result set.
+$skip | int | The number of items to skip in a result set.
+$count | boolean | A collection and the number of items in the collection.
+
+These parameters are compatible with the [OData V4 query language](http://docs.oasis-open.org/odata/odata/v4.0/errata03/os/complete/part2-url-conventions/odata-v4.0-errata03-os-part2-url-conventions-complete.html#_Toc453752356).
+
+
+## Code examples
+The following articles provide detailed code examples that demonstrate how to use the custom threat intelligence API in several programming languages:
+- [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
new file mode 100644
index 0000000000..fb622e18eb
--- /dev/null
+++ b/windows/keep-secure/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -0,0 +1,40 @@
+---
+title: Run and customize scheduled and on-demand scans
+description: Customize and initiate scans using Windows Defender AV on endpoints across your network.
+keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Customize, initiate, and review the results of Windows Defender AV scans and remediation
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure scans run by Windows Defender Antivirus.
+
+
+
+## In this section
+
+Topic | Description
+---|---
+[Configure and validate file, folder, and process-opened file exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
+[Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender AV to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
+[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender AV should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
+[Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
+[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
+[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
+
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index 990e0ac396..e8de1cb1b4 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -33,7 +33,7 @@ You can explore and investigate alerts and machines to quickly determine if, whe
 From the **Dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators.
-It also has clickable tiles that give visual cues on the overall health status of your organization. Each tile opens a detailed view of the corresponding overview.
+It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
 ## ATP alerts
 You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**.
@@ -42,33 +42,28 @@ You can view the overall number of active ATP alerts from the last 30 days in yo
 Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
-For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
+For more information see, [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
-The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
+The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md).
 ## Machines at risk
 This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
-![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk.png)
+![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png)
 Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
-You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
+You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
-## Status
-The **Status** tile informs you if the service is active or if there are issues and the unique number of machines (endpoints) reporting to the service over the past 30 days.
+## Users at risk
+The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
-![The Status tile shows an overall indicator of the service and the total number of machines reporting to the service](images/status-tile.png)
+![User accounts at risk tile shows a list of user accounts with the highest number of alerts and a breakdown of the severity of the alerts](images/atp-users-at-risk.png)
-For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md).
-
-## Machines reporting
-The **Machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
-
-![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png)
+Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).
 ## Machines with active malware detections
-The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
+The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender Antivirus.
 Active malware is defined as threats that were actively executing at the time of detection.
@@ -89,13 +84,39 @@ Threats are considered "active" if there is a very high probability that the mal
 Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
 > [!NOTE]
-> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
-### Related topics
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+## Sensor health
+The **Sensor health** tile provides information on the individual endpoint’s ability to provide sensor data to the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines.
+
+![Sensor health tile](images/atp-tile-sensor-health.png)
+
+There are two status indicators that provide information on the number of machines that are not reporting properly to the service:
+- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
+- **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected.
+
+When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
+
+## Service health
+The **Service health** tile informs you if the service is active or if there are issues.
+
+![The Service health tile shows an overall indicator of the service](images/status-tile.png)
+
+For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md).
+
+## Daily machines reporting
+The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day.
+
+![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png)
+
+## Related topics
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
index 91bec22e77..314ccc9c79 100644
--- a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Defender compatibility
-description: Learn about how Windows Defender works with Windows Defender ATP.
+description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used.
 keywords: windows defender compatibility, defender, windows defender atp
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
@@ -22,12 +22,12 @@ localizationpriority: high
 - Windows Defender
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
+The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.
-If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
+If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
-Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
-The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
+The Windows Defender Antivirus interface will be disabled, and users on the endpoint will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
-For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md).
+For more information, see the [Windows Defender Antivirus and Windows Defender ATP compatibility topic](windows-defender-antivirus-compatibility.md).
diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md
index e61e798a6f..e1046621fc 100644
--- a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md @@ -14,7 +14,7 @@ author: brianlic-msft - Windows 10 - Windows Server 2016 -Code integrity policies maintain the standards by which a computer running Windows 10 determines whether an application is trustworthy and can be run. For an overview of code integrity, see: +Code integrity policies provide control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of code integrity, see: - [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats) in "Introduction to Device Guard: virtualization-based security and code integrity policies." - [Code integrity policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#code-integrity-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Device Guard." 
@@ -23,7 +23,7 @@ If you already understand the basics of code integrity policy and want procedure This topic includes the following sections: - [Overview of the process of creating code integrity policies](#overview-of-the-process-of-creating-code-integrity-policies): Helps familiarize you with the process described in this and related topics. -- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether UMCI is enabled in a code integrity policy. +- [Code integrity policy rules](#code-integrity-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a code integrity policy. - [Code integrity file rule levels](#code-integrity-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted. - [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied. 
@@ -31,7 +31,7 @@ This topic includes the following sections: A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. Code integrity policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of code integrity policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional code integrity policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). -> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to C:\\Windows\\System32\\CodeIntegrity. Keep this in mind when you create your code integrity policies. +> **Note**  Each computer can have only **one** code integrity policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **<EFI System Partition>\\Microsoft\\Boot**. Keep this in mind when you create your code integrity policies. Optionally, code integrity policies can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement code integrity policies is to use existing images to create one master code integrity policy. You do so by creating a code integrity policy from each image, and then by merging the policies. 
This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed. @@ -43,10 +43,12 @@ Code integrity policies include *policy rules*, which control options such as au To modify the policy rule options of an existing code integrity policy, use the [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) Windows PowerShell cmdlet. Note the following examples of how to use this cmdlet to add and remove a rule option on an existing code integrity policy: -- To enable UMCI, add rule option 0 to an existing policy by running the following command: +- To ensure that UMCI is enabled for a code integrity policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command: ` Set-RuleOption -FilePath -Option 0` + Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Device Guard will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. + - To disable UMCI on an existing code integrity policy, delete rule option 0 by running the following command: ` Set-RuleOption -FilePath -Option 0 -Delete` diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md index 2febd90862..d13224f45d 100644 
--- a/windows/keep-secure/deploy-code-integrity-policies-steps.md +++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md @@ -38,11 +38,11 @@ To create a code integrity policy, copy each of the following commands into an e > **Notes** - > - By specifying the *–UserPEs* parameter, rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. If you do not specify this parameter, to enable UMCI, use [Set-RuleOption](https://technet.microsoft.com/library/mt634483.aspx) as shown in the following command:
    **Set-RuleOption -FilePath $InitialCIPolicy -Option 0** + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the code integrity policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Device Guard. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + + > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - > - You can add the *–Fallback* parameter to catch any applications not discovered using the primary file rule level specified by the *–Level* parameter. For more information about file rule level options, see [Code integrity file rule levels](deploy-code-integrity-policies-policy-rules-and-file-rules.md#code-integrity-file-rule-levels) in “Deploy code integrity policies: policy rules and file rules.” - - > - To specify that the code integrity policy scan only a specific drive, include the *–ScanPath* parameter followed by a path. Without this parameter, the entire system is scanned. + > - To specify that the code integrity policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned. 
> - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. 
@@ -136,11 +136,37 @@ You can now use this file to update the existing code integrity policy that you > **Note**  You may have noticed that you did not generate a binary version of this policy as you did in [Create a code integrity policy from a golden computer](#create-a-code-integrity-policy-from-a-golden-computer). This is because code integrity policies created from an audit log are not intended to run as stand-alone policies but rather to update existing code integrity policies. +## Use a code integrity policy to control specific plug-ins, add-ins, and modules + +As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): + +| Approach (as of Windows 10, version 1703) | Guideline | +|---|---| +| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. | +| In addition, you can work from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. | + +To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your ‘master’ policy (merging is described in the next section). + +For example, to create a code integrity policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization’s enterprise resource planning (ERP) application, but blocks those add-ins in other applications, run the following commands. 
Note that in the second command, **+=** is used to add a second rule to the **$rule** variable: + +``` +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe' +$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe' +New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs +``` + +As another example, to create a code integrity policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specifed application: + +``` +$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe' +New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs +``` + ## Merge code integrity policies When you develop code integrity policies, you will occasionally need to merge two policies. A common example is when a code integrity policy is initially created and audited. Another example is when you create a single master policy by using multiple code integrity policies previously created from golden computers. Because each computer running Windows 10 can have only one code integrity policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary code integrity policy that you then merge with the initial code integrity policy. -> **Note**  The following example uses the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. +> **Note**  The following example uses several of the code integrity policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two code integrity policies you would like to combine. 
To merge two code integrity policies, complete the following steps in an elevated Windows PowerShell session: diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 9f7be87cbb..68ae726ace 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -30,10 +30,10 @@ For information about enabling Credential Guard, see [Protect derived domain cre In addition to the hardware requirements found in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard), you must confirm that certain operating system features are enabled before you can enable VBS: -- With Windows 10, version 1607 or Windows Server 2016:
    +- Beginning with Windows 10, version 1607 or Windows Server 2016:
    Hyper-V Hypervisor, which is enabled automatically. No further action is needed. -- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
    +- With an earlier version of Windows 10:
    Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). > **Note**  You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box. @@ -42,12 +42,8 @@ Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). **Figure 1. Enable operating system features for VBS, Windows 10, version 1511** -After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections. - ## Enable Virtualization Based Security (VBS) and Device Guard -Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in [Hardware, firmware, and software requirements for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard). Also, confirm that you have enabled the Windows features discussed in the previous section, [Windows feature requirements for virtualization-based security](#windows-feature-requirements-for-virtualization-based-security-and-device-guard). - There are multiple ways to configure VBS features for Device Guard: - You can use the [readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337) rather than the procedures in this topic. 
@@ -68,7 +64,7 @@ There are multiple ways to configure VBS features for Device Guard: 3. Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**. -4. Within the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. +4. Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**. ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png) @@ -91,7 +87,7 @@ There are multiple ways to configure VBS features for Device Guard: - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
    For an initial deployment or test deployment, we recommend **Enabled without lock**.
    When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
    Select the **Enable Virtualization Based Protection of Code Integrity** check box. + - With earlier versions of Windows 10:
    Select the **Enable Virtualization Based Protection of Code Integrity** check box. ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png) @@ -148,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**. +> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable VBS without UEFI lock (value 0)** @@ -183,7 +179,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` If you want to customize the preceding recommended settings, use the following settings. @@ -200,7 +196,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**. +> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** 
@@ -211,7 +207,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc **To enable virtualization-based protection of Code Integrity policies without UEFI lock** ``` command -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` ### Validate enabled Device Guard hardware-based security features diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md deleted file mode 100644 index c9528077e0..0000000000 --- a/windows/keep-secure/deploy-edp-policy-using-intune.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10) -description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune ---- \ No newline at end of file diff --git a/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md new file mode 100644 index 0000000000..3a1c5ca1c6 --- /dev/null +++ b/windows/keep-secure/deploy-manage-report-windows-defender-antivirus.md 
@@ -0,0 +1,89 @@
+---
+title: Deploy, manage, and report on Windows Defender Antivirus
+description: You can deploy and manage Windows Defender Antivirus with Group Policy, Configuration Manager, WMI, PowerShell, or Intune
+keywords: deploy, manage, update, protection, windows defender antivirus
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Deploy, manage, and report on Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- IT administrators
+
+You can deploy, manage, and report on Windows Defender Antivirus in a number of ways.
+
+As the Windows Defender AV client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
+
+However, in most cases you will still need to enable the protection service on your endpoints with System Center Configuration Manager, Microsoft Intune, Azure Security Center, or Group Policy Objects, which is described in the following table.
+
+You'll also see additional links for:
+- Managing Windows Defender Antivirus protection, including managing product and protection updates
+- Reporting on Windows Defender Antivirus protection
+
+> [!IMPORTANT]
+> In most cases, Windows 10 will disable Windows Defender Antivirus if it finds another antivirus product running and up-to-date. You must disable or uninstall third-party antivirus products before Windows Defender Antivirus will be functioning. If you re-enable or install third-part antivirus products, then Windows 10 will automatically disable Windows Defender Antivirus.
+
+
+Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
+---|---|---|---
+System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
+Microsoft Intune|[Deploy the Microsoft Intune client to endpoints][]|Use and deploy a [custom Intune policy][] and use the Intune console to [manage tasks][]|[Monitor endpoint protection in the Microsoft Intune administration console][]
+Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
+PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][]
+Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD.
+
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager, current branch (for example, System Center Configuration Manager 2016) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager, current branch (2016). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for a table that describes the major differences. [(Return to table)](#ref2)
+
+2. In Windows 10, Windows Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Windows Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
+
+3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2)
+
+
+
+[Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role
+[default and customized antimalware policies]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies
+[client management]: https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients
+[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure-client
+[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection
+[email alerts]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts
+[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune
+[custom Intune policy]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+ [custom Intune policy]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection
+[manage tasks]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection
+[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection
+[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/en-us/library/dn439474
+[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/en-us/library/dn439474
+[MSFT_MpComputerStatus]: https://msdn.microsoft.com/en-us/library/dn455321
+[Windows Defender WMIv2 Provider]: https://msdn.microsoft.com/en-us/library/dn439477
+[Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md
+[Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature
+[Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index
+[Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md
+[Configure Windows Defender features]: configure-windows-defender-antivirus-features.md
+[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/en-us/library/cc771389.aspx
+[Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices
+[Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md
+
+
+## In this section
+
+Topic | Description
+---|---
+[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
+[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
+[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
+
+
diff --git a/windows/keep-secure/deploy-windows-defender-antivirus.md b/windows/keep-secure/deploy-windows-defender-antivirus.md
new file mode 100644
index 0000000000..0f51f5cf85
--- /dev/null
+++ b/windows/keep-secure/deploy-windows-defender-antivirus.md
@@ -0,0 +1,40 @@ +--- +title: Deploy and enable Windows Defender Antivirus +description: Deploy Windows Defender AV for protection of your endpoints with Configuration Manager, Microsoft Intune, Group Policy, PowerShell cmdlets, or WMI. +keywords: deploy, enable, windows defender av +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Deploy and enable Windows Defender Antivirus + + +**Applies to:** + +- Windows 10 + +**Audience** + +- Network administrators +- IT administrators + + +Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender AV protection. + +See the table in the [Deploy, manage, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md#ref2) topic for instructions on how to enable protection with System Center Configuration Manager, Group Policy, Active Directory, Microsoft Azure, Microsoft Intune, PowerShell cmdlets, and Windows Management Instruction (WMI). + +Some scenarios require additional guidance on how to successfully deploy or configure Windows Defender AV protection, such as Virtual Desktop Infrastructure (VDI) environments. + +The remaining topic in this section provides end-to-end advice and best practices for [setting up Windows Defender AV ion virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-windows-defender-antivirus.md). + +## Related topics + +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md) \ No newline at end of file 
diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md index c9977fec21..76abd68b76 100644 --- a/windows/keep-secure/deploy-wip-policy-using-intune.md +++ b/windows/keep-secure/deploy-wip-policy-using-intune.md @@ -25,13 +25,15 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

    -The added people move to the **Selected Groups** list on the right-hand pane. +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. + + The added people move to the **Selected Groups** list on the right-hand pane. ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

    -The policy is deployed to the selected users' devices. +3. After you've picked all of the employees and groups that should get the policy, click **OK**. + + The policy is deployed to the selected users' devices. >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md new file mode 100644 index 0000000000..edd4fc5d3e --- /dev/null +++ b/windows/keep-secure/deployment-vdi-windows-defender-antivirus.md 
@@ -0,0 +1,317 @@ +--- +title: Windows Defender Antivirus VDI deployment guide +description: Learn how to deploy Windows Defender Antivirus in a VDI environment for the best balance between protection and performance. +keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- System Center Configuration Manager (current branch) +- Group Policy + + + +In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus (Windows Defender AV) in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. + +Boot storms can be a problem in large-scale VDIs; this guide will help reduce the overall network bandwidth and performance impact on your hardware. 
+ +We recommend setting the following when deploying Windows Defender AV in a VDI environment: + +Location | Setting | Suggested configuration +---|---|--- +Client interface | Enable headless UI mode | Enabled +Client interface | Suppress all notifications | Enabled +Scan | Specify the scan type to use for a scheduled scan | Enabled - Quick +Root | Randomize scheduled task times | Enabled +Signature updates | Turn on scan after signature update | Enabled +Scan | Turn on catch up quick scan | Enabled + +For more details on the best configuration options to ensure a good balance between performance and protection, including detailed instructions for Group Policy and System Center Configuration Manager, see the [Configure endpoints for optimal performance](#configure-endpoints-for-optimal-performance) section. + +See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. + +For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic. + +There are three main steps in this guide to help roll out Windows Defender AV protection across your VDI: + +1. [Create and deploy the base image (for example, as a virtual hard disk (VHD)) that your virtual machines (VMs) will use](#create-and-deploy-the-base-image) +2. [Manage the base image and updates for your VMs](#manage-vms-and-base-image) +3. 
[Configure the VMs for optimal protection and performance](#configure-endpoints-for-optimal-performance), including: + - [Randomize scheduled scans](#randomize-scheduled-scans) + - [Use quick scans](#use-quick-scans) + - [Prevent notifications](#prevent-notifications) + - [Disable scans from occurring after every update](#disable-scans-after-an-update) + - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) + +>[!IMPORTANT] +> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. + +>[!NOTE] +>When you manage Windows with System Center Configuration Manager, Windows Defender AV protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. + + + +## Create and deploy the base image + +The main steps in this section include: +1. Create your standard base image according to your requirements +2. Apply Windows Defender AV protection updates to your base image +3. Seal or “lock” the image to create a “known-good” image +4. Deploy your image to your VMs + +### Create the base image +First, you should create your base image according to your business needs, applying or installing the relevant line of business (LOB) apps and settings as you normally would. Typically, this would involve creating a VHD or customized .iso, depending on how you will deploy the image to your VMs. + +### Apply protection updates to the base image +After creating the image, you should ensure it is fully updated. 
See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender AV protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. + +### Seal the base image +When the base image is fully updated, you should run a quick scan on the image. This “sealing” or “locking” of the image helps Windows Defender AV build a cache of known-good files and avoid scanning them again on your VMs. In turn, this can help ensure performance on the VM is not impacted. + +You can run a quick scan [from the command line](command-line-arguments-windows-defender-antivirus.md) or via [System Center Configuration Manager](run-scan-windows-defender-antivirus.md). + +>[!NOTE] +>Quick scan versus full scan +>Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. Combined with our always on real-time protection capability - which reviews files when they are opened and closed, and whenever a user navigates to a folder – quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. +>Therefore, when considering performance – especially for creating a new or updated image in preparation for deployment – it makes sense to use a quick scan only. +>A full scan, however, can be useful on a VM that has encountered a malware threat to identify if there are any inactive components lying around and help perform a thorough clean-up. + + +### Deploy the base image +You'll then need to deploy the base image across your VDI. For example, you can create or clone a VHD from your base image, and then use that VHD when you create or start your VMs. 
+ +The following references provide ways you can create and deploy the base image across your VDI: + +- [Single image management for Virtual Desktop Collections](https://blogs.technet.microsoft.com/enterprisemobility/2012/10/29/single-image-management-for-virtual-desktop-collections-in-windows-server-2012/) +- [Using Hyper-V to create a Base OS image that can be used for VMs and VHDs](https://blogs.technet.microsoft.com/haroldwong/2011/06/12/using-hyper-v-to-create-a-base-os-image-that-can-be-used-for-vms-and-boot-to-vhd/) +- [Plan for Hyper-V security in Windows Server 2016]( https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/plan/plan-for-hyper-v-security-in-windows-server-2016) +- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v) +- [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx) + + + + + +## Manage your VMs and base image +How you manage your VDI will affect the performance impact of Windows Defender AV on your VMs and infrastructure. + +Because Windows Defender AV downloads protection updates every day, or [based on your protection update settings](manage-protection-updates-windows-defender-antivirus.md), network bandwidth can be a problem if multiple VMs attempt to download updates at the same time. + +Following the guidelines in this means the VMs will only need to download “delta” updates, which are the differences between an existing definition set and the next one. Delta updates are typically much smaller (a few kilobytes) than a full definition download (which can average around 150 mb). + + +### Manage updates for persistent VDIs + +If you are using a persistent VDI, you should update the base image monthly, and set up protection updates to be delivered daily via a file share, as follows: +1. 
Create a dedicated file share location on your network that can be accessed by your VMs and your VM host (or other, persistent machine, such as a dedicated admin console that you use to manage your VMs). +2. Set up a scheduled task on your VM host to automatically download updates from the MMPC website or Microsoft Update and save them to the file share (the [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) can help with this). +3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md). +4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. +5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). +5. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. + +A benefit to aligning your image update to the monthly Microsoft Update is that you ensure your VMs will have the latest Windows security patches and other important Microsoft updates without each VM needing to individually download them. 
+ + +### Manage updates for non-persistent VDIs + +If you are using a non-persistent VDI, you can update the base image daily (or nightly) and directly apply the latest updates to the image. + +An example: +1. Every night or other time when you can safely take your VMs offline, update your base image with the latest [protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md). +2. [Run a quick scan](run-scan-windows-defender-antivirus.md) on your base image before deploying it to your VMs. + + + + +## Configure endpoints for optimal performance +There are a number of settings that can help ensure optimal performance on your VMs and VDI without affecting the level of protection, including: + - [Randomize scheduled scans](#randomize-scheduled-scans) + - [Use quick scans](#use-quick-scans) + - [Prevent notifications](#prevent-notifications) + - [Disable scans from occurring after every update](#disable-scans-after-an-update) + - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) + +These settings can be configured as part of creating your base image, or as a day-to-day management function of your VDI infrastructure or network. + + + + +### Randomize scheduled scans + +Windows Defender AV supports the randomization of scheduled scans and signature updates. This can be extremely helpful in reducing boot storms (especially when used in conjunction with [Disable scans from occurring after every update](#disable-scans-after-an-update) and [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline). + +Scheduled scans run in addition to [real-time protection and scanning](configure-real-time-protection-windows-defender-antivirus.md). + +The start time of the scan itself is still based on the scheduled scan policy – ScheduleDay, ScheduleTime, ScheduleQuickScanTime. 
+ + + +**Use Group Policy to randomize scheduled scan start times:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender** and configure the following setting: + + 1. Double-click the **Randomize scheduled task times** setting and set the option to **Enabled**. Click **OK**. This adds a true randomization (it is still random if the disk image is replicated) of plus or minus 30 minutes (using all of the intervals) to the start of the scheduled scan and the signature update. For example, if the schedule start time was set at 2.30pm, then enabling this setting could cause one machine to scan and update at 2.33pm and another machine to scan and update at 2.14pm. + +**Use Configuration Manager to randomize schedule scans:** + +See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). + +See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. + +### Use quick scans + +You can specify the type of scan that should be performed during a scheduled scan. +Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. + +**Use Group Policy to specify the type of scheduled scan:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration**. + +3. Click **Policies** then **Administrative templates**. + +4. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: + 1. Double-click the **Specify the scan type to use for a scheduled scan** setting and set the option to **Enabled** and **Quick scan**. Click **OK**. + +**Use Configuration Manager to specify the type of scheduled scan:** + +See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch). + +See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. + +### Prevent notifications + +Sometimes, Windows Defender AV notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the user interface for Windows Defender AV. + +**Use Group Policy to hide notifications:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: + +1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. 
This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. +2. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. + + +**Use Configuration Manager to hide notifications:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Advanced** section and configure the following settings: + +1. Set **Disable the client user interface** to **Yes**. This hides the entire Windows Defender AV user interface. +2. Set **Show notifications messages on the client computer...** to **Yes**. This hides notifications from appearing. + +3. Click **OK**. + +3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + +### Disable scans after an update + +This setting will prevent a scan from occurring after receiving an update. You can apply this when creating the base image if you have also run a quick scan. This prevents the newly updated VM from performing a scan again (as you've already scanned it when you created the base image). + +>[!IMPORTANT] +>Running scans after an update will help ensure your VMs are protected with the latest definition updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. + +**Use Group Policy to disable scans after an update:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: + +1. Double-click the **Turn on scan after signature update** setting and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update. + + +**Use Configuration Manager to disable scans after an update:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Scheduled scans** section and configure the following setting: + +1. Set **Check for the latest definition updates before running a scan** to **No**. This prevents a scan after an update. + +3. Click **OK**. + +2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + + + + + +### Scan VMs that have been offline + +This setting will help ensure protection for a VM that has been offline for some time or has otherwise missed a scheduled scan. + +**Use Group Policy to enable a catch-up scan:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. 
Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: + +1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. + + + + +**Use Configuration Manager to disable scans after an update:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Scheduled scans** section and configure the following setting: + +1. Set **Force a scan of the selected scan type if client computer is offline during...** to **Yes**. This forces a scan if the VM has missed two or more consecutive scheduled scans. + +3. Click **OK**. + +2. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + + + +### Exclusions +Windows Server 2016 contains Windows Defender Antivirus and will automatically deliver the right exclusions for servers running a VDI environment. 
However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
+- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender)
+
+## Additional resources
+
+- [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s)
+- [Project VRC: Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/)
+- [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS)
+- [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript)
diff --git a/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
new file mode 100644
index 0000000000..296bbd7013
--- /dev/null
+++ b/windows/keep-secure/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -0,0 +1,110 @@ +--- +title: Block Potentially Unwanted Applications with Windows Defender AV +description: Enable the Potentially Unwanted Application (PUA) feature in Windows Defender Antivirus to block unwanted software such as adware. +keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, windows defender +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: detect +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Detect and block Potentially Unwanted Applications + +**Applies to:** + +- Windows 10 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- System Center Configuration Manager +- PowerShell cmdlets +- Microsoft Intune + +The Potentially Unwanted Application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. + +These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation. + +Typical PUA behavior includes: +- Various types of software bundling +- Ad-injection into web browsers +- Driver and registry optimizers that detect issues, request payment to fix the errors, but remain on the endpoint and make no changes or optimizations (also known as "rogue antivirus" programs) + +These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. 
+ +## How it works + +PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions: +- The file is being scanned from the browser +- The file is in the %downloads% folder +- The file is in the %temp% folder + +The file is placed in the quarantine section so it won't run. + +When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). + +They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). + + +## View PUA events + +PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. + +See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160. + + +## Configure the PUA protection feature + +You can enable the PUA protection feature with System Center Configuration Manager, PowerShell cmdlets, or Microsoft Intune. + +You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. + +This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. + + +**Use Configuration Manager to configure the PUA protection feature:** + +PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. 
+ +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). + +For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). + +> [!NOTE] +> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. + +**Use PowerShell cmdlets to configure the PUA protection feature:** + +Use the following cmdlet: + +```PowerShell +Set-MpPreference -PUAProtection +``` + +Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. + +Setting `AuditMode` will detect PUAs but will not block them. + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + + + +**Use Intune to configure the PUA protection feature** + +See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details. + + + +## Related topics + +- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) +- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) + + 
diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md
deleted file mode 100644
index 566a6df4da..0000000000
--- a/windows/keep-secure/device-guard-certification-and-compliance.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Device Guard certification and compliance (Windows 10)
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide
----
diff --git a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
index 10001b50e6..9ef4617e9f 100644
--- a/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
+++ b/windows/keep-secure/domain-controller-ldap-server-signing-requirements.md
@@ -22,9 +22,9 @@ This policy setting determines whether the Lightweight Directory Access Protocol
 Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult.
-This setting does not have any impact on LDAP simple bind or LDAP simple bind through SSL.
+This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636).
-If signing is required, then LDAP simple bind and LDAP simple bind through SSL requests are rejected.
+If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389).
 >**Caution:**  If you set the server to Require signature, you must also set the client device. Not setting the client device results in loss of connection with the server.
diff --git a/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
new file mode 100644
index 0000000000..98c5ae9865
--- /dev/null
+++ b/windows/keep-secure/enable-cloud-protection-windows-defender-antivirus.md
@@ -0,0 +1,153 @@ +--- +title: Enable cloud-delivered protection in Windows Defender Antivirus +description: Enable cloud-delivered protection to benefit from fast and advanced protection features. +keywords: windows defender antivirus, antimalware, security, cloud, block at first sight +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Enable cloud-delivered protection in Windows Defender AV + + + +**Applies to:** + +- Windows 10, version 1703 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) +- Microsoft Intune +- Windows Defender Security Center app + + +>[!NOTE] +>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. + + + +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Group Policy, System Center Configuration Manager, PowerShell cmdlets, Microsoft Intune, or on individual clients in the Windows Defender Security Center app. + +See [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-based protection. + +There are specific network-connectivity requirements to ensure your endpoints can connect to the cloud-delivered protection service. 
See [Configure and validate network connections for Windows Defender AV](configure-network-connections-windows-defender-antivirus.md) for more details. + +>[!NOTE] +>In Windows 10, there is no difference between the **Basic** and **Advanced** options described in this topic. This is a legacy distinction and choosing either setting will result in the same level of cloud-delivered protection. There is no difference in the type or amount of information that is shared. See the [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=521839) for more information on what we collect. + + +**Use Group Policy to enable cloud-delivered protection:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > MAPS** + +1. Double-click the **Join Microsoft MAPS** setting and ensure the option is enabled and set to **Basic MAPS** or **Advanced MAPS**. Click **OK**. + +1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following: + + 1. **Send safe samples** (1) + 1. **Send all samples** (3) + + > [!WARNING] + > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + +1. Click **OK**. 
+ + + +**Use Configuration Manager to enable cloud-delivered protection:** + +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). + + +**Use PowerShell cmdlets to enable cloud-delivered protection:** + +Use the following cmdlets to enable cloud-delivered protection: + +```PowerShell +Set-MpPreference -MAPSReporting Advanced +Set-MpPreference -SubmitSamplesConsent 3 +``` +>[!NOTE] +>You can also set -SubmitSamplesConsent to 1. Setting it to 0 will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. + + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn439474(v=vs.85).aspx) class for the following properties: + +```WMI +MAPSReporting +SubmitSamplesConsent +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + +**Use Intune to enable cloud-delivered protection** + +1. Open the [Microsoft Intune administration console](https://manage.microsoft.com/), and navigate to the associated policy you want to configure. +2. 
Under the **Endpoint Protection** setting, scroll down to the **Endpoint Protection Service** section set the **Submit files automatically when further analysis is required** setting to either of the following: + 1. **Send samples automatically** + 1. **Send all samples automatically** + + > [!WARNING] + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. +5. Scroll down to the **Microsoft Active Protection Service** section and set the following settings: + + Setting | Set to + --|-- + Join Microsoft Active Protection Service | Yes + Membership level | Advanced + Receive dynamic definitions based on Microsoft Active Protection Service reports | Yes + +3. Save and [deploy the policy as usual](https://docs.microsoft.com/en-us/intune/deploy-use/common-windows-pc-management-tasks-with-the-microsoft-intune-computer-client). + +See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) for more details. + +**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** +> [!NOTE] +> If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. + + +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: + +![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + +3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. + +>[!NOTE] +>If automatic sample submission has been configured with Group Policy then the setting will be greyed-out and unavailable. + +## Related topics + +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) +- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) +- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] +- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) +- [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..da53066333 --- /dev/null +++ b/windows/keep-secure/enable-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,48 @@ +--- +title: Enable the custom threat intelligence API in Windows Defender ATP +description: Learn how to setup the custom threat intelligence application in Windows Defender ATP to create custom threat intelligence (TI). +keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Enable the custom threat intelligence API in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. + +1. In the navigation pane, select **Preference Setup** > **Threat intel API**. + + ![Image of threat intel API menu](images/atp-threat-intel-api.png) + +2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values. + +3. Copy the individual values or select **Save details to file** to download a file that contains all the values. + + WARNING:
    + The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
    + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + +4. Select **Generate tokens** to get an access and refresh token. + +You’ll need to use the access token in the Authorization header when doing REST API calls. + +## Related topics +- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md) +- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md) +- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md) +- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) +- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md b/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md deleted file mode 100644 index b3077d445a..0000000000 --- a/windows/keep-secure/enable-phone-signin-to-pc-and-vpn.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Enable phone sign-in to PC or VPN (Windows 10) -description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. -keywords: ["identity", "PIN", "biometric", "Hello"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-enable-phone-signin ---- - -# Enable phone sign-in to PC or VPN - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - 
diff --git a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md b/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
deleted file mode 100644
index 82a3908d87..0000000000
--- a/windows/keep-secure/enable-pua-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,120 +0,0 @@ ---- -title: Detect and block Potentially Unwanted Application with Windows Defender -description: In Windows 10, you can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time. -keywords: pua, enable, detect pua, block pua, windows defender and pua -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: detect -ms.sitesec: library -ms.pagetype: security -localizationpriority: medium -author: dulcemv ---- - -# Detect and block Potentially Unwanted Application in Windows 10 - -**Applies to:** - -- Windows 10 - -You can enable the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time. - -Potentially Unwanted Application (PUA) refers to applications that are not considered viruses, malware, or other types of threats, but might perform actions on your computer that adversely affect your computing experience. It also refers to applications considered to have a poor reputation. - -Typical examples of PUA behavior include: -* Various types of software bundling -* Ad-injection into your browsers -* Driver and registry optimizers that detect issues, request payment to fix them, and persist - -These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify among the noise, and can waste helpdesk, IT, and user time in cleaning up the applications. - -Since the stakes are higher in an enterprise environment, the potential disaster and potential productivity and performance disruptions that PUA brings can be a cause of concern. Hence, it is important to deliver trusted protection in this field. 
- -##Enable PUA protection in System Center Configuration Manager and Intune - -The PUA feature is available for enterprise users who are running System Center Configuration Manager or Intune in their infrastructure. - -###Configure PUA in System Center Configuration Manager - -For System Center Configuration Manager users, PUA is enabled by default. See the following topics for configuration details: - -If you are using these versions | See these topics -:---|:--- -System Center Configuration Manager (current branch) version 1606 | [Create a new antimalware policy](https://technet.microsoft.com/en-US/library/mt613199.aspx#To-create-a-new-antimalware-policy)
    [Real-time Protection Settings](https://technet.microsoft.com/en-US/library/mt613199.aspx#Real-time-Protection-Settings) -System Center 2012 R2 Endpoint Protection
    System Center 2012 Configuration Manager
    System Center 2012 Configuration Manager SP1
    System Center 2012 Configuration Manager SP2
    System Center 2012 R2 Configuration Manager
    System Center 2012 Endpoint Protection SP1
    System Center 2012 Endpoint Protection
    System Center 2012 R2 Configuration Manager SP1| [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA) - -
    -###Use PUA audit mode in System Center Configuration Manager - -You can use PowerShell to detect PUA without blocking them. In fact, you can run audit mode on individual machines. This feature is useful if your company is conducting an internal software security compliance check and you’d like to avoid any false positives. - -1. Open PowerShell as Administrator:
    - - a. Click **Start**, type **powershell**, and press **Enter**. - - b. Click **Windows PowerShell** to open the interface. - >[!NOTE] - >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. -2. Enter the PowerShell command: - - ```text - set-mpPreference -puaprotection 2 - ``` -> [!NOTE] -> PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. - - -###Configure PUA in Intune - - PUA is not enabled by default. You need to [Create and deploy a PUA configuration policy to use it](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). See the [Potentially Unwanted Application Detection policy setting](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune) for details. - - -###Use PUA audit mode in Intune - - You can detect PUA without blocking them from your client so you can gain insights into what can be blocked. - -1. Open PowerShell as Administrator:
    - - a. Click **Start**, type **powershell**, and press **Enter**. - - b. Click **Windows PowerShell** to open the interface. - - >[!NOTE] - >You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. - -2. Enter the PowerShell command: - - ```text - set-mpPreference -puaprotection 1 - ``` - -##View PUA events - -PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune. To view PUA events: - -1. Open **Event Viewer**. -2. In the console tree, expand **Applications and Services Logs**, then **Microsoft**, then **Windows**, then **Windows Defender**. -3. Double-click on **Operational**. -4. In the details pane, view the list of individual events to find your event. PUA events are under Event ID 1160 along with detection details. - -You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). - - -##What PUA notifications look like - -When a detection occurs, end users who enabled the PUA detection feature will see the following notification: - - -To see historical PUA detections that occurred on a PC, users can go to History, then **Quarantined items** or **All detected items**. - -##PUA threat naming convention - -When enabled, potentially unwanted applications are identified with threat names that start with “PUA:”, such as, PUA:Win32/Creprote. - -##PUA blocking conditions - -PUA protection quarantines the file so they won’t run. PUA will be blocked only at download or install-time. A file will be included for blocking if it has been identified as PUA and meets one of the following conditions: -* The file is being scanned from the browser -* The file is in the %downloads% folder -* Or if the file in the %temp% folder 
diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..e995968888 --- /dev/null +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -0,0 +1,56 @@ +--- +title: Enable SIEM integration in Windows Defender ATP +description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. +keywords: enable siem connector, siem, connector, security information and events +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Enable SIEM integration in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API. + +1. In the navigation pane, select **Preferences setup** > **SIEM integration**. + + ![Image of SIEM integration from Preferences setup menu](images/atp-siem-integration.png) + +2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. + + WARNING:
    + The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
    + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + +3. Choose the SIEM type you use in your organization. + + NOTE:
    + If you select HP ArcSight, you'll need to save these two configuration files:
    + - WDATP-connector.jsonparser.properties + - WDATP-connector.properties
    + + If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**. + +4. Copy the individual values or select **Save details to file** to download a file that contains all the values. + +5. Select **Generate tokens** to get an access and refresh token. + +You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal. + +## Related topics +- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) +- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) +- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md deleted file mode 100644 index c152dca1e5..0000000000 --- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10) -description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip ---- \ No newline at end of file 
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
index f2e1b3c91c..5555cd3892 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -15,7 +15,7 @@ localizationpriority: high
 **Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
 - Windows 10 Mobile
 Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
diff --git a/windows/keep-secure/enterprise-certificate-pinning.md b/windows/keep-secure/enterprise-certificate-pinning.md
new file mode 100644
index 0000000000..b6b15f7df9
--- /dev/null
+++ b/windows/keep-secure/enterprise-certificate-pinning.md
@@ -0,0 +1,450 @@ +--- +ms.mktglfcycl: manage +ms.sitesec: library +ms.author: mstephens +author: MikeStephens-MS +description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name. +manager: alanth +ms.date: 2016-12-27 +ms.prod: w10 +ms.technology: security +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +--- + +# Enterprise Certificate Pinning + +**Applies to** +- Windows 10 + +Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name. +Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. + +>[!NOTE] +> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. Web administrators should configure their web servers to use HTTP public key pinning (HPKP) and encourage users to use web browsers that support HPKP. + +Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the site’s server authentication certificate chain matches a restricted set of certificates. +These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers. +Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer. 
+ +## Deployment + +To deploy enterprise certificate pinning, you need to: + +- Create a well-formatted certificate pinning rule XML file +- Create a pin rules certificate trust list file from the XML file +- Apply the pin rules certificate trust list file to a reference administrative computer +- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520). + +### Create a Pin Rules XML file + +The XML-based pin rules file consists of a sequence of PinRule elements. +Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements. + +```code + + + + + + + + + + + + + + + + + + + + + + +``` + +#### PinRules Element + +The PinRules element can have the following attributes. +For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). + +- **Duration** or **NextUpdate** + + Specifies when the Pin Rules will expire. + Either is required. + **NextUpdate** takes precedence if both are specified. + + **Duration**, represented as an XML TimeSpan data type, does not allow years and months. + You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. + + **Required?** Yes. At least one is required. + +- **LogDuration** or **LogEndDate** + + Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. + + **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. + + You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. + + If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. + + **Required?** No. 
+ +- **ListIdentifier** + + Provides a friendly name for the list of pin rules. + Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). + + **Required?** No. + +#### PinRule Element + +The **PinRule** element can have the following attributes: + +- **Name** + + Uniquely identifies the **PinRule**. + Windows uses this attribute to identify the element for a parsing error or for verbose output. + The attribute is not included in the generated certificate trust list (CTL). + + **Required?** Yes. + +- **Error** + + Describes the action Windows performs when it encounters a PIN mismatch. + You can choose from the following string values: + - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. + - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site. + - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. + + **Required?** No. + +- **Log** + + A Boolean value represent as string that equals **true** or **false**. + By default, logging is enabled (**true**). + + **Required?** No. + +#### Certificate element + +The **Certificate** element can have the following attributes: + +- **File** + + Path to a file containing one or more certificates. + Where the certificate(s) can be encoded as: + - single certificate + - p7b + - sst. + + These files can also be Base64 formatted. + All **Site** elements included in the same **PinRule** element can match any of these certificates. + + **Required?** Yes (File, Directory or Base64 must be present). 
+ +- **Directory** + + Path to a directory containing one or more of the above certificate files. + Skips any files not containing any certificates. + + **Required?** Yes (File, Directory or Base64 must be present). + +- **Base64** + + Base64 encoded certificate(s). + Where the certificate(s) can be encoded as: + - single certificate + - p7b + - sst. + + This allows the certificates to be included in the XML file without a file directory dependency. + + > [!Note] + > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. + + **Required?** Yes (File, Directory or Base64 must be present). + +- **EndDate** + + Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. + + If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates. + + If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL. + + For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml). + + **Required?** No. + +#### Site element + +The **Site** element can have the following attributes: + +- **Domain** + + Contains the DNS name to be matched for this pin rule. + When creating the certificate trust list, the parser normalizes the input name string value as follows: + - If the DNS name has a leading "*" it is removed. + - Non-ASCII DNS name are converted to ASCII Puny Code. + - Upper case ASCII characters are converted to lower case. + + If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. + For example, ".xyz.com" would match "abc.xyz.com". + + **Required?** Yes. 
+ +- **AllSubdomains** + + By default, wildcard left hand label matching is restricted to a single left hand label. + This attribute can be set to "true" to enable wildcard matching of all of the left hand labels. + + For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value. + + **Required?** No. + +### Create a Pin Rules Certificate Trust List + +The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy. +The usage syntax is: + +```code +CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile] + Generate Pin Rules CTL + XMLFile -- input XML file to be parsed. + CTLFile -- output CTL file to be generated. + SSTFile -- optional .sst file to be created. + The .sst file contains all of the certificates + used for pinning. + +Options: + -f -- Force overwrite + -v -- Verbose operation +``` + +The same certificate(s) can occur in multiple **PinRule** elements. +The same domain can occur in multiple **PinRule** elements. +Certutil coalesces these in the resultant pin rules certificate trust list. + +Certutil.exe does not strictly enforce the XML schema definition. +It does perform the following to enable other tools to add/consume their own specific elements and attributes: + +- Skips elements before and after the **PinRules** element. +- Skips any element not matching **Certificate** or **Site** within the **PinRules** element. +- Skips any attributes not matching the above names for each element type. + +Use the **certutil** command with the **generatePinRulesCTL** argument along with your XML file that contains your certificate pinning rules. +Lastly, provide the name of an output file that will include your certificate pinning rules in the form of a certificate trust list. 
+ +```code +certutil -generatePinRulesCTL certPinRules.xml pinrules.stl +``` + +### Applying Certificate Pinning Rules to a Reference Computer + +Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise. +To simplify the deployment configuration, it is best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) that is include in the Remote Server Administration Tools (RSAT). + +Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument. +The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules. +This secondary argument is **chain\PinRules**. +The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl). +You’ll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example. +You need to perform this command from an elevated command prompt. + +```code +Certutil -setreg chain\PinRules @pinrules.stl +``` + +Certutil writes the binary information to the following registration location: + +| Name | Value | +|------|-------| +| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config | +| Name | PinRules | +| Value | Binary contents from the certificate pin rules certificate trust list file | +| Data type | REG_BINARY | + +![Registry binary information](images/enterprise-pinning-registry-binary-information.png) + +### Deploying Enterprise Pin Rule Settings using Group Policy + +You’ve successfully created a certificate pinning rules XML file. 
+From the XML file you have created a certificate pinning trust list file, and you have applied the contents of that file to your reference computer from which you can run the Group Policy Management Console. +Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment. + +Sign-in to the reference computer using domain administrator equivalent credentials. + +1. Start the **Group Policy Management Console** (gpmc.msc) +2. In the navigation pane, expand the forest node and then expand the domain node. +3. Expand the node that has contains your Active Directory’s domain name +4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**. +5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**. +6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**. +7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**. +8. Right-click the **Registry** node and click **New**. +9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list. +10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name: + HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config + Click **Select** to close the **Registry Item Browser**. +11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. 
**Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box. + + ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png) + +12. Close the **Group Policy Management Editor** to save your settings. +13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer. + +## Additional Pin Rules Logging + +To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules. + +```code +HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config +``` + +| Name | Value | +|------|-------| +| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config | +| Name | PinRulesLogDir | +| Value | The Parent directory where Windows should write the additional pin rule logs | +| Data type | REG_SZ | + +### Permission for the Pin Rule Log Folder + +The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access. +You can run the following commands from an elevated command prompt to achieved the proper permissions. 
+ +```code +set PinRulesLogDir=c:\PinRulesLog +mkdir %PinRulesLogDir% +icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F) +icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F) +icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F) +icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L +``` + +Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the server’s chain to one of three child folders: + +- AdminPinRules + Matched a site in the enterprise certificate pinning rules. +- AutoUpdatePinRules + Matched a site in the certificate pinning rules managed by Microsoft. +- NoPinRules + Didn’t match any site in the certificate pin rules. + +The output file name consists of the leading 8 ASCII hex digits of the root’s SHA1 thumbprint followed by the server name. +For example: + +- D4DE20D0_xsi.outlook.com.p7b +- DE28F4A4_www.yammer.com.p7b + +If there is either an enterprise certificate pin rule or Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder. +If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder. + +## Representing a Date in XML + +Many attributes within the pin rules xml file are dates. +These dates must be properly formatted and represented in UTC. +You can use Windows PowerShell to format these dates. +You can then copy and paste the output of the cmdlet into the XML file. + +![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png) + +For simplicity, you can truncate decimal point (.) and the numbers after it. +However, be certain to append the uppercase “Z” to the end of the XML date string. 
+ +```code +2015-05-11T07:00:00.2655691Z +2015-05-11T07:00:00Z +``` + +## Converting an XML Date + +You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date. + +![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png) + +## Representing a Duration in XML + +Some elements may be configured to use a duration rather than a date. +You must represent the duration as an XML timespan data type. +You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file. + +![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png) + +## Converting an XML Duration + +You can convert a XML formatted timespan into a timespan variable that you can read. + +![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png) + +## Certificate Trust List XML Schema Definition (XSD) + +```code + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + + + + + + + + + diff --git a/windows/keep-secure/evaluate-windows-defender-antivirus.md b/windows/keep-secure/evaluate-windows-defender-antivirus.md new file mode 100644 index 0000000000..4f51b16a7a --- /dev/null +++ b/windows/keep-secure/evaluate-windows-defender-antivirus.md 
@@ -0,0 +1,51 @@
+---
+title: Evaluate Windows Defender Antivirus
+description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Windows Defender Antivirus in Windows 10.
+keywords: windows defender antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Evaluate Windows Defender Antivirus protection
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+
+If you're an enterprise security administrator, and you want to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications, then you can use this guide to help you evaluate Microsoft protection.
+
+It explains the important features available for both small and large enterprises in Windows Defender, and how they will increase malware detection and protection across your network.
+
+You can choose to configure and evaluate each setting independently, or all at once. We have grouped similar settings based upon typical evaluation scenarios, and include instructions for using PowerShell to enable the settings.
+
+The guide is available in PDF format for offline viewing:
+- [Download the guide in PDF format](https://www.microsoft.com/download/details.aspx?id=54795)
+
+You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery:
+- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.0/DisplayScript)
+
+> [!IMPORTANT]
+> The guide is currently intended for single-machine evaluation of Windows Defender Antivirus protection. Enabling all of the settings in this guide may not be suitable for real-world deployment.
+>
+> For the latest recommendations for real-world deployment and monitoring of Windows Defender Antivirus across a network, see the [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md) topic in this library.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy, manage, and report](deploy-manage-report-windows-defender-antivirus.md)
+
+
+
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index 2c68fb6704..c32cb54316 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -25,7 +25,7 @@ localizationpriority: high You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints. -For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. +For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps. > [!NOTE] > It can take several days for endpoints to begin reporting to the Windows Defender ATP service. @@ -192,8 +192,8 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen 27 -Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```. -Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. +Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: ```variable```. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
    Ensure real-time antimalware protection is running properly. @@ -208,8 +208,8 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen 30 -Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```. -Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. +Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: ```variable```. +Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
    Ensure real-time antimalware protection is running properly.
diff --git a/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..df1301d438
--- /dev/null
+++ b/windows/keep-secure/experiment-custom-ti-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,156 @@
+---
+title: Experiment with custom threat intelligence alerts
+description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API.
+keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Experiment with custom threat intelligence (TI) alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.
+
+For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md).
+
+This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
+
+You'll be guided through sample steps so you can experience how the threat intelligence API feature works. Sample steps include creating alerts definitions and indicators of compromise (IOCs), and examples of how triggered custom TI alerts look like.
+
+## Step 1: Enable the threat intelligence API and obtain authentication details
+To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).
+
+This step is required to generate security credentials that you need to use while working with the API.
+ +## Step 2: Create a sample alert definition and IOCs +This step will guide you in creating an alert definition and an IOC for a malicious IP. + +1. Open a Windows PowerShell ISE. + +2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert. + + NOTE:
    + Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application. + + ``` + $authUrl = 'Your Authorization URL' + $clientId = 'Your Client ID' + $clientSecret = 'Your Client Secret' + + + Try + { + $tokenPayload = @{ + "resource" = 'https://graph.windows.net' + "client_id" = $clientId + "client_secret" = $clientSecret + "grant_type"='client_credentials'} + + "Fetching an access token" + $response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload + $token = $response.access_token + "Token fetched successfully" + + $headers = @{ + "Content-Type" = "application/json" + "Accept" = "application/json" + "Authorization" = "Bearer {0}" -f $token } + + $apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/" + + $alertDefinitionPayload = @{ + "Name" = "Test Alert" + "Severity" = "Medium" + "InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature" + "Title" = "Test alert." + "UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled." + "RecommendedAction" = "No recommended action for this test alert." 
+ "Category" = "SuspiciousNetworkTraffic" + "Enabled" = "true"} + + "Creating an Alert Definition" + $alertDefinition = + Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json) + + "Alert Definition created successfully" + $alertDefinitionId = $alertDefinition.Id + + $iocPayload = @{ + "Type"="IpAddress" + "Value"="52.184.197.12" + "DetectionFunction"="Equals" + "Enabled"="true" + "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId } + + "Creating an Indicator of Compromise" + $ioc = + Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) ` + -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json) + "Indicator of Compromise created successfully" + + "All done!" + } + Catch + { + 'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message + } + + ``` + +3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines. + + ![Image of the script running](images/atp-running-script.png) + + NOTE:
    + If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script: + + ```syntax + $webclient=New-Object System.Net.WebClient + $creds=Get-Credential + $webclient.Proxy.Credentials=$creds + ``` + +## Step 3: Simulate a custom TI alert +This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert. + +1. Open a Windows PowerShell ISE in the machine you onboarded to Windows Defender ATP. + +2. Type `Invoke-WebRequest 52.184.197.12` in the editor and click **Run**. This call will generate a network communication event to a Microsoft's dedicated demo server that will raise an alert based on the custom alert definition. + + ![Image of editor with command to Invoke-WebRequest](images/atp-simulate-custom-ti.png) + +## Step 4: Explore the custom alert in the portal +This step will guide you in exploring the custom alert in the portal. + +1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser. + +2. Log in with your Windows Defender ATP credentials. + +3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack. + + ![Image of sample custom ti alert in the portal](images/atp-sample-custom-ti-alert.png) + +> [!NOTE] +> It can take up to 15 minutes for the alert to appear in the portal. 
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a301137ca4
--- /dev/null
+++ b/windows/keep-secure/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,78 @@
+---
+title: Fix unhealthy sensors in Windows Defender ATP
+description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
+keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communication, communication
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Fix unhealthy sensors in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
+
+## Inactive machines
+
+An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause a machine to be categorized as inactive:
+
+**Machine is not in use**
+If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal.
+
+**Machine was reinstalled or renamed**
+A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
+
+**Machine was offboarded**
+If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
+
+Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
+
+## Misconfigured machines
+Misconfigured machines can further be classified to:
+ - Impaired communication
+ - No sensor data
+
+### Impaired communication
+This status indicates that there's limited communication between the machine and the service.
+
+The following suggested actions can help fix issues related to a misconfigured machine with impaired communication:
+
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+ The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
+
+- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
+
+If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
+
+### No sensor data
+A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
+Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’:
+
+- [Ensure the endpoint has Internet connection](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-endpoint-has-an-internet-connection)
+ The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service.
+
+- [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls)
+ Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
+
+- [Ensure the telemetry and diagnostics service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-telemetry-and-diagnostics-service-is-enabled)
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint.
+
+- [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy)
+If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
+
+If you took corrective actions and the machine status is still misconfigured, [open a support ticket](http://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
+
+## Related topic
+- [Check sensor health state in Windows Defender ATP](check-sensor-status-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..aca26a9b12
--- /dev/null
+++ b/windows/keep-secure/general-settings-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,38 @@
+---
+title: Update general Windows Defender Advanced Threat Protection settings
+description: Update your general Windows Defender Advanced Threat Protection settings such as data retention or industry after onboarding.
+keywords: general settings, settings, update settings
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+# Update general Windows Defender ATP settings
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.
+
+1. In the navigation pane, select **Preferences setup** > **General**.
+
+2. Modify settings such as data retention policy or the industry that best describes your organization.
+
+ > [!NOTE]
+ > Other settings are not editable.
+
+3. Click **Save preferences**.
+
+
+## Related topics
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
+- [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md b/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
deleted file mode 100644
index f7c920bb4f..0000000000
--- a/windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,190 +0,0 @@ ---- -title: Update and manage Windows Defender in Windows 10 (Windows 10) -description: IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using Group Policy SettingsWindows Management Instrumentation (WMI)PowerShell. -ms.assetid: 045F5BF2-87D7-4522-97E1-C1D508E063A7 -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: medium -author: jasesso ---- - -# Update and manage Windows Defender in Windows 10 - -**Applies to** -- Windows 10 - -IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Microsoft Active Directory or Windows Server Update Services (WSUS), apply updates to endpoints, and manage scans using: - -- Group Policy Settings -- Windows Management Instrumentation (WMI) -- PowerShell - -## Manage Windows Defender endpoints through Active Directory and WSUS - -All Windows 10 endpoints are installed with Windows Defender and include support for management through: -- Active Directory -- WSUS - -You can use the Active Directory to configure the settings; Group policies can be used for centralized configuration and enforcement of many Windows Defender settings including client user interface, scan settings, and exclusions. -WSUS can be used to view basic update compliance and deploy updates manually or through automatic rules. 
- -Note that System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including: - -- Settings management -- Definition update management -- Alerts and alert management -- Reports and reporting - -When you enable *Endpoint Protection* on your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for System Center Endpoint Protection or Intune will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed. Learn more about managing *Endpoint Protection*: - -- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://technet.microsoft.com/library/dn646970.aspx) -- [Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508760.aspx) - -Read more about System Center Configuration Manager in [Introduction to Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508781.aspx). -> **Important:**  You must be licensed to use *Endpoint Protection* to manage clients in your Configuration Manager hierarchy. -  -## Apply updates to Windows Defender endpoints - -It is important to keep Windows Defender endpoints updated to ensure they are protected. All Windows Defender updates, including General Distribution Release (GDR) updates, are now applied as operating system updates. -You can manage the distribution of updates through the [Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157). - -## Manage email scans in Windows Defender - -You can use Windows Defender to scan email files. 
Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender. -> **Important:**  Mail scanning only applies to on-demand and scheduled scans, not on-access scans. -  -Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension. -> **Note: **  Scanning email files might increase the time required to complete a scan. -  -Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally. -> **Note:**  While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example: -- DBX -- MBX -- MIME -  -You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware. - -If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat: -- Email subject -- Attachment name -Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender: -- *Group Policy* settings -- WMI -- PowerShell -> **Important:**  There are some risks associated with scanning some Microsoft Outlook files and email messages. 
You can read about tips and risks associated with scanning Outlook files and email messages in the following articles: -- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1) -- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2) -  -## Use *Group Policy* settings to enable email scans - -This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments. - -Turn on email scanning with the following *Group Policy* settings: -1. Open the **Group Policy Editor**. -2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. -3. Click **Scan**. -4. Double-click **Turn on e-mail scanning**. - - This will open the **Turn on e-mail scanning** window: - - ![turn on e-mail scanning window](images/defender-scanemailfiles.png) - -5. Select **Enabled**. -6. Click **OK** to apply changes. - -## Use WMI to disable email scans - -You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx). - -Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting: -**DisableEmailScanning** -Data type: **boolean** -Access type: Read-only -Disable email scanning. - -## Use PowerShell to enable email scans - -You can also enable email scanning using the following PowerShell parameter: -1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE). -2. Type **Set-MpPreference -DisableEmailScanning $false**. 
- -Read more about this in: -- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) -- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) - -## Manage archive scans in Windows Defender - -You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender. -> **Important:**  Archive scanning only applies to on-demand and scheduled scans, not on-access scans. -  -Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender: -- *Group Policy* settings -- WMI -- PowerShell -- Endpoint Protection -> **Note:**  Scanning archive files might increase the time required to complete a scan. -  -If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there’s a .r00 file that’s actually .rar content, it will still be scanned if archive scanning is enabled. - -## Use *Group Policy* settings to enable archive scans - -This policy setting allows you to turn on archive scanning. - -Turn on email scanning with the following *Group Policy* settings: -1. Open the **Group Policy Editor**. -2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**. -3. Click **Scan**. -4. Double-click **Scan archive files**. - - This will open the **Scan archive files** window: - - ![scan archive files window](images/defender-scanarchivefiles.png) - -5. Select **Enabled**. -6. Click **OK** to apply changes. 
- -There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example: -- Maximum directory depth level into which archive files are unpacked during scanning - - ![specify the maximum depth to scan archive files window](images/defender-scanarchivedepth.png) - -- Maximum size of archive files that will be scanned - - ![specify the maximum size of archive files to be scanned window](images/defender-scanarchivesize.png) - -- Maximum percentage CPU utilization permitted during a scan - - ![specify the maximum percentage od cpu utilization during a scan window](images/defender-scanarchivecpu.png) - -## Use WMI to disable archive scans - -You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx). - -Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting: -**DisableArchiveScanning** -Data type: **boolean** -Access type: Read-only -Disable archive scanning. - -## Use PowerShell to enable archive scans - -You can also enable archive scanning using the following PowerShell parameter: -1. Open PowerShell or PowerShellISE. -2. Type **Set-MpPreference -DisableArchiveScanning $false**. - -Read more about this in: -- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx) -- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx) - -## Use Endpoint Protection to configure archive scans - -In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. 
For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx) - -## Related topics - -- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md) -  -  diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md deleted file mode 100644 index 88a3f076b6..0000000000 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Get apps to run on Device Guard-protected devices (Windows 10) -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide ---- diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md deleted file mode 100644 index cfd70be3cc..0000000000 --- a/windows/keep-secure/guidance-and-best-practices-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: General guidance and best practices for enterprise data protection (EDP) (Windows 10) -description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP). -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index ff64be6d0f..a0cabb4a95 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
@@ -14,7 +14,7 @@ localizationpriority: high # General guidance and best practices for Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP). 
@@ -25,7 +25,7 @@ This section includes info about the enlightened Microsoft apps, including how t |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | |[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). | -|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). | +|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). | >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/hello-and-password-changes.md b/windows/keep-secure/hello-and-password-changes.md index b9937eeaa8..336c82005d 100644 --- a/windows/keep-secure/hello-and-password-changes.md +++ b/windows/keep-secure/hello-and-password-changes.md 
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- # Windows Hello and password changes @@ -41,7 +41,6 @@ Suppose instead that you sign in on **Device B** and change your password for yo - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) diff --git a/windows/keep-secure/hello-biometrics-in-enterprise.md b/windows/keep-secure/hello-biometrics-in-enterprise.md index 162ff7d762..c57043af82 100644 --- a/windows/keep-secure/hello-biometrics-in-enterprise.md +++ b/windows/keep-secure/hello-biometrics-in-enterprise.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- @@ -79,7 +79,6 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) 
diff --git a/windows/keep-secure/hello-enable-phone-signin.md b/windows/keep-secure/hello-enable-phone-signin.md deleted file mode 100644 index c77dfeeaf1..0000000000 --- a/windows/keep-secure/hello-enable-phone-signin.md +++ /dev/null 
@@ -1,84 +0,0 @@ ---- -title: Enable phone sign-in to PC or VPN (Windows 10) -description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone. -keywords: ["identity", "PIN", "biometric", "Hello"] -ms.prod: W10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Enable phone sign-in to PC or VPN - - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app. - -![Sign in to a device](images/phone-signin-menu.png) - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone. - - ## Prerequisites - - - Both phone and PC must be running Windows 10, version 1607. - - The PC must be running Windows 10 Pro, Enterprise, or Education - - Both phone and PC must have Bluetooth. - - The **Microsoft Authenticator** app must be installed on the phone. - - The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. - - The phone must be joined to Azure AD or have a work account added. - - The VPN configuration profile must use certificate-based authentication. - -## Set policies - -To enable phone sign-in, you must enable the following policies using Group Policy or MDM. 
- -- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business** - - Enable **Use Windows Hello for Business** - - Enable **Phone Sign-in** -- MDM: - - Set **UsePassportForWork** to **True** - - Set **Remote\UseRemotePassport** to **True** - -## Configure VPN - -To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows: - -- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate. -- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate. - -## Get the app - -If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md). 
- -[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote) - - -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - - -  - -  - - - - - diff --git a/windows/keep-secure/hello-errors-during-pin-creation.md b/windows/keep-secure/hello-errors-during-pin-creation.md index a362e1f253..b9f0619b20 100644 --- a/windows/keep-secure/hello-errors-during-pin-creation.md +++ b/windows/keep-secure/hello-errors-during-pin-creation.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- @@ -89,7 +89,7 @@ If the error occurs again, check the error code against the following table to s 0x80090035 Policy requires TPM and the device does not have TPM. -Change the Passport policy to not require a TPM. +Change the Windows Hello for Business policy to not require a TPM. 0x801C0003 @@ -149,7 +149,7 @@ If the error occurs again, check the error code against the following table to s 0x801C03EA Server failed to authorize user or device. -Check if the token is valid and user has permission to register Passport keys. +Check if the token is valid and user has permission to register Windows Hello for Business keys. 0x801C03EB 
@@ -225,7 +225,6 @@ For errors listed in this table, contact Microsoft Support for assistance. - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-event-300.md b/windows/keep-secure/hello-event-300.md index ea19c3f794..1eecd8dd53 100644 --- a/windows/keep-secure/hello-event-300.md +++ b/windows/keep-secure/hello-event-300.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- @@ -37,7 +37,6 @@ This is a normal condition. No further action is required. - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) diff --git a/windows/keep-secure/hello-how-it-works.md b/windows/keep-secure/hello-how-it-works.md index 089387f204..379783c65a 100644 --- a/windows/keep-secure/hello-how-it-works.md +++ b/windows/keep-secure/hello-how-it-works.md 
@@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- # How Windows Hello for Business works
@@ -14,7 +14,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -TWindows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. +Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. ## Register a new user or device
@@ -112,10 +112,9 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/keep-secure/hello-identity-verification.md b/windows/keep-secure/hello-identity-verification.md
index a1e391508f..063ed2cfe2 100644
--- a/windows/keep-secure/hello-identity-verification.md
+++ b/windows/keep-secure/hello-identity-verification.md
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: jdeckerMS +author: DaniHalfin localizationpriority: high --- # Windows Hello for Business
@@ -72,10 +72,6 @@ Imagine that someone is looking over your shoulder as you get money from an ATM Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs. -For customers using a hybrid Active Directory and Azure Active Directorye environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the user’s Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions. - -> [!NOTE] ->  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.   ## How Windows Hello for Business works: key points
@@ -113,15 +109,12 @@ Windows Hello for Business can use either keys (hardware or software) or certifi [Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891) -[Authenticating identities without passwords through Microsoft Passport](https://go.microsoft.com/fwlink/p/?LinkId=616778) - -[Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928) +[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778) ## Related topics - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md)
diff --git a/windows/keep-secure/hello-manage-in-organization.md b/windows/keep-secure/hello-manage-in-organization.md
index f2a43b7df1..44cef02636 100644
--- a/windows/keep-secure/hello-manage-in-organization.md
+++ b/windows/keep-secure/hello-manage-in-organization.md
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high ---
@@ -131,16 +131,12 @@ The following table lists the Group Policy settings that you can configure for W -Phone Sign-in +>Phone Sign-in

    Use Phone Sign-in

    -
    Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
    -
     
    -

    Not configured: Phone sign-in is disabled.

    -

    Enabled: Users can use a portable, registered device as a companion device for desktop authentication.

    -

    Disabled: Phone sign-in is disabled.

    +

    Not currently supported.

    @@ -283,14 +279,11 @@ The following table lists the MDM policy settings that you can configure for Win Remote

    UseRemotePassport

    -
    Note  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
    -
     
    Device or user False -

    True: Phone sign-in is enabled.

    -

    False: Phone sign-in is disabled.

    +

    Not currently supported.

    @@ -352,7 +345,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
  • Azure AD subscription
  • [Azure AD Connect](https://go.microsoft.com/fwlink/p/?LinkId=616792)
  • AD CS with NDES
  • -
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
  • +
  • Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Windows Hello for Business
  • @@ -381,7 +374,6 @@ If you want to use Windows Hello for Business with certificates, you’ll need a - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md)
diff --git a/windows/keep-secure/hello-prepare-people-to-use.md b/windows/keep-secure/hello-prepare-people-to-use.md
index e1c079e7ab..8426ced11d 100644
--- a/windows/keep-secure/hello-prepare-people-to-use.md
+++ b/windows/keep-secure/hello-prepare-people-to-use.md
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high ---
@@ -51,56 +51,13 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci ![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png) -## Use a phone to sign in to a PC or VPN -If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials. - -> [!NOTE] -> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants. - -  -**Prerequisites:** - -- Both phone and PC must be running Windows 10, version 1607. -- The PC must be running Windows 10 Pro, Enterprise, or Education -- Both phone and PC must have Bluetooth. -- The **Microsoft Authenticator** app must be installed on the phone. -- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD. -- The phone must be joined to Azure AD or have a work account added. -- The VPN configuration profile must use certificate-based authentication. - -**Pair the PC and phone** - -1. On the PC, go to **Settings** > **Devices** > **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing. - - ![bluetooth pairing](images/btpair.png) - -2. On the phone, go to **Settings** > **Devices** > **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**. - - ![bluetooth pairing passcode](images/bt-passcode.png) - -3. On the PC, tap **Yes**. - -**Sign in to PC using the phone** - - -1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to. - > **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account. - - ![select a device](images/phone-signin-device-select.png) -   -2. 
Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account. - -**Connect to VPN** - -You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect. ## Related topics - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
diff --git a/windows/keep-secure/hello-why-pin-is-better-than-password.md b/windows/keep-secure/hello-why-pin-is-better-than-password.md
index a7606f0264..516d264bef 100644
--- a/windows/keep-secure/hello-why-pin-is-better-than-password.md
+++ b/windows/keep-secure/hello-why-pin-is-better-than-password.md
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: DaniHalfin localizationpriority: high ---
@@ -32,7 +32,7 @@ A password is transmitted to the server -- it can be intercepted in transmission When the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication. When you enter your PIN, it unlocks the authentication key and uses the key to sign the request that is sent to the authenticating server. >[!NOTE] ->For details on how Hello uses asymetric key pairs for authentication, see [Microsoft Passport guide](https://go.microsoft.com/fwlink/p/?LinkId=691928). +>For details on how Hello uses asymetric key pairs for authentication, see [Windows Hello for Business](hello-identity-verification.md#benefits-of-windows-hello).   ## PIN is backed by hardware 
@@ -54,17 +54,44 @@ You can provide additional protection for laptops that don't have TPM by enablng **Configure BitLocker without TPM** 1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Require additional authentication at startup** + **Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup** 2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** -3. Go to Control Panel > **System and Security** > **BitLocker Drive Encryption** and select the operating system drive to protect. +3. Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect. **Set account lockout threshold** 1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: - **Computer Configuration** >**Windows Settings** ?**Security Settings** >**Account Policies** > **Account Lockout Policy** > **Account lockout threshold** + **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold** 2. Set the number of invalid logon attempts to allow, and then click OK. + +## What if I forget my PIN? + +Starting with Windows 10, version 1703, devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune), are be able to reset a forgotten PIN without deleting company managed data or apps. + +### Reset forgotten PIN on Windows Phone + +To reset a forgotten pin on a Windows Phone, you will need to locate the device in the Intune portal. Once you've selected the device, click on **More > New passcode** to generate a new PIN. 
+ +![Intune reset PIN drop-down menu](images/whfb-intune-reset-pin.jpg) + +Once you've done that, the device will receive a notification to unlock the device and you will have to provide them with the generated PIN in order to unlock the device. With the device unlocked, they user can now reset the PIN. + +![Phone unlock notification](images/whfb-pin-reset-phone-notification.png) + +### Reset forgotten PIN on desktop + +Users can reset a forgotten PIN from any Intune managed desktop device. They will need to unlock the device by other means (Password \ Smart Card \ Biometric). + +Once the device is unlocked, go to **Settings > Accounts > Sign-in options** and under **PIN** select **I forgot my PIN**. + +![Forgot my PIN in settings](images/whfb-reset-pin-settings.jpg) + +After signing-in, you will be prompted to change your PIN. + +![Reset PIN prompt](images/whfb-reset-pin-prompt.jpg) + ## Why do you need a PIN to use biometrics? Windows Hello enables biometric sign-in for Windows 10: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can’t use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
@@ -75,7 +102,6 @@ If you only had a biometric sign-in configured and, for any reason, were unable - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index c3595ae774..cbe59766be 100644
--- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -61,7 +61,7 @@ For VPN, the following types of credentials will be added to credential manager - TPM KSP Certificate - Software KSP Certificates - Smart Card Certificate - - Passport for Work Certificate + - Windows Hello for Business Certificate The username should also include a domain that can be reached over the connection (VPN or WiFi).
diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png
index e2f5a387b0..ad520f97ee 100644
Binary files a/windows/keep-secure/images/alert-details.png and b/windows/keep-secure/images/alert-details.png differ
diff --git a/windows/keep-secure/images/alerts-q-bulk.png b/windows/keep-secure/images/alerts-q-bulk.png
new file mode 100644
index 0000000000..9aad1b64aa
Binary files /dev/null and b/windows/keep-secure/images/alerts-q-bulk.png differ
diff --git a/windows/keep-secure/images/alerts-queue-numbered.png b/windows/keep-secure/images/alerts-queue-numbered.png
new file mode 100644
index 0000000000..39c6a467aa
Binary files /dev/null and b/windows/keep-secure/images/alerts-queue-numbered.png differ
diff --git a/windows/keep-secure/images/atp-action-center-with-info.png b/windows/keep-secure/images/atp-action-center-with-info.png
new file mode 100644
index 0000000000..ff3c828a38
Binary files /dev/null and b/windows/keep-secure/images/atp-action-center-with-info.png differ
diff --git a/windows/keep-secure/images/atp-actor-report.png b/windows/keep-secure/images/atp-actor-report.png
new file mode 100644
index 0000000000..c7c4d60928
Binary files /dev/null and b/windows/keep-secure/images/atp-actor-report.png differ
diff --git a/windows/keep-secure/images/atp-actor.png b/windows/keep-secure/images/atp-actor.png
new file mode 100644
index 0000000000..dc9c9dd6fc
Binary files /dev/null and b/windows/keep-secure/images/atp-actor.png differ
diff --git a/windows/keep-secure/images/atp-add-intune-policy.png b/windows/keep-secure/images/atp-add-intune-policy.png
index 61a47e9f37..e8c914746a 100644
Binary files a/windows/keep-secure/images/atp-add-intune-policy.png and b/windows/keep-secure/images/atp-add-intune-policy.png differ
diff --git a/windows/keep-secure/images/atp-alert-process-tree.png b/windows/keep-secure/images/atp-alert-process-tree.png
new file mode 100644
index 0000000000..06daaa6ea7
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-process-tree.png differ
diff --git a/windows/keep-secure/images/atp-alert-source.png b/windows/keep-secure/images/atp-alert-source.png
new file mode 100644
index 0000000000..c2155cc7ee
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-source.png differ
diff --git a/windows/keep-secure/images/atp-alert-status.png b/windows/keep-secure/images/atp-alert-status.png
new file mode 100644
index 0000000000..b2380e0236
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-status.png differ
diff --git a/windows/keep-secure/images/atp-alert-timeline-numbered.png b/windows/keep-secure/images/atp-alert-timeline-numbered.png
new file mode 100644
index 0000000000..e791757460
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-timeline-numbered.png differ
diff --git a/windows/keep-secure/images/atp-alert-timeline.png b/windows/keep-secure/images/atp-alert-timeline.png
new file mode 100644
index 0000000000..467c7a321e
Binary files /dev/null and b/windows/keep-secure/images/atp-alert-timeline.png differ
diff --git a/windows/keep-secure/images/atp-alerts-group.png b/windows/keep-secure/images/atp-alerts-group.png
new file mode 100644
index 0000000000..e3bf3d41f0
Binary files /dev/null and b/windows/keep-secure/images/atp-alerts-group.png differ
diff --git a/windows/keep-secure/images/atp-alerts-q.png b/windows/keep-secure/images/atp-alerts-q.png
new file mode 100644
index 0000000000..1131ead044
Binary files /dev/null and b/windows/keep-secure/images/atp-alerts-q.png differ
diff --git a/windows/keep-secure/images/atp-alerts-related-to-file.png b/windows/keep-secure/images/atp-alerts-related-to-file.png
new file mode 100644
index 0000000000..ecfb56f1a8
Binary files /dev/null and b/windows/keep-secure/images/atp-alerts-related-to-file.png differ
diff --git a/windows/keep-secure/images/atp-azure-ui-user-access.png b/windows/keep-secure/images/atp-azure-ui-user-access.png
new file mode 100644
index 0000000000..dd7fe7dc4d
Binary files /dev/null and b/windows/keep-secure/images/atp-azure-ui-user-access.png differ
diff --git a/windows/keep-secure/images/atp-blockfile.png b/windows/keep-secure/images/atp-blockfile.png
new file mode 100644
index 0000000000..9b446a53cc
Binary files /dev/null and b/windows/keep-secure/images/atp-blockfile.png differ
diff --git a/windows/keep-secure/images/atp-custom-ti-mapping.png b/windows/keep-secure/images/atp-custom-ti-mapping.png
new file mode 100644
index 0000000000..251c387646
Binary files /dev/null and b/windows/keep-secure/images/atp-custom-ti-mapping.png differ
diff --git a/windows/keep-secure/images/atp-disableantispyware-regkey.png b/windows/keep-secure/images/atp-disableantispyware-regkey.png
index ae3d800c69..ed34f9dc65 100644
Binary files a/windows/keep-secure/images/atp-disableantispyware-regkey.png and b/windows/keep-secure/images/atp-disableantispyware-regkey.png differ
diff --git a/windows/keep-secure/images/atp-example-email-notification.png b/windows/keep-secure/images/atp-example-email-notification.png
new file mode 100644
index 0000000000..c46cc214d7
Binary files /dev/null and b/windows/keep-secure/images/atp-example-email-notification.png differ
diff --git a/windows/keep-secure/images/atp-export-machine-timeline-events.png b/windows/keep-secure/images/atp-export-machine-timeline-events.png
new file mode 100644
index 0000000000..99f214b11e
Binary files /dev/null and b/windows/keep-secure/images/atp-export-machine-timeline-events.png differ
diff --git a/windows/keep-secure/images/atp-file-action.png b/windows/keep-secure/images/atp-file-action.png
new file mode 100644
index 0000000000..106329f89e
Binary files /dev/null and b/windows/keep-secure/images/atp-file-action.png differ
diff --git a/windows/keep-secure/images/atp-file-details.png b/windows/keep-secure/images/atp-file-details.png
new file mode 100644
index 0000000000..ad92f3af0c
Binary files /dev/null and b/windows/keep-secure/images/atp-file-details.png differ
diff --git a/windows/keep-secure/images/atp-file-in-org.png b/windows/keep-secure/images/atp-file-in-org.png
new file mode 100644
index 0000000000..12f980de0a
Binary files /dev/null and b/windows/keep-secure/images/atp-file-in-org.png differ
diff --git a/windows/keep-secure/images/atp-file-information.png b/windows/keep-secure/images/atp-file-information.png
new file mode 100644
index 0000000000..ea5619c545
Binary files /dev/null and b/windows/keep-secure/images/atp-file-information.png differ
diff --git a/windows/keep-secure/images/atp-incident-graph.png b/windows/keep-secure/images/atp-incident-graph.png
new file mode 100644
index 0000000000..2968bc4cbb
Binary files /dev/null and b/windows/keep-secure/images/atp-incident-graph.png differ
diff --git a/windows/keep-secure/images/atp-investigation-package-action-center.png b/windows/keep-secure/images/atp-investigation-package-action-center.png
new file mode 100644
index 0000000000..1f9129f05e
Binary files /dev/null and b/windows/keep-secure/images/atp-investigation-package-action-center.png differ
diff --git a/windows/keep-secure/images/atp-isolate-machine.png b/windows/keep-secure/images/atp-isolate-machine.png
new file mode 100644
index 0000000000..4905b60304
Binary files /dev/null and b/windows/keep-secure/images/atp-isolate-machine.png differ
diff --git a/windows/keep-secure/images/atp-machine-details-view.png b/windows/keep-secure/images/atp-machine-details-view.png
new file mode 100644
index 0000000000..e91eb539fa
Binary files /dev/null and b/windows/keep-secure/images/atp-machine-details-view.png differ
diff --git a/windows/keep-secure/images/atp-machine-health-details.png b/windows/keep-secure/images/atp-machine-health-details.png
new file mode 100644
index 0000000000..63431efa68
Binary files /dev/null and b/windows/keep-secure/images/atp-machine-health-details.png differ
diff --git a/windows/keep-secure/images/atp-machine-health.png b/windows/keep-secure/images/atp-machine-health.png
new file mode 100644
index 0000000000..ded3475bea
Binary files /dev/null and b/windows/keep-secure/images/atp-machine-health.png differ
diff --git a/windows/keep-secure/images/atp-machine-investigation-package.png b/windows/keep-secure/images/atp-machine-investigation-package.png
new file mode 100644
index 0000000000..2c32d9780d
Binary files /dev/null and b/windows/keep-secure/images/atp-machine-investigation-package.png differ
diff --git a/windows/keep-secure/images/atp-machine-isolation.png b/windows/keep-secure/images/atp-machine-isolation.png
new file mode 100644
index 0000000000..10b778ae73
Binary files /dev/null and b/windows/keep-secure/images/atp-machine-isolation.png differ
diff --git a/windows/keep-secure/images/atp-machine-timeline-details-panel.png b/windows/keep-secure/images/atp-machine-timeline-details-panel.png
new file mode 100644
index 0000000000..fbb2de4176
Binary files /dev/null and b/windows/keep-secure/images/atp-machine-timeline-details-panel.png differ
diff --git a/windows/keep-secure/images/atp-machine-timeline.png b/windows/keep-secure/images/atp-machine-timeline.png
new file mode 100644
index 0000000000..9ad30bceec
Binary files /dev/null and b/windows/keep-secure/images/atp-machine-timeline.png differ
diff --git a/windows/keep-secure/images/atp-machines-at-risk.png b/windows/keep-secure/images/atp-machines-at-risk.png
new file mode 100644
index 0000000000..219e958d7d
Binary files /dev/null and b/windows/keep-secure/images/atp-machines-at-risk.png differ
diff --git a/windows/keep-secure/images/atp-machines-view-list.png b/windows/keep-secure/images/atp-machines-view-list.png
new file mode 100644
index 0000000000..ac38039f3a
Binary files /dev/null and b/windows/keep-secure/images/atp-machines-view-list.png differ
diff --git a/windows/keep-secure/images/atp-main-portal.png b/windows/keep-secure/images/atp-main-portal.png
new file mode 100644
index 0000000000..2aa75b7dca
Binary files /dev/null and b/windows/keep-secure/images/atp-main-portal.png differ
diff --git a/windows/keep-secure/images/atp-mdm-onboarding-package.png b/windows/keep-secure/images/atp-mdm-onboarding-package.png
index 23b9c49490..6be87715e9 100644
Binary files a/windows/keep-secure/images/atp-mdm-onboarding-package.png and b/windows/keep-secure/images/atp-mdm-onboarding-package.png differ
diff --git a/windows/keep-secure/images/atp-no-network-connection.png b/windows/keep-secure/images/atp-no-network-connection.png
new file mode 100644
index 0000000000..ac6eb4b4f8
Binary files /dev/null and b/windows/keep-secure/images/atp-no-network-connection.png differ
diff --git a/windows/keep-secure/images/atp-notification-file.png b/windows/keep-secure/images/atp-notification-file.png
new file mode 100644
index 0000000000..703719d8a3
Binary files /dev/null and b/windows/keep-secure/images/atp-notification-file.png differ
diff --git a/windows/keep-secure/images/atp-notification-isolate.png b/windows/keep-secure/images/atp-notification-isolate.png
new file mode 100644
index 0000000000..e81dd276a4
Binary files /dev/null and b/windows/keep-secure/images/atp-notification-isolate.png differ
diff --git a/windows/keep-secure/images/atp-observed-in-organization.png b/windows/keep-secure/images/atp-observed-in-organization.png
new file mode 100644
index 0000000000..508822a2ad
Binary files /dev/null and b/windows/keep-secure/images/atp-observed-in-organization.png differ
diff --git a/windows/keep-secure/images/atp-observed-machines.png b/windows/keep-secure/images/atp-observed-machines.png
new file mode 100644
index 0000000000..845b97a82a
Binary files /dev/null and b/windows/keep-secure/images/atp-observed-machines.png differ
diff --git a/windows/keep-secure/images/atp-preferences-setup.png b/windows/keep-secure/images/atp-preferences-setup.png
new file mode 100644
index 0000000000..bf67591f66
Binary files /dev/null and b/windows/keep-secure/images/atp-preferences-setup.png differ
diff --git a/windows/keep-secure/images/atp-remediated-alert.png b/windows/keep-secure/images/atp-remediated-alert.png
new file mode 100644
index 0000000000..d49b681907
Binary files /dev/null and b/windows/keep-secure/images/atp-remediated-alert.png differ
diff --git a/windows/keep-secure/images/atp-remove-blocked-file.png b/windows/keep-secure/images/atp-remove-blocked-file.png
new file mode 100644
index 0000000000..deed34e291
Binary files /dev/null and b/windows/keep-secure/images/atp-remove-blocked-file.png differ
diff --git a/windows/keep-secure/images/atp-running-script.png b/windows/keep-secure/images/atp-running-script.png
new file mode 100644
index 0000000000..ebfdebadc5
Binary files /dev/null and b/windows/keep-secure/images/atp-running-script.png differ
diff --git a/windows/keep-secure/images/atp-sample-custom-ti-alert.png b/windows/keep-secure/images/atp-sample-custom-ti-alert.png
new file mode 100644
index 0000000000..e536f6f4cc
Binary files /dev/null and b/windows/keep-secure/images/atp-sample-custom-ti-alert.png differ
diff --git a/windows/keep-secure/images/atp-sensor-filter.png b/windows/keep-secure/images/atp-sensor-filter.png
new file mode 100644
index 0000000000..76267fb27f
Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-filter.png differ
diff --git a/windows/keep-secure/images/atp-sensor-health-filter-resized.png b/windows/keep-secure/images/atp-sensor-health-filter-resized.png
new file mode 100644
index 0000000000..0c0f7d0eec
Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-filter-resized.png differ
diff --git a/windows/keep-secure/images/atp-sensor-health-filter-tile.png b/windows/keep-secure/images/atp-sensor-health-filter-tile.png
new file mode 100644
index 0000000000..8e2da99e51
Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-filter-tile.png differ
diff --git a/windows/keep-secure/images/atp-sensor-health-filter.png b/windows/keep-secure/images/atp-sensor-health-filter.png
new file mode 100644
index 0000000000..b82d66a85a
Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-filter.png differ
diff --git a/windows/keep-secure/images/atp-sensor-health-nonav.png b/windows/keep-secure/images/atp-sensor-health-nonav.png
new file mode 100644
index 0000000000..922f8c681b
Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-nonav.png differ
diff --git a/windows/keep-secure/images/atp-sensor-health-tile.png b/windows/keep-secure/images/atp-sensor-health-tile.png
new file mode 100644
index 0000000000..067d26d957
Binary files /dev/null and b/windows/keep-secure/images/atp-sensor-health-tile.png differ
diff --git a/windows/keep-secure/images/atp-siem-integration.png b/windows/keep-secure/images/atp-siem-integration.png
new file mode 100644
index 0000000000..0205980406
Binary files /dev/null and b/windows/keep-secure/images/atp-siem-integration.png differ
diff --git a/windows/keep-secure/images/atp-simulate-custom-ti.png b/windows/keep-secure/images/atp-simulate-custom-ti.png
new file mode 100644
index 0000000000..2828654c79
Binary files /dev/null and b/windows/keep-secure/images/atp-simulate-custom-ti.png differ
diff --git a/windows/keep-secure/images/atp-stop-quarantine-file.png b/windows/keep-secure/images/atp-stop-quarantine-file.png
new file mode 100644
index 0000000000..cb58fad705
Binary files /dev/null and b/windows/keep-secure/images/atp-stop-quarantine-file.png differ
diff --git a/windows/keep-secure/images/atp-stopnquarantine-file.png b/windows/keep-secure/images/atp-stopnquarantine-file.png
new file mode 100644
index 0000000000..a66341935b
Binary files /dev/null and b/windows/keep-secure/images/atp-stopnquarantine-file.png differ
diff --git a/windows/keep-secure/images/atp-suppression-rules.png b/windows/keep-secure/images/atp-suppression-rules.png
new file mode 100644
index 0000000000..4ee5270fd0
Binary files /dev/null and b/windows/keep-secure/images/atp-suppression-rules.png differ
diff --git a/windows/keep-secure/images/atp-threat-intel-api.png b/windows/keep-secure/images/atp-threat-intel-api.png
new file mode 100644
index 0000000000..ef6720b29e
Binary files /dev/null and b/windows/keep-secure/images/atp-threat-intel-api.png differ
diff --git a/windows/keep-secure/images/atp-thunderbolt-icon.png b/windows/keep-secure/images/atp-thunderbolt-icon.png
new file mode 100644
index 0000000000..d2c31bfab3
Binary files /dev/null and b/windows/keep-secure/images/atp-thunderbolt-icon.png differ
diff --git a/windows/keep-secure/images/atp-tile-sensor-health.png b/windows/keep-secure/images/atp-tile-sensor-health.png
new file mode 100644
index 0000000000..3aa0b451bc
Binary files /dev/null and b/windows/keep-secure/images/atp-tile-sensor-health.png differ
diff --git a/windows/keep-secure/images/atp-undo-isolation.png b/windows/keep-secure/images/atp-undo-isolation.png
new file mode 100644
index 0000000000..ea42abd060
Binary files /dev/null and b/windows/keep-secure/images/atp-undo-isolation.png differ
diff --git a/windows/keep-secure/images/atp-user-details-pane.png b/windows/keep-secure/images/atp-user-details-pane.png
new file mode 100644
index 0000000000..200437ab22
Binary files /dev/null and b/windows/keep-secure/images/atp-user-details-pane.png differ
diff --git a/windows/keep-secure/images/atp-user-details-view.png b/windows/keep-secure/images/atp-user-details-view.png
new file mode 100644
index 0000000000..b0732653d6
Binary files /dev/null and b/windows/keep-secure/images/atp-user-details-view.png differ
diff --git a/windows/keep-secure/images/atp-users-at-risk.png b/windows/keep-secure/images/atp-users-at-risk.png
new file mode 100644
index 0000000000..cd43cdf607
Binary files /dev/null and b/windows/keep-secure/images/atp-users-at-risk.png differ
diff --git a/windows/keep-secure/images/defender/malware-detected.png b/windows/keep-secure/images/defender/malware-detected.png
new file mode 100644
index 0000000000..91fce5a44b
Binary files /dev/null and b/windows/keep-secure/images/defender/malware-detected.png differ
diff --git a/windows/keep-secure/images/defender/order-update-sources-wdav.png b/windows/keep-secure/images/defender/order-update-sources-wdav.png
new file mode 100644
index 0000000000..904f314699
Binary files /dev/null and b/windows/keep-secure/images/defender/order-update-sources-wdav.png differ
diff --git a/windows/keep-secure/images/defender/quarantine.png b/windows/keep-secure/images/defender/quarantine.png
new file mode 100644
index 0000000000..6a908aedec
Binary files /dev/null and b/windows/keep-secure/images/defender/quarantine.png differ
diff --git a/windows/keep-secure/images/defender/wdav-bafs-edge.png b/windows/keep-secure/images/defender/wdav-bafs-edge.png
new file mode 100644
index 0000000000..d7376570b6
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-bafs-edge.png differ
diff --git a/windows/keep-secure/images/defender/wdav-bafs-ie.png b/windows/keep-secure/images/defender/wdav-bafs-ie.png
new file mode 100644
index 0000000000..94cb3a30fb
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-bafs-ie.png differ
diff --git a/windows/keep-secure/images/defender/wdav-extension-exclusions.png b/windows/keep-secure/images/defender/wdav-extension-exclusions.png
new file mode 100644
index 0000000000..e1a86e09e0
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-extension-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreat.png b/windows/keep-secure/images/defender/wdav-get-mpthreat.png
new file mode 100644
index 0000000000..e1671237a6
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreat.png differ
diff --git a/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png
new file mode 100644
index 0000000000..3e5de6552f
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-get-mpthreatdetection.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1607.png b/windows/keep-secure/images/defender/wdav-headless-mode-1607.png
new file mode 100644
index 0000000000..7ccaf5d0ff
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-1607.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-1703.png b/windows/keep-secure/images/defender/wdav-headless-mode-1703.png
new file mode 100644
index 0000000000..d4288ca82c
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-1703.png differ
diff --git a/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png b/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png
new file mode 100644
index 0000000000..d5599ce99b
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-headless-mode-off-1703.png differ
diff --git a/windows/keep-secure/images/defender/wdav-history-wdsc.png b/windows/keep-secure/images/defender/wdav-history-wdsc.png
new file mode 100644
index 0000000000..cdc75b8852
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-history-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-malware-detected.png b/windows/keep-secure/images/defender/wdav-malware-detected.png
new file mode 100644
index 0000000000..b0add084db
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-malware-detected.png differ
diff --git a/windows/keep-secure/images/defender/wdav-order-update-sources.png b/windows/keep-secure/images/defender/wdav-order-update-sources.png
new file mode 100644
index 0000000000..fb6fefee98
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-order-update-sources.png differ
diff --git a/windows/keep-secure/images/defender/wdav-path-exclusions.png b/windows/keep-secure/images/defender/wdav-path-exclusions.png
new file mode 100644
index 0000000000..2fb0f6e107
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-path-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png
new file mode 100644
index 0000000000..099c1a4a48
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-all.png differ
diff --git a/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png
new file mode 100644
index 0000000000..68b455b5a3
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-powershell-get-exclusions-variable.png differ
diff --git a/windows/keep-secure/images/defender/wdav-process-exclusions.png b/windows/keep-secure/images/defender/wdav-process-exclusions.png
new file mode 100644
index 0000000000..559d65ac2f
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-process-exclusions.png differ
diff --git a/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png b/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png
new file mode 100644
index 0000000000..854e2b209d
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-protection-settings-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png b/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png
new file mode 100644
index 0000000000..e8e2eec956
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-quarantined-history-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-settings-old.png b/windows/keep-secure/images/defender/wdav-settings-old.png
new file mode 100644
index 0000000000..05c23e510a
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-settings-old.png differ
diff --git a/windows/keep-secure/images/defender/wdav-wdsc.png b/windows/keep-secure/images/defender/wdav-wdsc.png
new file mode 100644
index 0000000000..81c50c1635
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-wdsc.png differ
diff --git a/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png b/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png
new file mode 100644
index 0000000000..09cea8052c
Binary files /dev/null and b/windows/keep-secure/images/defender/wdav-windows-defender-app-old.png differ
diff --git a/windows/keep-secure/images/device-guard-gp.png b/windows/keep-secure/images/device-guard-gp.png
index 169d2f245b..6d265509ea 100644
Binary files a/windows/keep-secure/images/device-guard-gp.png and b/windows/keep-secure/images/device-guard-gp.png differ
diff --git a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png
index ddc2158a8a..34c1565f67 100644
Binary files a/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png and b/windows/keep-secure/images/dg-fig7-enablevbsofkmci.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png b/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png
new file mode 100644
index 0000000000..6d14d64c36
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-converting-a-duration.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png b/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png
new file mode 100644
index 0000000000..ab932c226f
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png b/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png
new file mode 100644
index 0000000000..7a9b31f55f
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-pinrules-properties.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png
new file mode 100644
index 0000000000..929cae9617
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-date.png differ
diff --git a/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png
new file mode 100644
index 0000000000..dd79819a96
Binary files /dev/null and b/windows/keep-secure/images/enterprise-certificate-pinning-representing-a-duration.png differ
diff --git a/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png b/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png
new file mode 100644
index 0000000000..ee36266a6d
Binary files /dev/null and b/windows/keep-secure/images/enterprise-pinning-registry-binary-information.png differ
diff --git a/windows/keep-secure/images/machines-active-threats-tile.png b/windows/keep-secure/images/machines-active-threats-tile.png
index 9f347dcf68..9825e05317 100644
Binary files a/windows/keep-secure/images/machines-active-threats-tile.png and b/windows/keep-secure/images/machines-active-threats-tile.png differ
diff --git a/windows/keep-secure/images/machines-reporting-tile.png b/windows/keep-secure/images/machines-reporting-tile.png
index 96989bd0cf..9825e05317 100644
Binary files a/windows/keep-secure/images/machines-reporting-tile.png and b/windows/keep-secure/images/machines-reporting-tile.png differ
diff --git a/windows/keep-secure/images/mva_videos.png b/windows/keep-secure/images/mva_videos.png
new file mode 100644
index 0000000000..2a785874bd
Binary files /dev/null and b/windows/keep-secure/images/mva_videos.png differ
diff --git a/windows/keep-secure/images/privacy-setting-in-sign-in-options.png b/windows/keep-secure/images/privacy-setting-in-sign-in-options.png
new file mode 100644
index 0000000000..cf2e499e04
Binary files /dev/null and b/windows/keep-secure/images/privacy-setting-in-sign-in-options.png differ
diff --git a/windows/keep-secure/images/rules-legend.png b/windows/keep-secure/images/rules-legend.png
index a044d20621..a48783c6e3 100644
Binary files a/windows/keep-secure/images/rules-legend.png and b/windows/keep-secure/images/rules-legend.png differ
diff --git a/windows/keep-secure/images/status-tile.png b/windows/keep-secure/images/status-tile.png
index 2ab17ccff1..78812e3248 100644
Binary files a/windows/keep-secure/images/status-tile.png and b/windows/keep-secure/images/status-tile.png differ
diff --git a/windows/keep-secure/images/submit-file.png b/windows/keep-secure/images/submit-file.png
index 63c350c9a9..9240eccabf 100644
Binary files a/windows/keep-secure/images/submit-file.png and b/windows/keep-secure/images/submit-file.png differ
diff --git a/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png b/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png
new file mode 100644
index 0000000000..f23868fdde
Binary files /dev/null and b/windows/keep-secure/images/threat-mitigations-pre-breach-post-breach-conceptual.png differ
diff --git a/windows/keep-secure/images/whfb-intune-reset-pin.jpg b/windows/keep-secure/images/whfb-intune-reset-pin.jpg
new file mode 100644
index 0000000000..0eae3a4546
Binary files /dev/null and b/windows/keep-secure/images/whfb-intune-reset-pin.jpg differ
diff --git a/windows/keep-secure/images/whfb-pin-reset-phone-notification.png b/windows/keep-secure/images/whfb-pin-reset-phone-notification.png
new file mode 100644
index 0000000000..f86101b1e8
Binary files /dev/null and b/windows/keep-secure/images/whfb-pin-reset-phone-notification.png differ
diff --git a/windows/keep-secure/images/whfb-reset-pin-prompt.jpg b/windows/keep-secure/images/whfb-reset-pin-prompt.jpg
new file mode 100644
index 0000000000..d9acfd8170
Binary files /dev/null and b/windows/keep-secure/images/whfb-reset-pin-prompt.jpg differ
diff --git a/windows/keep-secure/images/whfb-reset-pin-settings.jpg b/windows/keep-secure/images/whfb-reset-pin-settings.jpg
new file mode 100644
index 0000000000..21d37405a7
Binary files /dev/null and b/windows/keep-secure/images/whfb-reset-pin-settings.jpg differ
diff --git a/windows/keep-secure/images/windows-defender-security-center.png b/windows/keep-secure/images/windows-defender-security-center.png
new file mode 100644
index 0000000000..a3286fb528
Binary files /dev/null and b/windows/keep-secure/images/windows-defender-security-center.png differ
diff --git a/windows/keep-secure/images/windows-defender-smartscreen-control.png b/windows/keep-secure/images/windows-defender-smartscreen-control.png
new file mode 100644
index 0000000000..b2700addba
Binary files /dev/null and b/windows/keep-secure/images/windows-defender-smartscreen-control.png differ
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
deleted file mode 100644
index 20c4be5a7e..0000000000
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-title: Implement Windows Hello in your organization (Windows 10)
-description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
-ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
-keywords: identity, PIN, biometric, Hello
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-manage-in-organization
----
-# Implement Windows Hello for Business in your organization
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
diff --git a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
index 813dde388c..152eec4793 100644
--- a/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/keep-secure/initialize-and-configure-ownership-of-the-tpm.md
@@ -112,7 +112,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ 5. After the PC restarts, your TPM will be automatically prepared for use by Windows 10. -## Turn on or turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511) +## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511) Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC. 
@@ -147,6 +147,20 @@ If you want to stop using the services that are provided by the TPM, you can use - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. - If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password. + +### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions) + +If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password. + +1. Open the TPM MMC (tpm.msc). + +2. In the **Action** pane, click **Change the Owner Password** + + - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**. + + - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**. + +This capability was fully removed from TPM.msc in later versions of Windows. ## Use the TPM cmdlets diff --git a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md index f82d103fb6..5442141ce8 100644 
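Review bot: Both bullets added under the new "Change the TPM Owner Password" section end with `and then click **Turn TPM Off**`, which is carried over verbatim from the "Turn off the TPM" bullets in the context lines just above; as written, the procedure for rotating the owner password tells an administrator to disable the TPM instead. The closing control of each bullet should be the confirm button of the **Change the Owner Password** dialog, and the dialog title `**Select backup file with the TPM owner password**` in the first bullet looks copied from the same source and should be checked too; I cannot confirm the exact 1607 labels from this page, so they need to be verified against a Windows 10 version 1607 TPM MMC before the text is changed. The introductory sentence also says the password is needed "to change" it but the bullets never mention where the new password is set or saved, so a step such as "choose whether to save the new owner password to a file or print it" is missing if the dialog offers one. The section sits between the "Turn off the TPM" bullets and `## Use the TPM cmdlets`, both context lines of this hunk.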
--- a/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -12,36 +12,86 @@ author: brianlic-msft # Interactive logon: Display user information when the session is locked **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. ## Reference -When a session is locked in a Windows operating system (meaning the user at the computer pressed CTRL+ALT+DEL and the Secure Desktop is displayed), user information is displayed. By default, this information is in the form of **<user name> is logged on**. The displayed user name is the user’s full name as set on the Properties page for that user. These settings do not apply to the logon tiles, which are displayed on the desktop after using the **Switch User** feature. The information that is displayed can be changed to meet your security requirements using the following possible values. +This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen. +For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows. +However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently. -### Possible values +### Changes beginning with Windows 10 version 1607 + +Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details. +This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. +The Privacy setting is off by default, which hides the details. 
+ +![Privacy setting](images\privacy-setting-in-sign-in-options.png) + +The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. + +This setting has these possible values: - **User display name, domain and user names** - If this is a local logon, the user’s full name is displayed on the Secure Desktop. If it is a domain logon, the user’s domain and user’s account name is displayed. + For a local logon, the user's full name is displayed. + If the user signed in using a Microsoft account, the user's email address is displayed. + For a domain logon, the domain\username is displayed. + This has the same effect as turning on the **Privacy** setting. - **User display name only** - The name of the user who locked the session is displayed on the Secure Desktop as the user’s full name. + The full name of the user who locked the session is displayed. + This has the same effect as turning off the **Privacy** setting. - **Do not display user information** - No names are displayed on the Secure Desktop, but user’s full names will be displayed on the **Switch user** desktop. + No names are displayed. + Beginning with Windows 10 version 1607, this option is not supported. + If this option is chosen, the full name of the user who locked the session is displayed instead. + This change makes this setting consistent with the functionality of the new **Privacy** setting. + To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. - Blank. - Default setting. This translates to “Not defined,” but it will display the user’s full name in the same manner as the **User display name** option. When an option is set, you cannot reset this policy to blank, or not defined. + Default setting. + This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**. 
+ When an option is set, you cannot reset this policy to blank, or not defined. + +### Hotfix for Windows 10 version 1607 + +Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. +If the **Privacy** setting is turned on, details will show. + +The **Privacy** setting cannot be changed for clients in bulk. +Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows. +Clients that run later versions of Windows 10 do not require a hotfix. + +There are related Group Policy settings: + +- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen. +- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display last signed-in** prevents the username of the last user to sign in from being shown. +- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears. + +### Interaction with related Group Policy settings + +For all versions of Windows 10, only the user display name is shown by default. + +If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. +Users will not be able to show details. 
+ +If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username. +In this case, clients that run Windows 10 version 1607 need [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied. +Users will not be able to hide additional details. + +If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown. ### Best practices -Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. +Your implementation of this policy depends on your security requirements for displayed logon information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. -Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. +Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy. ### Location 
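Review bot: The screenshot reference added in this hunk, `![Privacy setting](images\privacy-setting-in-sign-in-options.png)`, uses a backslash as the path separator; on the published site and on any non-Windows build that resolves to a single file name containing a literal backslash rather than to `images/privacy-setting-in-sign-in-options.png`, which this commit adds, so the image renders broken. The reference should be `![Privacy setting](images/privacy-setting-in-sign-in-options.png)`, matching the forward-slash form used by the other links in the file (the sibling `(interactive-logon-do-not-display-last-user-name.md)` links in this same hunk). Separately, both hotfix references link to `http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429` over plain HTTP; for a page directing administrators to fetch an update, use `https://` so the catalog destination cannot be altered in transit. The "Hotfix" paragraph could also state that the KB is only needed on version 1607 clients one sentence earlier, since the "Clients that run later versions of Windows 10 do not require a hotfix" line currently arrives after the instruction to apply it.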
@@ -51,13 +101,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec | Server type or Group Policy object (GPO) | Default value | | - | - | -| Default domain policy| Not defined| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | Not defined| -| Domain controller effective default settings | **User display name, domain and user names**| -| Member server effective default settings | **User display name, domain and user names**| -| Effective GPO default settings on client computers | **User display name, domain and user names**| -  +| Default domain policy| Not defined| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | Not defined| +| Domain controller effective default settings | **User display name, domain and user names**| +| Member server effective default settings | **User display name, domain and user names**| +| Effective GPO default settings on client computers | **User display name, domain and user names**| + ## Policy management This section describes features and tools that are available to help you manage this policy. 
@@ -86,13 +136,7 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. -You might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. - -### Potential impact - -If you do not enable this policy, the effect will be the same as enabling the policy and selecting the **User display name, domain and user names** option. - -If the policy is enabled and set to **Do not display user information**, an observer cannot see who is logged onto the Secure Desktop, but the logon tile is still present if the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy is not enabled. Depending on how the logon tiles are configured, they could provide visual clues as to who is logged on. In addition, if the Interactive logon: Do not display last user name policy is not enabled, then the **Switch user** feature will show user information. +You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. ## Related topics diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 5af92d1bcf..302baa44b9 100644 
--- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
+++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md
@@ -1,5 +1,5 @@
 ---
-title: Interactive logon Do not display last user name (Windows 10)
+title: Interactive logon Don't display last signed-in (Windows 10)
 description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting.
 ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
 ms.prod: w10
@@ -9,12 +9,12 @@ ms.pagetype: security
 author: brianlic-msft
 ---
-# Interactive logon: Do not display last user name
+# Interactive logon: Don't display last signed-in
 **Applies to**
 - Windows 10
-Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not display last user name** security policy setting.
+Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display last signed-in** security policy setting. Before Windows 10 version 1703, this policy setting was named **Interactive logon:Do not display last user name.**
 ## Reference
@@ -40,14 +40,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
 ### Default values
-| Server type or Group Policy object (GPO) | Default value|
+| Server type or Group Policy object (GPO) | Default value|
 | - | - |
-| Default domain policy| Disabled|
-| Default domain controller policy| Disabled|
-| Stand-alone server default settings | Disabled|
-| Domain controller effective default settings | Disabled|
-| Member server effective default settings | Disabled|
-| Effective GPO default settings on client computers | Disabled|
+| Default domain policy| Disabled|
+| Default domain controller policy| Disabled|
+| Stand-alone server default settings | Disabled|
+| Domain controller effective default settings | Disabled|
+| Member server effective default settings | Disabled|
+| Effective GPO default settings on client computers | Disabled|
  
 ## Policy management
diff --git a/windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md b/windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md
new file mode 100644
index 0000000000..db24fb9fca
--- /dev/null
+++ b/windows/keep-secure/interactive-logon-dont-display-username-at-sign-in.md
@@ -0,0 +1,86 @@
+---
+title: Interactive logon Don't display username at sign-in (Windows 10)
+description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting.
+ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+---
+
+# Interactive logon: Don't display username at sign-in
+
+**Applies to**
+- Windows Server 2003, Windows Vista, Windows XP, Windows Server 2008, Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012, Windows 8, Windows 10
+
+Describes the best practices, location, values, and security considerations for the **Interactive logon: Don't display username at sign-in** security policy setting.
+
+## Reference
+
+A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile.
+
+If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays.
+
+If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in.
+
+### Possible values
+
+- Enabled
+- Disabled
+- Not defined
+
+### Best practices
+
+Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy.
+
+### Location
+
+Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+
+### Default values
+
+| Server type or Group Policy object (GPO) | Default value|
+| - | - |
+| Default domain policy| Not defined|
+| Default domain controller policy| Not defined|
+| Stand-alone server default settings | Not defined|
+| Domain controller effective default settings | Not defined|
+| Member server effective default settings | Not defined|
+| Effective GPO default settings on client computers | Not defined|
+ 
+## Policy management
+
+This section describes features and tools that are available to help you manage this policy.
+
+### Restart requirement
+
+None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy.
+
+### Policy conflict considerations
+
+None.
+
+### Group Policy
+
+This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability
+
+An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on.
+
+### Countermeasure
+
+Enable the **Interactive logon: Don't display user name at sign-in** setting.
+
+### Potential impact
+
+Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed.
+
+## Related topics
+
+- [Security Options](security-options.md)
diff --git a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
index 3b6173cf5c..e188c2bed0 100644
--- a/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
+++ b/windows/keep-secure/interactive-logon-prompt-user-to-change-password-before-expiration.md
@@ -43,10 +43,10 @@ The following table lists the actual and effective default values for this polic
 | - | - |
 | Default Domain Policy| Not defined|
 | Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | 14 days|
-| DC Effective Default Settings | 14 days |
-| Member Server Effective Default Settings| 14 days |
-| Client Computer Effective Default Settings | 14 days|
+| Stand-Alone Server Default Settings | 5 days|
+| DC Effective Default Settings | 5 days |
+| Member Server Effective Default Settings| 5 days |
+| Client Computer Effective Default Settings | 5 days|
 
 ## Policy management
@@ -74,11 +74,11 @@ If user passwords are configured to expire periodically in your organization, us
 ### Countermeasure
 
-Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days.
+Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days.
 
 ### Potential impact
 
-Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days.
+Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.
 
 ## Related topics
diff --git a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
index 3712b6aed0..73592f2841 100644
--- a/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
+++ b/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md
@@ -36,6 +36,10 @@ The following table lists security threats and describes the corresponding Devic
 In this guide, you learn about the individual features found within Device Guard as well as how to plan for, configure, and deploy them. Device Guard with configurable code integrity is intended for deployment alongside additional threat-mitigating Windows features such as [Credential Guard](credential-guard.md) and [AppLocker](applocker-overview.md).
+## New and changed functionality
+
+As of Windows 10, version 1703, you can use code integrity policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a code integrity policy to control specific plug-ins, add-ins, and modules](deploy-code-integrity-policies-steps.md#plug-ins).
+
 ## Tools for managing Device Guard features
 You can easily manage Device Guard features by using familiar enterprise and client-management tools that IT pros use every day:
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
index ef95089b35..58805fa39c 100644
--- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -21,68 +21,66 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
+You can click an alert in any of the [alert queues](alerts-queue-windows-defender-advanced-threat-protection.md) to begin an investigation. Selecting an alert brings up the **Alert management pane**, while clicking an alert brings you the alert details view where general information about the alert, some recommended actions, an alert process tree, an incident graph, and an alert timeline is shown.
-There are three alert severity levels, described in the following table.
+You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**.
-Alert severity | Description
-:---|:---
-High (Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on endpoints.
-Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
-Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not appear to indicate an advanced threat targeting the organization.
-
-Reviewing the various alerts and their severity can help you decide on the appropriate action to protect your organization's endpoints.
-
-Alerts are organized in three queues, by their workflow status:
-
-- **New**
-- **In progress**
-- **Resolved**
-
-To begin investigating, click on an alert in [any of the alert queues](alerts-queue-windows-defender-advanced-threat-protection.md).
-
-Details displayed about the alert include:
-- When the alert was last observed
-- Alert description
-- Recommended actions
-- The incident graph
-- The indicators that triggered the alert
-
-Alerts attributed to an adversary or actor display a colored tile with the actor name.
-
-Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
-
-Some actor profiles include a link to download a more comprehensive threat intelligence report.
+Alerts attributed to an adversary or actor display a colored tile with the actor's name.
 ![A detailed view of an alert when clicked](images/alert-details.png)
+Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs) and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
+
+Some actor profiles include a link to download a more comprehensive threat intelligence report.
+
+![Image of detailed actor profile](images/atp-actor-report.png)
+
+The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
+
+## Alert process tree
+The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence and other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page.
+
+![Image of the alert process tree](images/atp-alert-process-tree.png)
+
+The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert.
+
+The alert and related events or evidence have circles with thunderbolt icons inside them.
+
+>[!NOTE]
+>The alert process tree might not be available in some alerts.
+
+Clicking in the circle immediately to the left of the indicator displays the **Alert details** pane where you can take a deeper look at the details about the alert. It displays rich information about the selected process, file, IP address, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
+
+
+
 ## Incident graph
-The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
+The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical mapping from the original machine and evidence expanding to show other machines in the organization where the triggering evidence was also observed.
-You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
+![Image of the Incident graph](images/atp-incident-graph.png)
-## Alert spotlight
-The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
+The **Incident Graph** previously supported expansion by File and Process, and now supports expansion by additional criteria: known processes and Destination IP Address.
-You can click on the machine link from the alert view to see the alerts related to the machine.
+The Windows Defender ATP service keeps track of "known processes". Alerts related to known processes mostly include specific command lines, that combined are the basis for the alert. The **Incident Graph** supports expanding known processes with their command line to display other machines where the known process and the same command line were observed.
+The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
- > [!NOTE]
- > This shortcut is not available from the Incident graph machine links.
+You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed.
-Alerts related to the machine are displayed under the **Alerts related to this machine** section.
-Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
+## Alert timeline
+The **Alert timeline** feature provides an addition view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert.
-You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
+![Image of alert timeline](images/atp-alert-timeline.png)
-You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
+Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
-
-### Related topics
+## Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
index 4e52c15a2e..d0e04eabe5 100644
--- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -45,9 +45,12 @@ The **Communication with URL in organization** section provides a chronological
 ## Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index 5d547bd269..e45a3d17d3 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -24,119 +24,41 @@ Investigate the details of a file associated with a specific alert, behavior, or
 You can get information from the following sections in the file view:
-- File details
-- Deep analysis
-- File in organization
-- Observed in organization
+- File details, Malware detection, Prevalence worldwide
+- Deep analysis
+- Alerts related to this file
+- File in organization
+- Most recent observed machines with file
-The file details section shows attributes of the file such as its MD5 hash or number and its prevalence worldwide.
-The **Deep analysis** section provides the option of submitting a file for deep analysis to gain detailed visibility on observed suspicious behaviors, and associated artifacts. For more information on submitting files for deep analysis, see the **Deep analysis** topic.
+The file details, malware detection, and prevalence worldwide sections display various attributes about the file. You’ll see actions you can take on the file. For more information on how to take action on a file, see [Take response action on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md).
-The **File in organization** section provides details on the prevalence of the file and the name observed in the organization.
+You'll also see details such as the file’s MD5, the VirusTotal detection ratio and Windows Defender AV detection if available, and the file’s prevalence worldwide. You'll also be able to [submit a file for deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis).
-The **Observed in organization** section provides a chronological view on the events and associated alerts that were observed on the file.
+![Image of file information](images/atp-file-information.png)
-You'll see a list of machines associated with the file and a description of the action taken by the file.
+The **Alerts related to this file** section provides a list of alerts that are associated with the file. This list is a simplified version of the Alerts queue, and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
-**Investigate a file**
+![Image of alerts related to the file section](images/atp-alerts-related-to-file.png)
-1. Select the file you want to investigate. You can select a file from any of the following views or use the Search box:
- - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- - Machines view - click the file links in the **Description** or **Details** columns in the **Observed on machine** section
- - Search box - select **File** from the drop-down menu and enter the file name
-2. View the file details.
-3. Use the search filters to define the search criteria. You can also use the timeline search box to further filter displayed search results.
+The **File in organization** section provides details on the prevalence of the file, prevalence in email inboxes and the name observed in the organization.
-##Deep analysis
-Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
+![Image of file in organization](images/atp-file-in-org.png)
-The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
-Deep analysis currently supports extensive analysis of PE (portable executable) files (including _.exe_ and _.dll_ files).
+The **Most recent observed machines with the file** section allows you to specify a date range to see which machines have been observed with the file.
-Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+![Image of most recent observed machine with the file](images/atp-observed-machines.png)
-Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
+This allows for greater accuracy in defining entities to display such as if and when an entity was observed in the organization. For example, if you’re trying to identify the origin of a network communication to a certain IP Address within a 10-minute period on a given date, you can specify that exact time interval, and see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
-## Submit files for analysis
-
-Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
-
-In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
-
-> [!NOTE]
-> Only files from Windows 10 can be automatically collected.
-
-You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
-
-> [!NOTE]
-> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
-
-When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
-
-**Submit files for deep analysis:**
-
-1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
- - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
- - **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
- - Search box - select **File** from the drop-down menu and enter the file name
-2. In the **Deep analysis** section of the file view, click **Submit**.
-
-![You can only submit PE files in the file details seciton](images/submit-file.png)
-
->**Note**  Only portable executable (PE) files are supported, including _.exe_ and _.dll_ files
-
-A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
-
-> [!NOTE]
-> Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
-
-## View deep analysis report
-
-View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
-
-You can view the comprehensive report that provides details on:
-
-- Observed behaviors
-- Associated artifacts
-
-The details provided can help you investigate if there are indications of a potential attack.
-
-**View deep analysis reports:**
-
-1. Select the file you submitted for deep analysis.
-2. Click **See the report below**. Information on the analysis is displayed.
-
-![The deep analysis report shows detailed information across a number of categories](images/analysis-results.png)
-
-## Troubleshooting deep analysis
-
-If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
-
-**Troubleshoot deep analysis:**
-
-1. Ensure the file is a PE. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
-2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
-3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
-4. Verify the policy setting enables sample collection and try to submit the file again.
-
- a. Change the following registry entry and values to change the policy on specific endpoints:
- ```
-HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- Value = 0 - block sample collection
- Value = 1 - allow sample collection
-```
-5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
-6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
-
-> [!NOTE]
-> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
-
-### Related topics
+## Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
index 381ee7be12..1b792ae89e 100644
--- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Investigate Windows Defender Advanced Threat Protection IP address
+title: Investigate an IP address associated with an alert
 description: Use the investigation options to examine possible communication between machines and external IP addresses.
 keywords: investigate, investigation, IP address, alert, windows defender atp, external IP
 search.product: eADQiWindows 10XVcnh
@@ -24,7 +24,7 @@ Examine possible communication between your machines and external internet proto
 Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
-You can information from the following sections in the IP address view:
+You can find information from the following sections in the IP address view:
 - IP address details
 - IP in organization
@@ -53,9 +53,12 @@ Clicking any of the machine names will take you to that machine's view, where yo
 ## Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index bc3e8df73d..5073e541f6 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Investigate machines in the Windows Defender ATP Machines view
 description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view.
-keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, active malware detections, threat category, filter, sort, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, low severity
+keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -21,62 +21,7 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting sensor data in your network.
-
-Use the Machines view in these two main scenarios:
-
-- **During onboarding**
-
- During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported sensor data, or download the complete endpoint list as a CSV file for offline analysis.
-- **Day-to-day work**
-
- The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them.
-
-The Machines view contains the following columns:
-
-- **Machine name** - the name or GUID of the machine
-- **Domain** - the domain the machine belongs to
-- **Last seen** - when the machine last reported sensor data
-- **Internal IP** - the local internal Internet Protocol (IP) address of the machine
-- **Active Alerts** - the number of alerts reported by the machine by severity
-- **Active malware detections** - the number of active malware detections reported by the machine
-
-> [!NOTE]
-> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
-
-Click any column header to sort the view in ascending or descending order.
-
-![Screenshot of the Machines view on the portal](images/machines-view.png)
-
-You can sort the **Machines view** by **Machine name**, **Last seen**, **IP**, **Active Alerts**, and **Active malware detections**. Scroll down the **Machines view** to see additional machines.
-
-The view contains two filters: time and threat category.
-
-You can filter the view by the following time periods:
-
-- 1 day
-- 3 days
-- 7 days
-- 30 days
-- 6 months
-
-> [!NOTE]
-> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported sensor data within the last 24-hour period.
-
-The threat category filter lets you filter the view by the following categories:
-
-- Password stealer
-- Ransomware
-- Exploit
-- Threat
-- Low severity
-
-For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#machines-with-active-malware-detections).
-
-You can also download a full list of all the machines in your organization, in CSV format.
Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
-
- **Note**: Exporting the list depends on the number of machines in your organization. It can take a significant amount of time to download, depending on how large your organization is.
-Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
-
-## Investigate a machine
+## Investigate machines
 Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of breach.
 You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:
@@ -89,70 +34,90 @@ You can click on affected machines whenever you see them in the portal to open a
 - Any IP address or domain details view
 When you investigate a specific machine, you'll see:
+- Machine details, Logged on user, and Machine Reporting
+- Alerts related to this machine
+- Machine timeline
-- **Machine details**, **Machine IP Addresses**, and **Machine Reporting**
-- **Alerts related to this machine**
-- **Machine timeline**
+![Image of machine details page](images/atp-machine-details-view.png)
-The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service.
+The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md).
-The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue.
+You'll also see other information such as domain, operating system (OS), total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service.
+
+Clicking on the number of total logged on users in the Logged on user tile opens the Users Details pane that displays the following information for logged on users in the past 30 days:
+
+- Interactive and remote interactive logins
+- Network, batch, and system logins
+
+![Image of user details pane](images/atp-user-details-pane.png)
+
+You'll also see details such as logon types for each user account, the user group, and when the account was logged in.
+
+ For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md).
+
+The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert.
+
+You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights alerts and related events and helps distinguish from other alerts and events appearing in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**.
 The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine.
-You'll see an aggregated view of alerts, a short description of the alert, details on the action taken, and which user ran the action.
This helps you see significant activities or behaviors that occurred on a machine within your network in relation to a specific time frame. Several icons are used to identify various detections and their current state. For more information, see [Windows Defender ATP icons](portal-overview-windows-defender-advanced-threat-protection.md#windows-defender-atp-icons).
+This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
-This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
+![Image of machine timeline with events](images/atp-machine-timeline.png)
-You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-spotlight) feature to see the correlation between alerts and events on a specific machine.
+Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
-![The timeline shows an interactive history of the alerts seen on a machine](images/timeline.png)
+### Search for specific alerts
+Use the search bar to look for specific alerts or files associated with the machine:
-Use the search bar to look for specific alerts or files associated with the machine.
+- **Value** – Type in any search keyword to filter the timeline with the attribute you’re searching for.
+- **Informational level** – Click the drop-down button to filter by the following levels:
+ - **Detections mode**: displays Windows ATP Alerts and detections
+ - **Behaviors mode**: displays "detections" and selected events of interest
+ - **Verbose mode**: displays "behaviors" (including "detections"), and all reported events
+- **User** – Click the drop-down button to filter the machine timeline by the following user associated events:
+ - Logon users
+ - System
+ - Network
+ - Local service
-You can also filter by:
-
-- Detections mode: displays Windows ATP Alerts and detections
-- Behaviors mode: displays "detections" and selected events of interest
-- Verbose mode: displays "behaviors" (including "detections"), and all reported events
-- Logged on users, System, Network, or Local service
+### Filter events from a specific date
 Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day. Using the slider updates the listed alerts to the date that you select. Displayed events are filtered from that date and older. The slider is helpful when you're investigating a particular alert on a machine. You can navigate from the **Alerts view** and click on the machine associated with the alert to jump to the specific date when the alert was observed, enabling you to investigate the events that took place around the alert.
-From the **Machine view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
+### Export machine timeline events
+You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to export the machine timeline for the current date or specify a date range. You can export up to seven days of data and specify the specific time between the two dates.
+
+![Image of export machine timeline events](images/atp-export-machine-timeline-events.png)
+
+### Navigate between pages
+Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to display 20, 50, or 100 events per page. You can also move between pages by clicking **Older** or **Newer**.
+
+From the **Machines view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line.
 From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure.
-Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine.
-
-![The process tree shows you a hierarchical history of processes and events on the machine](images/machine-investigation.png)
-
-**Investigate a machine:**
-
-1. Select the machine that you want to investigate. You can select or search a machine from any of the following views:
- - **Dashboard** - click the machine name from the **Top machines with active alerts** section
- - **Alerts queue** - click the machine name beside the machine icon
- - **Machines view** - click the heading of the machine name
- - **Search box** - select **Machine** from the drop-down menu and enter the machine name
-2. Information about the specific machine is displayed.
+![Image of machine timeline details pane](images/atp-machine-timeline-details-panel.png)
-**Use the machine timeline**
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) feature to see the correlation between alerts and events on a specific machine.
-1. Use the sort and filter feature to narrow down the search results.
-2. Use the timeline search box to filter specific indicators that appear in the machine timeline.
-3. Click the expand icon ![The expand icon looks like a plus symbol](images/expand.png) in the timeline row or click anywhere on the row to see additional information about the alert, behavior, or event.
+Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigating further into the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address.
+This enhances the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
-### Related topics
+## Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..e0b1346b9e
--- /dev/null
+++ b/windows/keep-secure/investigate-user-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,75 @@
+---
+title: Investigate a user account in Windows Defender ATP
+description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
+keywords: investigate, account, user, user entity, alert, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+# Investigate a user account in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+## Investigate user account entities
+Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account.
+
+You can find user account information in the following views:
+- Dashboard
+- Alert queue
+- Machine details page
+
+A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
+
+When you investigate a user account entity, you'll see:
+- User account details and Logged on machines
+- Alerts related to this user
+- Observed in organization (machines logged on to)
+
+![Image of the user account entity details page](images/atp-user-details-view.png)
+
+The user account entity details and logged on machines section display various attributes about the user account. You'll see details such as when the user was first and last seen and the total number of machines the user logged on to.
You'll also see a list of the machines that the user logged on to, and can expand these to see details of the logon events on each machine.
+
+The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
+
+The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, and the most frequent and least frequent logged on user account on each of these machines.
+
+The machine health state is displayed in the machine icon and color as well as in a description text. Clicking on the icon displays additional details regarding machine health.
+
+![Image of observed in organization section](images/atp-observed-in-organization.png)
+
+## Search for specific user accounts
+
+1. Select **User** from the **Search bar** drop-down menu.
+2. Enter the user account in the **Search** field.
+3. Click the search icon or press **Enter**.
+
+A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days.
+
+You can filter the results by the following time periods:
+- 1 day
+- 3 days
+- 7 days
+- 30 days
+- 6 months
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
index 39aaeb8dc5..27d6a611ae 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -13,7 +13,8 @@ localizationpriority: high
 # Limitations while using Windows Information Protection (WIP)
 **Applies to:**
-- Windows 10, version 1607
+
+- Windows 10, version 1703
 - Windows 10 Mobile
 This table provides info about the most common problems you might encounter while running WIP in your organization.
@@ -26,18 +27,18 @@ This table provides info about the most common problems you might encounter whil
 Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.

    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. - Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

    We strongly recommend educating employees about how to limit or eliminate the need for this decryption. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

    If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

    We strongly recommend educating employees about how to limit or eliminate the need for this decryption. Direct Access is incompatible with WIP. Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. - We recommend that you use VPN for client access to your intranet resources.

    Note
    VPN is optional and isn’t required by WIP. + We recommend that you use VPN for client access to your intranet resources.

    Note
    VPN is optional and isn’t required by WIP. - NetworkIsolation Group Policy setting is incompatible with WIP. - The NetworkIsolation Group Policy setting has incompatible network settings that can conflict and cause problems with WIP. - We recommend that you don’t use the NetworkIsolation Group Policy setting. + NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. + The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. + If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. Cortana can potentially allow data leakage if it’s on the allowed apps list. @@ -54,8 +55,8 @@ This table provides info about the most common problems you might encounter whil An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. To fix this, you can:

      -
    • Start the installer directly from the file share.

      -OR-

    • -
    • Decrypt the locally copied files needed by the installer.

      -OR-

    • +
    • Start the installer directly from the file share.

      -OR-

    • +
    • Decrypt the locally copied files needed by the installer.

      -OR-

    • Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
    @@ -67,7 +68,7 @@ This table provides info about the most common problems you might encounter whil Redirected folders with Client Side Caching are not compatible with WIP. Apps might encounter access errors while attempting to read a cached, offline file. - Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

    Note
    For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045). + Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

    Note
    For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045). You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. @@ -77,7 +78,28 @@ This table provides info about the most common problems you might encounter whil ActiveX controls should be used with caution. Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. - We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

    For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). + We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

    For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). + + + WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False: +

      +
    • AppDataRoaming
    • +
    • Desktop
    • +
    • StartMenu
    • +
    • Documents
    • +
    • Pictures
    • +
    • Music
    • +
    • Videos
    • +
    • Favorites
    • +
    • Contacts
    • +
    • Downloads
    • +
    • Links
    • +
    • Searches
    • +
    • SavedGames
    • +
    + + WIP isn’t turned on for employees in your organization. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
diff --git a/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..4537784b7b
--- /dev/null
+++ b/windows/keep-secure/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,97 @@
+---
+title: View and organize the Windows Defender ATP machines list
+description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations.
+keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# View and organize the Windows Defender ATP Machines list
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
+
+Use the Machines view in these main scenarios:
+
+- **During onboarding**
+ During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
+- **Day-to-day work**
+ The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
+
+## Sort, filter, and download the list of machines from the Machines view
+You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order.
+
+Filter the **Machines list** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria.
+
+You can also download the entire list in CSV format using the **Export to CSV** feature.
+
+![Image of machines list with list of machines](images/atp-machines-view-list.png)
+
+You can use the following filters to limit the list of machines displayed during an investigation:
+
+**Time period**
+- 1 day
+- 3 days
+- 7 days
+- 30 days
+- 6 months
+
+**Malware category**
+Filter the list to view specific machines grouped together by the following malware categories:
+ - **Ransomware** – Ransomware use common methods to encrypt files using keys that are known only to attackers. As a result, victims are unable to access the contents of the encrypted files. Most ransomware display or drop a ransom note—an image or an HTML file that contains information about how to obtain the attacker-supplied decryption tool for a fee.
+ - **Credential theft** – Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers.
+ These tools collect credentials and other information from browser records, key presses, email and instant messages, voice and video conversations, and screenshots. They are used in cyberattacks to establish control and steal information.
+ - **Exploit** – Exploits take advantage of unsecure code in operating system components and applications. Exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine. Exploits are found in both commodity malware and malware used in targeted attacks.
+ - **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks.
+ - **Unwanted software** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy.
Many of these applications display advertising, modify browser settings, and install bundled software.
+
+**Sensor health state**
+Filter the list to view specific machines grouped together by the following machine health states:
+
+- **Active** – Machines that are actively reporting sensor data to the service.
+- **Misconfigured** – Machines that have impaired communication with service or are unable to send sensor data. For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md).
+- **Inactive** – Machines that have completely stopped sending signals for more than 7 days.
+
+## Export machine list to CSV
+You can download a full list of all the machines in your organization, in CSV format. Click the **Manage** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file.
+
+**Note**: Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is.
+Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.
+
+## Sort the Machines view
+You can sort the **Machines list** by the following columns:
+
+- **Machine name** - Name or GUID of the machine
+- **Last seen** - Date and time when the machine last reported sensor data
+- **Internal IP** - Local internal Internet Protocol (IP) address of the machine
+- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data
+- **Active Alerts** - Number of alerts reported by the machine by severity
+- **Active malware detections** - Number of active malware detections reported by the machine
+
+> [!NOTE]
+> The **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](windows-defender-in-windows-10.md) as the active real-time protection antimalware product.
+
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection 
alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
index d707f81431..4f1523a324 100644
--- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -21,22 +21,13 @@ localizationpriority: high
 - Windows 10 Pro Education
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
-Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
+Windows Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
-For more information on how to investigate alerts see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts).
+You can manage alerts by selecting an alert in the **Alerts queue** or the **Alerts related to this machine** section of the machine details view.
-Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the top of the alert to access the Manage Alert menu and manage alerts.
+Selecting an alert in either of those places brings up the **Alert management pane**.
-![The manage alert menu lets you change the status of an alert, create suppression rules, or enter comments](images/manage-alert-menu.png)
-
-The **Manage alert** icon appears on the alert's heading in the **New**, **In Progress**, or **Resolved** queues, and on the details page for individual alerts.
-
-You can use the **Manage Alert** menu to:
-
-- Change the status of an alert
-- Resolve an alert
-- Suppress alerts so they won't show up in the **Alerts queue** from this point onwards
-- View the history and comments of an alert
+![Image of alert status](images/atp-alert-status.png)
 ## Change the status of an alert
@@ -46,21 +37,18 @@ For example, a team leader can review all **New** alerts, and decide to assign t
 Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
-**Change an alert's status:**
+## Alert classification
+You can specify if an alert is a true alert or a false alert.
-1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert.
-2. Choose the new status for the alert (the current status is highlighted in bold and appears on the alert).
+## Assign alerts
+If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself.
-## Resolve an alert
+## Add comments and view the history of an alert
+You can add comments and view historical events about an alert to see previous changes made to the alert.
-You can resolve an alert by changing the status of the alert to **Resolved**. This causes the **Resolve conclusion** window to appear, where you can indicate why the alert was resolved and enter any additional comments.
-
-![You can resolve an alert as valid, valid - allowed, or false alarm](images/resolve-alert.png)
-
-The comments and change of status are recorded in the Comments and history window.
-
-![The comments window will display a history of status changes](images/comments.png)
+Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
+Added comments instantly appear on the pane.
 ## Suppress alerts
@@ -85,8 +73,9 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
 **Suppress an alert and create a suppression rule:**
-1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of an existing alert.
-2. Choose the context for suppressing the alert.
+1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
+2. Scroll down to the **Supression rules** section.
+3. Choose the context for suppressing the alert.
 > [!NOTE]
 > You cannot create a custom or blank suppression rule. You must start from an existing alert.
@@ -96,12 +85,11 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
 1. Click the settings icon ![The settings icon looks like a cogwheel or gear](images/settings.png) on the main menu bar at the top of the Windows Defender ATP screen.
 2. Click **Suppression rules**.
- ![Click the settings icon and then Suppression rules to create and modify rules](images/suppression-rules.png)
-
-> [!NOTE]
-> You can also click **See rules** in the confirmation window that appears when you suppress an alert.
+ ![Click the settings icon and then Suppression rules to create and modify rules](images/atp-suppression-rules.png)
 The list of suppression rules shows all the rules that users in your organization have created.
+![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
+
 Each rule shows:
 - (1) The title of the alert that is suppressed
@@ -109,39 +97,15 @@ Each rule shows:
 - (3) The date when the alert was suppressed
 - (4) An option to delete the suppression rule, which will cause alerts with this title to be displayed in the queue from this point onwards.
-![Suppression rules show the rule name or title, the context, the date, and an icon to delete the rule](images/rules-legend.png)
-## View the history and comments of an alert
-You can use the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to see a list of previous changes and comments made to the alert and to add new comments. You can also use the menu to open multiple alerts in different tabs so you can compare several alerts at the same time.
-
-Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** window.
-
-**See the history of an alert and its comments:**
-
-1. Click the **Manage Alert** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) on the heading of the alert.
-2. Click **Comments and history** to view related comments and history on the alert.
-
-Comments are indicated by a message box icon (![The comments icon looks like a speech bubble](images/comments-icon.png)) and include the username of the commenter and the time the comment was made.
-
-**Add a new comment:**
-
-1. Type your comment into the field.
-2. Click **Post Comment**.
-
-The comment will appear instantly.
-
-You will also be prompted to enter a comment if you change the status of an alert to **Resolved**.
-
-Changes are indicated by a clock icon (![The changes icon looks like an analog clock face](images/changes-icon.png)), and are automatically recorded when:
-
-- The alert is created
-- The status of the alert is changed
-
-### Related topics
+## Related topics
 - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
+- [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
new file mode 100644
index 0000000000..9726dfceba
--- /dev/null
+++ b/windows/keep-secure/manage-event-based-updates-windows-defender-antivirus.md
@@ -0,0 +1,183 @@
+---
+title: Apply Windows Defender AV updates after certain events
+description: Manage how Windows Defender Antivirus applies proteciton updates after startup or receiving cloud-delivered detection reports.
+keywords: updates, protection, force updates, events, startup, check for latest, notifications
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage event-based forced updates
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+
+Windows Defender AV allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
+
+
+## Check for protection updates before running a scan
+
+You can use Group Policy, Configuration Manager, PowerShell cmdlets, and WMI to force Windows Defender AV to check and download protection updates before running a scheduled scan.
+
+
+**Use Group Policy to check for protection updates before running a scan:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
+
+6. Double-click the **Check for the latest virus and spyware definitions before running a scheduled scan** setting and set the option to **Enabled**.
+
+7. Click **OK**.
+
+**Use Configuration Manager to check for protection updates before running a scan:**
+
+1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
+
+2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
+
+3. Click **OK**.
+
+4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
+
+**Use PowerShell cmdlets to check for protection updates before running a scan:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -CheckForSignaturesBeforeRunningScan
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to check for protection updates before running a scan**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+CheckForSignaturesBeforeRunningScan
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+
+
+## Check for protection updates on startup
+
+You can use Group Policy to force Windows Defender AV to check and download protection updates when the machine is started.
+
+**Use Group Policy to download protection updates at startup:**
+
+1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+
+5. Double-click the **Check for the latest virus and spyware definitions on startup** setting and set the option to **Enabled**.
+
+6. Click **OK**.
+
+You can also use Group Policy, PowerShell, or WMI to configure Windows Defender AV to check for updates at startup even when it is not running.
+
+**Use Group Policy to download updates when Windows Defender AV is not present:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
+
+6. Double-click the **Initiate definition update on startup** setting and set the option to **Enabled**.
+
+7. Click **OK**.
+
+**Use PowerShell cmdlets to download updates when Windows Defender AV is not present:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to download updates when Windows Defender AV is not present:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureDisableUpdateOnStartupWithoutEngine
+```
+
+See the following for more information:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+
+
+## Allow ad hoc changes to protection based on cloud-delivered protection
+
+Windows Defender AV can make changes to its protection based on cloud-delivered protection. This can occur outside of normal or scheduled protection updates.
+
+If you have enabled cloud-delivered protection, Windows Defender AV will send files it is suspicious about to the Windows Defender cloud. If the cloud service reports that the file is malicious, and the file is detected in a recent protection update, you can use Group Policy to configure Windows Defender AV to automatically receive that protection update. Other important protection updates can also be applied.
+
+**Use Group Policy to automatically download recent updates based on cloud-delivered protection:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
+ 1. Double-click the **Allow real-time definition updates based on reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
+ 2. 
Double-click the **Allow notifications to disable definitions based reports to Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
+
+
+
+## Related topics
+
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
+
+
diff --git a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md b/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
deleted file mode 100644
index 81cef9cc41..0000000000
--- a/windows/keep-secure/manage-identity-verification-using-microsoft-passport.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Manage identity verification using Windows Hello for Business (Windows 10)
-description: In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.
-ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification
----
-# Manage identity verification using Windows Hello for Business
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
diff --git a/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
new file mode 100644
index 0000000000..32920b478d
--- /dev/null
+++ b/windows/keep-secure/manage-outdated-endpoints-windows-defender-antivirus.md
@@ -0,0 +1,194 @@
+---
+title: Apply Windows Defender AV protection updates to out of date endpoints
+description: Define when and how updates should be applied for endpoints that have not updated in a while.
+keywords: updates, protection, out-of-date, outdated, old, catch-up
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Manage updates and scans for endpoints that are out of date
+
+**Applies to**
+- Windows 10
+
+**Audience**
+
+- Network administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell cmdlets
+- Windows Management Instruction (WMI)
+
+
+
+Windows Defender AV lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
+
+For example, an employee that uses a particular PC is on break for three days and does not log on to their PC during that time.
+
+When the user returns to work and logs on to their PC, Windows Defender AV will immediately check and download the latest protection updates, and run a scan.
+
+## Set up catch-up protection updates for endpoints that haven't updated for a while
+
+If Windows Defender AV did not download protection updates for a specified period, you can set it up to automatically check and download the latest update at the next log on. This is useful if you have [globally disabled automatic update downloads on startup](manage-event-based-updates-windows-defender-antivirus.md).
+
+**Use Group Policy to enable and configure the catch-up update feature:**
+
+1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. + +6. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update. + +7. Click **OK**. + +**Use PowerShell cmdlets to configure catch-up protection updates:** + +Use the following cmdlets: + +```PowerShell +Set-MpPreference -SignatureUpdateCatchupInterval +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to configure catch-up protection updates:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureUpdateCatchupInterval +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +**Use Configuration Manager to configure catch-up protection updates:** + +1. 
On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Definition updates** section and configure the following settings: + + 1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**. + 2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order). + +3. Click **OK**. + +4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + + +## Set the number of days before protection is reported as out-of-date + +You can also specify the number of days after which Windows Defender AV protection is considered old or out-of-date. After the specified number of days, the client will report itself as out-of-date, and show an error to the user of the PC. It may also cause Windows Defender AV to attempt to download an update from other sources (based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order)). + +**Use Group Policy to specify the number of days before protection is considered out-of-date:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. 
+ +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: + + 1. Double-click the **Define the number of days before spyware definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider spyware definitions as out-of-date. + + 2. Click **OK**. + + 3. Double-click the **Define the number of days before virus definitions are considered out of date** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to consider virus and other threat definitions as out-of-date. + + 4. Click **OK**. + + + + +## Set up catch-up scans for endpoints that have not been scanned for a while + +You can set the number of consecutive scheduled scans that can be missed before Windows Defender AV will force a scan. + +The process for enabling this feature is: + +1. Set up at least one scheduled scan (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). +2. Enable the catch-up scan feature. +3. Define the number of scans that can be skipped before a catch-up scan occurs. + +This feature can be enabled for both full and quick scans. + +**Use Group Policy to enable and configure the catch-up scan feature:** + +1. Ensure you have set up at least one scheduled scan. + +2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan** and configure the following settings: + + 1. 
If you have set up scheduled quick scans, double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. + 2. If you have set up scheduled full scans, double-click the **Turn on catch-up full scan** setting and set the option to **Enabled**. Click **OK**. + 3. Double-click the **Define the number of days after which a catch-up scan is forced** setting and set the option to **Enabled**. + 4. Enter the number of scans that can be missed before a scan will be automatically run when the user next logs on to the PC. The type of scan that is run is determined by the **Specify the scan type to use for a scheduled scan** (see the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic). Click **OK**. + +> [!NOTE] +> The Group Policy setting title refers to the number of days. The setting, however, is applied to the number of scans (not days) before the catch-up scan will be run. + +**Use PowerShell cmdlets to configure catch-up scans:** + +Use the following cmdlets: + +```PowerShell +Set-MpPreference -DisableCatchupFullScan +Set-MpPreference -DisableCatchupQuickScan + +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to configure catch-up scans:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +DisableCatchupFullScan +DisableCatchupQuickScan +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +**Use Configuration Manager to configure catch-up scans:** + +1. 
On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. + +3. Click **OK**. + +4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). + + +## Related topics + +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) +- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md new file mode 100644 index 0000000000..feffc5c8b6 --- /dev/null +++ b/windows/keep-secure/manage-protection-update-schedule-windows-defender-antivirus.md 
@@ -0,0 +1,115 @@ +--- +title: Schedule Windows Defender Antivirus protection updates +description: Schedule the day, time, and interval for when protection updates should be downloaded +keywords: updates, security baselines, schedule updates +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Manage the schedule for when protection updates should be downloaded and applied + +**Applies to** +- Windows 10 + +**Audience** + +- Network administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) + + +Windows Defender AV lets you determine when it should look for and download updates. + +You can schedule updates for your endpoints by: + +- Specifying the day of the week to check for protection updates +- Specifying the interval to check for protection updates +- Specifying the time to check for protection updates + +You can also randomize the times when each endpoint checks and downloads protection updates. See the [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) topic for more information. + +**Use Group Policy to schedule protection updates:** + +> [!IMPORTANT] +> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. Enabling these settings will override that default. + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. 
Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings: + + 1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. + 2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. + + +**Use Configuration Manager to schedule protection updates:** + +1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) + +2. Go to the **Definition updates** section. + +3. To check and download updates at a certain time: + 1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**. + 2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked. + 3 +4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates. + +5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). 
+ + +**Use PowerShell cmdlets to schedule protection updates:** + +Use the following cmdlets: + +```PowerShell +Set-MpPreference -SignatureScheduleDay +Set-MpPreference -SignatureScheduleTime +Set-MpPreference -SignatureUpdateInterval +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to schedule protection updates:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureScheduleDay +SignatureScheduleTime +SignatureUpdateInterval +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +## Related topics + +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) +- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) + + + + + + 
diff --git a/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
new file mode 100644
index 0000000000..a9cc36fc65
--- /dev/null
+++ b/windows/keep-secure/manage-protection-updates-windows-defender-antivirus.md
@@ -0,0 +1,141 @@ +--- +title: Manage how and where Windows Defender AV receives updates +description: Manage how Windows Defender Antivirus receives protection updates. +keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Manage Windows Defender Antivirus protection and definition updates + +**Applies to** +- Windows 10 + +**Audience** + +- Network administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) + + + + +Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". + +The cloud-based protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). + +There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied. + +This topic describes the locations + + +## Manage the fallback order for downloading protection updates +There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailable. + +- [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx) +- Microsoft Update. 
+- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx) +- A network file share +- Configuration manager + +Each location has typical scenarios (in addition to acting as fallback locations) for when you would use that source, as described in the following table: + +Location | Sample scenario +---|--- +WSUS | You are using WSUS to manage updates for your network +Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network. +MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). +File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. +Configuration Manager | You are using System Center Configuration Manager to update your endpoints. + +You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. + +> [!IMPORTANT] +> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details. + + +**Use Group Policy to manage the update location:** + +1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings: + + 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**. + + 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, shown in the following screenshot. + + ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png) + + 3. Click **OK**. This will set the order of protection update sources. + + 1. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**. + + 2. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/en-us/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. + + 3. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting. + + +**Use Configuration Manager to manage the update location:** + +See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). 
+ + +**Use PowerShell cmdlets to manage the update location:** + +Use the following PowerShell cmdlets to set the update order. + +```PowerShell +Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION} +Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH} +``` +See the following for more information: +- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder) +- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) +- [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) +- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) + +**Use Windows Management Instruction (WMI) to manage the update location:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureFallbackOrder +SignatureDefinitionUpdateFileSharesSouce +``` + +See the following for more information: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + + + + + + + + + +## Related topics +- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +- [Manage event-based forced 
updates](manage-event-based-updates-windows-defender-antivirus.md)
+- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
diff --git a/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md b/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md
new file mode 100644
index 0000000000..f2036b77ff
--- /dev/null
+++ b/windows/keep-secure/manage-updates-baselines-windows-defender-antivirus.md
@@ -0,0 +1,53 @@ +--- +title: Manage Windows Defender Antivirus updates and apply baselines +description: Manage how Windows Defender Antivirus receives protection and product updates. +keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Manage Windows Defender Antivirus updates and apply baselines + + +**Applies to:** + +- Windows 10 + +**Audience** + +- Network administrators + +There are two types of updates related to keeping Windows Defender Antivirus: +1. Protection updates +2. Product updates + +You can also apply [Windows security baselines](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection. + +## Protection updates + +Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". + +The cloud-based protection is always-on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection. + + +## Product updates + +Windows Defender AV requires monthly updates (known as "engine updates"), and will receive major feature updates alongside Windows 10 releases. 
+ +You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. + +## In this section + +Topic | Description +---|--- +[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources. +[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded. +[Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next log on. +[Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-based protection events. +[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. diff --git a/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md new file mode 100644 index 0000000000..6138bb8a05 --- /dev/null +++ b/windows/keep-secure/manage-updates-mobile-devices-vms-windows-defender-antivirus.md 
@@ -0,0 +1,104 @@ +--- +title: Define how mobile devices are updated by Windows Defender AV +description: Manage how mobile devices, such as laptops, should be updated with Windows Defender AV protection updates. +keywords: updates, protection, schedule updates, battery, mobile device, laptop, notebook, opt-in, microsoft update, wsus, override +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + +# Manage updates for mobile devices and virtual machines (VMs) + +**Applies to** +- Windows 10 + +**Audience** + +- Network administrators + +**Manageability available with** + +- Group Policy + + + + +Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. + +There are two settings that are particularly useful for these devices: + +- Opt-in to Microsoft Update on mobile computers without a WSUS connection +- Prevent definition updates when running on battery power + +The following topics may also be useful in these situations: +- [Configuring scheduled and catch-up scans](scheduled-catch-up-scans-windows-defender-antivirus.md) +- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure (VDI) environment](deployment-vdi-windows-defender-antivirus.md) + +## Opt-in to Microsoft Update on mobile computers without a WSUS connection + +You can use Microsoft Update to keep definitions on mobile devices running Windows Defender AV up to date when they are not connected to the corporate network or don't otherwise have a WSUS connection. + +This means that protection updates can be delivered to devices (via Microsoft Update) even if you have set WSUS to override Microsoft Update. 
+ +You can opt-in to Microsoft Update on the mobile device in one of the following ways: + +1. Change the setting with Group Policy +2. Use a VBScript to create a script, then run it on each computer in your network. +3. Manually opt-in every computer on your network through the **Settings** menu. + +**Use Group Policy to opt-in to Microsoft Update:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**. + +6. Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**. + + +**Use a VBScript to opt-in to Microsoft Update** + +1. Use the instructions in the MSDN article [Opt-In to Microsoft Update](https://msdn.microsoft.com/library/windows/desktop/aa826676.aspx) to create the VBScript. +2. Run the VBScript you created on each computer in your network. + + +**Manually opt-in to Microsoft Update** + +1. Open **Windows Update** in **Update & security** settings on the computer you want to opt-in. +2. Click **Advanced** options. +3. Select the checkbox for **Give me updates for other Microsoft products when I update Windows**. + +## Prevent definition updates when running on battery power + +You can configure Windows Defender AV to only download protection updates when the PC is connected to a wired power source. + +**Use Group Policy to prevent definition updates on battery power:** + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 
+ +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting: + + 1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**. + 2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power. + + + + + +## Related topics + +- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 1c7ea0a9ff..856216aac1 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md 
@@ -6,19 +6,20 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. >[!IMPORTANT] ->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise. +>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization. |Task |Description | diff --git a/windows/keep-secure/microsoft-passport-and-password-changes.md b/windows/keep-secure/microsoft-passport-and-password-changes.md deleted file mode 100644 index fffa48b90f..0000000000 --- a/windows/keep-secure/microsoft-passport-and-password-changes.md +++ /dev/null 
@@ -1,13 +0,0 @@
----
-title: Windows Hello and password changes (Windows 10)
-description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
-ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-and-password-changes
----
-# Windows Hello and password changes
-
diff --git a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md b/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
deleted file mode 100644
index aa890d3cd9..0000000000
--- a/windows/keep-secure/microsoft-passport-errors-during-pin-creation.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Windows Hello errors during PIN creation (Windows 10)
-description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step.
-ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
-keywords: PIN, error, create a work PIN
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-errors-during-pin-creation
----
-
-# Windows Hello errors during PIN creation
-
diff --git a/windows/keep-secure/microsoft-passport-guide.md b/windows/keep-secure/microsoft-passport-guide.md
deleted file mode 100644
index faa85f4206..0000000000
--- a/windows/keep-secure/microsoft-passport-guide.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: Microsoft Passport guide (Windows 10)
-description: This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system.
-ms.assetid: 11EA7826-DA6B-4E5C-99FB-142CC6BD9E84
-keywords: security, credential, password, authentication
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: security
-author: challum
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-identity-verification
----
-
-# Microsoft Passport guide
-
-**Applies to**
-- Windows 10
-
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 7125de6f76..b632c08944 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Minimum requirements for Windows Defender Advanced Threat Protection
+title: Minimum requirements for Windows Defender ATP
 description: Minimum network and data storage configuration, endpoint hardware and software requirements, and deployment channel requirements for Windows Defender ATP.
 keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, endpoint, endpoint configuration, deployment channel
 search.product: eADQiWindows 10XVcnh
@@ -23,6 +23,8 @@ localizationpriority: high There are some minimum requirements for onboarding your network and endpoints. +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) + ## Minimum requirements You must be on Windows 10, version 1607 at a minimum. For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy). @@ -53,10 +55,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t #### Internet connectivity Internet connectivity on endpoints is required. -SENSE can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. - -> [!NOTE] -> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP. +The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . 
@@ -117,3 +116,5 @@ When Windows Defender is not the active antimalware in your organization and you If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard. If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
diff --git a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md b/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
deleted file mode 100644
index 2f8775683c..0000000000
--- a/windows/keep-secure/monitor-onboarding-windows-advanced-threat-protection.md
+++ /dev/null
@@ -1,7 +0,0 @@
- ---
- redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection
- ---
-
-# Monitor the Windows Defender Advanced Threat Protection onboarding
-
-This page has been redirected to [Configure endpoints](https://technet.microsoft.com/itpro/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection)
\ No newline at end of file
diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
index b686486083..e207ba506e 100644
--- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md 
@@ -24,12 +24,11 @@ Windows 10 includes Group Policy-configurable “Process Mitigation Options” t The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are: -- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](windows-10-security-guide.md#data-execution-prevention). +- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention). -- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. - -- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. 
For more information, see [Address Space Layout Randomization](windows-10-security-guide.md#address-space-layout-randomization). +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). +- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`. The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings. diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md deleted file mode 100644 index 74ca414ed7..0000000000 --- a/windows/keep-secure/overview-create-edp-policy.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Create an enterprise data protection (EDP) policy (Windows 10) -description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy ---- \ No newline at end of file 
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md index c3ad6bf5a3..b2b23e5275 100644 --- a/windows/keep-secure/overview-create-wip-policy.md +++ b/windows/keep-secure/overview-create-wip-policy.md @@ -13,7 +13,7 @@ localizationpriority: high # Create a Windows Information Protection (WIP) policy **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md new file mode 100644 index 0000000000..ff8d0da12b --- /dev/null +++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md 
@@ -0,0 +1,457 @@ +--- +title: Mitigate threats by using Windows 10 security features (Windows 10) +description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: justinha +--- + +# Mitigate threats by using Windows 10 security features + +**Applies to:** +- Windows 10 + +This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics). + +| **Section** | **Contents** | +|--------------|-------------------------| +| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | +| [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | +| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. 
| +| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. | + +This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: + +Types of defenses in Windows 10 + +*Figure 1.  Device protection and threat resistance as part of the Windows 10 security defenses* + +## The security threat landscape + +Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge. + +In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. 
These features are designed to: + +- Eliminate entire classes of vulnerabilities + +- Break exploitation techniques + +- Contain the damage and prevent persistence + +- Limit the window of opportunity to exploit + +The following sections provide more detail about security mitigations in Windows 10, version 1703. + +## Windows 10 mitigations that you can configure + +Windows 10 mitigations that you can configure are listed in the following two tables. The first table covers a wide array of protections for devices and users across the enterprise and the second table drills down into specific memory protections such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory in order to gain control of a system. + +**Table 1  Windows 10 mitigations that you can configure** + +| Mitigation and corresponding threat | Description and links | +|---|---| +| **Windows Defender SmartScreen**
    helps prevent
    malicious applications
    from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

    **More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | +| **Credential Guard**
    helps keep attackers
    from gaining access through
    Pass-the-Hash or
    Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
    Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

    **More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | +| **Enterprise certificate pinning**
    helps prevent
    man-in-the-middle attacks
    that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

    **More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | +| **Device Guard**
    helps keep a device
    from running malware or
    other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
    Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

    **More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | +| **Windows Defender Antivirus**,
    which helps keep devices
    free of viruses and other
    malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

    **More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | +| **Blocking of untrusted fonts**
    helps prevent fonts
    from being used in
    elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

    **More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | +| **Memory protections**
    help prevent malware
    from using memory manipulation
    techniques such as buffer
    overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
    A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

    **More information**: [Table 2](#table-2), later in this topic | +| **UEFI Secure Boot**
    helps protect
    the platform from
    bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

    **More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot) | +| **Early Launch Antimalware (ELAM)**
    helps protect
    the platform from
    rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

    **More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) | +| **Device Health Attestation**
    helps prevent
    compromised devices from
    accessing an organization’s
    assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

    **More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) | + +Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly. + +As an IT professional, you can ask application developers and software vendors to deliver applications that include an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard). + +### Table 2  Configurable Windows 10 mitigations designed to help protect against memory exploits + +| Mitigation and corresponding threat | Description | +|---|---| +| **Data Execution Prevention (DEP)**
    helps prevent
    exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
    DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.
    **More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

    **Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **SEHOP**
    helps prevent
    overwrites of the
    Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
    **More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

    **Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **ASLR**
    helps mitigate malware
    attacks based on
    expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This helps mitigate malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.
    **More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

    **Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | + +### Windows Defender SmartScreen + +Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads. + +For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. + +For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md). + +### Windows Defender Antivirus + +Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: + +- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. + +- **Rich local context** improves how malware is identified. 
Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content. + +- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. + +- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.) + +- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution. + + + +For more information, see [Windows Defender in Windows 10](windows-defender-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). + +For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation). 
+ +### Data Execution Prevention + +Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? + +Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit. + +**To use Task Manager to see apps that use DEP** + +1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. + +2. Click **More Details** (if necessary), and then click the **Details** tab. + +3. Right-click any column heading, and then click **Select Columns**. + +4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. + +5. Click **OK**. + +You can now see which processes have DEP enabled. + + + +![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) + +*Figure 2.  Processes on which DEP has been enabled in Windows 10* + +You can use Control Panel to view or change DEP settings. + +#### To use Control Panel to view or change DEP settings on an individual PC + +1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. + +2. Click **Advanced system settings**, and then click the **Advanced** tab. + +3. In the **Performance** box, click **Settings**. + +4. In **Performance Options**, click the **Data Execution Prevention** tab. + +5. Select an option: + + - **Turn on DEP for essential Windows programs and services only** + + - **Turn on DEP for all programs and services except those I select**. 
If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. + +#### To use Group Policy to control DEP settings + +You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. A few applications have compatibility problems with DEP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +### Structured Exception Handling Overwrite Protection + +Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. + +You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +### Address Space Layout Randomization + +One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. 
Any malware that could write directly to the system memory could simply overwrite it in well-known and predictable locations. + +Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. + +![ASLR at work](images/security-fig4-aslr.png) + +**Figure 3.  ASLR at work** + +Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. + +You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +## Mitigations that are built in to Windows 10 + +Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. 
+ +Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. + +### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed + +| Mitigation and corresponding threat | Description | +|---|---| +| **SMB hardening for SYSVOL and NETLOGON shares**
    helps mitigate
    man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

    **More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. | +| **Protected Processes**
    help prevent one process
    from tampering with another
    process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.

    **More information**: [Protected Processes](#protected-processes), later in this topic. | +| **Universal Windows apps protections**
    screen downloadable
    apps and run them in
    an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

    **More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | +| **Heap protections**
    help prevent
    exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

    **More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | +| **Kernel pool protections**
    help prevent
    exploitation of pool memory
    used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

    **More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | +| **Control Flow Guard**
    helps mitigate exploits
    that are based on
    flow between code locations
    in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
    For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

    **More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Protections built into Microsoft Edge** (the browser)
    helps mitigate multiple
    threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

    **More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | + +### SMB hardening improvements for SYSVOL and NETLOGON shares + +In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts. + +> [!NOTE] +> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). + +### Protected Processes + +Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type. + +With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. 
Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. + +### Universal Windows apps protections + +When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. + +Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. + +In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. + +### Windows heap protections + +The *heap* is a location in memory that Windows uses to store dynamic application data. 
Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack. + +Windows 10 has several important improvements to the security of the heap: + +- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. + +- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. + +- **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. + +### Kernel pool protections + +The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against such attacks. + +In addition to pool hardening, Windows 10 includes other kernel hardening features: + +- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic. 
+ +- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx). + +- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) + +- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. + +- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination. + +- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory. + +### Control Flow Guard + +When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs. 
+ +This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. + +An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx). + +Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. + +### Microsoft Edge and Internet Explorer 11 + +Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. + +All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. + +Windows 10 includes an entirely new browser, Microsoft Edge. 
Microsoft Edge is more secure in multiple ways, especially: + +- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions. + +- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits. + +- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues. + +- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. + +- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default. + +In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. 
We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. + +For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. + +### Functions that software vendors can use to build mitigations into apps + +Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you are working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps. + +> [!NOTE] +> Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic. + +### Table 4   Functions available to developers for building mitigations into apps + +| Mitigation | Function | +|-------------|-----------| +| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | +| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | +| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | +| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSignaturePolicy\] | +| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSystemCallDisablePolicy\] | +| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | +| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | +| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | +| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | + +## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit + +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. + +Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)). + +The following table lists EMET features in relation to Windows 10 features. + +### Table 5   EMET features in relation to Windows 10 features + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Specific EMET featuresHow these EMET features map
    +to Windows 10 features
      +
    • DEP

    • +
    • SEHOP

    • +
    • ASLR (Force ASLR, Bottom-up ASLR)

    • +

    DEP, SEHOP and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic.

    +

    You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.

      +
    • Load Library Check (LoadLib)

    • +
    • Memory Protection Check (MemProt)

    • +
    LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
      +
    • Null Page

    • +
    Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
      +
    • Heap Spray

    • +
    • EAF

    • +
    • EAF+

    • +
    Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
      +
    • Caller Check

    • +
    • Simulate Execution Flow

    • +
    • Stack Pivot

    • +
    • Deep Hooks (an ROP “Advanced Mitigation”)

    • +
    • Anti Detours (an ROP “Advanced Mitigation”)

    • +
    • Banned Functions (an ROP “Advanced Mitigation”)

    • +
    Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic.
    + +### Converting an EMET XML settings file into Windows 10 mitigation policies + +One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet: + +```powershell +Install-Module -Name ProcessMitigations +``` + +The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file. + +To get the current settings on all running instances of notepad.exe: + +```powershell +Get-ProcessMitigation -Name notepad.exe -RunningProcess +``` + +To get the current settings in the registry for notepad.exe: + +```powershell +Get-ProcessMitigation -Name notepad.exe +``` + +To get the current settings for the running process with pid 1304: + +```powershell +Get-ProcessMitigation -Id 1304 +``` + +To get the all process mitigation settings from the registry and save them to the xml file settings.xml: + +```powershell +Get-ProcessMitigation -RegistryConfigFilePath settings.xml +``` + +The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file. 
+ +To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR: + +```powershell +Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR +``` + +To set the process mitigations from an XML file (which can be generated from get-ProcessMitigation -RegistryConfigFilePath settings.xml): + +```powershell +Set-ProcessMitigation -PolicyFilePath settings.xml +``` + +To set the system default to be MicrosoftSignedOnly: + +```powershell +Set-ProcessMitigation -System -Enable MicrosoftSignedOnly +``` + +The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. The syntax is: + +```powershell +ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath [] +``` + +Examples: + +- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation settings. For example: + + ```powershell + ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml + ``` + +- **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad: + + ```powershell + Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL + ``` + +- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. 
In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. + +- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example: + + ```powershell + ConvertTo-ProcessMitigationPolicy -EMETfilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml + ``` + +#### EMET-related products + +Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (ATP). 
+
+## Related topics
+
+- [Keep Windows 10 secure](index.md)
+- [Security technologies in Windows 10](security-technologies.md)
+- [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance)
+- [Windows Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp)
+- [Windows Defender Advanced Threat Protection (ATP) - documentation](windows-defender-advanced-threat-protection.md)
+- [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx)
+- [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection)
+- [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx)
+
+
diff --git a/windows/keep-secure/passport-event-300.md b/windows/keep-secure/passport-event-300.md
deleted file mode 100644
index f516f124d0..0000000000
--- a/windows/keep-secure/passport-event-300.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Event ID 300 - Windows Hello successfully created (Windows 10)
-description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
-ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
-keywords: ngc
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-event-300
----
-
-# Event ID 300 - Windows Hello successfully created
-
diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md
index 2846134874..3e922b1c6b 100644
--- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -25,8 +25,8 @@ This topic provides a roadmap for planning and getting started on the Device Gua 3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one code integrity policy for them. More variety across departments might mean you need to create and manage more code integrity policies. The following questions can help you clarify how many code integrity policies to create: - How standardized is the hardware?
    This can be relevant because of drivers. You could create a code integrity policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several code integrity policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment. - - Is there already a list of accepted applications?
    A list of accepted applications can be used to help create a baseline code integrity policy. - + - Is there already a list of accepted applications?
    A list of accepted applications can be used to help create a baseline code integrity policy.
    As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser). + - What software does each department or role need? Should they be able to install and run other departments’ software?
    If multiple departments are allowed to run the same list of software, you might be able to merge several code integrity policies to simplify management. - Are there departments or roles where unique, restricted software is used?
    If one department needs to run an application that no other department is allowed, it might require a separate code integrity policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate code integrity policy.
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
index 8c9f2086ff..3e1b3c8a80 100644
--- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
 ---
 title: Windows Defender Advanced Threat Protection portal overview
 description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
-keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks
+keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, preferences setup, endpoint management, advanced attacks
 search.product: eADQiWindows 10XVcnh
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -30,30 +30,29 @@ You can use the [Windows Defender ATP portal](https://securitycenter.windows.com ## Windows Defender ATP portal When you open the portal, you’ll see the main areas of the application: -- (1) Settings + + ![Windows Defender Advanced Threat Protection portal](images/atp-main-portal.png) + +- (1) Search, Feedback, Settings, Help and support - (2) Navigation pane - (3) Main portal -- (4) Search bar - - - ![Windows Defender Advanced Threat Protection portal](images/portal-image.png) > [!NOTE] -> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. +> Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. Area | Description :---|:--- -(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Enpoint Management**. +(1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
    **Feedback** -Access the feedback button to provide comments about the portal.
    **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information.
    **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. +(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Service health**, **Preferences setup**, and **Enpoint Management**. **Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. -**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. -**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period. -**Enpoint Management**| Allows you to download the onboarding configuration package. +**Machines view** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. +**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. +**Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. +**Endpoint Management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. (3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view. -(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type. 
## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: @@ -65,7 +64,8 @@ Icon | Description ![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection. ![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the machine ![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the machine. +![Thunderbolt icon](images/atp-thunderbolt-icon.png) | Indicates events that triggered an alert in the **Alert process tree**. -### Related topic +## Related topic [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..9bf4342870 --- /dev/null +++ b/windows/keep-secure/powershell-example-code-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,180 @@
+---
+title: PowerShell code examples for the custom threat intelligence API
+description: Use PowerShell code to create custom threat intelligence using REST API.
+keywords: powershell, code examples, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# PowerShell code examples for the custom threat intelligence API
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+This article provides PowerShell code examples for using the custom threat intelligence API.
+
+These code examples demonstrate the following tasks:
+- [Obtain an Azure AD access token](#token)
+- [Create headers](#headers)
+- [Create calls to the custom threat intelligence API](#calls)
+- [Create a new alert definition](#alert-definition)
+- [Create a new indicator of compromise](#ioc)
+
+
+## Step 1: Obtain an Azure AD access token
+The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
+
+Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
+
+```powershell
+$authUrl = 'Your Authorization URL'
+$clientId = 'Your Client ID'
+$clientSecret = 'Your Client Secret'
+
+$tokenPayload = @{
+ "resource"='https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+$token = $response.access_token
+
+```
+
+
+## Step 2: Create headers used for the requests with the API
+Use the following code to create the headers used for the requests with the API:
+
+```powershell
+$headers = @{
+ "Content-Type"="application/json"
+ "Accept"="application/json"
+ "Authorization"="Bearer {0}" -f $token }
+
+$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+```
+
+
+## Step 3: Create calls to the custom threat intelligence API
+After creating the headers, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
+
+```powershell
+$alertDefinitions =
+ (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
+```
+
+The response is empty on initial use of the API.
+
+
+## Step 4: Create a new alert definition
+The following example demonstrates how you to create a new alert definition.
+
+```powershell
+$alertDefinitionPayload = @{
+ "Name"= "The alert's name"
+ "Severity"= "Low"
+ "InternalDescription"= "An internal description of the Alert"
+ "Title"= "The Title"
+ "UxDescription"= "Description of the alerts"
+ "RecommendedAction"= "The alert's recommended action"
+ "Category"= "Trojan"
+ "Enabled"= "true"}
+
+$alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+```
+
+
+## Step 5: Create a new indicator of compromise
+You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
+
+```powershell
+$iocPayload = @{
+ "Type"="Sha1"
+ "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+```
+
+## Complete code
+You can use the complete code to create calls to the API.
+
+```powershell
+$authUrl = 'Your Authorization URL'
+$clientId = 'Your Client ID'
+$clientSecret = 'Your Client Secret'
+
+$tokenPayload = @{
+ "resource"='https://graph.windows.net'
+ "client_id" = $clientId
+ "client_secret" = $clientSecret
+ "grant_type"='client_credentials'}
+
+$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
+$token = $response.access_token
+
+$headers = @{
+ "Content-Type"="application/json"
+ "Accept"="application/json"
+ "Authorization"="Bearer {0}" -f $token }
+
+$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"
+
+$alertDefinitions =
+ (Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) -Method Get -Headers $headers).value
+
+$alertDefinitionPayload = @{
+ "Name"= "The alert's name"
+ "Severity"= "Low"
+ "InternalDescription"= "An internal description of the Alert"
+ "Title"= "The Title"
+ "UxDescription"= "Description of the alerts"
+ "RecommendedAction"= "The alert's recommended action"
+ "Category"= "Trojan"
+ "Enabled"= "true"}
+
+$alertDefinition =
+ Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
+
+$alertDefinitionId = $alertDefinition.Id
+
+$iocPayload = @{
+ "Type"="Sha1"
+ "Value"="dead1111eeaabbccddeeaabbccddee11ffffffff"
+ "DetectionFunction"="Equals"
+ "Enabled"="true"
+ "AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }
+
+
+$ioc =
+ Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
+ -Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
+
+```
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..dab6725222
--- /dev/null
+++ b/windows/keep-secure/preferences-setup-windows-defender-advanced-threat-protection.md
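Review bot: Step 5's `$iocPayload` binds the indicator to `$alertDefinitionId`, but that variable is never assigned in Steps 1–4; the assignment `$alertDefinitionId = $alertDefinition.Id` appears only in the "Complete code" section, so a reader running the steps in order sends `AlertDefinitions()` with an empty id. The same line should follow the Step 4 `Invoke-RestMethod` call. Separately, the sample places the client secret in a plaintext literal (`$clientSecret = 'Your Client Secret'`) and the text above says the resulting bearer token is valid for 60 minutes; a comment such as `# Obtain $clientSecret from a secret store or prompt for it; do not save it in the script` would keep readers from committing the credential alongside this code. `"Enabled"= "true"` is also serialized by ConvertTo-Json as a JSON string rather than the boolean `$true`; whether the API coerces that is not visible here and is worth confirming.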
@@ -0,0 +1,32 @@
+---
+title: Configure Windows Defender ATP preferences settings
+description: Use the preferences setup to configure and update your preferences settings such as enabling advanced features, preview experience, email notifications, or custom threat intelligence.
+keywords: preferences settings, settings, advanced features, preview experience, email notifications, custom threat intelligence
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+# Configure Windows Defender ATP preferences settings
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Use the **Preferences setup** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
+[Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
+[Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features.
+[Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications.
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
deleted file mode 100644
index 9594deccca..0000000000
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Prepare people to use Windows Hello (Windows 10)
-description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
-keywords: identity, PIN, biometric, Hello
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-prepare-people-to-use
----
-
-# Prepare people to use Windows Hello
-
-
-
diff --git a/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md
new file mode 100644
index 0000000000..ce95481ff2
--- /dev/null
+++ b/windows/keep-secure/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -0,0 +1,89 @@
+---
+title: Hide the Windows Defender Antivirus interface
+description: You can hide virus and threat protection tile in the Windows Defender Security Center app.
+keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Prevent users from seeing or interacting with the Windows Defender AV user interface
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+
+
+You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans.
+
+## Hide the Windows Defender Antivirus interface
+
+In Windows 10, versions 1703, hiding the interface will hide Windows Defender AV notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app.
+
+With the setting set to **Enabled**:
+
+![Screenshot of Windows Defender Security Center without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png)
+
+With the setting set to **Disabled** or not configured:
+
+![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png)
+
+>[!NOTE]
+>Hiding the interface will also prevent Windows Defender AV notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+
+
+In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning "Your system administrator has restricted access to this app.":
+
+![Warning message when headless mode is enabled in Windows 10, versions earlier than 1703 that says Your system administrator has restricted access to this app](images/defender/wdav-headless-mode-1607.png)
+
+**Use Group Policy to hide the Windows Defender AV interface from users:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
+
+6. Double-click the **Enable headless UI mode** setting and set the option to **Enabled**. Click **OK**.
+
+
+Also see the [Prevent users from locally modifying policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topic for more options on preventing users form modifying protection on their PCs.
+
+## Prevent users from pausing a scan
+
+You can prevent users from pausing scans. This can be helpful to ensure scheduled or on-demand scans are not interrupted by users.
+
+
+**Use Group Policy to prevent users from pausing a scan:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Scan**.
+
+6. Double-click the **Allow users to pause scan** setting and set the option to **Disabled**. Click **OK**.
+
+
+## Related topics
+
+
+- [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+- [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..8ae02a81bb
--- /dev/null
+++ b/windows/keep-secure/preview-settings-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,31 @@
+---
+title: Turn on the preview experience in Windows Defender ATP
+description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features.
+keywords: advanced features, preferences setup, block file
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+# Turn on the preview experience in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Turn on the preview experience setting to be among the first to try upcoming features.
+
+1. In the navigation pane, select **Preferences setup** > **Preview experience**.
+2. Toggle the setting between **On** and **Off** and select **Save preferences**.
+
+## Related topics
+- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
+- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
+- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..fb768346fe
--- /dev/null
+++ b/windows/keep-secure/preview-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,52 @@
+---
+title: Windows Defender ATP preview features
+description: Learn how to access Windows Defender Advanced Threat Protection preview features.
+keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Windows Defender ATP preview features
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+The Windows Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
+
+Learn about new features in the Windows Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
+
+You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
+
+For more information, see [Turn on the preview experience](preview-settings-windows-defender-advanced-threat-protection.md).
+
+## Preview features
+The following features are included in the preview release:
+
+- [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+ - [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+ - [Undo machine isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#undo-machine-isolation)
+ - [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+
+- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
+ - [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+ - [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+ - [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+
+- [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
+ - [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+
+- [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) - Create custom threat intelligence alerts using the threat intelligence API to generate alerts that are applicable to your organization.
+
+>[!NOTE]
+> All response actions require machines to be on the latest Windows 10, version 1703.
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md
deleted file mode 100644
index 3f8df3ef51..0000000000
--- a/windows/keep-secure/protect-enterprise-data-using-edp.md
+++ /dev/null
@@ -1,5 +0,0 @@ ---- -title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10) -description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index a37553eb2c..265ffe048d 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -14,7 +14,7 @@ localizationpriority: high # Protect your enterprise data using Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). @@ -28,7 +28,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 | Microsoft Intune
    -OR-
    System Center Configuration Manager
    -OR-
    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

    -OR-

    System Center Configuration Manager

    -OR-

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| ## What is enterprise data control? Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. 
@@ -93,7 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
 - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
 - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
- >[!NOTE]
+
+ >[!Note]
 >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
    System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
 ## How WIP works
@@ -129,7 +130,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
 |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
 |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
 |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
-|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

    **Note**
    For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | +|Off |WIP is turned off and doesn't help to protect or audit your data.

    After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

    **Note**
    For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
 ## Turn off WIP
 You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index ac0409286d..9791688940 100644
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -365,7 +365,7 @@ The following table details the hardware requirements for both virtualization-ba

    Trusted Platform Module (TPM)

    -

    Required to support health attestation and necessary for additional key protections for virtualization-based security.

    +

    Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported; TPM 1.2 is also supported beginnning with Windows 10, version 1703.

    diff --git a/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..2c68f00d27
--- /dev/null
+++ b/windows/keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,196 @@
+---
+title: Pull Windows Defender ATP alerts using REST API
+description: Pull alerts from the Windows Defender ATP portal REST API.
+keywords: alerts, pull alerts, rest api, request, response
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Pull Windows Defender ATP alerts using REST API
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
+
+In general, the OAuth 2.0 protocol supports four types of flows:
+- Authorization grant flow
+- Implicit flow
+- Client credentials flow
+- Resource owner flow
+
+For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
+
+Windows Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
+
+The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
+
+The _Client credential flow_ uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
+
+Use the following method in the Windows Defender ATP API to pull alerts in JSON format.
+
+## Before you begin
+- Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
+
+- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
+ - Application ID (unique to your application)
+ - App key, or secret (unique to your application)
+ - Your app's OAuth 2.0 token endpoint
+ - Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`.
+
+## Get an access token
+Before creating calls to the endpoint, you'll need to get an access token.
+
+You'll use the access token to access the protected resource, which are alerts in Windows Defender ATP.
+
+To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
+
+```syntax
+
+POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
+Host: login.microsoftonline.com
+Content-Type: application/x-www-form-urlencoded
+
+resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
+```
+The response will include an access token and expiry information.
+
+```json
+{
+ "token type": "Bearer",
+ "expires in": "3599"
+ "ext_expires_in": "0",
+ "expires_on": "1488720683",
+ "not_before": "1488720683",
+ "resource": "https://WDATPAlertExport.Seville.onmicrosoft.com",
+ "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
+}
+```
+You can now use the value in the *access_token* field in a request to the Windows Defender ATP API.
+
+## Request
+With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append the access token to the Authorization header of each request.
+
+### Request syntax
+Method | Request URI
+:---|:---|
+GET| Use the URI applicable for your region.

    **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts`
    **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
+
+### Request header
+Header | Type | Description|
+:--|:--|:--
+Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. |
+
+### Request parameters
+
+Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization.
+
+Name | Value| Description
+:---|:---|:---
+DateTime?sinceTimeUtc | string | Defines the time alerts are retrieved from based from `LastProccesedTimeUtc` time to current time.

    **NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
+int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

    **NOTE**: When not specified, all alerts available in the time range will be retrieved.
+
+### Request example
+The following example demonstrates how to retrieve all the alerts in your organization.
+
+```syntax
+GET https://wdatp-alertexporter-eu.windows.com/api/alerts
+Authorization: Bearer
+```
+
+The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00.
+
+```syntax
+GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc="2016-09-12 00:00:00"
+Authorization: Bearer
+```
+
+## Response
+The return value is an array of alert objects in JSON format.
+
+Here is an example return value:
+
+```json
+{"AlertTime":"2017-01-23T07:32:54.1861171Z",
+"ComputerDnsName":"desktop-bvccckk",
+"AlertTitle":"Suspicious PowerShell commandline",
+"Category":"SuspiciousActivity",
+"Severity":"Medium",
+"AlertId":"636207535742330111_-1114309685",
+"Actor":null,
+"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
+"IocName":null,
+"IocValue":null,
+"CreatorIocName":null,
+"CreatorIocValue":null,
+"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
+"FileName":"powershell.exe",
+"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
+"IpAddress":null,
+"Url":null,
+"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
+"UserName":null,
+"AlertPart":0,
+"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
+"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
+"ThreatCategory":null,
+"ThreatFamily":null,
+"ThreatName":null,
+"RemediationAction":null,
+"RemediationIsSuccess":null,
+"Source":"Windows Defender ATP",
+"Md5":null,
+"Sha256":null,
+"WasExecutingWhileDetected":null,
+"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
+"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
+```
+
+## Code examples
+### Get access token
+The following code example demonstrates how to obtain an 
access token and call the Windows Defender ATP API.
+
+```syntax
+AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
+ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
+AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);
+```
+### Use token to connect to the alerts endpoint
+
+```
+HttpClient httpClient = new HttpClient();
+httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
+HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
+string alertsJson = response.Content.ReadAsStringAsync().Result;
+Console.WriteLine("Got alert list: {0}", alertsJson);
+
+```
+
+
+
+
+## Error codes
+The Windows Defender ATP REST API returns the following error codes caused by an invalid request.
+
+HTTP error code | Description
+:---|:---
+401 | Malformed request or invalid token.
+403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted.
+500 | Error in the service.
+
+## Related topics
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..dc44b7cbea
--- /dev/null
+++ b/windows/keep-secure/python-example-code-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,183 @@
+---
+title: Python code examples for the custom threat intelligence API
+description: Use Python code to create custom threat intelligence using REST API.
+keywords: python, code examples, threat intelligence, custom threat intelligence, rest api, api
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Python code examples for the custom threat intelligence API
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+## Before you begin
+You must [install](http://docs.python-requests.org/en/master/user/install/#install) the "[requests](http://docs.python-requests.org/en/master/)" python library.
+
+These code examples demonstrate the following tasks:
+- [Obtain an Azure AD access token](#token)
+- [Create request session object](#session-object)
+- [Create calls to the custom threat intelligence API](#calls)
+- [Create a new alert definition](#alert-definition)
+- [Create a new indicator of compromise](#ioc)
+
+
+## Step 1: Obtain an Azure AD access token
+The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.
+
+Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
+
+```
+import json
+import requests
+from pprint import pprint
+
+auth_url="Your Authorization URL"
+client_id="Your Client ID"
+client_secret="Your Client Secret"
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+```
+
+
+
+## Step 2: Create request session object
+Add HTTP headers to the session object, including the Authorization header with the token that was obtained.
+
+```
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+```
+
+
+## Step 3: Create calls to the custom threat intelligence API
+After adding HTTP headers to the session object, you can now create calls to the API. The following example demonstrates how you can view all the alert definition entities:
+
+```
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+```
+
+The response is empty on initial use of the API.
+
+
+## Step 4: Create a new alert definition
+The following example demonstrates how you to create a new alert definition.
+
+```
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+```
+
+
+## Step 5: Create a new indicator of compromise
+You can now use the alert ID obtained from creating a new alert definition to create a new indicator of compromise.
+
+```
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+```
+
+## Complete code
+You can use the complete code to create calls to the API.
+
+```syntax
+import json
+import requests
+from pprint import pprint
+
+auth_url="Your Authorization URL"
+client_id="Your Client ID"
+client_secret="Your Client Secret"
+
+payload = {"resource": "https://graph.windows.net",
+ "client_id": client_id,
+ "client_secret": client_secret,
+ "grant_type": "client_credentials"}
+
+response = requests.post(auth_url, payload)
+token = json.loads(response.text)["access_token"]
+
+with requests.Session() as session:
+ session.headers = {
+ 'Authorization': 'Bearer {}'.format(token),
+ 'Content-Type': 'application/json',
+ 'Accept': 'application/json'}
+
+ response = session.get("https://ti.securitycenter.windows.com/V1.0/AlertDefinitions")
+ pprint(json.loads(response.text))
+
+ alert_definition = {"Name": "The alert's name",
+ "Severity": "Low",
+ "InternalDescription": "An internal description of the alert",
+ "Title": "The Title",
+ "UxDescription": "Description of the alerts",
+ "RecommendedAction": "The alert's recommended action",
+ "Category": "Trojan",
+ "Enabled": True}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/AlertDefinitions",
+ json=alert_definition)
+
+ alert_definition_id = json.loads(response.text)["Id"]
+
+ ioc = {'Type': "Sha1",
+ 'Value': "dead1111eeaabbccddeeaabbccddee11ffffffff",
+ 'DetectionFunction': "Equals",
+ 'Enabled': True,
+ "AlertDefinition@odata.bind": "AlertDefinitions({0})".format(alert_definition_id)}
+
+ response = session.post(
+ "https://ti.securitycenter.windows.com/V1.0/IndicatorsOfCompromise",
+ json=ioc)
+
+ pprint(json.loads(response.text))
+```
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell 
code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md
index bf9a7ac22a..ca34c042a9 100644
--- a/windows/keep-secure/recommended-network-definitions-for-wip.md
+++ b/windows/keep-secure/recommended-network-definitions-for-wip.md
@@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
+author: eross-msft
 localizationpriority: high
 ---
@@ -13,7 +14,7 @@ localizationpriority: high
 **Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
 - Windows 10 Mobile
 >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
diff --git a/windows/keep-secure/report-monitor-windows-defender-antivirus.md b/windows/keep-secure/report-monitor-windows-defender-antivirus.md
new file mode 100644
index 0000000000..1ada466447
--- /dev/null
+++ b/windows/keep-secure/report-monitor-windows-defender-antivirus.md
@@ -0,0 +1,44 @@
+---
+title: Monitor and report on Windows Defender Antivirus protection
+description: Use Configuration Manager or SIEM tools to consume reports, and monitor Windows Defender AV with PowerShell and WMI.
+keywords: siem, monitor, report, windows defender av
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Report on Windows Defender Antivirus protection
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- IT administrators
+
+There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender AV.
+
+
+
+You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+
+If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
+
+Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](security-auditing-overview.md) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).
+
+These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx). 
It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM.
+
+You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware).
+
+For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2).
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
index fad266b5ee..35cd55629e 100644
--- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md
@@ -39,22 +39,22 @@ You can deploy Device Guard in phases, and plan these phases in relation to the
 > [!WARNING]
 > Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, available in 2016, and announced as options for 2017.
+The following tables provide more information about the hardware, firmware, and software required for deployment of various Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-> **Notes**
-> - To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
-> - For new computers running Windows 10, Trusted Platform Module (TPM 2.0) must be enabled by default. This requirement is not restated in the tables that follow.
+> **Notes**
    +> • To understand the requirements in the following tables, you will need to be familiar with the main features in Device Guard: configurable code integrity policies, virtualization-based security (VBS), and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md#how-device-guard-features-help-protect-against-threats).
    +> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
 ## Device Guard requirements for baseline protections
 |Baseline Protections - requirement | Description |
 |---------------------------------------------|----------------------------------------------------|
 | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. |
-| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    - VT-x (Intel) or
    - AMD-V
    And:
    - Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of secure kernel from normal operating system. Vulnerabilities and Day 0s in normal operating system cannot be exploited because of this isolation. |
+| Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | **Requirements**: These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT).

    **Security benefits**: VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
 | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    **Security benefits**: UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
 | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).

    **Security benefits**: UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
 | Software: **HVCI compatible drivers** | **Requirements**: See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).

    **Security benefits**: [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
+| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.


    **Security benefits**: Support for VBS and for management features that simplify configuration of Device Guard. |
 > **Important**  The preceding table lists requirements for baseline protections. The following tables list requirements for improved security. You can use Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting the requirements for improved security, to significantly strengthen the level of security that Device Guard can provide.
@@ -62,32 +62,36 @@ The following tables provide more information about the hardware, firmware, and
 The following tables describes additional hardware and firmware requirements, and the improved security that is available when those requirements are met.
-### 2015 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4)
+
+### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
+
 | Protections for Improved Security - requirement | Description |
 |---------------------------------------------|----------------------------------------------------|
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - BIOS password or stronger authentication must be supported.
    - In the BIOS configuration, BIOS authentication must be set.
    - There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    - In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    - BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    - Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • BIOS password or stronger authentication must be supported.
    • In the BIOS configuration, BIOS authentication must be set.
    • There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
    • In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings.

    **Security benefits**:
    • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
    • Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
    -### 2016 Additional Qualification Requirements for Device Guard (starting with Windows 10, version 1607, and Windows Server 2016)
+### Additional Qualification Requirements starting with Windows 10, version 1607, and Windows Server 2016 > **Important**  The following tables list requirements for improved security, beyond the level of protection described in the preceding tables. You can use Device Guard with hardware, firmware, and software that do not support the following protections for improved security. As your systems meet more requirements, more protections become available to them. | Protections for Improved Security - requirement | Description | |---------------------------------------------|----------------------------------------------------|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    - The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx).

    **Security benefits**:
    - Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    - HSTI provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
    Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
    • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx).

    **Security benefits**:
    • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update.

    **Security benefits**: Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    - Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    - Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    - Enterprises can choose to allow proprietary EFI drivers/applications to run.
    - Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+| Firmware: **Securing Boot Configuration and Management** | **Requirements**:
    • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.

    **Security benefits**:
    • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
    -### 2017 Additional Qualification Requirements for Device Guard (announced as options for future Windows operating systems for 2017)
+### Additional Qualification Requirements starting with Windows 10, version 1703
-| Protections for Improved Security - requirement | Description |
+The following table lists requirements for Windows 10, version 1703, which are in addition to all preceding requirements.
+
+| Protection for Improved Security | Description | |---------------------------------------------|----------------------------------------------------|
-| Firmware: **UEFI NX Protections** | **Requirements**:
    - All UEFI memory that is marked executable must be read only. Memory marked writable must not be executable.

    UEFI Runtime Services:
    - Must implement the UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. The entire UEFI runtime must be described by this table.
    - All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
    - No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory MUST be either readable and executable OR writeable and non-executable.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    - Protects against potential vulnerabilities in UEFI runtime in functions such as Update Capsule, Set Variables, and so on, so they can't compromise VBS.
    - Reduces attack surface to VBS from system firmware.
    - Blocks additional security attacks against SMM. |
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | **Requirements**:
    • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.
    • UEFI runtime service must meet these requirements:
        • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
        • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
        • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
            • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
            • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable.

    Notes:
    • This only applies to UEFI runtime service memory, and not UEFI boot service memory.
    • This protection is applied by VBS on OS page tables.


    Please also note the following:
    • Do not use sections that are both writeable and exceutable
    • Do not attempt to directly modify executable system memory
    • Do not use dynamic code

    **Security benefits**:
    • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware. |
+| Firmware: **Firmware support for SMM protection** | **Requirements**: The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.

    **Security benefits**:
    • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
    • Reduces the attack surface to VBS from system firmware.
    • Blocks additional security attacks against SMM. | ## Device Guard deployment in different scenarios: types of devices
@@ -95,9 +99,9 @@ Typically, deployment of Device Guard happens best in phases, rather than being | **Type of device** | **How Device Guard relates to this type of device** | **Device Guard components that you can use to protect this kind of device** | |------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
-| **Fixed-workload devices**: Perform same tasks every day.
    Lists of approved applications rarely change.
    Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
    After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

    - Code integrity policies in enforced mode, with UMCI enabled. |
-| **Fully managed devices**: Allowed software is restricted by IT department.
    Users can request additional software, or install from a list of applications provided by IT department.
    Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
    Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

    - Code integrity policies in enforced mode, with UMCI enabled. |
-| **Lightly managed devices**: Company-owned, but users are free to install software.
    Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

    - Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
+| **Fixed-workload devices**: Perform same tasks every day.
    Lists of approved applications rarely change.
    Examples: kiosks, point-of-sale systems, call center computers. | Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.
    After Device Guard deployment, only approved applications can run. This is because of protections offered by the Hypervisor Code Integrity (HVCI) service. | - VBS (hardware-based) protections, enabled.

    • Code integrity policies in enforced mode, with UMCI enabled. |
+| **Fully managed devices**: Allowed software is restricted by IT department.
    Users can request additional software, or install from a list of applications provided by IT department.
    Examples: locked-down, company-owned desktops and laptops. | An initial baseline code integrity policy can be established and enforced. Whenever the IT department approves additional applications, it will update the code integrity policy and (for unsigned LOB applications) the catalog.
    Code integrity policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.

    • Code integrity policies in enforced mode, with UMCI enabled. |
+| **Lightly managed devices**: Company-owned, but users are free to install software.
    Devices are required to run organization's antivirus solution and client management tools. | Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a code integrity policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.

    • Code integrity policies, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. | | **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | ## Device Guard deployment in virtual machines
diff --git a/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md new file mode 100644
index 0000000000..c768906d08
--- /dev/null
+++ b/windows/keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,231 @@
+---
+title: Take response actions on a file in Windows Defender ATP
+description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details.
+keywords: respond, stop and quarantine, block file, deep analysis
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Take response actions on a file
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center.
+
+>[!NOTE]
+> These response actions are only available for machines on Windows 10, version 1703.
+
+You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file.
+
+## Stop and quarantine files in your network
+You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed.
+
+The **Stop & Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys.
+
+The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days.
+
+### Stop and quarantine files
+1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
+
+ - **Alerts** - click the corresponding links from the Description or Details in the Alert timeline
+ - **Search box** - select File from the drop–down menu and enter the file name
+
+2. 
Open the **Actions menu** and select **Stop & Quarantine File**.
+ ![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
+
+3. Type a comment (optional), and select **Yes** to take action on the file. The comment will be saved in the Action center for reference.
+
+ The Action center shows the submission information:
+ ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)
+
+ - **Submission time** - Shows when the action was submitted.
    + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
    + - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network.
    + - **Success** - Shows the number of machines where the file has been stopped and quarantined.
    + - **Failed** - Shows the number of machines where the action failed and details about the failure.
    +
+4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
+
+**Notification on machine user**:
    +When the file is being removed from an endpoint, the following notification is shown:
+
+![Image of notification on machine user](images/atp-notification-file.png)
+
+In the machine timeline, a new event is added for each machine where a file was stopped and quarantined.
+
+>[!NOTE]
+>The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications.
+
+![Image of action button turned off](images/atp-file-action.png)
+
+For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
+
+### Remove file from quarantine
+You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined.
+
+1. Open an elevated command–line prompt on the endpoint:
+
+ a. Go to **Start** and type cmd.
+
+ b. Right–click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+ ```
+ “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
+ ```
+
+> [!NOTE]
+> Windows Defender ATP will remove all files that were quarantined on this machine in the last 30 days.
+
+## Block files in your network
+You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
+
+>[!NOTE]
+>This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](configure-windows-defender-in-windows-10.md).

    +This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. The coverage will be extended over time. The action takes effect on machines with the latest Windows 10 Insider Preview build.
+
+### Enable the block file feature
+1. In the navigation pane, select **Preference Setup** > **Advanced features** > **Block file**.
+
+2. Toggle the setting between **On** and **Off** and select **Save preferences**.
+
+ ![Image of preferences setup](images/atp-preferences-setup.png)
+
+3. Type a comment (optional) and select **Yes** to take action on the file.
+The Action center shows the submission information:
+
+ ![Image of block file](images/atp-blockfile.png)
+
+ - **Submission time** - Shows when the action was submitted.
    + - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
    + - **Status** - Indicates whether the file was added to or removed from the blacklist.
+
+When the file is blocked, there will be a new event in the machine timeline.
    +
+**Notification on machine user**:
    +When a file is being blocked on the endpoint, the following notification is displayed to inform the user that the file was blocked:
+
+![Image of notification on machine user](images/atp-notification-file.png)
+
+>[!NOTE]
+>The **Action** button is turned off for files signed by Microsoft to prevent negative impact on machines in your organization caused by the removal of files that might be related to the operating system.
+
+![Image of action button turned off](images/atp-file-action.png)
+
+For prevalent files in the organization, a warning is shown before an action is implemented to validate that the operation is intended.
+
+### Remove file from blocked list
+1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:
+
+ - **Alerts** - Click the file links from the Description or Details in the Alert timeline
    + - **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
    + - **Search box** - Select File from the drop–down menu and enter the file name
+
+2. Open the **Actions** menu and select **Remove file from blocked list**.
+
+ ![Image of remove file from blocked list](images/atp-remove-blocked-file.png)
+
+3. Type a comment and select **Yes** to take action on the file. The file will be allowed to run in the organization.
+
+
+## Check activity details in Action center
+The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the details on the last action that were taken on a file such as stopped and quarantined files or blocked files.
+
+![Image of action center with information](images/atp-action-center-with-info.png)
+
+## Deep analysis
+Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
+
+The deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
+Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
+
+Deep analysis of a file takes several minutes. When the file analysis is complete, results are made available in the File view page, under a new **Deep analysis summary** section. The summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk.
+
+Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
+
+### Submit files for analysis
+
+Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available in the context of the file view.
+
+In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
+
+> [!NOTE]
+> Only files from Windows 10 can be automatically collected.
+
+You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
+
+> [!NOTE]
+> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+
+When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
+
+**Submit files for deep analysis:**
+
+1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
    + - Alerts - click the file links from the **Description** or **Details** in the Alert timeline
    + - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
    + - Search box - select **File** from the drop–down menu and enter the file name
    +2. In the **Deep analysis** section of the file view, click **Submit**.
+
+![You can only submit PE files in the file details section](images/submit-file.png)
+
+>**Note**  Only PE files are supported, including _.exe_ and _.dll_ files
+
+A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
+
+> [!NOTE]
+> Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
+
+### View deep analysis reports
+
+View the deep analysis report that Windows Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
+
+You can view the comprehensive report that provides details on:
+
+– Observed behaviors
+– Associated artifacts
+
+The details provided can help you investigate if there are indications of a potential attack.
+
+
+1. Select the file you submitted for deep analysis.
+2. Click **See the report below**. Information on the analysis is displayed.
+
+![The deep analysis report shows detailed information across a number of categories](images/analysis-results.png)
+
+### Troubleshooting deep analysis
+
+If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
+
+
+1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
+2. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
+3. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
+4. 
Verify the policy setting enables sample collection and try to submit the file again.
+
+ a. Change the following registry entry and values to change the policy on specific endpoints:
+ ```
+HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
+ Value = 0 – block sample collection
+ Value = 1 – allow sample collection
+```
+5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
+6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
+
+> [!NOTE]
+> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
+
+## Related topics
+– [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md new file mode 100644
index 0000000000..d0c899983f
--- /dev/null
+++ b/windows/keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,130 @@
+---
+title: Take response actions on a machine in Windows Defender ATP
+description: Take response actions on a machine by isolating machines, collecting an investigation package, and checking activity details.
+keywords: respond, isolate, isolate machine, collect investigation package, action center
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Take response actions on a machine
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
+
+>[!NOTE]
+> These response actions are only available for machines on Windows 10, version 1703.
+
+## Isolate machines from the network
+Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
+
+This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine.
+
+>[!NOTE]
+>You’ll be able to reconnect the machine back to the network at any time.
+
+1. Select the machine that you want to isolate. You can select or search for a machine from any of the following views:
+
+ - **Dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the machine name from the list of machines.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+2. Open the **Actions** menu and select **Isolate machine**.
+
+ ![Image of isolate machine](images/atp-isolate-machine.png)
+
+3. Type a comment (optional) and select **Yes** to take action on the machine.
+ >[!NOTE]
+ >The machine will remain connected to the Windows Defender ATP service even if it is isolated from the network.
+
+ The Action center shows the submission information:
+ ![Image of machine isolation](images/atp-machine-isolation.png)
+
+ - **Submission time** - Shows when the isolation action was submitted.
+ - **Submitting user** - Shows who submitted the action on the machine. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates any pending actions or the results of completed actions.
+
+When the isolation configuration is applied, there will be a new event in the machine timeline.
+
+**Notification on machine user**:
+When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
+
+![Image of no network connection](images/atp-notification-isolate.png)
+
+## Undo machine isolation
+Depending on the severity of the attack and the state of the machine you can choose to release the machine isolation after you have verified that the compromised machine has been remediated.
+
+1. Select a machine that was previously isolated.
+
+2. Open the **Actions** menu and select **Undo machine isolation**.
+
+ ![Image of undo isolation](images/atp-undo-isolation.png)
+
+3. Type a comment (optional) and select **Yes** to take action on the file. The machine will be reconnected to the network.
+
+## Collect investigation package from machines
+As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
+
+You can download the package (Zip file) and investigate the events that occurred on a machine.
+
+The package contains the following folders:
+
+Folder | Description
+:---|:---
+Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

    NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” +Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). +Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

    - ActiveNetworkConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

    - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

    ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

    - Dnscache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

    - Ipconfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. +Prefetch files | Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

    - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

    - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. +Processes | Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. +Scheduled tasks | Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. +Security event log | Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

    NOTE: Open the event log file using Event viewer. +Services | Contains the services.txt file which lists services and their states. +Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

    Contains files for SMBInboundSessions and SMBOutboundSession.

    NOTE: If the file contains the following message: “ERROR: The system was unable to find the specified registry key or value.”, it means that there were no SMB sessions of this type (inbound or outbound). +Temp Directories | Contains a set of text files that lists the files located in %Temp% for every user in the system.

    This can help to track suspicious files that an attacker may have dropped on the system.

NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.
+Users and Groups | Provides a list of files that each represent a group and its members.
+CollectionSummaryReport.xls | This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors.
+
+1. Select the machine that you want to investigate. You can select or search for a machine from any of the following views:
+
+ - **Dashboard** - Select the machine name from the Top machines with active alerts section.
+ - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
+ - **Machines list** - Select the heading of the machine name from the machines list.
+ - **Search box** - Select Machine from the drop-down menu and enter the machine name.
+
+2. Open the **Actions** menu and select **Collect investigation package**.
+
+ The Action center shows the submission information:
+ ![Image of investigation package in action center](images/atp-investigation-package-action-center.png)
+
+ - **Submission time** - Shows when the action was submitted.
+ - **Submitting user** - Shows who submitted the action on the file. You can view the comments provided by the user by selecting the information icon.
+ - **Status** - Indicates if the package was successfully collected from the network. When the collection is complete, you can download the package.
+
+3. Select **Package available** to download the package.
+ When the package is available a new event will be added to the machine timeline.
+ You can download the package from the machine page, or the Action center.
+
+ ![Image of investigation package from machine view](images/atp-machine-investigation-package.png)
+
+ You can also search for historical packages in the machine timeline.
+
+## Check activity details in Action center
+The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view if a machine was isolated and if an investigation package is available from a machine. All related details are also shown, for example, submission time, submitting user, and if the action succeeded or failed.
+
+![Image of action center with information](images/atp-action-center-with-info.png)
+
+## Related topics
+- [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..a22e882c62
--- /dev/null
+++ b/windows/keep-secure/response-actions-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,46 @@
+---
+title: Take response actions on files and machines in Windows Defender ATP
+description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package.
+keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Take response actions in Windows Defender ATP
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
+
+>[!NOTE]
+> These response actions are only available for machines on Windows 10, version 1703.
+
+## In this section
+Topic | Description
+:---|:---
+[Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)| Isolate machines or collect an investigation package.
+[Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)| Stop and quarantine files or block a file from your network.
+
+## Related topics
+- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md)
+- [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+- [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
+- [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
+- [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
+- [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/review-scan-results-windows-defender-antivirus.md b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
new file mode 100644
index 0000000000..63d6ce419e
--- /dev/null
+++ b/windows/keep-secure/review-scan-results-windows-defender-antivirus.md
@@ -0,0 +1,91 @@
+---
+title: Review the results of Windows Defender AV scans
+description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
+keywords: scan results, remediation, full scan, quick scan
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Review Windows Defender AV scan results
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center app
+
+
+After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results.
+
+
+**Use Configuration Manager to review Windows Defender AV scan results:**
+
+See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
+
+
+**Use the Windows Defender Security Center app to review Windows Defender AV scan results:**
+
+1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label.
+
+ - Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
+ - Information about the last scan is displayed at the bottom of the page.
+
+
+
+
+**Use PowerShell cmdlets to review Windows Defender AV scan results:**
+
+The following cmdlet will return each detection on the endpoint. If there are multiple detections of the same threat, each detection will be listed separately, based on the time of each detection:
+
+```PowerShell
+Get-MpThreatDetection
+```
+
+![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png)
+
+You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
+
+If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
+
+```PowerShell
+Get-MpThreat
+```
+
+![IMAGEALT](images/defender/wdav-get-mpthreat.png)
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
+
+Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
+
+
+**Use Microsoft Intune to review Windows Defender AV scan results:**
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
+
+
+
+## Related topics
+
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md b/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
deleted file mode 100644
index 2234eebd86..0000000000
--- a/windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
+++ /dev/null
@@ -1,55 +0,0 @@ ---- -title: Learn how to run a scan from command line in Windows Defender (Windows 10) -description: Windows Defender utility enables IT professionals to use command line to run antivirus scans. -keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: medium -author: mjcaparas ---- - -# Run a Windows Defender scan from the command line - -**Applies to:** - -- Windows 10 - -IT professionals can use a command-line utility to run a Windows Defender scan. - -The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_. - -This utility can be handy when you want to automate the use of Windows Defender. - -**To run a quick scan from the command line** - -1. Click **Start**, type **cmd**, and press **Enter**. -2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**: - -``` -C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1 -``` -The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished. - - -The utility also provides other commands that you can run: - -``` -MpCmdRun.exe [command] [-options] -``` - -Command | Description -:---|:--- -\- ? 
/ -h | Displays all available options for the tool -\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software -\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing -\-GetFiles | Collects support information -\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures -\-AddDynamicSignature [-Path] | Loads a dynamic signature -\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures -\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature -
    -The command-line utility provides detailed information on the other commands supported by the tool. diff --git a/windows/keep-secure/run-scan-windows-defender-antivirus.md b/windows/keep-secure/run-scan-windows-defender-antivirus.md new file mode 100644 index 0000000000..4e29084ea1 --- /dev/null +++ b/windows/keep-secure/run-scan-windows-defender-antivirus.md 
@@ -0,0 +1,108 @@
+---
+title: Run and customize on-demand scans in Windows Defender AV
+description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
+keywords: scan, on-demand, dos, intune, instant scan
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# Configure and run on-demand Windows Defender AV scans
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Windows Defender AV mpcmdrun utility
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center app
+
+You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
+
+
+## Quick scan versus full scan
+
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+
+Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+
+In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+
+A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+
+
+**Use the mpcmdrum.exe command-line utility to run a scan:**
+
+Use the following `-scan` parameter:
+
+```DOS
+mpcmdrun.exe -scan -scantype 1
+```
+
+
+
+See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+
+
+
+**Use Configuration Manager to run a scan:**
+
+See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
+
+
+
+**Use the Windows Defender Security Center app to run a scan:**
+
+See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
+
+
+
+**Use PowerShell cmdlets to run a scan:**
+
+Use the following cmdlet:
+
+```PowerShell
+Start-MpScan
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to run a scan:**
+
+Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/en-us/library/dn455324(v=vs.85).aspx#methods) class.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Microsoft Intune to run a scan:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+## Related topics
+
+
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
new file mode 100644
index 0000000000..a4826a52ae
--- /dev/null
+++ b/windows/keep-secure/scheduled-catch-up-scans-windows-defender-antivirus.md
@@ -0,0 +1,244 @@ +--- +title: Schedule regular scans with Windows Defender AV +description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans +keywords: schedule scan, daily, weekly, time, scheduled, recurring, regular +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: medium +author: iaanw +--- + + +# Configure scheduled scans for Windows Defender AV + + + +**Applies to** +- Windows 10 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- System Center Configuration Manager +- PowerShell cmdlets +- Windows Management Instruction (WMI) + + + +> [!NOTE] +> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. + + +In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans. + +You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. + +This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. 
You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings). + +To configure the Group Policy settings described in this topic: + +1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +3. In the **Group Policy Management Editor** go to **Computer configuration**. + +4. Click **Policies** then **Administrative templates**. + +5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below. + +6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. + + +Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics. + +## Quick scan versus full scan + +When you set up scheduled scans, you can set up whether the scan should be a full or quick scan. + +Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders. 
+ +Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware. + +In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection. + +A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md). + +## Set up scheduled scans + +Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans. + + +**Use Group Policy to schedule scans:** + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Scan | Specify the scan type to use for a scheduled scan | Quick scan +Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never +Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am +Root | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. 
This can be useful in VM or VDI deployments | Enabled + +**Use PowerShell cmdlets to schedule scans:** + +Use the following cmdlets: + +```PowerShell +Set-MpPreference -ScanParameters +Set-MpPreference -ScanScheduleDay +Set-MpPreference -ScanScheduleTime +Set-MpPreference -RandomizeScheduleTaskTimes + +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to schedule scans:** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureFallbackOrder +SignatureDefinitionUpdateFileSharesSouce +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + + + +## Start scheduled scans only when the endpoint is not in use + +You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI. 
+ +**Use Group Policy to schedule scans** + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled + +**Use PowerShell cmdlets:** + +Use the following cmdlets: + +```PowerShell +Set-MpPreference -ScanOnlyIfIdleEnabled +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI):** + +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: + +```WMI +SignatureFallbackOrder +SignatureDefinitionUpdateFileSharesSouce +``` + +See the following for more information and allowed parameters: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) + + +## Configure when full scans should be run to complete remediation + +Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI. + + +**Use Group Policy to schedule remediation-required scans** + +Location | Setting | Description | Default setting (if not configured) +---|---|---|--- +Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. 
| Never
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -RemediationScheduleDay
+Set-MpPreference -RemediationScheduleTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI):**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+
+
+## Set up daily quick scans
+
+You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
+
+
+**Use Group Policy to schedule daily scans:**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan.
| Never
+Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+**Use PowerShell cmdlets to schedule daily scans:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -ScanScheduleQuickTime
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to schedule daily scans:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+SignatureFallbackOrder
+SignatureDefinitionUpdateFileSharesSouce
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Enable scans after protection updates
+
+You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
+
+**Use Group Policy to schedule scans after protection updates**
+
+Location | Setting | Description | Default setting (if not configured)
+---|---|---|---
+Signature updates | Turn on scan after signature update | A scan will occur immediately after a new protection update is downloaded | Enabled
+
+
+
+
+
+## Related topics
+
+
+- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
+- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
index a5df900c1d..caaafb618e 100644
--- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
@@ -50,8 +50,8 @@ Setting the time zone also changes the times for all Windows Defender ATP views. To set the time zone: 1. Click the **Settings** menu ![Settings icon](images/settings.png). -2. Select the **Timezone:UTC** indicator. -3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**. +2. Select the **Timezone UTC** indicator. +3. Select **Timezone Local** or **-8:00**. ## Suppression rules The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts). diff --git a/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md new file mode 100644 index 0000000000..321924a398 --- /dev/null +++ b/windows/keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md 
@@ -0,0 +1,69 @@
+---
+title: Specify cloud-delivered protection level in Windows Defender Antivirus
+description: Set the aggressiveness of cloud-delivered protection in Windows Defender Antivirus.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Specify the cloud-delivered protection level
+
+
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager (current branch)
+
+You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager.
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+
+
+**Use Group Policy to specify the level of cloud-delivered protection:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**.
+
+1. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+ 1. 
Setting to **Default Windows Defender Antivirus blocking level** will provide strong detection without increasing the risk of detecting legitimate files.
+ 2. Setting to **High blocking level** will apply a strong level of detection. While unlikely, some legitimate files may be detected (although you will have the option to unblock or dispute that detection).
+
+1. Click **OK**.
+
+
+**Use Configuration Manager to specify the level of cloud-delivered protection:**
+
+1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch).
+
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service)
+
+
diff --git a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
index a1a1738dad..2d68063ec7 100644
--- a/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
+++ b/windows/keep-secure/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md
@@ -38,6 +38,7 @@ For encrypting Remote Desktop Services network communication, this policy settin For BitLocker, this policy setting needs to be enabled before any encryption key is generated. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 and later when this policy is enabled are incompatible with BitLocker on operating systems prior to Windows Server 2012 R2 and Windows 8.1; BitLocker will prevent the creation or use of recovery passwords on these systems, so recovery keys should be used instead. +Additionally, if a data drive is password-protected, it can be accessed by a FIPS-compliant computer after the password is supplied, but the drive will be read-only. ### Possible values diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md deleted file mode 100644 index 3d16ef00df..0000000000 --- a/windows/keep-secure/testing-scenarios-for-edp.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Testing scenarios for enterprise data protection (EDP) (Windows 10) -description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip ---- \ No newline at end of file diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index cca0a2fa52..a2d5c9f975 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -14,7 +14,7 @@ localizationpriority: high # Testing scenarios for Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. 
@@ -29,12 +29,12 @@ You can try any of the processes included in these scenarios, but you should foc Encrypt and decrypt files using File Explorer. - For desktop:

    + For desktop:

    1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
      Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
    2. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
      Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
    - For mobile:

    + For mobile:

    1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
    2. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
      Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
    3. @@ -44,11 +44,11 @@ You can try any of the processes included in these scenarios, but you should foc Create work documents in enterprise-allowed apps. - For desktop:

      + For desktop:

        -
      • Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
        Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.

        Important
        Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.

        For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.

      • +
      • Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
        Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.

        Important
        Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.

        For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.
      - For mobile:

      + For mobile:

      1. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
        Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
      2. Open the same document and attempt to save it to a non-work-related location.
        WIP should stop you from saving the file to this location.
      3. @@ -104,7 +104,7 @@ You can try any of the processes included in these scenarios, but you should foc
        1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
          Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
        2. Open File Explorer and make sure your modified files are appearing with a Lock icon.
        3. -
        4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

          Note
          Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

          A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

        5. +
        6. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

          Note
          Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

          A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
        @@ -133,7 +133,7 @@ You can try any of the processes included in these scenarios, but you should foc
        1. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
        2. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
          Both browsers should respect the enterprise and personal boundary.
        3. -
        4. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
          IE11 shouldn't be able to access the sites.

          Note
          Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.

        5. +
        6. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
          IE11 shouldn't be able to access the sites.

          Note
          Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.
        @@ -141,7 +141,7 @@ You can try any of the processes included in these scenarios, but you should foc Verify your Virtual Private Network (VPN) can be auto-triggered.
          -
        1. Set up your VPN network to start based on the WIPModeID setting.
          For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-wip-policy-using-intune.md) topic.
        2. +
        3. Set up your VPN network to start based on the WIPModeID setting.
          For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) topic.
        4. Start an app from your allowed apps list.
          The VPN network should automatically start.
        5. Disconnect from your network and then start an app that isn't on your allowed apps list.
          The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
        @@ -151,7 +151,7 @@ You can try any of the processes included in these scenarios, but you should foc Unenroll client devices from WIP.
          -
        • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
          The device should be removed and all of the enterprise content for that managed account should be gone.

          Important
          On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.

        • +
        • Unenroll a device from WIP by going to Settings, click Accounts, click Work, click the name of the device you want to unenroll, and then click Remove.
          The device should be removed and all of the enterprise content for that managed account should be gone.

          Important
          On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as Revoked and that access is denied for the employee. On mobile devices, the data is removed.
        diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..d1968d5761 --- /dev/null +++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,54 @@
+---
+title: Understand threat intelligence concepts in Windows Defender ATP
+description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Windows Defender Advanced Threat Protection.
+keywords: threat intelligence, alert definitions, indicators of compromise, ioc
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Understand threat intelligence concepts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious.
+
+With Windows Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track.
+
+Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them.
+
+## Alert definitions
+Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. 
Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.
+
+## Indicators of compromise (IOC)
+IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
+
+## Relationship between alert definitions and IOCs
+In the context of Windows Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. For more information on available metadata options, see [Threat Intelligence API metadata](custom-ti-api-windows-defender-advanced-threat-protection.md#threat-intelligence-api-metadata).
+
+Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Windows Defender ATP console.
+
+Here is an example of an IOC:
+ - Type: Sha1
+ - Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
+ - Action: Equals
+
+IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. 
+
+## Related topics
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+- [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..40fc971abf
--- /dev/null
+++ b/windows/keep-secure/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,54 @@
+---
+title: Troubleshoot custom threat intelligence issues in Windows Defender ATP
+description: Troubleshoot issues that might arise when using the custom threat intelligence feature in Windows Defender ATP.
+keywords: troubleshoot, custom threat intelligence, custom ti, rest api, api, alert definitions, indicators of compromise
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Troubleshoot custom threat intelligence issues
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+
+You might need to troubleshoot issues while using the custom threat intelligence feature.
+
+This page provides detailed steps to troubleshoot issues you might encounter while using the feature.
+
+
+## Learn how to get a new client secret
+If your client secret expires or if you've misplaced the copy provided when you were enabling the custom threat intelligence application, you'll need to get a new secret.
+
+1. Login to the [Azure management portal](https://ms.portal.azure.com).
+
+2. Select **Active Directory**.
+
+3. Select your tenant.
+
+4. Click **Application**, then select your custom threat intelligence application. The application name is **WindowsDefenderATPThreatIntelAPI** (formerly known as **WindowsDefenderATPCustomerTiConnector**).
+
+5. Select **Keys** section, then provide a key description and specify the key validity duration.
+
+6. Click **Save**. The key value is displayed.
+
+7. Copy the value and save it in a safe place. 
+
+
+## Related topics
+- [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+- [Create custom alerts using the threat intelligence API](custom-ti-api-windows-defender-advanced-threat-protection.md)
+- [Enable the custom threat intelligence API in Windows Defender ATP](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+- [PowerShell code examples for the custom threat intelligence API](powershell-example-code-windows-defender-advanced-threat-protection.md)
+- [Python code examples for the custom threat intelligence API](python-example-code-windows-defender-advanced-threat-protection.md)
+- [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index e95197be01..a02feda9ea 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ Deployment with the above-mentioned versions of System Center Configuration Mana If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). -If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. +If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. ## Troubleshoot onboarding when deploying with a script on the endpoint 
@@ -119,7 +119,7 @@ ID | Severity | Event description | Troubleshooting steps 1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). ## Troubleshoot onboarding issues on the endpoint -If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: +If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent: - [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) - [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) 
@@ -151,8 +151,21 @@ Event ID | Message | Resolution steps 5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). 6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). 7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again. +9 | Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

        If the event happened during offboarding, contact support. +10 | Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md).

        If the problem persists, contact support. 15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection). +17 | Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md). If the problem persists, contact support. 25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. +27 | Failed to enable Windows Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. +29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the endpoint has Internet access, then run the entire offboarding process again. +30 | Failed to disable $(build.sense.productDisplayName) mode in Windows Defender Advanced Threat Protection. Failure code: %1 | Contact support. +32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. +55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. +64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. +68 | The start type of the service is unexpected. 
Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. +69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists. +
        There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. @@ -229,22 +242,21 @@ If the verification fails and your environment is using a proxy to connect to th **Solution**: If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. -- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are set to ```0``` or that the settings are cleared: +- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: - - ```DisableAntiSpyware``` - - ```DisableAntiVirus``` + - DisableAntiSpyware + - DisableAntiVirus - For example, in Group Policy: + For example, in Group Policy there should be no entries such as the following values: - ``` - ``` + - `````` + - `````` - After clearing the policy, run the onboarding steps again on the endpoint. - You can also check the following registry key values to verify that the policy is disabled: - 1. Open the registry ```key HKEY_LOCAL_MACHINE\ SOFTWARE\Policies\Microsoft\Windows Defender```. - 2. Find the value ```DisableAntiSpyware```. - 3. Ensure that the value is set to 0. + 1. Open the registry ```key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender```. + 2. Ensure that the value ```DisableAntiSpyware``` is not present. ![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png) 
diff --git a/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..c782fef5df
--- /dev/null
+++ b/windows/keep-secure/troubleshoot-siem-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,52 @@
+---
+title: Troubleshoot SIEM tool integration issues in Windows Defender ATP
+description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP.
+keywords: troubleshoot, siem, client secret, secret
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Troubleshoot SIEM tool integration issues
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You might need to troubleshoot issues while pulling alerts in your SIEM tools.
+
+This page provides detailed steps to troubleshoot issues you might encounter.
+
+
+## Learn how to get a new client secret
+If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.
+
+1. Login to the [Azure management portal](https://ms.portal.azure.com).
+
+2. Select **Active Directory**.
+
+3. Select your tenant.
+
+4. Click **Application**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`.
+
+5. Select **Keys** section, then provide a key description and specify the key validity duration.
+
+6. Click **Save**. The key value is displayed.
+
+7. Copy the value and save it in a safe place.
+
+
+## Related topics
+- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 4cb0a35b53..088a82e8d9 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -26,40 +26,15 @@ This section addresses issues that might arise as you use the Windows Defender A If you encounter a server error when trying to access the service, you’ll need to change your browser cookie settings. Configure your browser to allow cookies. -### No data is shown on the portal -If no data is displayed on the Dashboard portal even if no errors were encountered in the portal logs or in the browser console, you'll need to whitelist the threat intelligence, data access, and detonation endpoints that also use this protocol. +### Elements or data missing on the portal +If some UI elements or data is missing on the Windows Defender ATP portal it’s possible that proxy settings are blocking it. + +Make sure that `*.securitycenter.windows.com` is included the proxy whitelist. + > [!NOTE] > You must use the HTTPS protocol when adding the following endpoints. -Depending on your region, add the following endpoints to the whitelist: - -U.S. region: - -- daasmon-cus-prd.cloudapp.net -- daasmon-eus-prd.cloudapp.net -- dataaccess-cus-prd.cloudapp.net -- dataaccess-eus-prd.cloudapp.net -- threatintel-cus-prd.cloudapp.net -- threatintel-eus-prd.cloudapp.net -- winatpauthorization.windows.com -- winatpfeedback.windows.com -- winatpmanagement.windows.com -- winatponboarding.windows.com -- winatpservicehealth.windows.com - -EU region: - -- dataaccess-neu-prd.cloudapp.net -- dataaccess-weu-prd.cloudapp.net -- threatintel-neu-prd.cloudapp.net -- threatintel-weu-prd.cloudapp.net -- winatpauthorization.windows.com -- winatpfeedback.windows.com -- winatpmanagement.windows.com -- winatponboarding.windows.com -- winatpservicehealth.windows.com - ### Windows Defender ATP service shows event or error logs in the Event Viewer See the topic [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) for a list of event IDs that are reported by the Windows Defender ATP service. 
The topic also contains troubleshooting steps for event errors.
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
similarity index 94%
rename from windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
rename to windows/keep-secure/troubleshoot-windows-defender-antivirus.md
index 3730d58e83..4e7c275117 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md
@@ -1,32 +1,45 @@ --- -title: Troubleshoot Windows Defender in Windows 10 (Windows 10) -description: IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. -ms.assetid: EE488CC1-E340-4D47-B50B-35BD23CB4D70 +title: Windows Defender AV event IDs and error codes +description: Look up the causes and solutions for Windows Defender Antivirus event IDs and errors +keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding +search.product: eADQiWindows 10XVcnh +ms.pagetype: security ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium -author: jasesso +author: iaanw --- -# Troubleshoot Windows Defender in Windows 10 +# Review event logs and error codes to troubleshoot issues with Windows Defender AV + **Applies to** -- Windows 10 +- Windows 10 -IT professionals can review information about event IDs in Windows Defender for Windows 10 and see any relevant action they can take. +**Audience** -## Windows Defender client event IDs +- Enterprise security administrators -This section provides the following information about Windows Defender client events: -- The text of the message as it appears in the event -- The name of the source of the message -- The symbolic name that identifies each message in the programming source code -- Additional information about the message +If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. -Use the information in this table to help troubleshoot Windows Defender client events; these are located in the **Windows Event Viewer**, under **Windows Logs**. 
+The tables list: + +- [Windows Defender AV client event IDs](#windows-defender-av-ids) +- [Windows Defender AV client error codes](#error-codes) +- [Internal Windows Defender AV client error codes (used by Microsoft during development and testing)](#internal-error-codes) + + + +## Windows Defender AV client event IDs + +Windows Defender AV records event IDs in the Windows event log. + +You can directly view the event log, or if you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client event IDs](troubleshoot-windows-defender-antivirus.md#windows-defender-av-ids) to review specific events and errors from your endpoints. + +The table in this section lists the main Windows Defender Antivirus client event IDs and, where possible, provides suggested solutions to fix or resolve the error. **To view a Windows Defender client event** @@ -36,7 +49,7 @@ Use the information in this table to help troubleshoot Windows Defender client e 4. In the details pane, view the list of individual events to find your event. 5. Click the event to see specific details about an event in the lower pane, under the **General** and **Details** tabs. -You can find a complete list of the Microsoft antimalware event IDs, the symbol, and the description of each ID in [Windows Server Antimalware Events TechNet](https://technet.microsoft.com/library/dn913615.aspx). + @@ -78,7 +91,7 @@ You can find a complete list of the Microsoft antimalware event IDs, the symbol,
        Scan Resources: <Resources (such as files/directories/BHO) that were scanned.>
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>

        @@ -120,7 +133,7 @@ You can find a complete list of the Microsoft antimalware event IDs, the symbol,
      4. Customer scan
      5. -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Scan Time: <The duration of a scan.>

        @@ -210,7 +223,7 @@ You can find a complete list of the Microsoft antimalware event IDs, the symbol,
      6. Customer scan
      7. -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>

        @@ -254,7 +267,7 @@ You can find a complete list of the Microsoft antimalware event IDs, the symbol,
      8. Customer scan
      9. -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>

        @@ -298,7 +311,7 @@ You can find a complete list of the Microsoft antimalware event IDs, the symbol,
      10. Customer scan
      11. -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> @@ -390,7 +403,7 @@ Description of the error.
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
        Status: <Status>
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Process Name: <Process in the PID>
        Signature Version: <Definition version>
        Engine Version: <Antimalware Engine version>
        @@ -425,7 +438,7 @@ UAC

        Windows Defender has taken action to protect this machine from malware or other potentially unwanted software. For more information please see the following:

        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Name: <Threat name>
        ID: <Threat ID>
        Severity: <Severity>, for example:
          @@ -478,7 +491,7 @@ UAC

        Windows Defender has encountered an error when taking action on malware or other potentially unwanted software. For more information please see the following:

        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Name: <Threat name>
        ID: <Threat ID>
        Severity: <Severity>, for example:
          @@ -549,7 +562,7 @@ Description of the error.
        Category: <Category description>, for example, any threat or malware type.
        Path: <File path>
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Signature Version: <Definition version>
        Engine Version: <Antimalware Engine version>
        @@ -594,7 +607,7 @@ Description of the error.
        Category: <Category description>, for example, any threat or malware type.
        Path: <File path>
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> @@ -643,7 +656,7 @@ For more information please see the following:

        Category: <Category description>, for example, any threat or malware type.
        Path: <File path>
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Signature Version: <Definition version>
        Engine Version: <Antimalware Engine version>
        @@ -688,7 +701,7 @@ For more information please see the following:

        Category: <Category description>, for example, any threat or malware type.
        Path: <File path>
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> @@ -726,7 +739,7 @@ Description of the error.

        Windows Defender has removed history of malware and other potentially unwanted software.

        Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>

        @@ -758,7 +771,7 @@ Description of the error.

        Windows Defender has encountered an error trying to remove history of malware and other potentially unwanted software.

        Time: The time when the event occurred, for example when the history is purged. Note that this parameter is not used in threat events so that there is no confusion regarding whether it is remediation time or infection time. For those, we specifically call them as Action Time or Detection Time.
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
        Error Description: <Error description> @@ -834,7 +847,7 @@ For more information please see the following:

        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
        Status: <Status>
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Process Name: <Process in the PID>
        Signature ID: Enumeration matching severity.
        Signature Version: <Definition version>
        @@ -912,7 +925,7 @@ For more information please see the following:

      12. Remote attestation
      13. Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Process Name: <Process in the PID>
        Signature Version: <Definition version>
        Engine Version: <Antimalware Engine version>
        @@ -995,7 +1008,7 @@ For more information please see the following:

      14. Remote attestation
      15. Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Process Name: <Process in the PID>
        Action: <Action>, for example:
        • Clean: The resource was cleaned
        • @@ -1016,7 +1029,7 @@ Description of the error.
        Engine Version: <Antimalware Engine version>

        NOTE:

        Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

          -
        • Default Internet Explorer or Edge setting
        • +
        • Default Internet Explorer or Microsoft Edge setting
        • User Access Control settings
        • Chrome settings
        • Boot Control Data
        • @@ -1124,7 +1137,7 @@ For more information please see the following:

        • Remote attestation
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Process Name: <Process in the PID>
        Action: <Action>, for example:
        • Clean: The resource was cleaned
        • @@ -1221,7 +1234,7 @@ For more information please see the following:

        • Remote attestation
        Antimalware Scan Interface (AMSI). Primarily used to protect scripts (PS, VBS), though it can be invoked by third parties as well. UAC
        -
        User: <Domain>\<User>
        +
        User: <Domain>\\<User>
        Process Name: <Process in the PID>
        Action: <Action>, for example:
        • Clean: The resource was cleaned
        • @@ -1288,7 +1301,7 @@ Description of the error.
        -

         

        +

        If this event persists:

        1. Run the scan again.
        2. If it fails in the same way, go to the Microsoft Support site, enter the error number in the Search box to look for the error code.
        3. @@ -1333,8 +1346,8 @@ Description of the error. -
          Note  This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
          -
           
          +
          Note This event will only be logged if the following policy is set: ThreatFileHashLogging unsigned.
          +
          @@ -1375,7 +1388,7 @@ Description of the error.

          User action:

          -

          No action is necessary. The Windows Defenderclient is in a healthy state. This event is reported on an hourly basis.

          +

          No action is necessary. The Windows Defender Antivirus client is in a healthy state. This event is reported on an hourly basis.

          @@ -1415,7 +1428,7 @@ Description of the error.
          Update Type: <Update type>, either Full or Delta.
          -
          User: <Domain>\<User>
          +
          User: <Domain>\\<User>
          Current Engine Version: <Current engine version>
          Previous Engine Version: <Previous engine version>
          @@ -1483,7 +1496,7 @@ Description of the error.
          Update Type: <Update type>, either Full or Delta.
          -
          User: <Domain>\<User>
          +
          User: <Domain>\\<User>
          Current Engine Version: <Current engine version>
          Previous Engine Version: <Previous engine version>
          Error Code: <Error code> @@ -1546,7 +1559,7 @@ Description of the error.
          Current Engine Version: <Current engine version>
          Previous Engine Version: <Previous engine version>
          Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
          -
          User: <Domain>\<User>
          +
          User: <Domain>\\<User>

          @@ -1588,7 +1601,7 @@ Description of the error.
          New Engine Version:
          Previous Engine Version: <Previous engine version>
          Engine Type: <Engine type>, either antimalware engine or Network Inspection System engine.
          -
          User: <Domain>\<User>
          +
          User: <Domain>\\<User>
          Error Code: <Error code> Result code associated with threat status. Standard HRESULT values.
          Error Description: <Error description> @@ -2223,19 +2236,6 @@ Description of the error.

          The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.

          -Event ID: 2050

          Symbolic name:

          MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD

          Message:

          The antimalware engine has uploaded a file for further analysis.
          Filename <uploaded filename>
          Sha256: <file SHA>

          Description:

          A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.

          - -Event ID: 2051

          Symbolic name:

          MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED

          Message:

          The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.
          -Filename: <uploaded filename>
          -Sha256: <file SHA>
          -Current Signature Version: <signature version number>
          -Current Engine Version: <engine version number>
          -Error code: <error code>

          Description:

          A file could not be uploaded to the Windows Defender Antimalware cloud.

          User action:

          You can attempt to manually submit the file.

          - - - - - Event ID: 3002 @@ -2284,9 +2284,9 @@ Description of the error.

          User action:

          -

          You should restart the system then run a full scan because it’s possible the system was not protected for some time. +

          You should restart the system then run a full scan because it's possible the system was not protected for some time.

          -

          The Windows Defender client’s real-time protection feature encountered an error because one of the services failed to start. +

          The Windows Defender client's real-time protection feature encountered an error because one of the services failed to start.

          If it is followed by a 3007 event ID, the failure was temporary and the antimalware client recovered from the failure.

          @@ -2710,13 +2710,15 @@ Description of the error. + ## Windows Defender client error codes -If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. -This section provides the following information about Windows Defender client errors. +If Windows Defender Antivirus experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update. +This section provides the following information about Windows Defender Antivirus client errors. - The error code - The possible reason for the error - Advice on what to do now -Use the information in these tables to help troubleshoot Windows Defender error codes. + +Use the information in these tables to help troubleshoot Windows Defender Antivirus error codes. @@ -2963,12 +2965,15 @@ article.

          External error codes -

          You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection. +

          You can only use Windows Defender in Windows 10. For Windows 8, Windows 7 and Windows Vista, you can use System Center Endpoint Protection.

          -

           

          + + +The following error codes are used during internal testing of Windows Defender AV. + @@ -3318,5 +3323,5 @@ article.

          ## Related topics -- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) -- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md) +- [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md index 96a64490d0..efc97f3e17 100644 --- a/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md +++ b/windows/keep-secure/types-of-attacks-for-volume-encryption-keys.md @@ -14,7 +14,7 @@ author: brianlic-msft **Applies to** - Windows 10 -There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. +There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations. 
@@ -40,7 +40,7 @@ Although password protection of the UEFI configuration is important for protecti For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible. -Any changes to the UEFI configuration invalidates the PCR7 and require the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. If an attacker successfully turns off Secure Boot or otherwise changes the UEFI configuration, they will need to enter the BitLocker recovery key, but UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). +Any change to the UEFI configuration invalidates the PCR7 and requires the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. But UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). ### Brute-force Sign-in Attacks diff --git a/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..ba2be9225a --- /dev/null +++ b/windows/keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,37 @@
+---
+title: Use the custom threat intelligence API to create custom alerts
+description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts
+keywords: threat intelligence, alert definitions, indicators of compromise
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+localizationpriority: high
+---
+
+# Use the threat intelligence API to create custom alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
+
+You can use the code examples to guide you in creating calls to the custom threat intelligence API.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization.
+[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API.
+[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
+[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API.
+[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API.
+[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API.
diff --git a/windows/keep-secure/use-group-policy-windows-defender-antivirus.md b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
new file mode 100644
index 0000000000..661ce72277
--- /dev/null
+++ b/windows/keep-secure/use-group-policy-windows-defender-antivirus.md
@@ -0,0 +1,150 @@
+---
+title: Configure Windows Defender AV with Group Policy
+description: Configure Windows Defender AV settings with Group Policy
+keywords: group policy, GPO, configuration, settings
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use Group Policy settings to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints.
+
+In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus**.
+
+6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
+
+7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
+
+The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
+
+
+Location | Setting | Documented in topic
+---|---|---
+Client interface | Enable headless UI mode | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Client interface | Display additional text to clients when they need to perform an action | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppress all notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+Client interface | Suppresses reboot notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+Exclusions | Extension Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Path Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Process Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+Exclusions | Turn off Auto Exclusions | [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+MAPS | Configure the 'Block at First Sight' feature | [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+MAPS | Join Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+MAPS | Send file samples when further analysis is required | [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+MAPS | Configure local setting override for reporting to Microsoft MAPS | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+MpEngine | Configure extended cloud check | [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+MpEngine | Select cloud protection level | [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+Network inspection system | Specify additional definition sets for network traffic inspection | Not used
+Network inspection system | Turn on definition retirement | Not used
+Network inspection system | Turn on protocol recognition | Not used
+Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Quarantine | Configure removal of items from Quarantine folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override for turn on behavior monitoring | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Configure local setting override to turn on real-time protection | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Monitor file and program activity on your computer | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Scan all downloaded files and attachments | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn off real-time protection | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on behavior monitoring | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on process scanning whenever real-time protection is enabled | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Turn on raw volume write notifications | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Real-time protection | Configure monitoring for incoming and outgoing file and program activity | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Remediation | Specify the time of day to run a scheduled full scan to complete remediation | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Reporting | Configure Watson events | Not used
+Reporting | Configure Windows software trace preprocessor components | Not used
+Reporting | Configure WPP tracing level | Not used
+Reporting | Configure time out for detections in critically failed state | Not used
+Reporting | Configure time out for detections in non-critical failed state | Not used
+Reporting | Configure time out for detections in recently remediated state | Not used
+Reporting | Configure time out for detections requiring additional action | Not used
+Reporting | Turn off enhanced notifications | [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+Root | Turn off Windows Defender Antivirus | Not used
+Root | Define addresses to bypass proxy server | Not used
+Root | Define proxy auto-config (.pac) for connecting to the network | Not used
+Root | Define proxy server for connecting to the network | Not used
+Root | Configure local administrator merge behavior for lists | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Root | Allow antimalware service to startup with normal priority | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Allow antimalware service to remain running always | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Turn off routine remediation | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Root | Randomize scheduled task times | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Allow users to pause scan | [Prevent users from seeing or interacting with the Windows Defender AV user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+Scan | Check for the latest virus and spyware definitions before running a scheduled scan | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Scan | Define the number of days after which a catch-up scan is forced | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Turn on catch up full scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Turn on catch up quick scan | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Scan | Configure local setting override for maximum percentage of CPU utilization | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for schedule scan day | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled quick scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for scheduled scan time | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Configure local setting override for the scan type to use for a scheduled scan | [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+Scan | Create a system restore point | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on removal of items from scan history folder | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Scan | Turn on heuristics | [Enable and configure Windows Defender AV always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+Scan | Turn on e-mail scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Turn on reparse point scanning | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Run full scan on mapped network drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan network files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan packed executables | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Scan removable drives | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum depth to scan archive files | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum percentage of CPU utilization during a scan | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the maximum size of archive files to be scanned | [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+Scan | Specify the day of the week to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the interval to run quick scans per day | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Signature updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Signature updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+Signature updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+Signature updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+Signature updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+Signature updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+Signature updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+Signature updates | Turn on scan after signature update | [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
+Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender AV scans](configure-remediation-windows-defender-antivirus.md)
+
+
+
+
+
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
new file mode 100644
index 0000000000..d7904ec127
--- /dev/null
+++ b/windows/keep-secure/use-intune-config-manager-windows-defender-antivirus.md
@@ -0,0 +1,29 @@
+---
+title: Configure Windows Defender AV with Configuration Manager and Intune
+description: Use System Center Configuration Manager and Microsoft Intune to configure Windows Defender AV and Endpoint Protection
+keywords: scep, intune, endpoint protection, configuration
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
+
+If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
+
+In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
+
+See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
+
+For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
+
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
similarity index 66%
rename from windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
rename to windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md
index 0ab40df034..ae1135c98c 100644
--- a/windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md +++ b/windows/keep-secure/use-powershell-cmdlets-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Use PowerShell cmdlets to configure and run Windows Defender in Windows 10 -description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender. +title: Use PowerShell cmdlets to configure and run Windows Defender AV +description: In Windows 10, you can use PowerShell cmdlets to run scans, update definitions, and change settings in Windows Defender Antivirus. keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -12,7 +12,7 @@ localizationpriority: medium author: iaanw --- -# Use PowerShell cmdlets to configure and run Windows Defender +# Use PowerShell cmdlets to configure and manage Windows Defender AV **Applies to:** 
@@ -27,24 +27,30 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel > [!NOTE] > PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). +Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. + +You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md). + PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_. -**Use Windows Defender PowerShell cmdlets** +**Use Windows Defender AV PowerShell cmdlets:** 1. Click **Start**, type **powershell**, and press **Enter**. 2. Click **Windows PowerShell** to open the interface. - > [!NOTE] - > You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. 3. Enter the command and parameters. +> [!NOTE] +> You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. + To open online help for any of the cmdlets type the following: -```text +```PowerShell Get-Help -Online ``` Omit the `-online` parameter to get locally cached help. 
## Related topics -- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) \ No newline at end of file +- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md index 2f238a4d6d..e614c969ca 100644 --- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md 
@@ -41,8 +41,11 @@ Topic | Description [View the Dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues. [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization. -[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. 
+[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. +[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. +[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts. [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert. +[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks. diff --git a/windows/keep-secure/use-wmi-windows-defender-antivirus.md b/windows/keep-secure/use-wmi-windows-defender-antivirus.md new file mode 100644 index 0000000000..39b5a2ad99 --- /dev/null +++ b/windows/keep-secure/use-wmi-windows-defender-antivirus.md 
@@ -0,0 +1,36 @@
+---
+title: Configure Windows Defender AV with WMI
+description: Use WMI scripts to configure Windows Defender AV.
+keywords: wmi, scripts, windows management instrumentation, configuration
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
+
+**Applies to:**
+
+- Windows 10
+
+Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
+
+Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
+
+Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
+
+The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
+
+Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI.
+
+You can [configure which settings can be overridden locally with local policy overrides](configure-local-policy-overrides-windows-defender-antivirus.md).
+
+## Related topics
+
+- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md
index f99f10fb6f..eaf4299596 100644
--- a/windows/keep-secure/using-owa-with-wip.md
+++ b/windows/keep-secure/using-owa-with-wip.md
@@ -1,32 +1,33 @@ --- -title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10) -description: Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration +title: Using Outlook on the web with Windows Information Protection (WIP) (Windows 10) +description: Options for using Outlook on the web with Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security +author: eross-msft localizationpriority: high --- -# Using Outlook Web Access with Windows Information Protection (WIP) +# Using Outlook on the web with Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1607 and later - Windows 10 Mobile >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). -Because Outlook Web Access (OWA) can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): +Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): -|Option |OWA behavior | +|Option |Outlook on the web behavior | |-------|-------------| -|Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. | -|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. 
This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. | -|Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | +|Disable Outlook on the web. Employees can only use Microsoft Outlook 2016 or the Mail for Windows 10 app. | Disabled. | +|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into Outlook on the web receive prompts and that files downloaded from Outlook on the web aren't automatically protected as corporate data. | +|Add outlook.office.com to the Cloud resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | >[!NOTE] ->These limitations don’t apply to Outlook 2016 or to the Office 365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. +>These limitations don’t apply to Outlook 2016, the Mail for Windows 10 app, or the Calendar for Windows 10 app. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. diff --git a/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md new file mode 100644 index 0000000000..bd45aa1d5f --- /dev/null +++ b/windows/keep-secure/utilize-microsoft-cloud-protection-windows-defender-antivirus.md 
@@ -0,0 +1,57 @@
+---
+title: Utilize cloud-delivered protection in Windows Defender Antivirus
+description: Cloud-delivered protection provides an advanced level of fast, robust antivirus detection.
+keywords: windows defender antivirus, antimalware, security, defender, cloud, cloud-delivered protection
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus
+
+**Applies to:**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- Enterprise security administrators
+
+Cloud-delivered protection for Windows Defender Antivirus, also referred to as Microsoft Advanced Protection Service (MAPS), provides you with strong, fast protection in addition to our standard real-time protection.
+
+
+
+>[!NOTE]
+>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
+
+Enabling cloud-delivered protection helps detect and block new malware - even if the malware has never been seen before - without needing to wait for a traditionally delivered definition update to block it. Definition updates can take hours to prepare and deliver, while our cloud service can deliver updated protection in seconds.
+
+Cloud-delivered protection is enabled by default, however you may need to re-enable it if it has been disabled as part of previous organizational policies.
+
+The following table describes the differences in cloud-based protection between recent versions of Windows and System Center Configuration Manager.
+
+
+Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | Configuration manager 2012 | Configuration manager (current branch) | Microsoft Intune
+---|---|---|---|---|---|---
+Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service
+Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version
+Block at first sight availability | No | Yes | Yes | Not configurable | Configurable | No
+Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | No
+
+You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates).
+
+
+## In this section
+
+ Topic | Description
+---|---
+[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with System Center Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets.
+[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and System Center Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked.
+[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
+[Configure the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for a traditional signature. You can enable and configure it with System Center Configuration Manager and Group Policy.
+[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-based protection service. You can configure the amount of time the file will be prevented from running with System Center Configuration Manager and Group Policy.
\ No newline at end of file
diff --git a/windows/keep-secure/why-a-pin-is-better-than-a-password.md b/windows/keep-secure/why-a-pin-is-better-than-a-password.md
deleted file mode 100644
index 1640262ffd..0000000000
--- a/windows/keep-secure/why-a-pin-is-better-than-a-password.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Why a PIN is better than a password (Windows 10)
-description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
-ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
-keywords: pin, security, password, hello
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-why-pin-is-better-than-password
----
-
-# Why a PIN is better than a password
-
diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md
index 0ed2aa1d28..496bb6addb 100644
--- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -14,7 +14,7 @@ author: challum ## Purpose -Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. +This section offers overviews to help you understand selected enterprise-level security technologies, such as technologies to control the health of Windows 10-based devices. ## In this section @@ -39,8 +39,12 @@ Get proven guidance to help you better secure and protect your enterprise by usi - - + + + + + +
          Internal error codes

          This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.

          [Windows 10 security overview](windows-10-security-guide.md)

          This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. Wherever possible, specific recommendations are provided to help you implement and configure Windows 10 security features.

          [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md)

          This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the Microsoft Download Center.

          [How to use single sign on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)

          This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.

diff --git a/windows/keep-secure/windows-10-security-guide.md b/windows/keep-secure/windows-10-security-guide.md
deleted file mode 100644
index 6333401752..0000000000
--- a/windows/keep-secure/windows-10-security-guide.md
+++ /dev/null
@@ -1,806 +0,0 @@ ---- -title: Windows 10 security overview (Windows 10) -description: This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. -ms.assetid: 4561D80B-A914-403C-A17C-3BE6FC95B59B -keywords: configure, feature, file encryption -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -localizationpriority: high -author: challum ---- - -# Windows 10 security overview - -**Applies to** -- Windows 10 - -This guide provides a detailed description of the most important security improvements in the Windows 10 operating system, with links to more detailed articles about many of its security features. Wherever possible, specific recommendations are provided to help you implement and configure Windows 10 security features. - -#### Introduction - -Windows 10 is designed to protect against known and emerging security threats across the spectrum of attack vectors. Three broad categories of security work went into Windows 10: -- [**Identity and access control**](#identity-and-access-control) features have been greatly expanded to both simplify and enhance the security of user authentication. These features include Windows Hello for Business, which better protects user identities through easy-to-deploy and easy-to-use multifactor authentication (MFA). Another new feature is Credential Guard, which uses virtualization-based security (VBS) to help protect the Windows authentication subsystems and users’ credentials. -- [**Information protection**](#information) that guards information at rest, in use, and in transit. 
In addition to BitLocker and BitLocker To Go for protection of data at rest, Windows 10 includes file-level encryption with Enterprise Data Protection that performs data separation and containment and, when combined with Rights Management services, can keep data encrypted when it leaves the corporate network. Windows 10 can also help keep data secure by using virtual private networks (VPNs) and Internet Protocol Security. -- [**Malware resistance**](#malware) includes architectural changes that can isolate critical system and security components from threats. Several new features in Windows 10 help reduce the threat of malware, including VBS, Device Guard, Microsoft Edge, and an entirely new version of Windows Defender. In addition, the many antimalware features from the Windows 8.1 operating system— including AppContainers for application sandboxing and numerous boot-protection features, such as Trusted Boot—have been carried forward and improved in Windows 10. - -## Identity and access control - -Traditionally, access control is a process that has three components: -- **Identification** - when a user asserts a unique identity to the computer system for the purpose of gaining access to a resource, such as a file or a printer. In some definitions, the user is called the subject and the resource is the object. -- **Authentication** - the process of proving the asserted identity and verification that the subject is indeed *the* subject. -- **Authorization** - performed by the system to compare the authenticated subject’s access rights against the object’s permissions and either allow or deny the requested access. - -The way these components are implemented makes the difference in stopping attackers from accessing secret data. Only a user who proves his or her identity – and is authorized to access that data – will access it. But in security, there are varying degrees of identity proof and many different requirements for authorization limits. 
The access control flexibility needed in most corporate environments presents a challenge for any operating system. Table 1 lists typical Windows access control challenges and the Windows 10 solutions. - -Table 1. Windows 10 solutions to typical access control challenges - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Access control challengeWindows 10 solutions

          Organizations frequently use passwords because the alternative methods are too complex and costly to deploy.

          -

          Organizations that choose password alternatives such as smart cards must purchase and manage smart card readers, smart cards, and management software. These solutions delay productivity when the MFA component is lost or damaged. Consequently, MFA solutions like smart cards tend to be used only for VPN and select assets.

          Windows Hello for Business enables simpler MFA.

          Tablet users must type their password on a touchscreen, which is error prone and less efficient than a keyboard.

          Windows Hello enables secure facial recognition–based authentication.

          IT must purchase and manage non-Microsoft tools to meet regulatory requirements for access control and auditing.

          Combined with the Windows Server 2012 operating system, Dynamic Access Control provides flexible access control and auditing designed to meet many government security and regulatory requirements.

          Users dislike typing their passwords.

          Single sign-on (SSO) allows users to sign in once with Windows Hello and get access to all corporate resources without the need to re-authenticate.

          -

          Windows Hello enables secure fingerprint- and facial recognition–based authentication and can be used to revalidate user presence when sensitive resources are accessed.

          Windows adds increasing delays between logon attempts and can lock out a user account when it detects brute-force attacks.

          When BitLocker is enabled on the system drive and brute-force protection is enabled, Windows can restart the PC after a specified number of incorrect password entries, lock access to the hard drive, and require the user to type the 48-character BitLocker recovery key to start the device and access the disk.

          -  -The sections that follow describe these challenges and solutions in more detail. - -### Windows Hello - -Windows Hello provides strong two-factor authentication (2FA), fully integrated into Windows, and replaces passwords with the combination of an enrolled device and either a PIN or biometric gesture. Windows Hello is conceptually similar to smart cards but more flexible. Authentication is performed by using an asymmetric key pair instead of a string comparison (for example, password), and the user’s key material can be secured by using hardware. -Unlike smart cards, Windows Hello does not require the extra infrastructure components required for smart card deployment. In particular, you do not need public key infrastructure (PKI). If you already use PKI – for example, in secure email or VPN authentication – you can use the existing infrastructure with Windows Hello. Windows Hello combines the major advantages of smart card technology – deployment flexibility for virtual smart cards and robust security for physical smart cards – without any of their drawbacks. - ->[!NOTE] ->When Windows 10 first shipped, it included **Microsoft Passport** and **Windows Hello**, which worked together to provide multifactor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the **Windows Hello** name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. - -Windows Hello offers three significant advantages over the current state of Windows authentication: It’s more flexible, it’s based on industry standards, and it effectively mitigates risks. The sections that follow look at each of these advantages in more detail. - -#### It’s flexible - -Windows Hello offers unprecedented flexibility. 
Although the format and use of passwords and smart cards is fixed, Windows Hello gives both administrators and users options to manage authentication. First and foremost, Windows Hello works with biometric sensors and PINs. Next, you can use your PC or even your phone as one of the factors to authenticate on your PC. Finally, your user credentials can come from your PKI infrastructure, or Windows can create the credential itself. - -MWindows Hello gives you options beyond long, complex passwords. Instead of requiring users to memorize and retype frequently-changed passwords, Windows Hello enables PIN- and biometrics-based authentication to securely identify users. - -With Windows Hello for Business, you gain flexibility in the data center, too. To deploy it, you must add Windows Server 2016 domain controllers to your Active Directory environment, but you do not have to replace or remove your existing Active Directory servers: Windows Hello for Business builds on and adds to your existing infrastructure. You can either add on premises servers or use Microsoft Azure Active Directory to deploy Windows Hello for Business to your network. The choice of which users to enable for Windows Hello for Business use is completely up to you – you choose which items to protect and which authentication factors you want to support. This flexibility makes it easy to use Windows Hello for Business to supplement existing smart card or token deployments by adding 2FA to users who do not currently have it, or to deploy Windows Hello for Business in scenarios that call for extra protection for sensitive resources or systems. - -#### It’s standardized - -Both software vendors and enterprise customers have come to realize that proprietary identity and authentication systems are a dead end: The future lies with open, interoperable systems that allow secure authentication across a variety of devices, line of business (LOB) apps, and external applications and websites. 
To this end, a group of industry players formed FIDO, the Fast IDentity Online Alliance. The FIDO Alliance is a nonprofit organization intended to address the lack of interoperability among strong authentication devices, as well as the problems users face when they need to create and remember multiple user names and passwords. The FIDO Alliance plans to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. This new standard for security devices and browser plug ins will allow any website or cloud application to interface with a broad variety of existing and future FIDO-enabled devices that the user has for online security. - -In 2014, Microsoft joined the board of the [FIDO Alliance](https://go.microsoft.com/fwlink/p/?LinkId=626934). FIDO standards enable a universal framework that a global ecosystem delivers for a consistent and greatly improved user experience of strong password-less authentication. The FIDO 1.0 specifications, published in December 2014, provide for two types of authentications: password-less (known as UAF) and second factor (U2F). The FIDO Alliance is working on a set of 2.0 proposals that incorporate the best ideas from its U2F and UAF FIDO 1.0 standards, and of course, on new ideas. Microsoft has contributed Windows Hello technology to the FIDO 2.0 specification workgroup for review and feedback and continues to work with the FIDO Alliance as the FIDO 2.0 specification moves forward. Interoperability of FIDO products is a hallmark of FIDO authentication. Microsoft believes that bringing a FIDO solution to market will help solve a critical need for enterprises and consumers alike. - -#### It’s effective - -Windows Hello effectively mitigates two major security risks. 
First, it eliminates the use of passwords for sign-in and so reduces the risk that a nefarious attacker will steal and reuse the user’s credentials. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Second, because Windows Hello uses asymmetrical key pairs, users credentials can’t be stolen in cases where the identity provider or websites the user accesses have been compromised. - -To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user’s biometrics or guess his or her PIN—and all of this must be done before TPM anti-hammer capabilities lock the device. This sets the bar magnitudes of order higher than password phishing attacks. - -### Biometric sign-in - -Because biometric authentication is built directly into the operating system, Windows Hello allows users to unlock their devices by using their face or fingerprint. From here, authentication to the devices and resources is enabled through a combination of the user’s unique biometric identifier and the device itself. - -The user’s biometric data that is used for Windows Hello is considered a local gesture and consequently doesn’t roam among a user’s devices and is not centrally stored. The biometric image of the user the sensor takes is converted into an algorithmic form that cannot be converted back into the original image that the sensor took. Devices that have TPM 2.0 encrypt the biometric data in a form that makes it unreadable if the data is ever removed from the device. If multiple users share a device, each user will be able to enroll and use Windows Hello for his or her Windows profile. 
- -Windows Hello supports two biometric sensor options that are suitable for enterprise scenarios: - -- **Facial recognition** uses special infrared cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping integrated devices with facial-recognition technology. -- **Fingerprint recognition** uses a fingerprint sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running Windows for years, the detection, antispoofing, and recognition algorithms in Windows 10 are more advanced than previous Windows versions. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) can be used with Windows Hello. - -Windows Hello offers several major benefits. First, it addresses the problems of credential theft and sharing, because an attacker must obtain the device and impersonate the user’s biometric identity, which is more difficult than stealing a password or PIN. Second, the use of biometrics gives users an authenticator that’s always with them – there’s nothing to forget, lose, or leave behind. Instead of worrying about memorizing long, complex passwords, users can take advantage of a convenient, secure method for logging in to all their Windows devices. Finally, there’s nothing additional to deploy or manage. Because Windows Hello support is built directly into the operating system, -there are no additional drivers to deploy. - -### Brute-force attack resistance - -A brute-force attack is the process used to break into a device simply by guessing a user’s password, PIN, or even his or her biometric identity over and over until the attacker gets it right. Over the last several versions of Windows, Microsoft has added features that dramatically reduce the chances that such an attack would succeed. 
- -The Windows 7 operating system and previous versions defended against brute-force attacks in a straightforward way: they slowed or prevented additional guesses after multiple mistakes. When users use a full password to log on, Windows forces users to wait several seconds between attempts if they type their password incorrectly multiple times. You can even choose to have Windows lock out an account for a period of time when it detects a brute-force attack. -Windows 8.1 and Windows 10 support an even more powerful – but optional – form of brute-force protection when the credentials are tied to TPM. If the operating system detects a brute-force attack against the Windows sign-in and BitLocker protects the system drive, Windows can automatically restart the device and put it in BitLocker recovery mode until someone enters a recovery key password. This password is a virtually unguessable 48-character recovery code that must be used before Windows will be able to start normally. - -If you’re interested in learning how to configure brute-force protection, use a test Windows 10 PC on which BitLocker protection is enabled for the system drive, and then print the BitLocker recovery key to ensure that you have it available. Then, open the Local Group Policy Editor by running **gpedit.msc**, and go to Computer Configuration\\Windows Settings\\Security Settings\\Security Options. Open the policy **Interactive Login: Machine Account Lockout Threshold**, and set the value to **5**, as shown in Figure 1. - -![Machine lockout threshold](images/security-fig1-invalidaccess.png "Machine lockout threshold") - -Figure 1. Set the number of invalid access attempts prior to lockout - -Now, your PC is configured with brute-force protection. Restart your PC. When prompted to log on, mistype your password until the PC restarts. Now, try to guess the 48-character recovery key. You will be glad you printed it out beforehand. 
- -## Information protection - -When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives; in Windows 10, BitLocker will even protect individual files, with data loss prevention capabilities. Windows consistently improves data protection by improving existing options and by providing new strategies. - -Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7. - -Table 2. Data Protection in Windows 10 and Windows 7 - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Windows 7Windows 10

          When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely.

          Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

          -

          Network Unlock allows PCs to start automatically when connected to the internal network.

          Users must contact the IT department to change their BitLocker PIN or password.

          Modern Windows devices no longer require a PIN in the pre-boot environment to protect BitLocker encryption keys from cold boot attacks.

          -

          Users who have standard privileges can change their BitLocker PIN or password on legacy devices that require a PIN.

          When BitLocker is enabled, the provisioning process can take several hours.

          BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers.

          There is no support for using BitLocker with self-encrypting drives (SEDs).

          BitLocker supports offloading encryption to encrypted hard drives.

          Administrators have to use separate tools to manage encrypted hard drives.

          BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them.

          Encrypting a new flash drive can take more than 20 minutes.

          Used Space Only encryption in BitLocker To Go allows users to encrypt drives in seconds.

          BitLocker could require users to enter a recovery key when system configuration changes occur.

          BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password.

          Users need to enter a PIN to start the PC, and then their password to sign in to Windows.

          Modern Windows devices are increasingly protected with device encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks.

          - -The sections that follow describe these improvements in more detail. - -### Prepare for drive and file encryption - -The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid. -Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 10 meets your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth. - -#### TPM pre-provisioning - -In Windows 7, preparing the TPM for use offered a couple of challenges: - -* You can turn on the TPM in the BIOS, which requires someone to either go into the BIOS settings to turn it on or to install a driver to turn it on from within Windows. -* When you enable the TPM, it may require one or more restarts. - -Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled. - -Microsoft includes instrumentation in Windows 10 that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated. - -### Deploy hard drive encryption - -BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. 
With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker. -With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10. - -#### Device encryption - -Beginning in Windows 8.1, Windows automatically enables BitLocker device encryption on devices that support InstantGo. With Windows 10, Microsoft offers device encryption support on a much broader range of devices, including those that are InstantGo. Microsoft expects that most devices in the future will pass the testing requirements, which makes device encryption pervasive across modern Windows devices. Device encryption further protects the system by transparently implementing device-wide data encryption. - -Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: - -* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, device encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). 
-* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
-* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
-* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
-
-Microsoft recommends that device encryption be enabled on any systems that support it, but the automatic device encryption process can be prevented by changing the following registry setting:
-- **Subkey**: HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\BitLocker
-- **Value**: PreventDeviceEncryption equal to True (1)
-- **Type**: REG\_DWORD
-
-Administrators can manage domain-joined devices that have device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
-
-#### Used Disk Space Only encryption
-
-BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted, in which case traces of the confidential data could remain on portions of the drive marked as unused.
-But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
-Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
-
-#### Encrypted hard drive support
-
-SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
-Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
-For more information about encrypted hard drives, see [Encrypted Hard Drive](https://go.microsoft.com/fwlink/p/?LinkId=733880).
-
-### Preboot information protection
-
-An effective information protection implementation, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
-It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
-Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place.
The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information about how to configure BitLocker for SSO, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
-
-### Manage passwords and PINs
-
-When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
-
-Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
-Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often.
In addition, InstantGo devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
-For more information about how startup security works and the countermeasures that Windows 10 provides, see [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md).
-
-### Configure Network Unlock
-
-Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
-
-Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
-Network Unlock requires the following infrastructure:
-
-* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
-* A server running Windows Server 2012 with the Windows Deployment Services role
-* A server with the DHCP server role installed
-
-For more information about how to configure Network Unlock, see [BitLocker: How to enable Network Unlock](https://go.microsoft.com/fwlink/p/?LinkId=733905).
-
-### Microsoft BitLocker Administration and Monitoring
-
-Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
-
-* Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
-* Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
-* Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
-* Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
-* Enables end users to recover encrypted devices independently by using the Self-Service Portal.
-* Enables security officers to easily audit access to recovery key information.
-* Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
-* Enforces the BitLocker encryption policy options that you set for your enterprise.
-* Integrates with existing management tools, such as System Center Configuration Manager.
-* Offers an IT-customizable recovery user experience.
-* Supports Windows 10.
-
-For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](https://go.microsoft.com/fwlink/p/?LinkId=626935) on the MDOP TechCenter.
-
-## Malware resistance
-
-In movies, security threats always seem to be initiated by a nefarious hacker sitting in front of a monitor with green text scrolling across it. In the real world, the vast majority of security threats occur without any human interaction at all. Just as software has automated so much of our lives, malware has automated attacks on our PCs. Those attacks are relentless. Malware is constantly changing, and when it infects a PC, it can in some cases be extremely difficult to detect and remove.
- -Prevention is the best bet, and Windows 10 provides strong malware resistance because it takes advantage of secure hardware, which secures the startup process, the core operating system architecture, and the desktop. - -Table 3 lists specific malware threats and the mitigation that Windows 10 provides. - -Table 3. Threats and Windows 10 mitigations - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ThreatWindows 10 mitigation

          "Man in the middle" attacks, when an attacker reroutes communications between two users through the attacker's computer without the knowledge of the two communicating users

          Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

          Firmware bootkits replace the firmware with malware.

          All certified PCs include a UEFI with Secure Boot, which requires signed firmware for updates to UEFI and Option ROMs.

          Bootkits start malware before Windows starts.

          UEFI Secure Boot verifies Windows bootloader integrity to ensure that no malicious operating system can start before Windows.

          System or driver rootkits start kernel-level malware while Windows is starting, before Windows Defender and antimalware solutions can start.

          Windows Trusted Boot verifies Windows boot components; Microsoft drivers; and the Early Launch Antimalware (ELAM) antimalware driver, which verifies non-Microsoft drivers.

          -

          Measured Boot runs in parallel with Trusted Boot and can provide information to a remote server that verifies the boot state of the device to help ensure Trusted Boot and other boot components successfully checked the system.

          User-level malware exploits a vulnerability in the system or an application and owns the device.

          Improvements to address space layout randomization (ASLR), Data Execution Prevention (DEP), the heap architecture, and memory-management algorithms reduce the likelihood that vulnerabilities can enable successful exploits.

          -

          Protected Processes isolates nontrusted processes from each other and from sensitive operating system components.

          -

          VBS, built on top of Microsoft Hyper-V, protects sensitive Windows processes from the Windows operating system by isolating them from user mode processes and the Windows kernel.

          -

          Configurable code integrity enforces administrative policies to select exactly which applications are allowed to run in user mode. No other applications are permitted to run.

          Users download dangerous software (for example, a seemingly legitimate application with an embedded Trojan horse) and run it without knowledge of the risk.

          The SmartScreen Application Reputation feature is part of the core operating system; Microsoft Edge and Internet Explorer can use this feature either to warn users or to block users from downloading or running potentially malicious software.

          Malware exploits a vulnerability in a browser add-on.

          Microsoft Edge is a Universal App that does not run older binary extensions, including Microsoft Active X and Browser Helper Objects (BHO) frequently used for toolbars, thus eliminating these risks.

          A website that includes malicious code exploits a vulnerability in Microsoft Edge and IE to run malware on the client PC.

          Both Microsoft Edge and IE include Enhanced Protected Mode, which uses AppContainer-based sandboxing to protect the system from vulnerabilities that may be discovered in the extensions running in the browser (for example, Adobe Flash, Java) or the browser itself.

          -  -The sections that follow describe these improvements in more detail. - -**SMB hardening improvements for SYSVOL and NETLOGON connections** - -In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). -- **What value does this change add?** -This change reduces the likelihood of man-in-the-middle attacks. -- **What works differently?** -If SMB signing and mutual authentication are unavailable, a Windows 10 or Windows Server 2016 computer won’t process domain-based Group Policy and scripts. ->[!NOTE] ->The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. - -For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://go.microsoft.com/fwlink/p/?LinkId=789216) and [MS15-011 & MS15-014: Hardening Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=789215). - -#### Secure hardware - -Although Windows 10 is designed to run on almost any hardware capable of running Windows 8, Windows 7, or Windows Vista, taking full advantage of Windows 10 security requires advancements in hardware-based security, including UEFI with Secure Boot, CPU virtualization features (for example, Intel VT-x), CPU memory-protection features (for example, Intel VT-d), TPM, and biometric sensors. - -#### UEFI with Secure Boot - -When a PC starts, it begins the process of loading the operating system by locating the bootloader on the PC’s hard drive. Without safeguards in place, the PC may simply hand control over to the bootloader without even determining whether it is a trusted operating system or malware. - -UEFI is a standards-based solution that offers a modern-day replacement for the BIOS. 
In fact, it provides the same functionality as BIOS while adding security features and other advanced capabilities. Like BIOS, UEFI initializes devices, but UEFI components with the Secure Boot feature (version 2.3.1 or later) also ensure that only trusted firmware in Option ROMs, UEFI apps, and operating system bootloaders can start on the device.
-
-UEFI can run internal integrity checks that verify the firmware’s digital signature before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI has protection from firmware bootkits. Thus, UEFI is the first link in the chain of trust.
-
-UEFI with Secure Boot became a hardware requirement starting with Windows 8 devices. If a PC supports UEFI, it must be enabled by default. It is possible to disable the Secure Boot feature on many devices, but Microsoft strongly discourages doing so because it dramatically reduces the security of the startup process.
-
-When a PC with UEFI and Secure Boot starts, the UEFI firmware verifies the bootloader’s digital signature to verify that it has not been modified after it was digitally signed. The firmware also verifies that a trusted authority issued the bootloader’s digital signature. This check helps to ensure that the system starts only after checking that the bootloader is both trusted and unmodified since signing.
-
-All Windows 8 certified PCs must meet several requirements related to Secure Boot:
-
-* They must have Secure Boot enabled by default.
-* They must trust Microsoft’s certification authority (CA) and thus any bootloader Microsoft has signed.
-* They must allow the user to add signatures and hashes to the UEFI database.
-* They must allow the user to completely disable Secure Boot (although administrators can restrict this).
-
-This behavior doesn’t limit the choice of operating system.
In fact, users typically have three options for running non-Microsoft operating systems: - -- **Use an operating system with a Microsoft-signed bootloader.** Microsoft offers a service to sign non-Microsoft bootloaders so that they can be used on the device. In this case, a signature from the Microsoft third-party UEFI -CA is used to sign the non-Microsoft bootloader, and the signature itself is added to the UEFI database. Several non-Microsoft operating systems, including several varieties of Linux, have had their bootloaders signed by Microsoft so that they can take advantage of the Secure Boot capability. For more information about the Microsoft third-party UEFI signing policy, read [Microsoft UEFI CA Signing policy updates](https://go.microsoft.com/fwlink/p/?LinkId=626936) and [Pre-submission testing for UEFI submissions](https://go.microsoft.com/fwlink/p/?LinkId=626937). - - >[!NOTE]  - >PCs configured to use Device Guard boot only a secured version of Windows and do not permit a third-party bootloader. For more information, see the [Device Guard](#device-guard) section of this document. -   -- **Configure UEFI to trust a non–Microsoft-signed bootloader or hashes.** Some Certified For Windows 8 or later PCs allow users to add noncertified bootloaders through a signature or hashes sent to the UEFI database, which allows them to run any operating system without Microsoft signing it. -- **Turn off Secure Boot.**Windows 8 certified PCs allow users to turn off Secure Boot so they can run unsigned operating systems. In this mode, the behavior is identical to PCs that have BIOS: The PC simply runs the bootloader without any verification. Microsoft strongly recommends that Secure Boot remain enabled whenever the device starts so that it can help prevent bootkit infections. 
- ->[!NOTE]   ->With Windows 10, original equipment manufacturers (OEMs) have the ability to ship built-to-order PCs that lock down UEFI Secure Boot so that it cannot be disabled and allows only the operating system of the customer’s choice to start on the device. -   -Windows, apps, and even malware cannot change the UEFI configuration. Instead, users must be physically present to manually boot a PC into a UEFI shell, and then change UEFI firmware settings. For more information about UEFI Secure Boot, read [Protecting the pre-OS environment with UEFI](https://go.microsoft.com/fwlink/p/?LinkId=626938). - -#### Virtualization-based security - -One of the most powerful changes to Windows 10 is virtual-based security. Virtual-based security (VBS) takes advantage of advances in PC virtualization to change the game when it comes to protecting system components from compromise. VBS is able to isolate some of the most sensitive security components of Windows 10. These security components aren’t just isolated through application programming interface (API) restrictions or a middle-layer: They actually run in a different virtual environment and are isolated from the Windows 10 operating system itself. - -VBS and the isolation it provides is accomplished through the novel use of the Hyper V hypervisor. In this case, instead of running other operating systems on top of the hypervisor as virtual guests, the hypervisor supports running the VBS environment in parallel with Windows and enforces a tightly limited set of interactions and access between the environments. - -Think of the VBS environment as a miniature operating system: It has its own kernel and processes. Unlike Windows, however, the VBS environment runs a micro-kernel and only two processes called trustlets: - -- **Local Security Authority (LSA)** enforces Windows authentication and authorization policies. LSA is a well-known security component that has been part of Windows since 1993. 
Sensitive portions of LSA are isolated within the VBS environment and are protected by a new feature called Credential Guard.
-- **Hypervisor-enforced code integrity** verifies the integrity of kernel-mode code prior to execution. This is a part of the [Device Guard](#device-guard) feature described later in this document.
-VBS provides two major improvements in Windows 10 security: a new trust boundary between key Windows system components and a secure execution environment within which they run. A trust boundary between key Windows system components is enabled though the VBS environment’s use of platform virtualization to isolate the VBS environment from the Windows operating system. Running the VBS environment and Windows operating system as guests on top of Hyper-V and the processor’s virtualization extensions inherently prevents the guests from interacting with each other outside the limited and highly structured communication channels between the trustlets within the VBS environment and Windows operating system.
-
-VBS acts as a secure execution environment because the architecture inherently prevents processes that run within the Windows environment – even those that have full system privileges – from accessing the kernel, trustlets, or any allocated memory within the VBS environment. In addition, the VBS environment uses TPM 2.0 to protect any data that is persisted to disk. Similarly, a user who has access to the physical disk is unable to access the data in an unencrypted form.
-
-The VBS architecture is illustrated in Figure 2.
-
-![Example of VBS architecture](images/security-fig2-vbsarchitecture-redo.png "Example of VBS architecture")
-
-Figure 2.
The VBS architecture
-
-Note that VBS requires a system that includes:
-
-* Windows 10 Enterprise Edition
-* A 64-bit processor
-* UEFI with Secure Boot
-* Second-Level Address Translation (SLAT) technologies (for example, Intel Extended Page Tables \[EPT\], AMD Rapid Virtualization Indexing \[RVI\])
-* Virtualization extensions (for example, Intel VT-x, AMD RVI)
-* I/O memory management unit (IOMMU) chipset virtualization (Intel VT-d or AMD-Vi)
-* TPM 2.0
-
-#### Trusted Platform Module
-
-A TPM is a tamper-resistant cryptographic module designed to enhance the security and privacy of computing platforms. The TPM is incorporated as a component in a trusted computing platform like a personal computer, tablet, or phone. The computing platform is specially designed to work with the TPM to support privacy and security scenarios that cannot be achieved through software alone. A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, a key created in a TPM with the property that it can never be exported from the TPM really means the key cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling reliable report of the software used to start a platform.
-The functionality a TPM provides includes:
-
-- **Cryptographic key management.** Create, store, and permit the use of keys in defined ways.
-- **Safeguarding and reporting integrity measurements.** Software used to boot the platform can be recorded in the TPM and used to establish trust in the software running on the platform.
-- **Prove a TPM is really a TPM.** The TPM’s capabilities are so central to protecting privacy and security that a TPM needs to be able to differentiate itself from malware that masquerades as a TPM.
-
-Microsoft combined this small list of TPM benefits with Windows 10 and other hardware security technologies to provide practical security and privacy benefits.
-
-Among other functions, Windows 10 uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and the many other keys that the TPM is used to generate. Windows 10 also uses the TPM to securely record and protect integrity-related measurements of select hardware and Windows boot components for the [Measured Boot](#measured-boot) feature described later in this document. In this scenario, Measured Boot measures each component, from firmware up through the drivers, and then stores those measurements in the PC’s TPM. From there, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 PC.
-
-Windows 10 supports TPM implementations that comply with either the 1.2 or 2.0 standards. Several improvements have been made in the TPM 2.0 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. At the time the TPM 1.2 standard was created in the early 2000s, these algorithms were considered cryptographically strong. Since that time, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection as well as the ability to plug in algorithms that may be preferred in certain geographies or industries. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself.
-
-TPM is usually assumed to be implanted in hardware on a motherboard as a discrete module, but TPM can also be effective when implemented in firmware. Windows 10 supports both discrete and firmware TPM that complies with the 2.0 standard (1.2 can only be discrete).
Windows does not differentiate between discrete and firmware-based solutions because they must meet the same requirements; therefore, any Windows feature that can take advantage of TPM can use either implementation. - ->[!NOTE]  ->Microsoft will not initially require new Windows 10 PCs to include TPM support. Microsoft will require systems to include a TPM 2.0 beginning one year from the launch of Windows 10, however, to give manufacturers enough time to incorporate this critical functionality and to give IT pros enough time to determine which benefits they will leverage. -  -Several Windows 10 security features require TPM: -* Virtual smart cards -* Measured Boot -* Health attestation (requires TPM 2.0 or later) -* InstantGo (requires TPM 2.0 or later) - -Other Windows 10 security features like BitLocker may take advantage of TPM if it is available but do not require it to work. An example of this is Windows Hello for Business. - -All of these features are covered in this document. - -#### Biometrics - -You read in the [Windows Hello](#windows-hello) section of this document that Windows 10 has built-in support for biometric hardware. Windows has included some amount of built-in biometric support since the Windows XP operating system, so what’s different about this in Windows 10? - -Windows 10 makes biometrics a core security feature. Biometrics is fully integrated into the Windows 10 security components, not just tacked on as an extra part of a larger scheme. This is a big change. Earlier biometric implementations were largely front-end methods to simplify authentication. Under the hood, biometrics was used to access a password, which was then used for authentication behind the scenes. Biometrics may have provided convenience but not necessarily enterprise-grade authentication. - -Microsoft has evangelized the importance of enterprise-grade biometric sensors to the OEMs that create Windows PCs and peripherals. 
Many OEMs already ship systems that have integrated fingerprint sensors and are transitioning from swipe-based to touch-based sensors. Facial-recognition sensors were already available when Windows 10 launched and are becoming more commonplace as integrated system components.
-
-In the future, Microsoft expects OEMs to produce even more enterprise-grade biometric sensors and to continue to integrate them into systems as well as provide separate peripherals. As a result, biometrics will become a commonplace authentication method as part of an MFA system.
-
-#### Secure Windows startup
-
-UEFI Secure Boot uses hardware technologies to help protect users from bootkits. Secure Boot can validate the integrity of the devices, firmware, and bootloader. After the bootloader launches, users must rely on the operating system to protect the integrity of the remainder of the system.
-
-#### Trusted Boot
-
-When UEFI Secure Boot verifies that the bootloader is trusted and starts Windows, the Windows Trusted Boot feature protects the rest of the startup process by verifying that all Windows startup components are trustworthy (for example, signed by a trusted source) and have integrity. The bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM component.
-
-If a file has been modified (for example, if malware has tampered with it or it has been corrupted), Trusted Boot will detect the problem and automatically repair the corrupted component. When repaired, Windows will start normally after only a brief delay.
-
-#### Early Launch Antimalware
-
-Malware that targeted previous versions of Windows often attempted to start before the antimalware solution. To do this, some types of malware would update or replace a non-Microsoft–related driver that starts during the Windows startup process.
The malicious driver would then use its system access privileges to modify critical parts of the system and disguise its presence so it could not be detected when the antimalware solution later started. - -Early Launch Antimalware (ELAM) is part of the Trusted Boot feature set and is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures; doing so would delay startup too much. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. - -The design is simple but effective. ELAM is a component of a full-featured antimalware solution, and it helps prevent malicious drivers and apps from starting before the rest of the antimalware solution starts later during the boot process. Indeed, ELAM runs only for a few seconds each time a PC starts. Windows Defender in Windows 10 supports ELAM, as does Microsoft System Center 2012 Endpoint Protection and several non-Microsoft antimalware apps. - -If you want to learn how to configure ELAM, you can use Group Policy settings to configure how ELAM responds to potentially malicious boot drivers. In the Group Policy Management Editor, go to Computer Configuration\\Administrative Templates\\System\\Early Launch Antimalware, and enable the **Boot-Start Driver Initialization Policy** setting. Now, you can select which driver classifications ELAM loads. 
When you select the **Good Only** setting, it provides the highest level of security, but test it thoroughly to ensure that it does not prevent users with healthy PCs from starting. - -#### Measured Boot - -The biggest challenge with rootkits and bootkits in earlier versions of Windows is that they can frequently be undetectable to the client. Because they often start before Windows defenses and the antimalware solution and they have system-level privileges, rootkits and bootkits can completely disguise themselves while continuing to access system resources. Although UEFI Secure Boot and Trusted Boot can prevent most rootkits and bootkits, intruders could still potentially exploit a few attack vectors (for example, if UEFI with Secure Boot is disabled or if the signature used to sign a boot component, such as a non-Microsoft driver, has been compromised and is used to sign a malicious one). - -Windows 10 implements the Measured Boot feature, which uses the TPM hardware component built into newer PCs to record a series of measurements for critical startup-related components, including firmware, Windows boot components, drivers, and even the ELAM driver. Because Measured Boot leverages the hardware-based security capabilities of TPM, which isolates and protects the measurement data from malware attacks, the log data is well protected against even sophisticated attacks. - -Measured Boot focuses on acquiring the measurement data and protecting it from tampering. It must be coupled with a service that can analyze the data to determine device health and provide a more complete security service. The next section introduces just such a service. - -#### Verify device compliance for conditional access to corporate resources - -Measured Boot itself does not prevent malware from loading during the startup process – that is the job of Secure Boot, Device Guard, and ELAM. 
Instead, Measured Boot provides a TPM-protected audit log that allows a trusted remote health attestation service to evaluate the PC’s startup components, state, and overall configuration. If the health attestation service detects that the PC loaded an untrustworthy component and is therefore out of compliance, the service can block the PC’s access to specific network resources or the entire network. You can even couple a health attestation service with a management system to facilitate conditional access capabilities that can initiate the quarantine and remediation processes to fix an infected PC and return it to a compliant state. - -![Health Attestation in Windows 10](images/security-fig3-healthattestation.png "Health Attestation in Windows 10") - -Figure 3. Health Attestation in Windows 10 - -Figure 3 illustrates the following process for device compliance verification and conditional access implementation: - -1. The PC uses the TPM to record measurements of the bootloader, boot drivers, and ELAM driver. The TPM prevents anyone from tampering with these measurements, so even if malware is successfully loaded, it will not be able to modify the measurements. These measurements are signed with an Attestation Identity Key (AIK) that is stored in the TPM. Because the TPM hardware has signed the measurements, malware cannot modify them without being detected. - -2. Health Attestation is not enabled by default and requires an enrollment with a mobile device management (MDM) server in order to enable it. If it is enabled, the health attestation client will contact a remote server, called a health attestation server. Microsoft provides a cloud-based Windows Health Attestation service that can help evaluate the health of a device. The health attestation client sends the signed measurements, the device’s TPM boot log, and an AIK certificate (if present), which lets the health attestation server verify that the key used to sign the measurements was issued to a trusted TPM. 
- -3. The health attestation server analyzes the measurements and boot log and creates a statement of device health. This statement is encrypted to help ensure the confidentiality of the data. - -4. A management system, such as an MDM server, can request that an enrolled device present a statement of device health. Windows 10 supports both Microsoft and non-Microsoft MDM server requests for device health. To prevent theft of device health statements and reuse from other devices, an MDM server sends the enrolled device a “number used only once” (nonce) request along with this request for the device health statement. - -5. The enrolled device digitally signs the nonce with its AIK (which is stored in the TPM) and sends the MDM server the encrypted statement of device health, the digitally signed nonce, and a signed boot counter, which asserts that the device has not been restarted since it obtained the statement of health. - -6. The MDM server can send the same data to the health attestation server. The server decrypts the statement of health, asserts that the boot counter in the statement matches the boot counter that was sent to the MDM server, and compiles a list of health attributes. - -7. The health attestation server sends this list of health attributes back to the MDM server. The MDM server now enforces access and compliance policies if configured to do so. - - -For a list of data points that the health attestation server verifies, along with a description of the data, see the [HealthAttestation CSP article on MSDN](http://go.microsoft.com/fwlink/p/?LinkId=626940). - -The management system’s implementation determines which attributes within the statement of device health are evaluated when assessing a device’s health. Broadly speaking, the management server receives information about how the device booted, what kind of policy is enforced on the device, and how data on the device is secured. 
Depending on the implementation, the management server may add checks that go beyond what the statement of device health provides—for example, Windows patch level and other device attributes. - -Based on these data points, the management server can determine whether the client is healthy and grant it access to either a limited quarantine network or to the full network. Individual network resources, such as servers, can also grant or deny access based on whether the remote attestation client were able to retrieve a valid health certification from the remote attestation server. - -Because this solution can detect and prevent low-level malware that may be extremely difficult to detect any other way, Microsoft recommends that you consider the implementation of a management system, like Microsoft Intune, or any management solutions that take advantage of the Windows 10 cloud-based Health Attestation Server feature to detect and block devices that have been infected with advanced malware from network resources. - -### Secure the Windows core - -Applications built for Windows are designed to be secure and free of defects, but the reality is that as long as human beings are writing code, vulnerabilities will continue to crop up. When identified, malicious users and software may attempt to exploit vulnerabilities by manipulating data in memory in the hope that they can bootstrap a successful exploit. - -To mitigate these risks, Windows 10 includes core improvements to make it more difficult for malware to perform buffer overflow, heap spraying, and other low-level attacks and even which code is allowed to run on the PC. In addition, these improvements dramatically reduce the likelihood that newly discovered vulnerabilities result in a successful exploit. It takes detailed knowledge of operating system architecture and malware exploit techniques to fully appreciate the impact of these improvements, but the sections that follow explain them at a high level. 
- -#### Device Guard - -Today’s security threat landscape is more aggressive than ever before. Modern malicious attacks are focused on revenue generation, intellectual property theft, and targeted system degradation resulting in financial loss. Many of these nefarious attackers are sponsored by nation states that have ulterior motives and large cyber-terrorism budgets. These threats can enter a company through something as simple as an email and can permanently damage the organization’s reputation for securing employee and customer data and intellectual property, not to mention having a significant financial impact. The Windows 10 operating system introduces several new security features that help mitigate a large percentage of today’s known threats. - -It is estimated that more than 300,000 new malware variants are discovered daily. Unfortunately, companies currently use an ancient method to discover this infectious software and prevent its use. In fact, current PCs trust everything that runs until antimalware signatures determine whether a threat exists; then, the antimalware software attempts to clean the PC, often after the malicious software’s effect has already occurred. This signature-based system focuses on reacting to an infection and then ensuring that that particular infection does not happen again. In this model, the system that drives malware detection relies on the discovery of malicious software; only then can a signature be provided to the client to remediate it, which implies that a computer has often already been infected. The time between detection of the malware and a client being issued a signature could mean the difference between losing data and staying safe. - -In addition to antimalware solutions, “app control” or “whitelisting” technologies are available, including AppLocker. These perform single-instance or blanket allow or deny rules for running applications. 
In Windows 10, these types of solutions are most effective when deployed alongside the Windows 10 Device Guard feature. - -Device Guard breaks the current model of detection first-block later and allows only trusted applications to run, period. This methodology is consistent with the successful prevention strategy for mobile phone security. With Device Guard, Microsoft has changed how the Windows operating system handles untrusted applications, which makes its defenses difficult for malware to penetrate. This new prevention versus detection model will provide Windows clients with the necessary security for modern threats and, when implemented, mitigates many of today’s threats from day one. - -#### Device Guard overview - -Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features revolutionize the Windows operating system’s security by taking advantage of new VBS options to protect the system core and the processes and drivers running in kernel mode—the trust-nothing model you see in mobile device operating systems. A key feature used with Device Guard is *configurable code integrity*, which allows your organization to choose exactly which software from trusted software publishers is allowed to run code on your client machines—exactly what has made mobile phone security on some platforms, such as Windows Mobile, so successful. Trusted applications are those signed directly (in other words, binaries) or indirectly by using a signed file that lists the hash values for application binaries that are considered trustworthy. In addition, Device Guard offers organizations a way to sign existing LOB applications so that they can trust their own code without the requirement that the application be rebuilt or packaged. Also, this same method of signing can provide organizations a way to trust non-Microsoft applications, including those that may not have been signed directly. 
Device Guard with configurable code integrity, Credential Guard, and AppLocker present the most complete security defense that any Microsoft product has ever been able to offer a Windows client. - -Advanced hardware features such as CPU virtualization extensions, IOMMUs, and SLAT drive these new client security offerings. By integrating these hardware features further into the core operating system, Windows 10 can leverage them in new ways. For example, the same type 1 hypervisor technology that is used to run virtual machines in Hyper V isolates core Windows services into a virtualization-based, protected container. This is just one example of how -Windows 10 integrates advanced hardware features deeper into the operating system to offer comprehensive modern security to its users. - -To deliver this additional security, Device Guard has the following hardware and software requirements: -- UEFI Secure Boot (optionally with a non-Microsoft UEFI CA removed from the UEFI database) -- Virtualization support enabled by default in the system firmware (BIOS): - - Virtualization extensions (for example, Intel VT-x, AMD RVI) - - SLAT (for example, Intel EPT, AMD RVI) - - IOMMU (for example, Intel VT-d, AMD-Vi) -- UEFI BIOS configured to prevent an unauthorized user from disabling Device Guard–dependent hardware security features (for example, Secure Boot) -- Kernel mode drivers signed and compatible with hypervisor-enforced code integrity -- Windows 10 Enterprise only -- X64 version of Windows - -Along with these new features, some components of Device Guard are existing tools or technologies that have been included in this strategic security offering to provide customers with the most secure Windows operating system possible. Device Guard is intended as a set of client security features to be used in conjunction with the other threat-resistance features available in the Windows operating system, some of which are mentioned in this guide. 
- -#### Configurable code integrity - -The Windows operating system consists of two operating modes: user mode and kernel mode. The base of the operating system runs within the kernel mode, which is where the Windows operating system directly interfaces with hardware resources. User mode is primarily responsible for running applications and brokering information to and from the kernel mode for hardware resource requests. For example, when an application running in user mode needs additional memory, the user mode process must request the resources from the kernel, not directly from RAM. - -Code integrity is the component of the Windows operating system that verifies that the code Windows is running came from a trusted source and is tamper free. Like the operating system, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been used in recent versions of the Windows operating system to protect the kernel mode from executing unsigned drivers. Although effective, drivers are not the only route that malware can take to penetrate the kernel mode space of the operating system. In Windows 10, however, Microsoft has raised the requirements for kernel mode code out of the box as well as provided enterprises with a way to set their own UMCI and KMCI policies. Starting with the Code Integrity service itself and continuing through the policies a Windows client uses to verify that an application should be allowed to run, Microsoft has made Windows 10 more secure than any previous Windows release. Historically, UMCI has been available only in Windows RT and on Windows Mobile devices, which has made it difficult to infect these devices with viruses and malware. These same successful UMCI policies are available in Windows 10Windows 10. - -Historically, most malware has been unsigned. 
Simply by deploying code integrity policies, organizations will immediately protect themselves against unsigned malware, which is estimated to be responsible for the vast majority of current attacks. By using code integrity policies, an enterprise can also select exactly which binaries are allowed to run in both user mode and kernel mode based on the signer, binary hash, or both. When completely enforced, it makes user mode in Windows function like some mobile platforms, trusting and running only specific applications or specific signatures. This feature alone fundamentally changes security in an enterprise. This additional security is *not* limited to Windows apps and does *not* require an application rewrite to be compatible with your existing and possibly unsigned applications. You can run configurable code integrity independent of Device Guard, thus making it available to devices that don’t meet Device Guard hardware requirements. - -#### Hardware security features and VBS - -The core functionality and protection of Device Guard starts at the hardware level. Devices that have processors equipped with SLAT technologies and virtualization extensions, such as Intel VT x and AMD V, will be able to take advantage of a VBS environment that dramatically enhances Windows security by isolating critical Windows services from the operating system itself. This isolation is necessary, because you must assume that the operating system kernel will be compromised, and you need assurance that some processes will remain secure. - -Device Guard leverages VBS to isolate its Hypervisor Code Integrity (HVCI) service, which enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s IOMMU functionality to force all software running in kernel mode to safely allocate memory. This means that after memory has been allocated, its state must be changed from writable to read only or execute only. 
By forcing memory into these states, it helps ensure that attacks are unable to inject malicious code into kernel mode processes and drivers through techniques such as buffer overruns or heap spraying. In the end, the VBS environment protects the Device Guard HVCI service from tampering even if the operating system’s kernel has been fully compromised, and HVCI protects kernel mode processes and drivers so that a compromise of this magnitude can't happen in the first place. - -Another Windows 10 feature that employs VBS is Credential Guard. Credential Guard protects credentials by running the Windows authentication service known as LSA, and then storing the user’s derived credentials (for example, NTLM hashes; Kerberos tickets) within the same VBS environment that Device Guard uses to protect its HVCI service. By isolating the LSA service and the user’s derived credentials from both user mode and kernel mode, an attacker that has compromised the operating system core will still be unable to tamper with authentication or access derived credential data. Credential Guard prevents pass-the-hash and ticket types of attacks, which are central to the success of nearly every major network breach you’ve read about, which makes Credential Guard one of the most impactful and important features to deploy within your environment. For more information about how Credential Guard complements Device Guard, see the [Device Guard with Credential Guard](#device-guard-with-credential-guard) section. - -#### Device Guard with AppLocker - -Although AppLocker is not considered a new Device Guard feature, you can use it to complement configurable code integrity functionality when enforced code integrity cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which you could use code integrity policies alongside AppLocker rules. 
As a best practice, enforce code integrity policies at the most restrictive level possible for your organization, and then use AppLocker to fine-tune the restrictions to an even lower level. - ->[!NOTE]   ->One example in which Device Guard functionality needs AppLocker supplementation is when your organization would like to limit which universal applications from the Windows Store users can install on a device. Microsoft has already validated universal applications from the Windows Store as trustworthy to run, but an organization may not want to allow specific universal applications to run in its environment. You could use an AppLocker rule to enforce such a stance. - -In another example, you could enable a configurable code integrity policy to allow users to run all the apps from a specific publisher. To do so, you would add the publisher’s signature to the policy. If your organization decides that only specific apps from that publisher should be allowed to run, you would add the signature for the publisher to the configurable code integrity policy, and then use AppLocker to determine which specific apps can run. -  -AppLocker and Device Guard can run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, Microsoft recommends that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio. - -#### Device Guard with Credential Guard - -Although Credential Guard isn’t a feature within Device Guard, many organizations will likely deploy Credential Guard alongside Device Guard for additional protection against derived credential theft. Similar to virtualization-based protection of kernel mode through the Device Guard HVCI service, Credential Guard leverages hypervisor technology to protect the Windows authentication service (the LSA) and users’ derived credentials. 
This mitigation is targeted at preventing the use of pass-the-hash and pass-the-ticket techniques. - -Because Credential Guard uses VBS, it is decisive in its ability to prevent pass-the-hash and pass-the-ticket attacks from occurring on Windows 10 devices. Microsoft recognizes, however, that most organizations will have a blend of Windows versions running in their environments. Mitigations for devices not capable of running Credential Guard on both the client side and the server side are available to help with this scenario. Microsoft will be releasing details to TechNet regarding these additional mitigations in the near future. - -#### Unified manageability through Device Guard - -You can easily manage Device Guard features through the familiar enterprise and client-management tools that IT pros use every day. Use the following management tools to enable and manage Device Guard: -- **Group Policy.**Windows 10 provides an administrative template that you can use to configure and deploy the configurable code integrity policies for your organization. This template also allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings with your existing Group Policy objects, which makes it simple to implement Device Guard features. In addition to the code integrity and hardware-based security features, Group Policy can help you manage your catalog files. -- **System Center Configuration Manager.** Use System Center Configuration Manager to simplify deployment and management of catalog files, code integrity policies, and hardware-based security features as well as to provide version control. -- **MDM systems.** Organizations will be able to use Microsoft Intune and non-Microsoft MDM systems for deployment and management of code integrity policies and catalog files. -- **Windows PowerShell.** You use Windows PowerShell primarily to create and service code integrity policies. 
These policies represent the most impactful component of Device Guard. -These options provide the same experience you’re used to for management of your existing enterprise management solutions. - -#### Address Space Layout Randomization - -One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. In the early days of operating systems, any malware that could write directly to the system memory could do such a thing; the malware would simply overwrite system memory in well-known and predictable locations. -Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 4 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. - -![ASLR at work](images/security-fig4-aslr.png "ASLR at work") - -Figure 4. ASLR at work - -Although the ASLR implementation in Windows 7 was effective, it wasn’t applied holistically across the operating system, and the level of entropy (cryptographic randomization) wasn’t always at the highest possible level. To decrease the likelihood that sophisticated attacks such as heap spraying could succeed in the Windows 8 operating system, Microsoft applied ASLR holistically across the system and increased the level of entropy many times. -The ASLR implementation in Windows 8 and Windows 10 is greatly improved over Windows 7, especially with 64-bit system and application processes that can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. 
When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. - -#### Data Execution Prevention - -Malware depends on its ability to put a malicious payload into memory with the hope that it will be executed later, and ASLR will make that much more difficult. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? - -Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted within through a vulnerability exploit. - -Because of the importance of DEP, users cannot install Windows 10 on a computer that does not have DEP capability. Fortunately, most processors released since the mid-2000s support DEP. - -If you want to see which apps use DEP, complete these steps: -1. Open Task Manager: Press Ctrl+Alt+Esc or by searching the Start screen. -2. Click **More Details** (if necessary), and then click the **Details** tab. -3. Right-click any column heading, and then click **Select Columns**. -4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. -5. Click **OK**. - -You can now see which processes have DEP enabled. Figure 5 shows the processes running on a Windows 10 PC with a single process that does not support DEP. - -![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png "Processes with DEP enabled in Windows 10") - -Figure 5. Processes on which DEP has been enabled in Windows 10 - -#### Windows Heap - -The *heap* is a location in memory that Windows uses to store dynamic application data. 
Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack.
-
-Windows 10 has several important improvements to the security of the heap over Windows 7:
-- Internal data structures that the heap uses are now better protected against memory corruption.
-- Heap memory allocations now have randomized locations and sizes, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable.
-- Windows 10 uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app.
-
-Windows 10 resolves known heap attacks that could be used to compromise a PC running previous versions of Windows.
-
-#### Memory reservations
-
-The lowest 64 KB of process memory is reserved for the system. Apps are no longer allowed to allocate that portion of the memory, which makes it more difficult for malware to overwrite critical system data structures in memory.
-
-#### Control Flow Guard
-
-When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gives attackers the opportunity to change the flow to meet their needs. In other words, an application exploit takes advantage of this behavior by running code that the application may not typically run.
-
-This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk.
-
-An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Administrators should consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. Of course, browsers are a key entry point for attacks; thus Microsoft Edge, IE, and other Windows features take full advantage of CFG.
-
-#### Protected Processes
-
-Benjamin Franklin once said that "an ounce of prevention is worth a pound of cure." His wisdom directly applies to PC security. Most security controls are designed to prevent the initial infection point. The reasoning is that if malware cannot infect the system, the system is immune to malware.
-
-No computer is immune to malware, however. Despite all the best preventative controls, malware can eventually find a way to infect any operating system or hardware platform. So, although prevention with a defense-in-depth strategy is important, it cannot be the only type of malware control.
-
-The key security scenario is to assume that malware is running on a system but limit what it can do. Windows 10 has security controls and design features in place to reduce compromise from existing malware infections. Protected Processes is one such feature.
-
-With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and for the first time, you can put antimalware solutions into the protected process space, which helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system.
-
-### Secure the Windows desktop
-
-Windows 10 includes critical improvements to the Windows core and the desktop environment, where attacks and malware most frequently enter. The desktop environment is now more resistant to malware thanks to significant improvements to Windows Defender and SmartScreen Filters. Internet browsing is a safer experience because of Microsoft Edge, a completely new browser. The Windows Store reduces the likelihood that malware will infect devices by ensuring that all applications that enter the Windows Store ecosystem have been thoroughly reviewed before being made available. Universal Windows apps are inherently more secure than typical applications because they are sandboxed. Sandboxing restricts the application’s risk of being compromised or tampered with in a way that would put the system, data, and other applications at risk.
-The sections that follow describe Windows 10 improvements to application security in more detail.
-
-### Microsoft Edge and Internet Explorer 11
-
-Browser security is a critical component of any security strategy, and for good reason: The browser is the user’s interface to the Internet, an environment that is quite literally overwhelmed with malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks.
-
-All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser.
-Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority.
-
-Microsoft includes an entirely new browser, Microsoft Edge, in Windows 10. Microsoft Edge is more secure in several ways, especially:
-- **Microsoft Edge does not support non-Microsoft binary extensions.** Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions but no other binary extensions, including ActiveX controls and Java.
-- **Microsoft Edge runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure when vulnerabilities are discovered and attempts are made to exploit them.
-- **Microsoft Edge is designed as a Universal Windows app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because it can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge.
-- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft created Microsoft Edge default settings that align with security best practices, which makes it secure by default.
-
-In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10 primarily for backwards-compatibility with websites and binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover, as shown in Figure 6.
-
-![Configure Windows 10 for backwards-compatibility with IE11](images/security-fig6-edge2.png "Configure Windows 10 for backwards-compatibility with IE11")
-
-Figure 6. Configure Windows 10 to switch from Microsoft Edge to IE11 for backwards-compatibility.
-
-Microsoft’s recommendation is to use Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. When configured, when users use Microsoft Edge and it identifies a site that requires IE11, they will automatically be switched to IE11.
-
-### The SmartScreen Filter
-
-Recent versions of Windows have many effective techniques to prevent malware from installing itself without the user’s knowledge. To work around those restrictions, malware attacks often use social engineering techniques to trick users into running software. For example, malware known as a Trojan horse pretends to be something useful, such as a utility, but carries an additional, malicious payload.
-
-Starting with Windows Internet Explorer 8, the SmartScreen Filter has helped protect users from both malicious applications and nefarious websites by using the SmartScreen Filter’s application and URL reputation services. The SmartScreen Filter in Internet Explorer would check URLs and newly downloaded apps against an online reputation service that Microsoft maintained. If the app or URL were not known to be safe, SmartScreen Filter would warn the user or even prevent the app or URL from loading, depending on how systems administrators had configured Group Policy settings.
-
-For Windows 10, Microsoft further developed the SmartScreen Filter by integrating its app reputation abilities into the operating system itself, which allows the filter to protect users regardless of the web browser they are using or the path that the app uses to arrive on the device (for example, email, USB flash drive). The first time a user runs an app that originates from the Internet, even if the user copied it from another PC, the SmartScreen Filter checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, the SmartScreen Filter warns the user or blocks execution entirely, depending on how the administrator has configured Group Policy (see Figure 7).
-
-![SmartScreen Filter at work in Windows 10](images/security-fig7-smartscreenfilter.png "SmartScreen Filter at work in Windows 10")
-
-Figure 7. The SmartScreen Filter at work in Windows 10
-
-By default, users have the option to bypass SmartScreen Filter protection so that it will not prevent a user from running a legitimate app. You can use Control Panel or Group Policy settings to disable the SmartScreen Filter or to completely prevent users from running apps that the SmartScreen Filter does not recognize. The Control Panel settings are shown in Figure 8.
-
-![SmartScreen configuration options](images/security-fig8-smartscreenconfig.png "SmartScreen configuration options")
-
-Figure 8. The Windows SmartScreen configuration options in Control Panel
-
-If you want to try the SmartScreen Filter, use Windows 7 to download this simulated (but not dangerous) malware file:[freevideo.exe](https://go.microsoft.com/fwlink/p/?LinkId=626943). Save it to your computer, and then run it from Windows Explorer. As shown in Figure 9, Windows runs the app without much warning. In Windows 7, you might receive a warning message about the app not having a certificate, but you can easily bypass it.
-
-![Windows 7 allows the app to run](images/security-fig9-windows7allow.png "Windows 7 allows the app to run")
-
-Figure 9. Windows 7 allows the app to run
-
-Now, repeat the test on a computer running Windows 10 by copying the file to a Windows 10 PC or by downloading the file again and saving it to your local computer. Run the file directly from File Explorer, and the SmartScreen Filter will warn you before it allows it to run. Microsoft’s data shows that for a vast majority of users, that extra warning is enough to save them from a malware infection.
-
-### Universal Windows apps
-
-The good news is that the download and use of Universal Windows apps or even Windows Classic applications (Win32) from the Windows Store will dramatically reduce the likelihood that you encounter malware on your PC because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements.
-
-Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission.
-
-In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher.
-
-In the end, the Windows Store app distribution process and the app sandboxing capabilities of Windows 10 will dramatically reduce the likelihood that users encounter malicious apps on the system.
-
-### Windows Defender
-
-Antimalware software, also generically called virus scanners, antivirus, and a host of other names, has been around for a long time. Microsoft shipped its first program in this category, Microsoft Anti-Virus, in 1993 for MS DOS 6.0. At the time, the approach of running a standalone MS DOS program to locate and remove viruses was sufficient.
-
-Times change and technology progresses, and antimalware software has also evolved. It is crucial to have multilayered defense with interoperability when you manage modern threats. Windows Defender uses the operating system extensively to achieve interoperability across the varying layers of defense. It is important to have an effective antimalware solution in place as an important obstacle between malware and enterprise assets, and it complements features like Device Guard. For example, an antimalware solution could help detect malicious behavior in memory or even within trusted applications, an area that Device Guard is not designed to address.
-Windows Defender has evolved to meet the growing complexity of IT and the challenges that come with this complexity. Windows included Windows Defender, a robust inbox antimalware solution, starting with Windows 8. Now, with Windows 10, Microsoft has significantly improved Windows Defender.
-
-Windows Defender in Windows 10 uses a four-pronged approach to improve antimalware: rich local context, extensive global sensors, tamper proofing, and the empowerment of IT security professionals. This section explains each prong.
-
-**Rich, local context** improves how malware is identified. Windows 10 informs Windows Defender not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender to apply different levels of scrutiny to different content.
-
-For example, an application downloaded from the Internet would be more heavily scrutinized than an application installed from a trusted server. Windows 10 persists the history of the Internet-sourced application at the operating system level so that the app cannot erase its own tracks. The history is tracked and stored by the Persisted Store, a new feature in Windows 10 that securely manages the rich local context and prevents unauthorized modification or deletion. The rich local context improvements also help prevent malware from using tactics such as obfuscation as a means to evade detection.
-
-Local context also extends to how antimalware software exposes interfaces. Windows Defender implements the Antimalware Scan Interface (AMSI), a generic public interface standard that allows applications and services to request Windows Defender to scan and analyze obfuscated code before execution. AMSI is available for any application and antimalware solution to implement. In Windows 10, AMSI is accessible through Windows PowerShell, the Windows Script Host, JavaScript, and Microsoft JScript.
-
-In Windows 10, Microsoft implemented a new technology that allows Windows Defender to work closely with User Account Control (UAC) requests. When the UAC system is triggered, it requests a scan from Windows Defender before it prompts for elevation. Windows Defender scans the file or process and determines whether it's malicious. If it’s malicious, the user will see a message that explains that Windows Defender blocked the file or process from executing; if it's not malicious, then UAC will run and display the usual elevation request prompt.
-
-**Extensive global sensors** help keep Windows Defender current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. The goal is to identify new, emerging malware and block it in the first critical hours of its lifetime to limit exposure to the broader PC ecosystem.
-
-With Windows Defender in Windows 8, Microsoft first introduced Windows Defender Cloud Protection, which helps to better react in the quickly evolving malware landscape. The goal is to block malware the "first time it’s seen" in the first critical hours of a malware attack.
-
-To help preserve the privacy of customers, Microsoft allows customers to opt in or out of the system. To participate, you simply opt into the program. To opt in for Windows 10, click **Settings**, click **Update & Security**, and then click **Windows Defender**. The opt-in choices are shown in Figure 10.
-
-![figure 10](images/security-fig10-optinsettings.png)
-
-Figure 10. Windows Defender opt-in settings in Windows 10
-
-Of course, system administrators have centralized control of all Windows Defender settings through Group Policy. The Windows Defender configuration settings are shown under Computer Configuration/Windows Components/Windows Defender, as shown in Figure 11.
-
-![Windows Defender settings in Group Policy](images/security-fig11-defendersettings.png "Windows Defender settings in Group Policy")
-
-Figure 11. Windows Defender settings in Group Policy – the sample submission options are listed under MAPS
-
-**Tamper proofing** is the safeguarding of Windows Defender itself against malware attacks.
Malware creators assume that antimalware software is implemented on most PCs. Many malware creators choose to overcome that obstacle by designing malware that modifies the antimalware software in some way, such as disabling real-time scanning or by hiding specific processes. Some malware goes as far as completely disabling the antimalware software while making it appear fully functional to the user. - -Windows Defender is designed to resist tampering; it uses several security technologies available in Windows 10, the primary of which is Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender components, its registry keys, and so on. Tamper proofing in Windows Defender is also the indirect result of system-wide security components, including UEFI with Secure Boot and ELAM. These components help provide a more secure environment in which Windows Defender can launch in before it begins to defend itself. - -**Empowerment of IT security professionals** means that Windows Defender gives IT pros the tools and configuration options necessary to make it an enterprise-class antimalware solution. It has numerous enterprise-level features -that put it on par with the top products in this category: - -* Integration with centralized management software, including Microsoft Intune, System Center Configuration Manager, and Microsoft System Center Operations Manager. Unlike Windows 8.1, no additional client is necessary, because Windows Defender is now integrated into Windows and only a management layer needs to be added. -* Windows Defender supports the Open Mobile Alliance Device Management standard for centralized management by many non-Microsoft device management solutions. -* It includes integrated classic command-line and Windows PowerShell cmdlet support. -* Support for Windows Management Instrumentation reporting and application management is built in. 
-* Full integration with Group Policy offers complete IT configuration management.
-
-In addition, Windows Defender now integrates the Windows Defender Offline Tool, which formerly required the creation of a bootable, standalone version of Windows Defender into the Windows Recovery Environment. This simplifies the process of remediating low-level malware infections, which may prove difficult to detect and remove with the antimalware solution running on the Windows desktop. You can update signatures for this environment automatically from within the Windows Defender Offline experience.
-
-Beyond Windows Defender, Windows 10 provides deep operating system access for antimalware products. Non-Microsoft antimalware vendors can take advantage of Microsoft’s new APIs and interfaces to gain unprecedented access to Windows 10 resources for malware detection and removal. Non-Microsoft antimalware solutions can implement ELAM drivers, which scan Windows 10 while it’s in its initial startup process. The broad set of new low-level interfaces lets non-Microsoft antimalware solutions perform advanced malware detection in a way that enables them to retain application compatibility even when Microsoft makes significant changes to Windows internals, such as are often made between major operating system versions.
-
-This access presents a security challenge, however: How does Windows 10 grant antimalware software generous access while ensuring that malware doesn’t take advantage of the very same access? Microsoft has been hard at work with several non-Microsoft software vendors to meet this challenge. If a third party wants this level of access, it must meet certain criteria and vetting requirements, and then Microsoft must digitally sign its software. This allows Microsoft to verify the authenticity of the software vendors and prevent nefarious individuals from creating their own self-signed fake malware scanners.
-
-To be clear, Microsoft is not restricting the antimalware vendors or their innovations. Nor is Microsoft changing software distribution channels. When Microsoft has signed the antimalware application, you can deploy and install it through any means. Microsoft is basically ensuring that these software developers are authentic, industry-recognized entities before signing their antimalware software and, in doing so, granting extended privileges to it.
-Another security threat that customers face particularly in consumer and bring your own device (BYOD) scenarios is a disabled or outdated antimalware product. A BYOD computer that has an installed but ineffective antimalware product can be more dangerous than no product at all, because it gives the illusion of security. Windows Defender in Windows 10 mitigates this threat by helping ensure that either Windows Defender or the customer’s preferred non-Microsoft solution is running and in a healthy state.
-
-Whenever non-Microsoft real-time protection is in an inoperable state (for example, disabled, expired) for 24 hours, Windows Defender automatically turns on to ensure that the device is protected. Windows attempts to help the user remediate the issue with the non-Microsoft antimalware solution by notifying him or her as early as 5 days before the software expires. If the solution expires, Windows enables Windows Defender and continues to remind the user to renew the non-Microsoft solution. When the user updates or reactivates the solution, Windows Defender is automatically disabled. In the end, the goal is to make sure that an operable antimalware solution is running at all times.
-
-#### Conclusion
-
-Windows 10 is the culmination of many years of effort from Microsoft, and its impact from a security perspective will be significant. Many of us still remember the years of Windows XP, when the attacks on the Windows operating system, applications, and data increased in volume and matured into serious threats. With the existing platforms and security solutions that you’ve likely deployed, you’re better defended than ever. But as attackers have become more advanced, there is no doubt that they have exceeded your ability to defend your organization and users. Evidence of this fact can be found in the news virtually every day as yet another major organization falls victim. Microsoft specifically designed Windows 10 to address these modern threats and tactics from the most advanced adversaries. It can truly change the game for your organization, and it can restore your advantage against those would like to make you their next victim.
-
-## Related topics
-
-[Windows 10 Specifications](https://go.microsoft.com/fwlink/p/?LinkId=625077 )
-
-[HealthAttestation CSP](https://go.microsoft.com/fwlink/p/?LinkId=626940 )
-
-[Making Windows 10 More Personal and More Secure with Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=626945)
-
-[Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index 0a9feddff7..0963cb7037 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -27,6 +27,8 @@ localizationpriority: high
 Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
+Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
+
 Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
 - **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
diff --git a/windows/keep-secure/windows-defender-antivirus-compatibility.md b/windows/keep-secure/windows-defender-antivirus-compatibility.md
new file mode 100644
index 0000000000..4945834e0f
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-compatibility.md
@@ -0,0 +1,43 @@
+---
+title: Windows Defender Antivirus and Windows Defender ATP
+description: Windows Defender AV and Windows Defender ATP work together to provide threat detection, remediation, and investigation.
+keywords: windows defender, atp, advanced threat protection, compatibility, passive mode
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Windows Defender Antivirus and Advanced Threat Protection: Better together
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service beyond Windows Defender Antivirus that helps enterprises detect, investigate, and respond to advanced persistent threats on their network.
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender AV as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode. On Windows Server 2016 SKUs, Windows Defender AV will not enter into the passive mode and will run alongside your other antivirus product.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won't run, and Windows Defender will not provide real-time protection from malware.
+
+You can still [manage updates for Windows Defender](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-antivirus-in-windows-10.md b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
new file mode 100644
index 0000000000..bcce59abef
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-in-windows-10.md
@@ -0,0 +1,82 @@
+---
+title: Windows Defender Antivirus
+description: Learn how to manage, configure, and use Windows Defender AV, the built-in antimalware and antivirus product available in Windows 10.
+keywords: windows defender antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Windows Defender Antivirus in Windows 10
+
+**Applies to**
+- Windows 10
+
+Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
+
+This library of documentation is aimed for enterprise security administrators who are either considering deployment, or have already deployed and are wanting to manage and configure Windows Defender AV on PC endpoints in their network.
+
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/library/dn765478.aspx).
+
+Windows Defender AV can be managed with:
+- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
+- Microsoft Intune
+
+It can be configured with:
+- System Center Configuration Manager (as System Center Endpoint Protection, or SCEP)
+- Microsoft Intune
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- Group Policy
+
+Some of the highlights of Windows Defender AV include:
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for near-instant detection and blocking of new and emerging threats
+- [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection")
+- [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
+
+## What's new in Windows 10, version 1703
+
+New features for Windows Defender AV in Windows 10, version 1703 include:
+- [Updates to how the Block at First Sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md)
+- [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md)
+- [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+
+We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender AV, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios:
+- [Evaluation guide for Windows Defender AV](evaluate-windows-defender-antivirus.md)
+- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md)
+
+See the [In this library](#in-this-library) list at the end of this topic for links to each of the updated sections in this library.
+
+
+
+
+## Minimum system requirements
+
+Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
+
+
+Some features require a certain version of Windows 10 - the minimum version required is specified at the top of each topic.
+
+Functionality, configuration, and management is largely the same when using Windows Defender Antivirus on Windows Server 2016, however [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).
+
+
+
+
+## In this library
+
+Topic | Description
+:---|:---
+[Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md) | Evaluate the protection capabilities of Windows Defender Antivirus with a specialized evaluation guide and PowerShell script
+[Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) | While traditional client deployment is not required for Windows Defender AV, you will need to enable the service. You can also manage how protection and product updates are applies, and receive reports from Configuration Manager, Intune, and with some security information and event monitoring (SIEM) tools
+[Configure Windows Defender features](configure-windows-defender-antivirus-features.md) | Windows Defender AV has a large set of configurable features and options. You can configure options such as cloud-delivered protection, always-on monitoring and scanning, and how end-users can interact or override global policy settings
+[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) | You can set up scheduled scans, run on-demand scans, and configure how remediation works when threats are detected
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-antivirus.md)|Review event IDs and error codes in Windows Defender Antivirus to determine causes of problems and troubleshoot issues
+[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)|The management and configuration tools that you can use with Windows Defender AV are listed and described here
+
diff --git a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
new file mode 100644
index 0000000000..3510bcb390
--- /dev/null
+++ b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
@@ -0,0 +1,50 @@
+---
+title: Windows Defender Antivirus on Windows Server 2016
+description: Compare the differences when Windows Defender AV is on a Windows Server SKU versus a Windows 10 endpoint
+keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+# Windows Defender Antivirus on Windows Server
+
+
+**Applies to:**
+
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+- Network administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- System Center Configuration Manager
+- PowerShell
+- Windows Management Instrumentation (WMI)
+
+
+Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same.
+
+See [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server) for more information on enabling the client interface and configuring roles and specific server features.
+
+While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
+
+- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md#sysreq).
+
+
+## Related topics
+
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md
deleted file mode 100644
index a31f43f6ee..0000000000
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md
+++ /dev/null
@@ -1,130 +0,0 @@
----
-title: Enable the Block at First Sight feature to detect malware within seconds
-description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
-keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
----
-
-# Block at First Sight
-
-**Applies to**
-
-- Windows 10, version 1607
-
-**Audience**
-
-- Network administrators
-
-Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
-
-It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention.
-
-## How it works
-
-When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
-
-> [!NOTE]
-> The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file.
-
-If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file.
-
-In many cases this process can reduce the response time to new malware from hours to seconds.
-
-> [!NOTE]
-> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
-
-
-## Confirm Block at First Sight is enabled
-
-Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work. Usually, these settings are already enabled in most default Windows Defender deployments in enterprise networks.
-
-> [!IMPORTANT]
-> There is no specific individual setting in System Center Configuration Manager to enable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly.
-
-### Confirm Block at First Sight is enabled with Group Policy
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
-
- 1. Double-click the **Join Microsoft MAPS** setting and ensure the option is set to **Enabled**. Click **OK**.
-
- 1. Double-click the **Send file samples when further analysis is required** setting and ensure the option is set to **Enabled** and the additional options are either of the following:
-
- 1. Send safe samples (1)
-
- 1. Send all samples (3)
-
- > [!WARNING]
- > Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
-
- 1. Click **OK**.
-
-1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
-
- 1. Double-click the **Scan all downloaded files and attachments** setting and ensure the option is set to **Enabled**. Click **OK**.
-
- 1. Double-click the **Turn off real-time protection** setting and ensure the option is set to **Disabled**. Click **OK**.
-
-If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
-
-
-### Confirm Block at First Sight is enabled with Windows Settings
-
-> [!NOTE]
-> If the pre-requisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-
-You can confirm that Block at First Sight is enabled in Windows Settings. The feature is automatically enabled, as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
-
-**Confirm Block at First Sight is enabled on individual clients**
-
-1. Open Windows Defender settings:
-
- a. Open the Windows Defender app and click **Settings**.
-
- b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
-
-2. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
-
-## Disable Block at First Sight
-
-> [!WARNING]
-> Disabling the Block at First Sight feature will lower the protection state of the endpoint and your network.
-
-> [!NOTE]
-> You cannot disable Block at First Sight with System Center Configuration Manager
-
-You may choose to disable the Block at First Sight feature if you want to retain the pre-requisite settings without using Block at First Sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
-
-**Disable Block at First Sight with Group Policy**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree through **Windows components > Windows Defender > MAPS**.
-
-1. Double-click the **Configure the ‘Block at First Sight’ feature** setting and set the option to **Disabled**.
-
- > [!NOTE]
- > Disabling the Block at First Sight feature will not disable or alter the pre-requisite group policies.
-
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
-
-
diff --git a/windows/keep-secure/windows-defender-enhanced-notifications.md b/windows/keep-secure/windows-defender-enhanced-notifications.md
deleted file mode 100644
index e70fede4fd..0000000000
--- a/windows/keep-secure/windows-defender-enhanced-notifications.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Configure enhanced notifications for Windows Defender
-description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
-keywords: notifications, defender, endpoint, management, admin
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: iaanw
----
-
-# Configure enhanced notifications for Windows Defender in Windows 10
-
-**Applies to:**
-
-- Windows 10, version 1607
-
-In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
-
-Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
-
-You can enable and disable enhanced notifications in Windows Settings.
-
-## Disable notifications
-
-You can disable enhanced notifications on individual endpoints in Windows Settings.
-
-**Use Windows Settings to disable enhanced notifications on individual endpoints**
-
-1. Open the **Start** menu and click or type **Settings**.
-
-1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
-
-1. Toggle the setting between **On** and **Off**.
-
-![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
-
-
-
-
-## Related topics
-
-- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
deleted file mode 100644
index 58ecb02cde..0000000000
--- a/windows/keep-secure/windows-defender-in-windows-10.md +++ /dev/null 
@@ -1,79 +0,0 @@
----
-title: Windows Defender in Windows 10 (Windows 10)
-description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-localizationpriority: medium
-author: jasesso
----
-
-# Windows Defender in Windows 10
-
-**Applies to**
-- Windows 10
-
-Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
-This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-
-For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server).
-
-Take advantage of Windows Defender by configuring settings and definitions using the following tools:
-- Microsoft Active Directory *Group Policy* for settings
-- Windows Server Update Services (WSUS) for definitions
-
-Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
-> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
-- Settings management
-- Definition update management
-- Alerts and alert management
-- Reports and report management
-
-When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
-
-
-### Compatibility with Windows Defender Advanced Threat Protection
-
-Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
-
-See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
-
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
-
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
-
-You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
-
-
- 
-### Minimum system requirements
-
-Windows Defender has the same hardware requirements as Windows 10. For more information, see:
-- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
-- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
-
-### New and changed functionality
-
-- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
-- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
-- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
-
-For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
-
-## In this section
-
-Topic | Description
-:---|:---
-[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
-[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
-[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
-[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
-[Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
-[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
-[Run a Windows Defender scan from the command line](run-cmd-scan-windows-defender-for-windows-10.md)|Use the command-line utility to run a Windows Defender scan.
-[Detect and block Potentially Unwanted Applications with Windows Defender](enable-pua-windows-defender-for-windows-10.md)|Use the Potentially Unwanted Application (PUA) feature in Managed Windows Defender to identify and block unwanted software during download and install time.
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md
index a90a308ed7..af07823d3a 100644
--- a/windows/keep-secure/windows-defender-offline.md
+++ b/windows/keep-secure/windows-defender-offline.md
@@ -1,6 +1,6 @@
 ---
 title: Windows Defender Offline in Windows 10
-description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
+description: You can use Windows Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
 keywords: scan, defender, offline
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,15 +12,28 @@ localizationpriority: medium author: iaanw --- -# Windows Defender Offline in Windows 10 +# Run and review the results of a Windows Defender Offline scan + **Applies to:** - Windows 10, version 1607 +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Group Policy +- PowerShell cmdlets +- Windows Management Instruction (WMI) + Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). -In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. +You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak. + +In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. ## Pre-requisites and requirements 
@@ -39,16 +52,18 @@ To run Windows Defender Offline from the endpoint, the user must be logged in wi ## Windows Defender Offline updates -Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). +Windows Defender Offline uses the most recent protection updates available on the endpoint; it's updated whenever Windows Defender Antivirus is updated. > [!NOTE] -> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). +> Before running an offline scan, you should attempt to update Windows Defender AV protection. You can either force an update with Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx). -For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic. +See the [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md) topic for more information. ## Usage scenarios -In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. 
The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints. +In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. + +The need to perform an offline scan will also be revealed in System Center Configuration Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: 
@@ -58,125 +73,76 @@ The user will also be notified within the Windows Defender client: ![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png) -In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. +In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. + +Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. ![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png) -## Manage notifications +## Configure notifications -You can suppress Windows Defender Offline notifications with Group Policy. +Windows Defender Offline notifications are configured in the same policy setting as other Windows Defender AV notifications. -> [!NOTE] -> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required. - -**Use Group Policy to suppress Windows Defender notifications:** - -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. - -3. In the **Group Policy Management Editor** go to **Computer configuration**. - -4. Click **Policies** then **Administrative templates**. - -5. Expand the tree to **Windows components > Windows Defender > Client Interface**. - -1. 
Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client. - -## Configure Windows Defender Offline settings - -You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications. - -For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics: - -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) - -- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx) - -For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic. +For more information about notifications in Windows Defender, see the [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) topic. ## Run a scan -Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings. +> [!IMPORTANT] +> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. 
-> [!NOTE] -> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete. +You can run a Windows Defender Offline scan with the following: -You can set up a Windows Defender Offline scan with the following: - -- Windows Update and Security settings - -- Windows Defender - -- Windows Management Instrumentation - -- Windows PowerShell - -- Group Policy - -> [!NOTE] -> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally. - -**Run Windows Defender Offline from Windows Settings:** - -1. Open the **Start** menu and click or type **Settings**. - -1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section. - -1. Click **Scan offline**. - - ![Windows Defender Offline setting](images/defender/settings-wdo.png) - -1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. - -**Run Windows Defender Offline from Windows Defender:** - -1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. - -1. On the **Home** tab click **Download and Run**. - - ![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png) - -1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart. 
+- PowerShell +- Windows Management Instrumentation (WMI) +- The Windows Defender Security Center app -**Use Windows Management Instrumentation to configure and run Windows Defender Offline:** -Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan. - -The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. +**Use PowerShell cmdlets to run an offline scan:** + +Use the following cmdlets: + +```PowerShell +Start-MpWDOScan +``` + +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. + +**Use Windows Management Instruction (WMI) to run an offline scan:** + +Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class to run an offline scan. + +The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. 
```WMI wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start ``` -For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics: +See the following for more information: +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx) -- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx) +**Use the Windows Defender Security app to run an offline scan:** -**Run Windows Defender Offline using PowerShell:** +1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. -Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan. +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label: + + +3. Select **Windows Defender Offline scan** and click **Scan now**. + + +> [!NOTE] +> In Windows 10, version 1607, the offline scan could be run from under **Windows Settings** > **Update & security** > **Windows Defender** or from the Windows Defender client. -For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic. ## Review scan results -Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan. +Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). -1. 
Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client. - -1. Go to the **History** tab. - -1. Select **All detected items**. - -1. Click **View details**. - -Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**: - -![Windows Defender detection source showing as Offline](images/defender/detection-source.png) ## Related topics -- [Windows Defender in Windows 10](windows-defender-in-windows-10.md) \ No newline at end of file +- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file diff --git a/windows/keep-secure/windows-defender-security-center-antivirus.md b/windows/keep-secure/windows-defender-security-center-antivirus.md new file mode 100644 index 0000000000..dec5bc9ff3 --- /dev/null +++ b/windows/keep-secure/windows-defender-security-center-antivirus.md 
@@ -0,0 +1,148 @@
+---
+title: Windows Defender Antivirus in the Windows Defender Security Center app
+description: Windows Defender AV is now included in the Windows Defender Security Center app.
+keywords: wdav, antivirus, firewall, security, windows
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+
+
+
+
+# Windows Defender Antivirus in the Windows Defender Security Center app
+
+**Applies to**
+
+- Windows 10, version 1703
+
+**Audience**
+
+- End-users
+
+**Manageability available with**
+
+- Windows Defender Security Center app
+
+
+In Windows 10, version 1703 (also known as the Creators Update), the Windows Defender app is now part of the Windows Defender Security Center.
+
+Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
+
+The app also includes the settings and status of:
+
+- The PC (as "device health")
+- Windows Firewall
+- Windows Defender SmartScreen Filter
+- Parental and Family Controls
+
+>[!NOTE]
+>The Windows Defender Security Center app is a client interface on Windows 10, version 1703. It is not the Windows Defender Advanced Security Center, which is the web portal used to review and manage [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md).
+
+**Review virus and threat protection settings in the Windows Defender Security Center app:**
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). 
+
+![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png)
+
+## Comparison of settings and functions of the old app and the new app
+
+All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security Center app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
+
+The following diagrams compare the location of settings and functions between the old and new apps:
+
+![Version of Windows Defender in Windows 10 before version 1703](images/defender/wdav-windows-defender-app-old.png)
+
+![Windows Defender Antivirus in Windows 10, version 1703 and later](images/defender/wdav-wdsc.png)
+
+Item | Windows 10, before version 1703 | Windows 10, version 1703 | Description
+---|---|---|---
+1 | **Update** tab | **Protection updates** | Update the protection ("definition updates")
+2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
+3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
+4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Windows Defender Offline scan
+5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 you can run custom and full scans under the **Advanced scan** option
+
+
+## Common tasks
+
+This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the new Windows Defender Security Center app. 
+
+> [!NOTE]
+> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
+
+
+**Run a scan with the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Quick scan**.
+
+4. Click **Advanced scan** to specify different types of scans, such as a full scan.
+
+
+**Download protection updates in the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Protection updates**.
+
+4. Click **Check for updates** to download new protection updates (if there are any).
+
+
+
+**Ensure Windows Defender Antivirus is enabled in the Windows Defender Security Center app**
+
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Virus & threat protection settings**.
+
+4. Toggle the **Real-time protection** switch to **On**.
+
+>[!NOTE]
+>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. 
This is to ensure you are protected from malware and threats.
+>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable limited periodic scanning.
+
+
+
+**Add exclusions for Windows Defender Antivirus in the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Virus & threat protection settings**.
+
+4. Under the **Exclusions** setting, click **Add or remove exclusions**.
+
+5. Click the plus icon to choose the type and set the options for each exclusion.
+
+
+**Review threat detection history in the Windows Defender Security Center app**
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+3. Click **Scan history**.
+
+4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
+
+
+
+
+## Related topics
+
+- [Windows Defender Antivirus](windows-defender-antivirus-in-windows-10.md)
+
+
diff --git a/windows/keep-secure/windows-defender-smartscreen-available-settings.md b/windows/keep-secure/windows-defender-smartscreen-available-settings.md
new file mode 100644
index 0000000000..fb399e44b3
--- /dev/null
+++ b/windows/keep-secure/windows-defender-smartscreen-available-settings.md
@@ -0,0 +1,215 @@ +--- +title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) +description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings. +keywords: SmartScreen Filter, Windows SmartScreen +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings +**Applies to:** + +- Windows 10 +- Windows 10 Mobile + +Windows Defender SmartScreen works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Windows Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. + +## Group Policy settings +SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          SettingSupported onDescription
          Windows 10, version 1703:
          Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

          Windows 10, Version 1607 and earlier:
          Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

          At least Windows Server 2012, Windows 8 or Windows RTThis policy setting turns on Windows Defender SmartScreen.

          If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

          If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

          If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

          Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703This setting helps protect PCs by allowing users to install apps only from the Windows Store. SmartScreen must be enabled for this feature to work properly.

          If you enable this setting, your employees can only install apps from the Windows Store.

          If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.

          If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Windows Store.

          Windows 10, version 1703:
          Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

          Windows 10, Version 1607 and earlier:
          Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen

          Microsoft Edge on Windows 10 or laterThis policy setting turns on Windows Defender SmartScreen.

          If you enable this setting, it turns on Windows Defender SmartScreen and your employees are unable to turn it off.

          If you disable this setting, it turns off Windows Defender SmartScreen and your employees are unable to turn it on.

          If you don't configure this setting, your employees can decide whether to use Windows Defender SmartScreen.

          Windows 10, version 1703:
          Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files

          Windows 10, Version 1511 and 1607:
          Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files

          Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious files.

          If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

          If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.

          Windows 10, version 1703:
          Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites

          Windows 10, Version 1511 and 1607:
          Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites

          Microsoft Edge on Windows 10, version 1511 or laterThis policy setting stops employees from bypassing the Windows Defender SmartScreen warnings about potentially malicious sites.

          If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

          If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.

          Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen FilterInternet Explorer 9 or laterThis policy setting prevents the employee from managing SmartScreen Filter.

          If you enable this policy setting, the employee isn't prompted to turn on SmartScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

          If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on SmartScreen Filter during the first-run experience.

          Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warningsInternet Explorer 8 or laterThis policy setting determines whether an employee can bypass warnings from SmartScreen Filter.

          If you enable this policy setting, SmartScreen Filter warnings block the employee.

          If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

          Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the InternetInternet Explorer 9 or laterThis policy setting determines whether the employee can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

          If you enable this policy setting, SmartScreen Filter warnings block the employee.

          If you disable or don't configure this policy setting, the employee can bypass SmartScreen Filter warnings.

          + +## MDM settings +If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support both desktop computers (running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune) and Windows 10 Mobile devices. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          SettingSupported versionsDetails
          AllowSmartScreenWindows 10 +
            +
          • URI full path. ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
          • +
          • Data type. Integer
          • +
          • Allowed values:
              +
            • 0 . Turns off Windows Defender SmartScreen.
            • +
            • 1. Turns on Windows Defender SmartScreen.
          +
          EnableAppInstallControlWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
          • +
          • Data type. Integer
          • +
          • Allowed values:
              +
            • 0 . Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
            • +
            • 1. Turns on Application Installation Control, allowing users to install apps from the Windows Store only.
          +
          EnableSmartScreenInShellWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
          • +
          • Data type. Integer
          • +
          • Allowed values:
              +
            • 0 . Turns off SmartScreen in Windows.
            • +
            • 1. Turns on SmartScreen in Windows.
          +
          PreventOverrideForFilesInShellWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
          • +
          • Data type. Integer
          • +
          • Allowed values:
              +
            • 0 . Employees can ignore SmartScreen warnings and run malicious files.
            • +
            • 1. Employees can't ignore SmartScreen warnings and run malicious files.
          +
          PreventSmartScreenPromptOverrideWindows 10, Version 1511 and later +
            +
          • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
          • +
          • Data type. Integer
          • +
          • Allowed values:
              +
            • 0 . Employees can ignore SmartScreen warnings.
            • +
            • 1. Employees can't ignore SmartScreen warnings.
          +
          PreventSmartScreenPromptOverrideForFilesWindows 10, Version 1511 and later +
            +
          • URI full path. ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
          • +
          • Data type. Integer
          • +
          • Allowed values:
              +
            • 0 . Employees can ignore SmartScreen warnings for files.
            • +
            • 1. Employees can't ignore SmartScreen warnings for files.
          +
          + +## Recommended Group Policy and MDM settings for your organization +By default, Windows Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Windows Defender SmartScreen to block high-risk interactions instead of providing just a warning. + +To better help you protect your organization, we recommend turning on and using these specific Windows Defender SmartScreen Group Policy and MDM settings. + + + + + + + + + + + + + + + + + + + + + +
          Group Policy settingRecommendation
          Administrative Templates\Windows Components\Microsoft Edge\Configure Windows Defender SmartScreenEnable. Turns on Windows Defender SmartScreen.
          Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sitesEnable. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
          Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for filesEnable. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
          Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreenEnable with the Warn and prevent bypass option. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.
          +

          + + + + + + + + + + + + + + + + + + + + + + + + + +
          MDM settingRecommendation
          Browser/AllowSmartScreen1. Turns on Windows Defender SmartScreen.
          Browser/PreventSmartScreenPromptOverride1. Stops employees from ignoring warning messages and continuing to a potentially malicious website.
          Browser/PreventSmartScreenPromptOverrideForFiles1. Stops employees from ingnoring warning messages and continuing to download potentially malicious files.
          SmartScreen/EnableSmartScreenInShell1. Turns on Windows Defender SmartScreen in Windows.

          Requires at least Windows 10, version 1703.

          SmartScreen/PreventOverrideForFilesInShell1. Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

          Requires at least Windows 10, version 1703.

+
+## Related topics
+- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+
+- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+
+- [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge/available-policies)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-overview.md b/windows/keep-secure/windows-defender-smartscreen-overview.md
new file mode 100644
index 0000000000..e48e138b84
--- /dev/null
+++ b/windows/keep-secure/windows-defender-smartscreen-overview.md
@@ -0,0 +1,63 @@
+---
+title: Windows Defender SmartScreen overview (Windows 10)
+description: Conceptual info about Windows Defender SmartScreen.
+keywords: SmartScreen Filter, Windows SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Windows Defender SmartScreen
+**Applies to:**
+
+- Windows 10
+- Windows 10 Mobile
+
+Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
+
+**SmartScreen determines whether a site is potentially malicious by:**
+
+- Analyzing visited webpages looking for indications of suspicious behavior. If it finds suspicious pages, SmartScreen shows a warning page, advising caution.
+
+- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
+
+**SmartScreen determines whether a downloaded app or app installer is potentially malicious by:**
+
+- Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, SmartScreen shows a warning to let the user know that the site might be malicious.
+
+- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, SmartScreen shows a warning, advising caution.
+
+ >[!NOTE]
+ >Before Windows 10, version 1703 this feature was called the SmartScreen Filter when used within the browser and Windows SmartScreen when used outside of the browser. 
+
+## Benefits of Windows Defender SmartScreen
+Windows Defender SmartScreen helps to provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are:
+
+- **Anti-phishing and anti-malware support.** SmartScreen helps to protect your employees from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly-used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+
+- **Reputation-based URL and app protection.** SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, your employees won't see any warnings. If however there's no reputation, the item is marked as a higher risk and presents a warning to the employee.
+
+- **Operating system integration.** SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+
+- **Improved heuristics and telemetry.** SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files. 
+
+- **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md).
+
+## Viewing Windows Defender SmartScreen anti-phishing events
+When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx).
+
+## Related topics
+- [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx)
+
+- [How to recognize phishing email messages, links, or phone calls](https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx)
+
+- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+
+- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
new file mode 100644
index 0000000000..482d88a367
--- /dev/null
+++ b/windows/keep-secure/windows-defender-smartscreen-set-individual-device.md
@@ -0,0 +1,80 @@
+---
+title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10)
+description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices.
+keywords: SmartScreen Filter, Windows SmartScreen
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Set up and use Windows Defender SmartScreen on individual devices
+
+**Applies to:**
+- Windows 10, version 1703
+- Windows 10 Mobile
+
+Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files.
+
+## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen
+Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it.
+
+>[!NOTE]
+>If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee.
+
+**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device**
+1. Open the Windows Defender Security Center app, and then click **App & browser control**.
+
+ ![Windows Defender Security Center](images/windows-defender-security-center.png)
+
+2. In the **App & browser control** screen, choose from the following options:
+
+ - In the **Check apps and files** area:
+
+ - **Block.** Stops employees from downloading and running unrecognized apps and files from the web. 
+
+ - **Warn.** Warns employees that the apps and files being downloaded from the web are potentially dangerous, but allows the action to continue.
+
+ - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+
+ - In the **SmartScreen for Microsoft Edge** area:
+
+ - **Block.** Stops employees from downloading and running unrecognized apps and files from the web, while using Microsoft Edge.
+
+ - **Warn.** Warns employees that sites and downloads are potentially dangerous, but allows the action to continue while running in Microsoft Edge.
+
+ - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from downloading potentially malicious apps and files.
+
+ - In the **SmartScreen from Windows Store apps** area:
+
+ - **Block** or **Warn.** Warns employees that the sites and downloads used by Windows Store apps are potentially dangerous, but allows the action to continue.
+
+ - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
+
+ ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png)
+
+## How SmartScreen works when an employee tries to run an app
+Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization.
+
+By default, your employees can bypass SmartScreen protection, letting them run legitimate apps after accepting a warning message prompt. 
You can also use Group Policy or Microsoft Intune to block employees from using unrecognized apps, or to entirely turn off Windows Defender SmartScreen (not recommended).
+
+## How employees can report websites as safe or unsafe
+You can configure Windows Defender SmartScreen to warn employees from going to a potentially dangerous site. Employees can then choose to report a website as safe from the warning message or as unsafe from within Microsoft Edge and Internet Explorer 11.
+
+**To report a website as safe from the warning message**
+- On the warning screen for the site, click **More Information**, and then click **Report that this site does not contain threats**. The site info is sent to the Microsoft feedback site, which provides further instructions.
+
+**To report a website as unsafe from Microsoft Edge**
+- If a site seems potentially dangerous, employees can report it to Microsoft by clicking **More (...)**, clicking **Send feedback**, and then clicking **Report unsafe site**.
+
+**To report a website as unsafe from Internet Explorer 11**
+- If a site seems potentially dangerous, employees can report it to Microsoft by clicking on the **Tools** menu, clicking **Windows Defender SmartScreen**, and then clicking **Report unsafe website**.
+
+## Related topics
+- [Keep Windows 10 secure](https://technet.microsoft.com/itpro/windows/keep-secure/index)
+- [Security technologies in Windows 10](https://technet.microsoft.com/itpro/windows/keep-secure/security-technologies)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/windows-hello-in-enterprise.md b/windows/keep-secure/windows-hello-in-enterprise.md
deleted file mode 100644
index 379a453284..0000000000
--- a/windows/keep-secure/windows-hello-in-enterprise.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Windows Hello biometrics in the enterprise (Windows 10)
-description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
-ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
-keywords: Windows Hello, enterprise biometrics
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/hello-biometrics-in-enterprise
----
-
-# Windows Hello biometrics in the enterprise
diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md
index b4ebd4ced4..107cfa5c1f 100644
--- a/windows/keep-secure/wip-app-enterprise-context.md
+++ b/windows/keep-secure/wip-app-enterprise-context.md
@@ -6,13 +6,14 @@ ms.prod: w10
 ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
+author: eross-msft
 localizationpriority: high
 ---
 # Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
 **Applies to:**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
 - Windows 10 Mobile
 >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). 
@@ -45,8 +46,7 @@ The **Enterprise Context** column shows you what each app can do with your enter - **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). - >[!IMPORTANT] - >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. + >**Important**
          Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. diff --git a/windows/keep-secure/wip-enterprise-overview.md b/windows/keep-secure/wip-enterprise-overview.md deleted file mode 100644 index 2b0b45fd93..0000000000 --- a/windows/keep-secure/wip-enterprise-overview.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Windows Information Protection overview (Windows 10) -description: Conceptual info about Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP). -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip ---- diff --git a/windows/manage/TOC.md b/windows/manage/TOC.md index f5417ba0f7..15a5dc3d5d 100644 --- a/windows/manage/TOC.md +++ b/windows/manage/TOC.md 
@@ -1,81 +1,47 @@ -# [Manage and update Windows 10](index.md) +# [Manage Windows 10](index.md) +## [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) +## [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) ## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) -## [Cortana integration in your business or enterprise](cortana-at-work-overview.md) -### [Testing scenarios using Cortana in your business or organization](cortana-at-work-testing-scenarios.md) -#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work-scenario-1.md) -#### [Test scenario 2 - Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work-scenario-2.md) -#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work-scenario-3.md) -#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work-scenario-4.md) -#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work-scenario-5.md) -#### [Test scenario 6 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work-scenario-6.md) -### [Set up and test Cortana with Office 365 in your organization](cortana-at-work-o365.md) -### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work-crm.md) -### [Set up and test Cortana for Power BI in your organization](cortana-at-work-powerbi.md) -### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work-voice-commands.md) -### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work-policy-settings.md) -### [Send feedback about Cortana at work back to Microsoft](cortana-at-work-feedback.md) -## [Update Windows 10 in the 
enterprise](waas-update-windows-10.md) -### [Quick guide to Windows as a service](waas-quick-start.md) -### [Overview of Windows as a service](waas-overview.md) -### [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) -### [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) -### [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) -### [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) -#### [Get started with Update Compliance](update-compliance-get-started.md) -#### [Use Update Compliance](update-compliance-using.md) -### [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -#### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -#### [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -### [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) -### [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -#### [Configure Windows Update for Business](waas-configure-wufb.md) -#### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -#### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -#### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) -### [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) -### [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) -### [Manage device restarts after updates](waas-restart.md) -## [Manage corporate devices](manage-corporate-devices.md) -### [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) 
-### [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) -### [Manage Windows 10 and Windows Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) -### [New policies for Windows 10](new-policies-for-windows-10.md) -### [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) -### [Changes to Group Policy settings for Windows 10 Start menu](changes-to-start-policies-in-windows-10.md) -### [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) -### [Introduction to configuration service providers (CSPs)](how-it-pros-can-use-configuration-service-providers.md) -## [Windows Spotlight on the lock screen](windows-spotlight.md) -## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) -### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -### [Customize and export Start layout](customize-and-export-start-layout.md) -### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -### [Start layout XML for mobile editions of Windows 10 (reference)](start-layout-xml-mobile.md) -### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -### [Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -### [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +## [Windows Store for Business](windows-store-for-business.md) +### [Sign up and get started](sign-up-windows-store-for-business-overview.md) +####[Windows Store for Business overview](windows-store-for-business-overview.md) +#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md) +#### [Sign up for Windows Store for 
Business](sign-up-windows-store-for-business.md) +#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md) +#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md) +### [Find and acquire apps](find-and-acquire-apps-overview.md) +#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md) +#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md) +#### [Working with line-of-business apps](working-with-line-of-business-apps.md) +### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md) +#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md) +#### [Assign apps to employees](assign-apps-to-employees.md) +#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md) +#### [Distribute offline apps](distribute-offline-apps.md) +### [Manage apps](manage-apps-windows-store-for-business-overview.md) +#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md) +#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md) +#### [Manage access to private store](manage-access-to-private-store.md) +#### [Manage private store settings](manage-private-store-settings.md) +#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md) +### [Device Guard signing portal](device-guard-signing-portal.md) +#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) +#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) +### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md) +#### [Update Windows Store for Business 
account settings](update-windows-store-for-business-account-settings.md) +#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md) +### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md) ## [Create mandatory user profiles](mandatory-user-profile.md) -## [Lock down Windows 10](lock-down-windows-10.md) -### [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) -### [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) -### [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md) -#### [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) -#### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](set-up-a-kiosk-for-windows-10-for-mobile-edition.md) -#### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) -### [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md) -### [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -### [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) -### [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md) -### [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) -### [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md) -#### [Settings and quick actions that can be locked down in Windows 10 Mobile](settings-that-can-be-locked-down.md) -#### [Product IDs in Windows 10 Mobile](product-ids-in-windows-10-mobile.md) -### [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) +## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) ## [Join 
Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) -## [Configure devices without MDM](configure-devices-without-mdm.md) +## [New policies for Windows 10](new-policies-for-windows-10.md) +## [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) +## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) ## [Application Virtualization (App-V) for Windows](appv-for-windows.md) ### [Getting Started with App-V](appv-getting-started.md) -#### [What's new in App-V](appv-about-appv.md) -##### [Release Notes for App-V](appv-release-notes-for-appv-for-windows.md) +#### [What's new in App-V for Windows 10, version 1703 and earlier](appv-about-appv.md) +##### [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows.md) +##### [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md) #### [Evaluating App-V](appv-evaluating-appv.md) #### [High Level Architecture for App-V](appv-high-level-architecture.md) ### [Planning for App-V](appv-planning-for-appv.md) 
@@ -112,7 +78,10 @@
 #### [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md)
 ### [Operations for App-V](appv-operations.md)
 #### [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md)
-##### [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md)
+##### [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
+##### [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
+##### [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
+##### [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
 ##### [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md)
 ##### [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md)
 ##### [How to Create a Package Accelerator](appv-create-a-package-accelerator.md)
@@ -143,6 +112,7 @@
 ##### [How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md)
 ##### [How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md)
 #### [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
+##### [Automatically clean-up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
 #### [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md)
 ##### [How to Convert a Package Created in a Previous Version of App-V](appv-convert-a-package-created-in-a-previous-version-of-appv.md)
 #### [Maintaining App-V](appv-maintaining-appv.md)
@@ -161,6 +131,7 @@
 ##### [How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell](appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md)
 ### [Troubleshooting App-V](appv-troubleshooting.md)
 ### [Technical Reference for App-V](appv-technical-reference.md)
+#### [Available Mobile Device Management (MDM) settings for App-V](appv-available-mdm-settings.md)
 #### [Performance Guidance for Application Virtualization](appv-performance-guidance.md)
 #### [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md)
 #### [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md)
@@ -192,33 +163,4 @@
 #### [Synchronizing Microsoft Office with UE-V](uev-synchronizing-microsoft-office-with-uev.md)
 #### [Application Template Schema Reference for UE-V](uev-application-template-schema-reference.md)
 #### [Security Considerations for UE-V](uev-security-considerations.md)
-## [Windows Store for Business](windows-store-for-business.md)
-### [Sign up and get started](sign-up-windows-store-for-business-overview.md)
-####[Windows Store for Business overview](windows-store-for-business-overview.md)
-#### [Prerequisites for Windows Store for Business](prerequisites-windows-store-for-business.md)
-#### [Sign up for Windows Store for Business](sign-up-windows-store-for-business.md)
-#### [Roles and permissions in the Windows Store for Business](roles-and-permissions-windows-store-for-business.md)
-#### [Settings reference: Windows Store for Business](settings-reference-windows-store-for-business.md)
-### [Find and acquire apps](find-and-acquire-apps-overview.md)
-#### [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md)
-#### [Acquire apps in the Windows Store for Business](acquire-apps-windows-store-for-business.md)
-#### [Working with line-of-business apps](working-with-line-of-business-apps.md)
-### [Distribute apps to your employees from the Windows Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md)
-#### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
-#### [Assign apps to employees](assign-apps-to-employees.md)
-#### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
-#### [Distribute offline apps](distribute-offline-apps.md)
-### [Manage apps](manage-apps-windows-store-for-business-overview.md)
-#### [App inventory managemement for Windows Store for Business](app-inventory-management-windows-store-for-business.md)
-#### [Manage app orders in Windows Store for Business](manage-orders-windows-store-for-business.md)
-#### [Manage access to private store](manage-access-to-private-store.md)
-#### [Manage private store settings](manage-private-store-settings.md)
-#### [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md)
-### [Device Guard signing portal](device-guard-signing-portal.md)
-#### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
-#### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
-### [Manage settings in the Windows Store for Business](manage-settings-windows-store-for-business.md)
-#### [Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
-#### [Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)
-### [Troubleshoot Windows Store for Business](troubleshoot-windows-store-for-business.md)
-## [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)
+## [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md)
diff --git a/windows/manage/app-inventory-managemement-windows-store-for-business.md b/windows/manage/app-inventory-managemement-windows-store-for-business.md
deleted file mode 100644
index 1dedc043ff..0000000000
--- a/windows/manage/app-inventory-managemement-windows-store-for-business.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-title: App inventory management for Windows Store for Business (Windows 10)
-description: You can manage all apps that you've acquired on your Inventory page.
-ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-management-windows-store-for-business
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: store
-author: TrudyHa
----
-
diff --git a/windows/manage/application-development-for-windows-as-a-service.md b/windows/manage/application-development-for-windows-as-a-service.md
deleted file mode 100644
index 080fccc711..0000000000
--- a/windows/manage/application-development-for-windows-as-a-service.md
+++ /dev/null
@@ -1,165 +0,0 @@ ---- -title: Application development for Windows as a service (Windows 10) -description: Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. -ms.assetid: 28E0D103-B0EE-4B14-8680-6F30BD373ACF -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, servicing -author: jdeckerMS -redirect_url: https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service ---- - -# Application development for Windows as a service - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows 10 IoT Core - -In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation, development, and delivery called [Windows as a service (WaaS)](introduction-to-windows-10-servicing.md). The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle and provide feedback to Microsoft through an iterative methodology called flighting. - -Builds distributed as flights provide the Windows engineering team with significant data regarding how well builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. 
As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery and better public release quality than ever. - -## Windows 10 release types and cadences - -Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: - -**Feature updates** install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature updates contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. Microsoft expects to publish an average of one to two new feature updates per year. - -**Quality updates** deliver security issue resolutions and other important bug fixes. Quality updates will be provided to improve each feature currently in support, on a cadence of one or more times per month. Microsoft will continue publishing quality updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional quality updates for Windows 10 outside the Update Tuesday process when required to address customer needs. - -During Windows 10 development, Microsoft streamlined the Windows product engineering and release cycle so that we can deliver the features, experiences, and functionality customers want, more quickly than ever. We also created new ways to deliver and install feature updates and quality updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership. 
Hence we have implemented new servicing options – referred to as Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB) – that provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. - -The following table shows describes the various servicing branches and their key attributes. - -| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | -|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| -| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, Mobile, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | -| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, Mobile Enterprise, IoT Core Pro | -| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | -  -For more information, see [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md). - -## Supporting apps in Windows as a service - -The traditional approach for supporting apps has been to release a new app version in response to a Windows release. This assumes that there are breaking changes in the underlying OS that could potentially cause a regression with the application. 
This model involves a dedicated development and validation cycle that requires our ISV partners to align with the Windows release cadence. - -In the Windows as a service model, Microsoft is making a commitment to maintaining the compatibility of the underlying OS. This means Microsoft will make a concerted effort to ensure that there are no breaking changes that impact the app ecosystem negatively. In this scenario, when there is a release of a Windows build, most apps (those with no kernel dependencies) will continue to work. - -In view of this change, Microsoft recommends that our ISV partners decouple their app release and support from specific Windows builds. Our mutual customers are better served by an application lifecycle approach. This means when an application version is released it will be supported for a certain period of time irrespective of however many Windows builds are released in the interim. The ISV makes a commitment to provide support for that specific version of the app as long as it is supported in the lifecycle. Microsoft follows a similar lifecycle approach for Windows that can be referenced [here](https://go.microsoft.com/fwlink/?LinkID=780549). - -This approach will reduce the burden of maintaining an app schedule that aligns with Windows releases. ISV partners should be free to release features or updates at their own cadence. We feel that our partners can keep their customer base updated with the latest app updates independent of a Windows release. In addition, our customers do not have to seek an explicit support statement whenever a Windows build is released. 
Here is an example of a support statement that covers how an app may be supported across different versions of the OS: - -| Example of an application lifecycle support statement | -|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Contoso is a software development company and is the owner of the popular Mojave app which has a major share in the enterprise space. Contoso releases its next major release Mojave 14.0 and declares mainstream support for a period of three years from the release date. During mainstream support all updates and support are complimentary for the licensed product. Contoso also declares an additional two years of extended support where customers can purchase updates and support for a grace period. Beyond the extended support end date this product version is no longer supported. During the period of mainstream support Contoso will support Mojave 14.0 on all released builds of Windows. Contoso will also release updates to Mojave as necessary and independent of the Windows product releases. | -  -In the following sections, you will find additional information about the steps Microsoft takes to maintain the compatibility of the underlying OS. 
You will also find guidance on steps you can take to help maintain the compatibility of the combined OS and app ecosystem. There is a section on how to leverage Windows flighting builds to detect app regressions before a Windows build is released. Lastly, we describe how we use an instrumentation and telemetry-driven approach to increase the quality of Windows builds. We recommend ISVs adopt a similar approach with their app portfolio. - -## Key changes since Windows 7 to ensure app compatibility - -We understand that compatibility matters to developers. ISVs and developers want to ensure their apps will run as expected on all supported versions of the Windows OS. Consumers and businesses have a key investment here—they want to ensure that the apps they have paid for will continue to work. We know that compatibility is the primary criteria for purchase decisions. Apps that are well written based on best practices will lead to much less code churn when -a new Windows version is released and will reduce fragmentation—these apps have a reduced engineering investment to maintain, and a faster time to market. - -In the Windows 7 timeframe, compatibility was very much a reactive approach. In Windows 8, we started looking at this differently, working within Windows to ensure that compatibility was by design rather than an afterthought. -Windows 10 is the most compatible-by-design version of the OS to date. Here are some key ways we accomplished this: -- **App telemetry**: This helps us understand app popularity in the Windows ecosystem to inform compatibility testing. -- **ISV partnerships**: Work directly with external partners to provide them with data and help fix issues that our users experience. -- **Design reviews, upstream detection**: Partner with feature teams to reduce the number of breaking changes in Windows. Compatibility review is a gate that our feature teams must pass. -- **Communication**: Tighter control over API changes and improved communication. 
-- **Flighting and feedback loop**: Windows insiders receive flighted builds that help improve our ability to find compatibility issues before a final build is released to customers. This feedback process not only exposes bugs, but ensures we are shipping features our users want. - -## Best practices for app compatibility - -Microsoft uses diagnostic and usage data to identify and troubleshoot problems, improve our products and services, and provide our users with personalized experiences. The usage data we collect also extends to the apps that PCs in the Windows ecosystem are running. Based on what our customers use, we build our list to test these apps, devices, and drivers against new versions of the Windows OS. Windows 10 has been the most compatible version of Windows to-date, with over 90% compatibility against thousands of popular apps. The Windows Compatibility team commonly reaches out to our ISV partners to provide feedback if issues are discovered, so that we can partner together on solutions. Ideally, we’d like our common customers to be able to update Windows seamlessly and without losing functionality in either their OS or the apps they depend on for their productivity or entertainment. - -The following sections contain some best practices Microsoft recommends so you can ensure your apps are compatible with Windows 10. - -### Windows version check - -The OS version has been incremented with Windows 10. This means that the internal version number has been changed to 10.0. As in the past, we go to great lengths to maintain application and device compatibility after an OS version change. For most app categories (without any kernel dependencies), the change will not negatively impact app functionality, and existing apps will continue to work fine on Windows 10. - -The manifestation of this change is app-specific. 
This means any app that specifically checks for the OS version will get a higher version number, which can lead to one or more of the following situations: -- App installers might not be able to install the app, and apps might not be able to start. -- Apps might become unstable or crash. -- Apps might generate error messages, but continue to function properly. - -Some apps perform a version check and simply pass a warning to users. However, there are apps that are bound very tightly to a version check (in the drivers, or in kernel mode to avoid detection). In these cases, the app will fail if an incorrect version is found. Rather than a version check, we recommend one of the following approaches: -- If the app is dependent on specific API functionality, ensure you target the correct API version. -- Ensure you detect the change via APISet or another public API, and do not use the version as a proxy for some feature or fix. If there are breaking changes and a proper check is not exposed, then that is a bug. -- Ensure the app does NOT check for version in odd ways, such as via the registry, file versions, offsets, kernel mode, drivers, or other means. If the app absolutely needs to check the version, use the GetVersion APIs, which should return the major, minor, and build number. -- If you are using the [GetVersion](https://go.microsoft.com/fwlink/?LinkID=780555) API, remember that the behavior of this API has changed since Windows 8.1. - -If you own apps such as antimalware or firewall apps, you should work through your usual feedback channels and via the Windows Insider program. - -### Undocumented APIs - -Your apps should not call undocumented Windows APIs, or take dependency on specific Windows file exports or registry keys. This can lead to broken functionality, data loss, and potential security issues. 
If there is functionality your app requires that is not available, this is an opportunity to provide feedback through your usual feedback channels and via the Windows Insider program. - -### Develop Universal Windows Platform (UWP) and Centennial apps - -We encourage all Win32 app ISVs to develop [Universal Windows Platform (UWP)](https://go.microsoft.com/fwlink/?LinkID=780560) and, specifically, [Centennial](https://go.microsoft.com/fwlink/?LinkID=780562) apps moving forward. There are great benefits to developing these app packages rather than using traditional Win32 installers. UWP apps are also supported in the [Windows Store](https://go.microsoft.com/fwlink/?LinkID=780563), so it’s easier for you to update your users to a consistent version automatically, lowering your support costs. - -If your Win32 app types do not work with the Centennial model, we highly recommend that you use the right installer and ensure this is fully tested. An installer is your user or customer’s first experience with your app, so ensure that this works well. All too often, this doesn’t work well or it hasn’t been fully tested for all scenarios. The [Windows App Certification Kit](https://go.microsoft.com/fwlink/?LinkID=780565) can help you test the install and uninstall of your Win32 app and help you identify use of undocumented APIs, as well as other basic performance-related best-practice issues, before your users do. - -**Best practices:** -- Use installers that work for both 32-bit and 64-bit versions of Windows. -- Design your installers to run on multiple scenarios (user or machine level). -- Keep all Windows redistributables in the original packaging – if you repackage these, it’s possible that this will break the installer. -- Schedule development time for your installers—these are often overlooked as a deliverable during the software development lifecycle. 
- -## Optimized test strategies and flighting - -Windows OS flighting refers to the interim builds available to Windows Insiders before a final build is released to the general population. The more Insiders that flight these interim builds, the more feedback we receive on the build quality, compatibility, etc., and this helps improve quality of the final builds. You can participate in this flighting program to ensure that your apps work as expected on iterative builds of the OS. We also encourage you to provide feedback on how these flighted builds are working for you, issues you run into, and so on. - -If your app is in the Store, you can flight your app via the Store, which means that your app will be available for our Windows Insider population to install. Users can install your app and you can receive preliminary feedback on your app before you release it to the general population. The follow sections outline the steps for testing your apps against Windows flighted builds. - -### Step 1: Become a Windows Insider and participate in flighting -As a [Windows Insider,](https://go.microsoft.com/fwlink/p/?LinkId=521639) you can help shape the future of Windows—your feedback will help us improve features and functionality in the platform. This is a vibrant community where you can connect with other enthusiasts, join forums, trade advice, and learn about upcoming Insider-only events. - -Since you’ll have access to preview builds of Windows 10, Windows 10 Mobile, and the latest Windows SDK and Emulator, you’ll have all the tools at your disposal to develop great apps and explore what's new in the Universal Windows Platform and the Windows Store. - -This is also a great opportunity to build great hardware, with preview builds of the hardware development kits so you can develop universal drivers for Windows. The IoT Core Insider Preview is also available on supported IoT development boards, so you can build amazing connected solutions using the Universal Windows Platform. 
- -Before you become a Windows Insider, please note that participation is intended for users who: -- Want to try out software that’s still in development. -- Want to share feedback about the software and the platform. -- Don’t mind lots of updates or a UI design that might change significantly over time. -- Really know their way around a PC and feel comfortable troubleshooting problems, backing up data, formatting a hard drive, installing an operating system from scratch, or restoring an old one if necessary. -- Know what an ISO file is and how to use it. -- Aren't installing it on their everyday computer or device. - -### Step 2: Test your scenarios - -Once you have updated to a flighted build, the following are some sample test cases to help you get started on testing and gathering feedback. For most of these tests, ensure you cover both x86 and AMD64 systems. -**Clean install test:** On a clean install of Windows 10, ensure your app is fully functional. If your app fails this test and the upgrade test, then it’s likely that the issue is caused by underlying OS changes or bugs in the app. -If after investigation, the former is the case, be sure to use the Windows Insider program to provide feedback and partner on solutions. - -**Upgrade Test:** Check that your app works after upgrading from a down-level version of Windows (i.e. Windows 7 or Windows 8.1) to Windows 10. Your app shouldn’t cause roll backs during upgrade, and should continue to work as expected after upgrade—this is crucial to achieve a seamless upgrade experience. - -**Reinstall Test:** Ensure that app functionality can be restored by reinstalling your app after you upgrade the PC to Windows 10 from a down-level OS. If your app didn’t pass the upgrade test and you have not been able to narrow down the cause of these issues, it’s possible that a reinstall can restore lost functionality. A passing reinstall test indicates that parts of the app may not have been migrated to Windows 10. 
- -**OS\\Device Features Test:** Ensure that your app works as expected if your app relies on specific functionality in the OS. Common areas for testing include the following, often against a selection of the commonly used PC models to ensure coverage: -- Audio -- USB device functionality (keyboard, mouse, memory stick, external hard disk, and so on) -- Bluetooth -- Graphics\\display (multi-monitor, projection, screen rotation, and so on) -- Touch screen (orientation, on-screen keyboard, pen, gestures, and so on) -- Touchpad (left\\right buttons, tap, scroll, and so on) -- Pen (single\\double tap, press, hold, eraser, and so on) -- Print\\Scan -- Sensors (accelerometer, fusion, and so on) -- Camera - -### Step 3: Provide feedback - -Let us know how your app is performing against flighted builds. As you discover issues with your app during testing, please log bugs via the partner portal if you have access, or through your Microsoft representative. We encourage this information so that we can build a quality experience for our users together. - -### Step 4: Register on Windows 10 -The [Ready for Windows 10](https://go.microsoft.com/fwlink/?LinkID=780580) website is a directory of software that supports Windows 10. It’s intended for IT administrators at companies and organizations worldwide that are considering Windows 10 for their deployments. IT administrators can check the site to see whether software deployed in their enterprise is supported in Windows 10. - -## Related topics -[Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) -  -  diff --git a/windows/manage/appv-about-appv.md b/windows/manage/appv-about-appv.md index ef43aeed3d..9fc61c9b7d 100644 --- a/windows/manage/appv-about-appv.md +++ b/windows/manage/appv-about-appv.md 
@@ -1,26 +1,43 @@
 ---
-title: What's new in App-V for Windows 10 (Windows 10)
-description: Information about what's new in App-V for Windows 10.
-author: MaggiePucciEvans
+title: What's new in App-V for Windows 10, version 1703 and earlier (Windows 10)
+description: Information about what's new in App-V for Windows 10, version 1703 and earlier.
+author: eross-msft
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.prod: w10
 ---
-
-# What's new in App-V
+# What's new in App-V for Windows 10, version 1703 and earlier
 **Applies to**
-- Windows 10, version 1607
+- Windows 10, version 1703 and earlier
-Microsoft Application Virtualization (App-V) enables organizations to deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points and interact with them as if they were installed locally.
+Microsoft Application Virtualization (App-V) helps organizations to deliver Win32 applications to employees as virtual apps. Virtual apps are installed on centrally managed servers and delivered to employees as a service – in real time and on an as-needed basis. Employees start virtual apps from familiar access points and interact with them as if they were installed locally.
-Application Virtualization (App-V) for Windows 10, version 1607, includes these new features and capabilities compared to App-V 5.1. See [App-V release notes](appv-release-notes-for-appv-for-windows.md) for more information about the App-V for Windows 10, version 1607 release.
+## What's new in App-V Windows 10, version 1703
+The following are new features in App-V for Windows 10, version 1703.
+### Auto sequence and update your App-V packages singly or as a batch
+Previous versions of the App-V Sequencer have required you to manually sequence and update your app packages. 
This was time-consuming and required extensive interaction, causing many companies to deploy brand-new packages rather than update an existing one. Windows 10, version 1703 introduces the App-V Auto-Sequencer, which automatically sequences your app packages, improving your overall experience by streamlining the provisioning of the prerequisite environment, automating app installation, and expediting the package updating setup. + +Using the automatic sequencer to package your apps provides: +- Automatic virtual machine (VM) provisioning of the sequencing environment. For info about this, see [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md). + +- Batch-sequencing of packages. This means that multiple apps can be sequenced at the same time, in a single group. For info about this, see [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md). + +- Batch-updating of packages. This means that multiple apps can be updated at the same time, in a single group. For info about this, see [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md). + +### Updates to the App-V project template +Starting with Windows 10, version 1703, you can save an App-V project template (.appvt) file as part of a sequenced App-V package, so it's automatically loaded every time the package opens for editing or updates. Your template can include general option settings, file exclusion list settings, and target operating system settings. 
For more info about this, see [Create and apply an App-V project template to a sequenced App-V package](appv-create-and-use-a-project-template.md) + +### Automatically cleanup unpublished App-V packages from the App-V client +Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. For more info about this, see [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) + +## What's new in App-V in Windows 10, version 1607 +The following are new features in App-V for Windows 10, version 1607. ## App-V is now a feature in Windows 10 - With Windows 10, version 1607 and later releases, Application Virtualization (App-V) is included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack. For information about earlier versions of App-V, see [MDOP Information Experience](https://technet.microsoft.com/itpro/mdop/index). 
@@ -29,26 +46,25 @@ The changes in App-V for Windows 10, version 1607 impact already existing implem - The App-V client is installed on user devices automatically with Windows 10, version 1607, and no longer has to be deployed separately. Performing an in-place upgrade to Windows 10, version 1607, on user devices automatically installs the App-V client. -- The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. +- The App-V application sequencer is available from the [Windows 10 Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). In previous releases of App-V, the application sequencer was included in the Microsoft Desktop Optimization Pack. Although you’ll need to use the new application sequencer to create new virtualized applications, existing virtualized applications will continue to work. ->**Note**
          If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released. + >[!NOTE] + >If you're already using App-V 5.x, you don't need to re-deploy the App-V server components as they haven't changed since App-V 5.0 was released. For more information about how to configure an existing App-V installation after upgrading user devices to Windows 10, see [Upgrading to App-V for Windows 10 from an existing installation](appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md) and [Migrating to App-V for Windows 10 from a previous version](appv-migrating-to-appv-from-a-previous-version.md). ->**Important** -You can upgrade your existing App-V installation to Windows 10, version 1607 from App-V versions 5.0 SP2 and higher only. If you are using a previous version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you upgrade to Windows 10, version 1607. - +>[!IMPORTANT] +>You can upgrade your existing App-V installation to Windows 10, version 1607 from App-V versions 5.0 SP2 and higher only. If you are using a previous version of App-V, you’ll need to upgrade from that version to App-V 5.0 SP2 before you upgrade to Windows 10, version 1607.   ## Support for System Center - App-V supports System Center 2016 and System Center 2012 R2 Configuration Manager SP1. See [Planning for App-V Integration with Configuration Manager](https://technet.microsoft.com/library/jj822982.aspx) for information about integrating your App-V environment with Configuration Manager. +## Related topics +- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows.md) + +- [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md) ## Have a suggestion for App-V? 
- Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). -## Related topics - -[Release Notes for App-V](appv-release-notes-for-appv-for-windows.md) diff --git a/windows/manage/appv-accessibility.md b/windows/manage/appv-accessibility.md deleted file mode 100644 index 34a3ab0a09..0000000000 --- a/windows/manage/appv-accessibility.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Accessibility for App-V (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-getting-started ---- diff --git a/windows/manage/appv-accessing-the-client-management-console.md b/windows/manage/appv-accessing-the-client-management-console.md deleted file mode 100644 index d6ad0b2b1a..0000000000 --- a/windows/manage/appv-accessing-the-client-management-console.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: How to access the client management console (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-using-the-client-management-console ---- diff --git a/windows/manage/appv-auto-batch-sequencing.md b/windows/manage/appv-auto-batch-sequencing.md new file mode 100644 index 0000000000..2722febd18 --- /dev/null +++ b/windows/manage/appv-auto-batch-sequencing.md 
@@ -0,0 +1,173 @@
+---
+title: Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
+description: How to automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+
+**Applies to**
+- Windows 10, version 1703
+
+Sequencing multiple apps at the same time requires you to install and start Microsoft Application Virtualization Sequencer (App-V Sequencer), and to install the necessary apps to collect any changes made to the operating system during the installation and building of the App-V package.
+
+In Windows 10, version 1703, running the App-V Sequencer automatically captures and stores your customizations as an App-V project template (.appvt) file. If you want to make changes to this package later, your customizations will be automatically loaded from this template file. This is applicable to all of the sequencing scenarios:
+
+- Using the New-BatchAppVSequencerPackages cmdlet
+
+ - Using the App-V Sequencer interface
+
+ - Using the new-AppVSequencerPackage cmdlet
+
+ >[!NOTE]
+ >If you're trying to update multiple apps at the same time, see the [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) topic.
+
+### Sequence multiple apps by using a PowerShell cmdlet
+Sequencing multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of sequencing. 
This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations. + +**To create your ConfigFile for use by the PowerShell cmdlet** + +1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad. + +2. Add the following required XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. + + - **<InstallerFolder>.** The file path to the folder with the app installer. + + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<InstallerOptions>.** The command-line options required for the app installation. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + + ```XML + + + + Skype for Windows + D:\Install\New\SkypeforWindows + SkypeSetup.exe + /S + 20 + True + True + + + Power BI + D:\Install\New\MicrosoftPowerBI + PBIDesktop.msi + /S + 20 + True + True + + + + ``` +3. Save your completed file, using the name **ConfigFile**. 
+ + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and _OutputPath_ is the full path to where the sequenced packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off. + +### Sequence multiple apps by using the App-V Sequencer interface +Sequencing multipe apps at the same time requires that you create a **ConfigFIle** to collect all of the info related to each round of sequencing. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM. + +**To create your ConfigFile for use by the App-V Sequencer interface** + +1. Determine the apps that need to be included in your App-V sequencing package, and then open a text editor, such as Notepad. + +2. Add the following required XML info for each app: + + - **<Name>.** The name of the app you're adding to the package. 
+ + - **<InstallerFolder>.** The file path to the folder with the app installer. + + - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file. + + - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for sequencing to complete. You can enter a different value for each app, based on the size and complexity of the app itself. + + - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based sequencing, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps. + + - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them. + + **Example:** + + ```XML + + + + Skype for Windows + D:\Install\New\SkypeforWindows + SkypeSetup.exe + 20 + False + True + + + Power BI + D:\Install\New\MicrosoftPowerBI + PBIDesktop.msi + 20 + False + True + + + + ``` + + +**To start the App-V Sequencer interface and app installation process** +- Open PowerShell as an admin on the Host computer and run the following commands to start the batch sequencing: + + ```ps1 + New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath + ``` + Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch sequencing, and _OutputPath_ is the full path to where the sequenced packages should be copied. + + The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and sequencing of the app begins from the command-line. 
After completing sequencing and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off.
+
+### Review the log files
+There are 3 types of log files that occur when you sequence multiple apps at the same time:
+
+- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the sequencing activities, such as "Copying installer to VM", "Scheduling sequencing task", and so on for each app. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem.
+
+- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
+
+- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters. 
+
+### Related topics
+- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
+
+- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
+
+- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
+
+- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md)
+
+- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
+
+**Have a suggestion for App-V?**

          +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/appv-auto-batch-updating.md b/windows/manage/appv-auto-batch-updating.md new file mode 100644 index 0000000000..3c9a7531bc --- /dev/null +++ b/windows/manage/appv-auto-batch-updating.md 
@@ -0,0 +1,177 @@
+---
+title: Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
+description: How to automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer).
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+# Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+
+**Applies to**
+- Windows 10, version 1703
+
+Updating multiple apps at the same time follows the same process as [automatically sequencing multiple apps at the same time](appv-auto-batch-sequencing.md). However for updating, you'll pass your previously created app package files to the App-V Sequencer cmdlet for updating.
+
+Starting with Windows 10, version 1703, running the New-BatchAppVSequencerPackages cmdlet or the App-V Sequencer interface captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
+
+>[!NOTE]
+>If you're trying to sequence multiple apps at the same time, see the [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) topic.
+
+### Update multiple apps by using a PowerShell cmdlet
+Updating multiple apps at the same time requires that you create a **ConfigFile** with info related to each round of updating. This file is then used by the cmdlet to start the VM at a "clean" checkpoint, to copy the installer from the Host device to the VM, and then to start the App-V Sequencer to monitor your specified app installations.
+
+**To create your ConfigFile for use by the PowerShell cmdlet**
+
+1. 
Determine the apps that need to be included in your app package, and then open a text editor, such as Notepad.
+
+2. Add the following XML info for each app:
+
+ - **<Name>.** The name of the app you're adding to the package.
+
+ - **<InstallerFolder>.** The file path to the folder with the app installer.
+
+ - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file.
+
+ - **<InstallerOptions>.** The command-line options required for the app installation.
+
+ - **<Package>.** The file path to the location of your App-V packages. These packages were created when you sequenced your apps.
+
+ - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, that the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself.
+
+ - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to use cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps.
+
+ - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them.
+
+ **Example:**
+ ```XML
+
+
+
+ Skype for Windows Update
+ D:\Install\Update\SkypeforWindows
+ SkypeSetup.exe
+ /S
+ C:\App-V_Package\Microsoft_Apps\skypeupdate.appv
+ 20
+ True
+ True
+
+
+ Microsoft Power BI Update
+ D:\Install\Update\PowerBI
+ PBIDesktop.msi
+ /S
+ C:\App-V_Package\MS_Apps\powerbiupdate.appv
+ 20
+ True
+ True
+
+
+
+ ```
+
+3. Save your completed file, using the name **ConfigFile**.
+
+
+**To start the App-V Sequencer interface and app installation process**
+- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating:
+
+ ```ps1
+ New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath
+ ```
+ Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and _OutputPath_ is the full path to where the updated packages should be copied.
+
+ The cmdlet creates a "clean" checkpoint on the VM. Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and updating of the app begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off.
+
+### Update multiple apps by using the App-V Sequencer interface
+Updating multipe apps at the same time requires that you create a **ConfigFile** to collect all of the info related to each round of updating. This file is then used by the App-V Sequencer interface after creating a "clean" checkpoint on your VM.
+
+**To create your ConfigFile for use by the App-V Sequencer interface**
+
+1. Determine the apps that need to be updated and then open a text editor, such as Notepad.
+
+2. Add the following XML info for each app:
+
+ - **<Name>.** The name of the app you're adding to the package.
+
+ - **<InstallerFolder>.** The file path to the folder with the app installer.
+
+ - **<Installer>.** The file name for the app executable. This will typically be an .exe or .msi file.
+
+ - **<Package>.** The file path to the location of your App-V packages. These packages were created when you sequenced your apps.
+
+ - **<TimeoutInMinutes>.** The maximum amount of time, in minutes, the cmdlet should wait for updating to complete. You can enter a different value for each app, based on the size and complexity of the app itself.
+
+ - **<Cmdlet>.** Determines whether the sequencer uses the cmdlet or the App-V Sequencer interface. **True** tells the sequencer to usea cmdlet-based updating, while **False** tells the sequencer to use the App-V Sequencer interface. You can use both the cmdlet and the interface together in the same ConfigFile, for different apps.
+
+ - **<Enabled>.** Indicates whether the app should be sequenced. **True** includes the app, while **False** ignores it. You can include as many apps as you want in the batch file, but optionally enable only a few of them.
+
+ **Example:**
+
+ ```XML
+
+
+
+ Skype for Windows Update
+ D:\Install\Update\SkypeforWindows
+ SkypeSetup.exe
+ /S
+ C:\App-V_Package\Microsoft_Apps\skypeupdate.appv
+ 20
+ False
+ True
+
+
+ Microsoft Power BI Update
+ D:\Install\Update\PowerBI
+ PBIDesktop.msi
+ /S
+ C:\App-V_Package\MS_Apps\powerbiupdate.appv
+ 20
+ False
+ True
+
+
+
+ ```
+
+**To start the App-V Sequencer interface and app installation process**
+- Open PowerShell as an admin on the Host computer and run the following commands to start the batch updating:
+
+ ```ps1
+ New-BatchAppVSequencerPackages –ConfigFile –VMName -OutputPath
+ ```
+ Where _VMName_ is the name of the virtual machine (VM) with the App-V Sequencer installed, where you'll run the batch updating, and _OutputPath_ is the full path to where the updated packages should be copied.
+
+ The cmdlet creates a "clean" checkpoint on the VM. 
Next, the cmdlet copies the first app installer listed in the ConfigFile from the Host computer to the VM, and finally a new session of the VM opens (through VMConnect) and updating of the app begins from the command-line. After completing updating and package creation for the first app on the VM, the package is copied from the VM to the Host computer, specified in the OutputPath parameter. The cmdlet then goes to the second app on your list, reverting the VM back to a "clean" checkpoint and running through all of the steps again, until the second app package is copied to your output folder. This process continues until all apps included in your list are done. After the last app, the VM is reverted back to a "clean" checkpoint and turned off.
+
+### Review the log files
+There are 3 types of log files that occur when you sequence multiple apps at the same time:
+
+- **New-BatchAppVSequencerPackages-<*time_stamp*>.txt**. Located in the %temp%\AutoSequencer\Logs directory. This log contains info about the updating activities, such as "Copying installer to VM", "Scheduling updating task", and so on for each app. Additionally, if an app times out, this log contains the failure along with the checkpoint for troubleshooting the problem.
+
+- **New-BatchAppVSequencerPackages-report-<*time_stamp*>.txt**. Located in the **OutputPath** folder you specified earlier. This log contains info about the connections made to the VM, showing if there were any failures. Additionally, it briefly includes success or failure info for all of the apps.
+
+- **Log.txt file**. Located in the **Output Package** folder. This file contains all code included in the NewAppVSequencerPackage cmdlet, including the allowed parameters.
+
+### Related topics
+- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
+
+- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+
+- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md)
+
+- [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md)
+
+- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md)
+
+- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md)
+
+
+**Have a suggestion for App-V?**

          +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-auto-clean-unpublished-packages.md b/windows/manage/appv-auto-clean-unpublished-packages.md
new file mode 100644
index 0000000000..234222854e
--- /dev/null
+++ b/windows/manage/appv-auto-clean-unpublished-packages.md
@@ -0,0 +1,76 @@
+---
+title: Automatically cleanup unpublished packages on the App-V client (Windows 10)
+description: How to automatically clean-up any unpublished packages on your App-V client devices.
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Automatically cleanup unpublished packages on the App-V client
+
+**Applies to**
+- Windows 10, version 1703
+
+Previous versions of App-V have required you to manually remove your unpublished packages from your client devices, to free up additional storage space. Windows 10, version 1703 introduces the ability to use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+
+## Cleanup by using PowerShell commands
+Using PowerShell, you can turn on the **AutoCleanupEnabled** setting to automatically cleanup your unpublished App-V packages from your App-V client devices.
+
+**To turn on the AutoCleanupEnabled option**
+
+1. Open PowerShell as an admin and run the following command to turn on the automatic package cleanup functionality:
+
+ ```ps1
+ Set-AppvClientConfiguration -AutoCleanupEnabled 1
+ ```
+
+ The command runs and you should see the following info on the PowerShell screen:
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
          NameValueSetbyGroupPolicy
          AutoCleanupEnabled1False
          +
+2. Run the following command to make sure the configuration is ready to automatically cleanup your packages.
+
+ ```ps1
+ Get-AppvClientConfiguration
+ ```
+ You should see the **AutoCleanupEnabled** option turned on (shows a value of "1") in the configuration list.
+
+## Cleanup by using Group Policy settings
+Using Group Policy, you can turn on the **Enable automatic cleanup of unused appv packages** setting to automatically cleanup your unpublished App-V packages from your App-V client devices.
+
+**To turn on the Enable automatic cleanup of unused appv packages setting**
+
+1. Open your Group Policy editor and double-click the Administrative Templates\System\App-V\PackageManagement\Enable automatic cleanup of unused appv packages setting.
+
+2. Click **Enabled**, and then click **OK**.
+
+ After your Group Policy updates, the setting is turned on and will cleanup any unpublished App-V packages on the App-V Client after restarting.
+
+### Related topics
+- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+- [Download the Microsoft Application Virtualization 5.0 Client UI Application](https://www.microsoft.com/en-us/download/details.aspx?id=41186)
+
+- [Using the App-V Client Management Console](appv-using-the-client-management-console.md)
+
+
+**Have a suggestion for App-V?**

          +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/appv-auto-provision-a-vm.md b/windows/manage/appv-auto-provision-a-vm.md
new file mode 100644
index 0000000000..b4b1819a25
--- /dev/null
+++ b/windows/manage/appv-auto-provision-a-vm.md
@@ -0,0 +1,127 @@
+---
+title: Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
+description: How to automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer) PowerShell cmdlet or the user interface.
+author: eross-msft
+ms.pagetype: mdop, appcompat, virtualization
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.prod: w10
+---
+
+
+# Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)
+
+**Applies to**
+- Windows 10, version 1703
+
+Previous versions of the App-V Sequencer have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine.
+
+## Automatic VM provisioning of the sequencing environment
+You have 2 options for provisioning an VM for auto-sequencing:
+- Using a Virtual Hard Disk (VHD)
+
+ -OR-
+
+- Updating an existing VM
+
+ >[!NOTE]
+ >We have reduced the number of environmental checks performed by the App-V Sequencer, narrowing down the list of apps that need to be disabled or turned off for a clean sequencing experience. We've also suppressed antivirus and other similar app warnings.
+
+### Provision a new VM by using a VHD file
+Provisioning your new VM includes creating a VHD file, setting up a user account, turning on remote PowerShell scripting, and installing the App-V Sequencer.
+
+#### Create a VHD file
+For this process to work, you must have a base operating system available as a VHD image file, we recommend using the [Convert-WindowsImage.ps1](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f) command-line tool.
+
+**To create a VHD file by using the Convert-WindowsImage command-line tool**
+1. Open PowerShell as an admin and run the Convert-WindowsImage tool, using the following commands:
+
+ ```ps1
+ Convert-WindowsImage -SourcePath "" -VHDFormat "VHD" -VHDPartitionStyle "MBR"
+ ```
+ Where *<path_to_iso_image>* is the full path to your ISO image.
+
+ >[!IMPORTANT]
+ >You must specify the _VHDPartitionStyle_ as **MBR**. Using the default value, **GPT**, will cause a boot failure in your VHD image.
+
+#### Provision your VM using your VHD file
+After you have a VHD file, you must provision your VM for auto-sequencing.
+
+**To provision your VM using your VHD file**
+1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
+
+2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server).
+
+3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters:
+
+ ```ps1
+ New-AppVSequencerVM -VMName "" -ADKPath "" -VHDPath "" -VMMemory -VMSwitch ""
+ ```
+
+This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start.
+
+
+### Provision an existing VM for auto-sequencing
+If your apps require custom prerequisites, such as Microsoft SQL Server, we recommend that you preinstall the prerequisites on your VM and then use that VM for auto-sequencing. Using these steps will establish a connection to your existing VM.
+
+**To connect to your existing VM**
+- Open PowerShell as an admin and run the following commands on your existing VM:
+
+ - **Set the network category of your connection profile on the VM to _Private_:**
+
+ ```ps1
+ Get-netconnectionprofile | set-netconnectionprofile -NetworkCategory Private
+ ```
+
+ - **Enable firewall rules for _Remote Desktop_ and _Windows Remote Management_:**
+
+ ```ps1
+ Enable-NetFirewallRule -DisplayGroup “Remote Desktop”
+ Enable-NetFirewallRule -DisplayGroup “Windows Remote Management”
+ ```
+
+ - **Set the VM to receive remote commands without a confirmation prompt:**
+
+ ```ps1
+ Enable-PSRemoting –Force
+ ```
+
+**To provision an existing VM**
+1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md).
+
+2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters:
+
+ ```ps1
+ Connect-AppvSequencerVM -VMName "" -ADKPath ""
+ ```
+
+ Where *<name_of_vm>* is the name of the VM granted during its creation and shown in the Hyper-V Manager tool.
+
+This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start.
+
+
+### Review the provisioning log files
+The 2 types of provisioning log files, located at %temp%\AutoSequencer\Logs, are:
+
+- **New-AppVSequencerVM-<*time_stamp*>.txt**. Includes info about the provisioning activities, such as "Waiting for VM session", "Copying installer for Sequencer", and so on.
+
+- **Connect-AppvSequencerVM-report-<*time_stamp*>.txt**. Includes info about the connections made to the VM, showing whether there were any failures.
+
+
+### Next steps
+After provisioning your sequencing environment, you must sequence your apps, either as a group or individually. For more info about sequencing your apps, see [Manually sequence a single new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md), [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md), and [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md).
+
+After you sequence your packages, you can automatically cleanup any unpublished packages on the App-V client. For more info, see [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md).
+
+### Related topics
+- [Download the Convert-WindowsImage tool](https://gallery.technet.microsoft.com/scriptcenter/Convert-WindowsImageps1-0fe23a8f)
+
+- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit)
+
+- [How to install the App-V Sequencer](appv-install-the-sequencer.md)
+
+- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server)
+
+
+**Have a suggestion for App-V?**

          +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). \ No newline at end of file diff --git a/windows/manage/appv-available-mdm-settings.md b/windows/manage/appv-available-mdm-settings.md new file mode 100644 index 0000000000..1fc2a529b1 --- /dev/null +++ b/windows/manage/appv-available-mdm-settings.md @@ -0,0 +1,211 @@ +--- +title: Available Mobile Device Management (MDM) settings for App-V (Windows 10) +description: A list of the available MDM settings for App-V on Windows 10. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + +# Available Mobile Device Management (MDM) settings for App-V +With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps by using these Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
          Policy nameSupported versionsDetails
          NameWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Name
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          VersionWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Version
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          PublisherWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Publisher
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          InstallLocationWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallLocation
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          InstallDateWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/InstallDate
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          UsersWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/Users
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          AppVPackageIDWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageID
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          AppVVersionIDWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVVersionID
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          AppVPackageUriWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement/<enterprise_id>/<package_family_name>/<package_full_name>/AppVPackageUri
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V packages.
          • +
          +
          LastErrorWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastError
          • +
          • Data type. String
          • +
          • Value. Read-only data, provided by your App-V client.
          • +
          +
          LastErrorDescriptionWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/LastErrorDescription
          • +
          • Data type. String
          • +
          • Values. +
              +
            • 0. No errors returned during publish.
            • +
            • 1. Unpublish groups failed during publish.
            • +
            • 2. Publish no-group packages failed during publish.
            • +
            • 3. Publish group packages failed during publish.
            • +
            • 4. Unpublish packages failed during publish.
            • +
            • 5. New policy write failed during publish.
            • +
            • 6. Multiple non-fatal errors occurred during publish.
            • +
            +
          • +
          +
          SyncStatusDescriptionWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncStatusDescription
          • +
          • Data type. String
          • +
          • Values. +
              +
            • 0. App-V publishing is idle.
            • +
            • 1. App-V connection groups publish in progress.
            • +
            • 2. App-V packages (non-connection group) publish in progress.
            • +
            • 3. App-V packages (connection group) publish in progress.
            • +
            • 4. App-V packages unpublish in progress.
            • +
            +
          • +
          +
          SyncProgressWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/LastSync/SyncProgress
          • +
          • Data type. String
          • +
          • Values. +
              +
            • 0. App-V Sync is idle.
            • +
            • 1. App-V Sync is initializing.
            • +
            • 2. App-V Sync is in progress.
            • +
            • 3. App-V Sync is complete.
            • +
            • 4. App-V Sync requires device reboot.
            • +
            +
          • +
          +
          PublishXMLWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML
          • +
          • Data type. String
          • +
          • Value. Custom value, entered by admin.
          • +
          +
          PolicyWindows 10, version 1703 +
            +
          • URI full path. ./Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/configurationid/Policy
          • +
          • Data type. String
          • +
          • Value. Custom value, entered by admin.
          • +
          +
          \ No newline at end of file
diff --git a/windows/manage/appv-create-and-use-a-project-template.md b/windows/manage/appv-create-and-use-a-project-template.md
index c6a0be63bb..1496e43518 100644
--- a/windows/manage/appv-create-and-use-a-project-template.md
+++ b/windows/manage/appv-create-and-use-a-project-template.md
@@ -1,55 +1,64 @@ --- -title: How to Create and Use a Project Template (Windows 10) -description: How to Create and Use a Project Template -author: MaggiePucciEvans +title: Create and apply an App-V project template to a sequenced App-V package (Windows 10) +description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - -# How to Create and Use a Project Template +# Create and apply an App-V project template to a sequenced App-V package **Applies to** - Windows 10, version 1607 -You can use an App-V project template to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. +You can use an App-V project template (.appvt) file to save commonly applied settings associated with an existing virtual application package. These settings can then be applied when you create new virtual application packages in your environment. Using a project template can streamline the process of creating virtual application packages. App-V project templates differ from App-V Package Accelerators because App-V Package Accelerators are application-specific, while App-V project templates can be applied to multiple applications. For more info about Package Accelerators, see the [How to create a Package Accelerator](appv-create-a-package-accelerator.md) topic. -> **Note**  You can, and often should apply an App-V project template during a package upgrade. For example, if you sequenced an application with a custom exclusion list, it is recommended that an associated template is created and saved for later use while upgrading the sequenced application. 
+>[!IMPORTANT] +>In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. -App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. -Use the following procedures to create and apply a new template. +## Create a project template +You must first create and save a project template, including a virtual app package with settings to be used by the template. **To create a project template** -1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. - > **Note**  If the virtual application package is currently open in the App-V Sequencer console, skip to step 3 of this procedure. + >[!NOTE] + >If the virtual app package is currently open in the App-V Sequencer console, skip to Step 3 of this procedure. -2. To open the existing virtual application package that contains the settings you want to save with the App-V project template, click **File** / **Open**, and then click **Edit Package**. On the **Select Package** page, click **Browse** and locate the virtual application package that you want to open. Click **Edit**. +2. 
On the **File** menu, click **Open**, click **Edit Package**, browse for the virtual app package that includes the settings you want to save with the App-V project template, and then click **Edit** to change any of the settings or info included in the file. -3. In the App-V Sequencer console, to save the template file, click **File** / **Save As Template**. After you have reviewed the settings that will be saved with the new template, click **OK**. Specify a name that will be associated with the new App-V project template. Click Save. +3. On the **File** menu, click **Save As Template**, review the settings associated with the new template, click **OK**, name your new template, and then click **Save**. The new App-V project template is saved in the folder you specified. -**To apply a project template** +## Apply a project template +After creating the template, you can apply it to all of your new virtual app packages, automatically including all of the settings. -> **Important**  Creating a virtual application package using a project template in conjunction with a Package Accelerator is not supported. +>[!IMPORTANT] +>Virtual app packages don't support using both a project template and a Package Accelerator together. -1. To start the App-V sequencer, on the computer that is running the sequencer, click **Start** / **All Programs** / **Microsoft Application Virtualization** / **Microsoft Application Virtualization Sequencer**. +1. On the device running the App-V Sequencer, click **Start**, click **All Programs**, click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**. -2. To create or upgrade a new virtual application package by using an App-V project template, click **File** / **New From Template**. +2. On the **File** menu, click **New From Template**, browse to your newly created project template, and then click **Open**. -3. 
To select the project template that you want to use, browse to the directory where the project template is saved, select the project template, and then click **Open**. +3. Create your new virtual app package. The settings saved with your template are automatically applied. - Create the new virtual application package. The settings saved with the specified template will be applied to the new virtual application package that you are creating. +### Related topics +- [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) -## Have a suggestion for App-V? +- [How to install the App-V Sequencer](appv-install-the-sequencer.md) +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) + +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) + +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) + +- [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) + +**Have a suggestion for App-V?**

          Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-
-## Related topics
-
-[Operations for App-V](appv-operations.md)
diff --git a/windows/manage/appv-creating-and-managing-virtualized-applications.md b/windows/manage/appv-creating-and-managing-virtualized-applications.md
index 861034a883..b6aeefb413 100644
--- a/windows/manage/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/manage/appv-creating-and-managing-virtualized-applications.md
@@ -68,7 +68,9 @@ The **Options** dialog box in the sequencer console contains the following tabs: App-V supports applications that include Microsoft Windows Services. If an application includes a Windows service, the Service will be included in the sequenced virtual package as long as it is installed while being monitored by the sequencer. If a virtual application creates a Windows service when it initially runs, then later, after installation, the application must be run while the sequencer is monitoring so that the Windows Service will be added to the package. Only Services that run under the Local System account are supported. Services that are configured for AutoStart or Delayed AutoStart are started before the first virtual application in a package runs inside the package’s Virtual Environment. Windows Services that are configured to be started on demand by an application are started when the virtual application inside the package starts the Service via API call. -[How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +- [How to Sequence a New Application with App-V](appv-sequence-a-new-application.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) ## App-V shell extension support 
@@ -166,11 +168,7 @@ You can use the sequencer to modify an existing package. The computer on which y [How to Modify an Existing Virtual Application Package](appv-modify-an-existing-virtual-application-package.md) ## Creating a project template - - -A .appvt file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. - -App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: +An App-V project template (.appvt) file is a project template that can be used to save commonly applied, customized settings. You can then more easily use these settings for future sequencings. App-V project templates differ from App-V Application Accelerators because App-V Application Accelerators are application-specific, and App-V project templates can be applied to multiple applications. Additionally, you cannot use a project template when you use a Package Accelerator to create a virtual application package. The following general settings are saved with an App-V project template: A template can specify and store multiple settings as follows: 
@@ -180,10 +178,15 @@ A template can specify and store multiple settings as follows: - **Exclusion Items.** Contains the Exclusion pattern list. +In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file. + +>[!IMPORTANT] +>If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template. + [How to Create and Use a Project Template](appv-create-and-use-a-project-template.md) -## Creating a package accelerator +## Creating a package accelerator **Note**   Package accelerators created using a previous version of App-V must be recreated using App-V. diff --git a/windows/manage/appv-for-windows.md b/windows/manage/appv-for-windows.md index 3938202a14..ed4d234781 100644 --- a/windows/manage/appv-for-windows.md +++ b/windows/manage/appv-for-windows.md 
@@ -42,10 +42,14 @@ The topics in this section provide information and step-by-step procedures to he [Operations for App-V](appv-operations.md) - [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md) +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) - [Managing Connection Groups](appv-managing-connection-groups.md) - [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) +- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) - [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) - [Maintaining App-V](appv-maintaining-appv.md) - [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) diff --git a/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md b/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md deleted file mode 100644 index 77ee61220b..0000000000 --- a/windows/manage/appv-install-the-appv-client-for-shared-content-store-mode.md +++ /dev/null 
@@ -1,4 +0,0 @@ ---- -title: How to Install the App-V Client for Shared Content Store Mode (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client ---- diff --git a/windows/manage/appv-modify-client-configuration-with-powershell.md b/windows/manage/appv-modify-client-configuration-with-powershell.md index ef256839b0..e3ca1981bf 100644 --- a/windows/manage/appv-modify-client-configuration-with-powershell.md +++ b/windows/manage/appv-modify-client-configuration-with-powershell.md @@ -16,15 +16,15 @@ ms.prod: w10 Use the following procedure to configure the App-V client configuration. -1. To configure the client settings using Windows PowerShell, use the **Set-AppvClientConfiguration** cmdlet. For more information about installing Windows PowerShell, and a list of cmdlets see, [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). +1. To configure the client settings using Windows PowerShell, use the **Set-AppVClientConfiguration** cmdlet. For more information about installing Windows PowerShell, and a list of cmdlets see, [How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help](appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md). -2. To modify the client configuration, open a Windows PowerShell Command prompt and run **Set-AppvClientConfiguration** with any required parameters. For example: +2. To modify the client configuration, open a Windows PowerShell Command prompt and run **Set-AppVClientConfiguration** with any required parameters. For example: - `$config = Get-AppvClientConfiguration` + `$config = Get-AppVClientConfiguration` - `Set-AppcClientConfiguration $config` + `Set-AppVClientConfiguration $config` - `Set-AppcClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppVClientConfiguration –Name1 MyConfig –Name2 “xyz”` ## Have a suggestion for App-V? 
diff --git a/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md b/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md
deleted file mode 100644
index 5d1058e257..0000000000
--- a/windows/manage/appv-modify-client-configuration-with-the-admx-template-and-group-policy.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: How to Modify App-V Client Configuration Using the ADMX Template and Group Policy (Windows 10)
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-deploying-the-appv-sequencer-and-client
----
diff --git a/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md b/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md
deleted file mode 100644
index 5b98eac02b..0000000000
--- a/windows/manage/appv-planning-for-migrating-from-a-previous-version-of-appv.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Planning for Migrating from a Previous Version of App-V (Windows 10)
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/appv-migrating-to-appv-from-a-previous-version
----
diff --git a/windows/manage/appv-planning-for-using-appv-with-office.md b/windows/manage/appv-planning-for-using-appv-with-office.md
index bd79da1f4f..a08cd69548 100644
--- a/windows/manage/appv-planning-for-using-appv-with-office.md
+++ b/windows/manage/appv-planning-for-using-appv-with-office.md
@@ -28,81 +28,16 @@ Use the following information to plan how to deploy Office by using Microsoft Ap You can use the App-V Sequencer to create plug-in packages for Language Packs, Language Interface Packs, Proofing Tools and ScreenTip Languages. You can then include the plug-in packages in a Connection Group, along with the Office package that you create by using the Office Deployment Toolkit. The Office applications and the plug-in Language Packs interact seamlessly in the same connection group, just like any other packages that are grouped together in a connection group. -**Note**   -Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. +>[!NOTE]  +>Microsoft Visio and Microsoft Project do not provide support for the Thai Language Pack. ## Supported versions of Microsoft Office +See [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click) for a list of supported Office products. - +>[!NOTE] +>You must use the Office Deployment Tool to create App-V packages for Office 365 ProPlus. Creating packages for the volume-licensed versions of Office Professional Plus or Office Standard is not supported. You cannot use the App-V Sequencer. -The following table lists the versions of Microsoft Office that App-V supports, methods of Office package creation, supported licensing, and supported deployments. - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Supported Office VersionPackage CreationSupported LicensingSupported Deployments

          Office 365 ProPlus (either the Office 2013 or the Office 2016 version)

          -

          Also supported:

          -
            -
          • Visio Pro for Office 365

          • -
          • Project Pro for Office 365

          • -

          Office Deployment Tool

          Subscription

            -
          • Desktop

          • -
          • Personal VDI

          • -
          • Pooled VDI

          • -
          • RDS

          • -
            -
          • Visio Professional 2016 (C2R-P)

          • -
          • Visio Standard 2016 (C2R-P)

          • -
          • Project Professional 2016 (C2R-P)

          • -
          • Project Standard 2016 (C2R-P)

          • -

          Office Deployment Tool

          Volume Licensing

            -
          • Desktop

          • -
          • Personal VDI

          • -
          • Pooled VDI

          • -
          • RDS

          • -

          Office Professional Plus 2013

          -

          Also supported:

          -
            -
          • Visio Professional 2013

          • -
          • Project Professional 2013

          • -

          Office Deployment Tool

          Volume Licensing

            -
          • Desktop

          • -
          • Personal VDI

          • -
          • Pooled VDI

          • -
          • RDS

          • -
          +>Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744) ## Planning for using App-V with coexisting versions of Office @@ -148,8 +83,8 @@ The Office documentation provides extensive guidance on coexistence for Windows The following tables summarize the supported coexistence scenarios. They are organized according to the version and deployment method you’re starting with and the version and deployment method you are migrating to. Be sure to fully test all coexistence solutions before deploying them to a production audience. -**Note**   -Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service. +>[!NOTE]  +>Microsoft does not support the use of multiple versions of Office in Windows Server environments that have the Remote Desktop Session Host role service enabled. To run Office coexistence scenarios, you must disable this role service.   diff --git a/windows/manage/appv-release-notes-for-appv-for-windows-1703.md b/windows/manage/appv-release-notes-for-appv-for-windows-1703.md new file mode 100644 index 0000000000..9e787d612c --- /dev/null +++ b/windows/manage/appv-release-notes-for-appv-for-windows-1703.md @@ -0,0 +1,121 @@ +--- +title: Release Notes for App-V for Windows 10, version 1703 (Windows 10) +description: A list of known issues and workarounds for App-V running on Windows 10, version 1703. +author: eross-msft +ms.pagetype: mdop, appcompat, virtualization +ms.mktglfcycl: deploy +ms.sitesec: library +ms.prod: w10 +--- + + +# Release Notes for App-V for Windows 10, version 1703 + +**Applies to** +- Windows 10, version 1703 + +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1703. + + + + + + + + + + + + + + + + + + + + + + + + +
          ProblemWorkaround
          Unable to manually create a system-owned folder needed for the set-AppVClientConfiguration PowerShell cmdlet when using the PackageInstallationRoot, IntegrationRootUser, or IntegrationRootGlobal parameters.Don't create this file manually, instead let the Add-AppVClientPackage cmdlet auto-generate it.
          Failure to update an App-V package from App-V 5.x to the latest in-box version, by using the PowerShell sequencing commands.Make sure you have the complete App-V package or the MSI file from the original app.
          Unable to modify the locale for auto-sequencing.Open the C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\AutoSequencer\Unattend_Sequencer_User_Setup_Template.xml file and include the language code for your locale. For example, if you wanted Spanish (Spain), you'd use: es-ES.
          Filetype and protocol handlers aren't registering properly with the Google Chrome browser, causing you to not see App-V packages as an option for default apps from the Settings > Apps> Default Apps area.The recommended workaround is to add the following code to the AppXManifest.xml file, underneath the <appv:Extensions> tag: +
          
          +<appv:Extension Category="AppV.URLProtocol">
          +	<appv:URLProtocol>
          +		<appv:Name>ftp</appv:Name>
          +		<appv:ApplicationURLProtocol>
          +			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
          +			<appv:ShellCommands>
          +				<appv:DefaultCommand>open</appv:DefaultCommand>
          +				<appv:ShellCommand>
          +					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
          +					<appv:Name>open</appv:Name>
          +					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
          +					<appv:DdeExec>
          +						<appv:DdeCommand />
          +					</appv:DdeExec>
          +				</appv:ShellCommand>
          +			</appv:ShellCommands>
          +		</appv:ApplicationURLProtocol>
          +	</appv:URLProtocol>
          +</appv:Extension>
          +<appv:Extension Category="AppV.URLProtocol">
          +	<appv:URLProtocol>
          +		<appv:Name>http</appv:Name>
          +		<appv:ApplicationURLProtocol>
          +			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
          +			<appv:ShellCommands>
          +				<appv:DefaultCommand>open</appv:DefaultCommand>
          +				<appv:ShellCommand>
          +					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
          +					<appv:Name>open</appv:Name>
          +					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
          +					<appv:DdeExec>
          +						<appv:DdeCommand />
          +					</appv:DdeExec>
          +				</appv:ShellCommand>
          +			</appv:ShellCommands>
          +		</appv:ApplicationURLProtocol>
          +	</appv:URLProtocol>
          +</appv:Extension>
          +<appv:Extension Category="AppV.URLProtocol">
          +	<appv:URLProtocol>
          +		<appv:Name>https</appv:Name>
          +		<appv:ApplicationURLProtocol>
          +			<appv:DefaultIcon>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe,0</appv:DefaultIcon>
          +			<appv:ShellCommands>
          +				<appv:DefaultCommand>open</appv:DefaultCommand>
          +				<appv:ShellCommand>
          +					<appv:ApplicationId>[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe</appv:ApplicationId>
          +					<appv:Name>open</appv:Name>
          +					<appv:CommandLine>"[{ProgramFilesX86}]\Google\Chrome\Application\chrome.exe" -- "%1"</appv:CommandLine>
          +					<appv:DdeExec>
          +						<appv:DdeCommand />
          +					</appv:DdeExec>
          +				</appv:ShellCommand>
          +			</appv:ShellCommands>
          +		</appv:ApplicationURLProtocol>
          +	</appv:URLProtocol>
          +</appv:Extension>
          +
          +
          + + +## Related resources list +For information that can help with troubleshooting App-V for Windows 10, see: +- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) + +- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/) + +- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference) + +- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) + +## Have a suggestion for App-V? +Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). + +## Related topics +- [What's new in App-V for Windows 10](appv-about-appv.md) + +- [Release Notes for App-V for Windows 10, version 1607](appv-release-notes-for-appv-for-windows-1703.md) diff --git a/windows/manage/appv-release-notes-for-appv-for-windows.md b/windows/manage/appv-release-notes-for-appv-for-windows.md index 0982031249..290e4b19b9 100644 --- a/windows/manage/appv-release-notes-for-appv-for-windows.md +++ b/windows/manage/appv-release-notes-for-appv-for-windows.md @@ -1,23 +1,21 @@ --- -title: Release Notes for App-V (Windows 10) -description: Release Notes for App-V -author: MaggiePucciEvans +title: Release Notes for App-V for Windows 10, version 1607 (Windows 10) +description: A list of known issues and workarounds for App-V running on Windows 10, version 1607. +author: eross-msft ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 --- - # Release Notes for App-V for Windows 10, version 1607 **Applies to** - Windows 10, version 1607 -The following are known issues in Application Virtualization (App-V) for Windows 10, version 1607. +The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client - MSI packages that were generated using an App-V sequencer from previous versions of App-V (App-V versions 5.1 and earlier) include a check to validate that the App-V client is installed on client devices before allowing the MSI package to install. Now that the App-V client is installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. **Workaround**: 
@@ -45,13 +43,11 @@ MSI packages that were generated using an App-V sequencer from previous versions where the path is to the new directory (**C:\MyMsiTools\ for this example**). ## Error occurs during publishing refresh between App-V 5.0 SP3 Management Server and App-V Client on Windows 10 - An error is generated during publishing refresh when synchronizing packages from the App-V 5.0 SP3 management server to an App-V client on Windows 10. This error occurs because the App-V 5.0 SP3 server does not understand the Windows 10 operating system that is specified in the publishing URL. The issue is fixed for App-V publishing server, but is not backported to versions of App-V 5.0 SP3 or earlier. **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients. ## Custom configurations do not get applied for packages that will be published globally if they are set using the App-V Server - If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration will not be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages will not have access to this custom configuration. **Workaround**: Do one of the following: 
@@ -95,7 +91,6 @@ On the Packages page of the Management Console, if you click **Add or Upgrade** 3. Paste the path into the **Add Package** dialog box input field ## Upgrading App-V Management Server to 5.1 sometimes fails with the message “A database error occurred” - If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to App-V Server when multiple connection groups are configured and enabled, the following error is displayed: “A database error occurred. Reason: 'Invalid column name 'PackageOptional'. Invalid column name 'VersionOptional'.” **Workaround**: Run this command on your SQL database: @@ -105,14 +100,11 @@ If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to A where “AppVManagement” is the name of the database. ## Users cannot open a package in a user-published connection group if you add or remove an optional package - In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users cannot open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group. **Workaround**: Have users log out and then log back in. ## Error message is erroneously displayed when the connection group is published only to the user - - When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Please ensure that the package is added to the machine and published to the user.” **Workaround**: Do one of the following: 
@@ -132,40 +124,37 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, 3. If the package is currently published, run **Repair-AppvClientPackage** on that package. ## Icons not displayed properly in Sequencer - Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons are not 16x16 or 32x32. **Workaround**: Only use icons that are 16x16 or 32x32. ## InsertVersionInfo.sql script no longer required for the Management Database - - The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. The Permissions.sql script should be updated according to **Step 2** in [KB article 3031340](https://support.microsoft.com/kb/3031340). -**Important**   -**Step 1** is not required for versions of App-V later than App-V 5.0 SP3. - +>[!IMPORTANT]  +>**Step 1** of the KB article listed above isn't required for versions of App-V later than App-V 5.0 SP3. ## Microsoft Visual Studio 2012 not supported +App-V doesn't support Visual Studio 2012. - -App-V does not support Visual Studio 2012. - -**Workaround**: None +**Workaround**: Use a newer version of Microsoft Visual Studio. ## Application filename restrictions for App-V Sequencer - - The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. **Workaround**: Use a different filename -## Have a suggestion for App-V? 
+## Related resources list +For information that can help with troubleshooting App-V for Windows 10, see: +- [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](http://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) +- [The Official Microsoft App-V Team Blog](https://blogs.technet.microsoft.com/appv/) +- [Technical Reference for App-V](https://technet.microsoft.com/itpro/windows/manage/appv-technical-reference) +- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) +## Have a suggestion for App-V? Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
-## Related topics
+Help us to improve
-[What's new in App-V for Windows 10](appv-about-appv.md)
diff --git a/windows/manage/appv-sequence-a-new-application.md b/windows/manage/appv-sequence-a-new-application.md
index 24b1fb9ba1..7479636bf9 100644
--- a/windows/manage/appv-sequence-a-new-application.md
+++ b/windows/manage/appv-sequence-a-new-application.md
@@ -1,7 +1,7 @@
 ---
-title: How to Sequence a New Application with App-V (Windows 10)
-description: How to Sequence a New Application with App-V
-author: MaggiePucciEvans
+title: Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer) (Windows 10)
+description: How to manually sequence a new app using the App-V Sequencer
+author: eross-msft
 ms.pagetype: mdop, appcompat, virtualization
 ms.mktglfcycl: deploy
 ms.sitesec: library
@@ -9,10 +9,10 @@ ms.prod: w10
 ---
-# How to Sequence a New Application with App-V
+# Manually sequence a new app using the Microsoft Application Virtualization Sequencer (App-V Sequencer)
 **Applies to**
-- Windows 10, version 1607
+- Windows 10, version 1607 and later
 In Windows 10, version 1607, the App-V Sequencer is included with the Windows ADK. For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 
@@ -36,8 +36,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD
 - If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume.
-> [!NOTE]
-> The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where x is any numeral. Error 0x8007139F will be generated.
+>[!NOTE]
+>The App-V Sequencer cannot sequence applications with filenames matching "CO_<_x_>" where x is any numeral. Error 0x8007139F will be generated.
 **To sequence a new standard application** 
@@ -47,15 +47,15 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. 4. On the **Type of Application** page, click the **Standard Application (default)** check box, and then click **Next**. 5. On the **Select Installer** page, click **Browse** and specify the installation file for the application. - > [!NOTE] - > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. + >[!NOTE] + >If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package. If the application does not have an associated installer file and you plan to run all installation steps manually, select the **Perform a Custom Installation** check box, and then click **Next**. 
@@ -65,8 +65,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. - > [!IMPORTANT] - > You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. + >[!IMPORTANT] + >You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** to locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**. Click **Next**. @@ -74,8 +74,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run. - > [!NOTE] - > To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. + >[!NOTE] + >To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step. Click **Next**. 
@@ -91,23 +91,21 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. - > [!NOTE] - > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. - -   + >[!NOTE] + >If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application. 13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. Click **Next**. - > [!IMPORTANT] - > Make sure that the operating systems you specify here are supported by the application you are sequencing. + >[!IMPORTANT] + >Make sure that the operating systems you specify here are supported by the application you are sequencing. 14. The **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. 
Click **Next**. To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package. - > [!IMPORTANT] - > The system does not support non-printable characters in **Comments** and **Descriptions**. + >[!IMPORTANT] + >The system does not support non-printable characters in **Comments** and **Descriptions**. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. @@ -115,14 +113,13 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD The package is now available in the sequencer. - > [!IMPORTANT] - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. - + >[!IMPORTANT] + >After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.   **To sequence an add-on or plug-in application** -> [!NOTE] +>[!NOTE] >Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer. >For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package. 
@@ -133,9 +130,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. - + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package. 4. On the **Type of Application** page, select **Add-on or Plug-in**, and then click **Next**. 
@@ -143,17 +139,17 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 6. On the **Install Primary** page, ensure that the primary application is installed on the computer that runs the sequencer. Alternatively, you can expand an existing package that has been saved locally on the computer that runs the sequencer. To do this, click **Expand Package**, and then select the package. After you have expanded or installed the parent program, select **I have installed the primary parent program**. - Click **Next**. +7. Click **Next**. -7. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V Management Console. +8. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name will be displayed in the App-V Management Console. - Click **Next**. +9. Click **Next**. -8. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. +10. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the plug-in or add-in application so the sequencer can monitor the installation process. Use the application's installation process to perform the installation. 
If additional installation files must be run as part of the installation, click **Run** and locate and run the additional installation files. When you are finished with the installation, select **I am finished installing**, and then click **Next**. -9. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. +11. On the **Installation Report** page, you can review information about the virtual application package that you just sequenced. For a more detailed explanation about the information displayed in **Additional Information**, double-click the event. After you have reviewed the information, click **Next**. -10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. +12. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - Optimize how the package will run across a slow or unreliable network. 
@@ -161,12 +157,10 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD Click **Next**. -11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. +13. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. - > [!NOTE]    - > If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. - -   + >[!NOTE]    + >If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**. 12. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. 
To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box, and then select the operating systems that can run this package. Click **Next**. @@ -174,8 +168,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package. - > [!IMPORTANT]    - > The system does not support non-printable characters in Comments and Descriptions. + >[!IMPORTANT]    + >The system does not support non-printable characters in Comments and Descriptions. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. @@ -187,9 +181,8 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**. - > [!IMPORTANT] - > If you are required to disable virus scanning software, you should first scan the computer that runs the App-V Sequencer in order to ensure that no unwanted or malicious files can be added to the package. - + >[!IMPORTANT] + >If you are required to disable virus scanning software, you should first scan the computer that runs the App-V Sequencer in order to ensure that no unwanted or malicious files can be added to the package. 4. On the **Type of Application** page, select **Middleware**, and then click **Next**. 
@@ -197,37 +190,35 @@ In Windows 10, version 1607, the App-V Sequencer is included with the Windows AD 6. On the **Package Name** page, type a name that will be associated with the package. Use a name that helps identify the purpose and version of the application that will be added to the package. The package name is displayed in the App-V Management Console. - Click **Next**. +7. Click **Next**. -7. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. +8. On the **Installation** page, when the sequencer and middleware application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process. Use the application's installation process to perform the installation. If additional installation files must be run as part of the installation, click **Run**, to locate and run the additional installation files. When you are finished with the installation, select the **I am finished installing** check box, and then click **Next**. -8. On the **Installation** page, wait while the sequencer configures the virtual application package. +9. On the **Installation** page, wait while the sequencer configures the virtual application package. -9. On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. +10. 
On the **Installation Report** page, you can review information about the virtual application package that you have just sequenced. In **Additional Information**, double-click an event to obtain more detailed information. To proceed, click **Next**. -10. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. +11. On the **Target OS** page, specify the operating systems that can run this package. To enable all supported operating systems in your environment to run this package, select the **Allow this package to run on any operating system** check box. To configure this package to run only on specific operating systems, select the **Allow this package to run only on the following operating systems** check box and select the operating systems that can run this package. Click **Next**. -11. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. +12. On the **Create Package** page is displayed. To modify the package without saving it, select **Continue to modify package without saving using the package editor**. This option opens the package in the sequencer console so that you can modify the package before it is saved. Click **Next**. To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. 
Descriptions are useful for identifying the program version and other information about the package. - > [!IMPORTANT]    - > The system does not support non-printable characters in Comments and Descriptions. + >[!IMPORTANT]    + >The system does not support non-printable characters in Comments and Descriptions. The default **Save Location** is also displayed on this page. To change the default location, click **Browse** and specify the new location. Click **Create**. -12. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. +13. The **Completion** page is displayed. Review the information in the **Virtual Application Package Report** pane as needed, then click **Close**. This information is also available in the **Report.xml** file that is located in the directory specified in step 11 of this procedure. The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**. - > [!IMPORTANT]    - > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. + >[!IMPORTANT]    + >After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer. ## Have a suggestion for App-V? - Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
 ## Related topics
-
 - [Install the App-V Sequencer](appv-install-the-sequencer.md)
 - [Operations for App-V](appv-operations.md)
diff --git a/windows/manage/appv-sequence-a-package-with-powershell.md b/windows/manage/appv-sequence-a-package-with-powershell.md
index e1920755b9..1d3143b133 100644
--- a/windows/manage/appv-sequence-a-package-with-powershell.md
+++ b/windows/manage/appv-sequence-a-package-with-powershell.md
@@ -59,10 +59,15 @@ The following list displays additional optional parameters that can be used with
 - FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened.
-## Have a suggestion for App-V?
+In Windows 10, version 1703, running the new-appvsequencerpackage or the update-appvsequencepackage cmdlets automatically captures and stores all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
-Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
+>[!IMPORTANT]
+>If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
 ## Related topics
 - [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md)
+
+## Have a suggestion for App-V?
+
+Add or vote on suggestions on the [Application Virtualization feedback site](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
          For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
\ No newline at end of file
diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md
index 715f8edfb9..62a652728f 100644
--- a/windows/manage/change-history-for-manage-and-update-windows-10.md
+++ b/windows/manage/change-history-for-manage-and-update-windows-10.md
@@ -1,6 +1,6 @@
 ---
-title: Change history for Manage and update Windows 10 (Windows 10)
-description: This topic lists new and updated topics in the Manage and update Windows 10 documentation for Windows 10 and Windows 10 Mobile.
+title: Change history for Manage Windows 10 (Windows 10)
+description: This topic lists new and updated topics in the Manage Windows 10 documentation for Windows 10 and Windows 10 Mobile.
 ms.assetid: 29144AFA-1DA9-4532-B07D-1EBE34B7E1E0
 ms.prod: w10
 ms.mktglfcycl: manage 
@@ -8,27 +8,47 @@ ms.sitesec: library author: jdeckerMS --- -# Change history for Manage and update Windows 10 +# Change history for Manage Windows 10 -This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +This topic lists new and updated topics in the [Manage Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). -## February 2017 +## RELEASE: Windows 10, version 1703 +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). Some topics have been moved to [Update Windows 10](../update/index.md) or to [Configure Windows 10](../configure/index.md). The following new topics have been added: + +- [Release Notes for App-V for Windows 10, version 1703](appv-release-notes-for-appv-for-windows-1703.md) +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) +- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) +- [Available Mobile Device Management (MDM) settings for App-V](appv-available-mdm-settings.md) + + +## March 2017 | New or changed topic | Description | | --- | --- | +|[Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work-scenario-6.md) |New | + + +## February 2017 +| New 
or changed topic | Description | +| --- | --- | +| [Windows Libraries](windows-libraries.md) | New | | [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | New | | [Get started with Update Compliance](update-compliance-get-started.md) | New | | [Use Update Compliance to monitor Windows Updates](update-compliance-using.md) | New | -| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | +|[Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | +|[Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |Added Express updates. | | [Distribute offline apps](distribute-offline-apps.md) | General updates to topic. Added links to supporting content for System Center Configuration Manager and Microsoft Intune. | + ## January 2017 | New or changed topic | Description | | --- | --- | -| [Cortana integration in your business or enterprise](cortana-at-work-overview.md) | New | +| [Cortana at work topics](../configure/cortana-at-work-overview.md)]|New | | [Start layout XML for desktop editions of Windows 10](start-layout-xml-desktop.md) | New (previously published in Hardware Dev Center on MSDN) | | [Start layout XML for mobile editions of Windows 10](start-layout-xml-mobile.md) | New (previously published in Hardware Dev Center on MSDN) | | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | 
@@ -55,7 +75,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
 | --- | --- |
 | [Manage device restarts after updates](waas-restart.md) | New |
 | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
-| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
+| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) |Added an important note about Cortana and Office 365 integration. |
 | [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
 | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
 | [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
@@ -66,7 +86,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
 | New or changed topic | Description |
 | --- | --- |
 | [Update Windows 10 in the enterprise](waas-update-windows-10.md), replaces **Windows 10 servicing options** | New |
-| [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter |
+| [Lockdown features from Windows Embedded 8.1 Industry](../configure/lockdown-features-windows-10.md) | Added Group Policy setting to replace Gesture Filter |
 | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added content for Windows Server 2016 |
 | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated the script for setting a custom shell using Shell Launcher. |
@@ -79,15 +99,15 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
 | [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) | Updated sample XML for combined Start and taskbar layout; added note to explain the difference between applying taskbar configuration by Group Policy and by provisioning package |
 | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Updated instructions for exiting assigned access mode. |
 | Application development for Windows as a service | Topic moved to MSDN: [Application development for Windows as a service](https://msdn.microsoft.com/windows/uwp/get-started/application-development-for-windows-as-a-service)
-| Windows 10 servicing options | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) |
+| Windows 10 servicing options | New content replaced this topic; see [Overview of Windows as a service](waas-overview.md) |
 ## RELEASE: Windows 10, version 1607
-The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
+The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
 - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
 - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-- [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)
+- [Set up a shared or guest PC with Windows 10](../configure/set-up-shared-or-guest-pc.md)
 - [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md)
 - [Application Virtualization (App-V) for Windows 10](appv-for-windows.md)
 - [User Experience Virtualization (UE-V) for Windows 10](uev-for-windows.md)
@@ -115,7 +135,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
 | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. |
 | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
@@ -133,25 +153,25 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 | ---|---|
 | [Application development for Windows as a service](application-development-for-windows-as-a-service.md) | New |
 | [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | New |
-| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
+| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | Updated to include the new Preview feature, Cortana and Microsoft Dynamics CRM integration. |
 ## February 2016
 | New or changed topic | Description |
 | ---|---|
 | [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings > Privacy section.
          Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
-| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
+| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
 | [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
 | [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
 | [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
-| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
- 
+| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
+
 ## December 2015
 | New or changed topic | Description |
 | ---|---|
-| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) | New |
+| [Cortana integration in your business or enterprise](../configure/cortana-at-work-overview.md) | New |
 | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | New |
 | [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | New |
@@ -183,5 +203,3 @@ The topics in this library have been updated for Windows 10, version 1607 (also
 [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
 [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-
- 
\ No newline at end of file
diff --git a/windows/manage/configure-mdm-provider-windows-store-for-business.md b/windows/manage/configure-mdm-provider-windows-store-for-business.md
index d4c07de29f..8d22548f35 100644
--- a/windows/manage/configure-mdm-provider-windows-store-for-business.md
+++ b/windows/manage/configure-mdm-provider-windows-store-for-business.md
@@ -30,7 +30,7 @@ Your management tool needs to be installed and configured with Azure AD, in the
 3. Click **Applications**, find the application, and add it to your directory.
-After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business.
+After your management tool is added to your Azure AD directory, you can configure it to work with Store for Business. You can configure multiple management tools - just repeat the following procedure.
 **To configure a management tool in Store for Business**
@@ -40,7 +40,7 @@ After your management tool is added to your Azure AD directory, you can configur
 You'll see a list of available MDM tools.
- ![](images/wsfb-settings-mgmt.png)
+ ![Screenshot showing page in Management tools page in Windows Store for Business](images/wsfb-settings-mgmt.png)
 3. Choose the MDM tool you want to synchronize with Store for Business, and then click **Activate.**
diff --git a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md b/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
deleted file mode 100644
index 8a9777af29..0000000000
--- a/windows/manage/configure-windows-10-devices-to-stop-data-flow-to-microsoft.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10)
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services
----
\ No newline at end of file
diff --git a/windows/manage/cortana-at-work-testing-scenarios.md b/windows/manage/cortana-at-work-testing-scenarios.md
deleted file mode 100644
index 41f734e006..0000000000
--- a/windows/manage/cortana-at-work-testing-scenarios.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Testing scenarios using Cortana in your business or organization (Windows 10)
-description: A list of suggested testing scenarios that you can use to test Cortana in your organization.
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-localizationpriority: high
----
-
-# Testing scenarios using Cortana in your business or organization
-**Applies to:**
-
-- Windows 10, Windows Insider Program
-- Windows 10 Mobile, Windows Insider Program
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-We've come up with a list of suggested testing scenarios that you can use to test Cortana in your organization. After you complete all the scenarios, you should be able to:
-
-- Sign-in to Cortana using Azure AD, manage entries in the notebook, and search for content across your device, Bing, and the cloud, using Cortana.
-
-- Set a reminder and have it remind you when you’ve reached a specific location.
-
-- Search for your upcoming meetings on your work calendar.
-
-- Send an email to a co-worker from your work email app.
-
-- Use WIP to secure content on a device and then try to manage your organization’s entries in the notebook.
-
->[!IMPORTANT]
->The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
\ No newline at end of file
diff --git a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
deleted file mode 100644
index 7cc8395f8b..0000000000
--- a/windows/manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: Customize Windows 10 Start with ICD and provisioning packages (Windows 10)
-description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users.
-ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC
-keywords: ["Start layout", "start menu"]
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: jdeckerMS
-localizationpriority: medium
----
-
-# Customize Windows 10 Start and taskbar with ICD and provisioning packages
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-**Looking for consumer information?**
-
-- [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-
-In Windows 10 Mobile, Windows 10 Enterprise, and Windows 10 Education, version 1607, you can use a provisioning package that you create with Windows Imaging and Configuration Designer (ICD) tool to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
-
->[!IMPORTANT]
->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
-
-**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions or [create a Start layout XML](start-layout-xml-mobile.md) for mobile.
- -## How Start layout control works - - -Three features enable Start and taskbar layout control: - -- The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. - - **Note**   - To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. - -- [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. - - -- In ICD, you use the **Start/StartLayout** setting to set the path to the .xml file that defines the Start and taskbar layout. - -## Create a provisioning package that contains a customized Start layout - - -Use the [Imaging and Configuration Designer (ICD) tool](https://go.microsoft.com/fwlink/p/?LinkID=525483) included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package that applies a customized Start and taskbar layout. [Install the ADK.](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - ->[!IMPORTANT] ->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -1. Open ICD (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). -2. Choose **Advanced provisioning**. - -3. Name your project, and click **Next**. - -4. Choose **All Windows desktop editions** and click **Next**. - -5. On **New project**, click **Finish**. The workspace for your package opens. - -6. Expand **Runtime settings** > **Start**, and click **StartLayout**. 
- - >[!TIP] - >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**. - -7. Specify the path and file name of the Start layout .xml that you created with the [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=620879) cmdlet. - -8. On the **File** menu, select **Save.** - -9. On the **Export** menu, select **Provisioning package**. - -10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** - -11. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Select...** and choosing the certificate you want to use to sign the package. - -12. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. - - Optionally, you can click **Browse** to change the default output location. - -13. Click **Next**. - -14. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -15. If your build fails, an error message will show up that includes a link to the project folder. 
You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again. - - If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -16. Copy the provisioning package to the target device. - -17. Double-click the ppkg file and allow it to install. - -## Related topics - - -[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -  - -  - - - - - diff --git a/windows/manage/disconnect-your-organization-from-microsoft.md b/windows/manage/disconnect-your-organization-from-microsoft.md deleted file mode 100644 index 8a9777af29..0000000000 --- a/windows/manage/disconnect-your-organization-from-microsoft.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -title: Configure Windows 10 devices to stop data flow to Microsoft (Windows 10) -redirect_url: https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services ---- \ No newline at end of file diff --git a/windows/manage/group-policies-for-enterprise-and-education-editions.md b/windows/manage/group-policies-for-enterprise-and-education-editions.md index 40c5250e62..74dced9953 100644 
--- a/windows/manage/group-policies-for-enterprise-and-education-editions.md
+++ b/windows/manage/group-policies-for-enterprise-and-education-editions.md
@@ -18,17 +18,17 @@ In Windows 10, version 1607, the following Group Policy settings apply only to W | Policy name | Policy path | Comments | | --- | --- | --- | -| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. | -| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | -| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | -| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. 
| +| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | +| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | +| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | | **Do not require CTRL+ALT+DEL**
          combined with
          **Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
          and
          Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](set-up-a-device-for-anyone-to-use.md)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

          **Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.| -| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md | -| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](windows-spotlight.md) | +| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md | +| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](../configure/windows-spotlight.md) | | **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | For more info, see [Manage Windows 10 Start layout options and policies](windows-10-start-layout-options-and-policies.md) | | **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

          User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](https://support.microsoft.com/kb/3135657). | | **Only display the private store within the Windows Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app

          User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Windows Store app | For more info, see [Manage access to private store](manage-access-to-private-store.md) | -| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](manage-cortana-in-enterprise.md) | +| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](../configure/cortana-at-work-overview.md) | diff --git a/windows/manage/images/button.png b/windows/manage/images/button.png new file mode 100644 index 0000000000..1ba7590f76 Binary files /dev/null and b/windows/manage/images/button.png differ diff --git a/windows/manage/images/cortana-communication-history-permissions.png b/windows/manage/images/cortana-communication-history-permissions.png new file mode 100644 index 0000000000..db182be13c Binary files /dev/null and b/windows/manage/images/cortana-communication-history-permissions.png differ diff --git a/windows/manage/images/cortana-suggested-reminder-settings.png b/windows/manage/images/cortana-suggested-reminder-settings.png new file mode 100644 index 0000000000..176dbff483 Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder-settings.png differ diff --git a/windows/manage/images/cortana-suggested-reminder.png b/windows/manage/images/cortana-suggested-reminder.png new file mode 100644 index 0000000000..4184bd1b6c Binary files /dev/null and b/windows/manage/images/cortana-suggested-reminder.png differ 
diff --git a/windows/manage/images/waas-wufb-update-compliance.png b/windows/manage/images/waas-wufb-update-compliance.png new file mode 100644 index 0000000000..0c1bbaea7c Binary files /dev/null and b/windows/manage/images/waas-wufb-update-compliance.png differ diff --git a/windows/manage/index.md b/windows/manage/index.md index 61fd0bf61e..3446fc1a1b 100644 --- a/windows/manage/index.md +++ b/windows/manage/index.md @@ -1,5 +1,5 @@ --- -title: Manage and update Windows 10 (Windows 10) +title: Manage Windows 10 (Windows 10) description: Learn about managing and updating Windows 10. ms.assetid: E5716355-02AB-4B75-A962-14B1A7F7BDA0 keywords: Windows 10, MDM, WSUS, Windows update @@ -11,73 +11,37 @@ localizationpriority: high author: jdeckerMS --- -# Manage and update Windows 10 +# Manage Windows 10 -Learn about managing and updating Windows 10. +Learn about managing Windows 10. >[!NOTE] >Information for Windows 10 Enterprise also applies to Windows 10 IoT Enterprise, and information for Windows 10 Mobile Enterprise also applies to Windows 10 IoT Mobile. For information about managing devices running Windows 10 IoT Core, see [Windows 10 IoT Core Commercialization](https://www.windowsforiotdevices.com/). ## In this section - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          TopicDescription

          [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)

          Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.

          [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md)

          The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.

          [Update Windows 10 in the enterprise](waas-update-windows-10.md) Learn how to manage updates to Windows 10 in your organization, including Update Compliance, and Windows Update for Business.

          [Manage corporate devices](manage-corporate-devices.md)

          You can use the same management tools to manage all device types running Windows 10: desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, Orchestrator runbooks, System Center tools, and so on, will continue to work for Windows 10 on desktop editions.

          [Windows Spotlight on the lock screen](windows-spotlight.md)

          Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

          [Manage Windows 10 Start layout options](windows-10-start-layout-options-and-policies.md)

          Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Enterprise or Windows 10 Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes.

          [Create mandatory user profiles](mandatory-user-profile.md)

          Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings.

          [Lock down Windows 10](lock-down-windows-10.md)

          Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.

          [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)

          Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE).

          [Configure devices without MDM](configure-devices-without-mdm.md)

          Create a runtime provisioning package to apply settings, profiles, and file assets to a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise.

          [Application Virtualization for Windows (App-V)](appv-for-windows.md)

          When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally.

          [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md)

          When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.

          [Windows Store for Business](windows-store-for-business.md)

          Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization.

          [Change history for Manage and update Windows 10](change-history-for-manage-and-update-windows-10.md)

          This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md).

+
+
+| Topic | Description |
+| --- | --- |
+| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. |
+| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | How to plan for and deploy Windows 10 Mobile devices. |
+| [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md) | Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. |
+| [Windows Store for Business](windows-store-for-business.md) | Welcome to the Windows Store for Business! You can use the Store for Business, to find, acquire, distribute, and manage apps for your organization. |
+| [Create mandatory user profiles](mandatory-user-profile.md) | Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. |
+| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC. |
+| [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md) | Devices running Windows 10 Mobile can join Azure Active Directory (Azure AD) when the device is configured during the out-of-box experience (OOBE). |
+| [New policies for Windows 10](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10. |
+| [Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education. |
+| [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md) | There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset. 
| +| [Application Virtualization (App-V) for Windows](appv-for-windows.md) | When you deploy Application Virtualization (App-V) in your orgnazation, you can deliver Win32 applications to users as virtual applications. Virtual applications are installed on centrally managed servers and delivered to users as a service – in real time and on as as-needed basis. Users launch virtual applications from familiar access points, including the Windows Store, and interact with them as if they were installed locally. | +| [User Experience Virtualization for Windows (UE-V)](uev-for-windows.md) | When you deploy User Experience Virtualization (UE-V) in your organization, you can synchronize users' personalized application and operating system settings across all the devices they work from. UE-V allows you to capture user-customized application and Windows settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. | +| [Change history for Manage Windows 10](change-history-for-manage-and-update-windows-10.md) | This topic lists new and updated topics in the Manage and update Windows 10 documentation for [Windows 10 and Windows 10 Mobile](../index.md). | + + + + +   ## Related topics [Windows 10 and Windows 10 Mobile](../index.md) diff --git a/windows/manage/introduction-to-windows-10-servicing.md b/windows/manage/introduction-to-windows-10-servicing.md deleted file mode 100644 index f57d4145be..0000000000 --- a/windows/manage/introduction-to-windows-10-servicing.md +++ /dev/null 
@@ -1,493 +0,0 @@ ---- -title: Windows 10 servicing options for updates and upgrades (Windows 10) -description: This article describes the new servicing options available in Windows 10. -ms.assetid: D1DEB7C0-283F-4D7F-9A11-EE16CB242B42 -keywords: update, LTSB, lifecycle, Windows update, upgrade -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, servicing -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10 ---- - -# Windows 10 servicing options - -**Applies to** -- Windows 10 -- Windows 10 IoT Core (IoT Core) - -This article provides detailed information about new servicing options available in Windows 10 and IoT Core. It also provides information on how enterprises can make better use of Windows Update, and what the new servicing options mean for support lifecycles. Before reading this article, you should understand the new Windows 10 servicing model. For an overview of this servicing model, see: [Windows 10 servicing overview](../plan/windows-10-servicing-options.md). - -For Windows 10 current version numbers by servicing option see: [Windows 10 release information](https://technet.microsoft.com/en-us/windows/mt679505.aspx). -  -## Key terminology - -The following terms are used When discussing the new Windows 10 servicing model: - - - - - - - - - - - - - - - - - - - - - - -
          **Term****Description**
          UpgradeA new Windows 10 release that contains additional features and capabilities, released two to three times per year.
          UpdatePackages of security fixes, reliability fixes, and other bug fixes that are released periodically, typically once a month on Update Tuesday (sometimes referred to as Patch Tuesday). With Windows 10, these are cumulative in nature.
          BranchThe windows servicing branch is one of four choices: Windows Insider, Current Branch, Current Branch for Business, or Long-Term Servicing Branch. Branches are determined by the frequency with which the computer is configured to receive feature updates.
          RingA ring is a groups of PCs that are all on the same branch and have the same update settings. Rings can be used internally by organizations to better control the upgrade rollout process.
          - -## Windows 10 servicing - -The following table provides an overview of the planning implications of the three Windows 10 servicing options so that IT administrators can be well-grounded conceptually before they start a Windows 10 deployment project. - -Table 1. Windows 10 servicing options - -| Servicing option | Availability of new feature upgrades for installation | Minimum length of servicing lifetime | Key benefits | Supported editions | -|-----------------------------------|-----------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| -| Current Branch (CB) | Immediately after first published by Microsoft | Approximately 4 months | Makes new features available to users as soon as possible | Home, Pro, Education, Enterprise, IoT Core, Windows 10 IoT Core Pro (IoT Core Pro) | -| Current Branch for Business (CBB) | Approximately 4 months after first published by Microsoft | Approximately 8 months | Provides additional time to test new feature upgrades before deployment | Pro, Education, Enterprise, IoT Core Pro | -| Long-Term Servicing Branch (LTSB) | Immediately after published by Microsoft | 10 Years | Enables long-term deployment of selected Windows 10 releases in low-change configurations | Enterprise LTSB | -  -## Streamlined product development and release cycles - -**Product cycles and builds** - -The Windows engineering team adds new features and functionality to Windows through *product cycles* comprised of development, testing, and release phases. Each day during a product cycle, the team compiles the source code for Windows and assembles the output into a *build* that users can install on their devices. The first recipients of builds are Microsoft employees who begin what Microsoft calls *selfhost* testing. 
- -**Testing and release prior to Windows 10** - -Prior to Windows 10, Microsoft issued and extensively tested many builds internally before selecting one for testing outside Microsoft. After repeating the external test cycle several times against builds of progressively better quality, the engineering team selected a build to enter the release phase. At the end of this phase, the team published the build as a new version of Windows – an event referred to as the *Release to Manufacturing* (RTM) milestone. In total, product cycles took between one and three years to complete, with testing and release processes taking up as much as half of the total investment in time. - -**A different approach for Windows 10** - -In today’s environment, where user expectations frequently are set by device-centric experiences, complete product cycles need to be measured in months, not years. Additionally, new releases must be made available on a continual basis, and must be deployable with minimal impact on users. Microsoft designed Windows 10 to meet these requirements by implementing a new approach to innovation development and delivery called *Windows as a Service* (WaaS). -The key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative community-centric approach to testing that Microsoft has implemented for Windows 10. The community, known as Windows Insiders, is comprised of millions of users around the world. When Windows Insiders opt in to the community, they test many builds over the course of a product cycle, and provide feedback to Microsoft through an iterative methodology called *flighting*. -Builds distributed as *flights* provide the Windows engineering team with significant data regarding how well builds are performing in actual use. 
Flighting with Windows Insiders also enables Microsoft to test builds in much more diverse hardware, application, and networking environments than in the past, and to identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will enable both a faster pace of innovation delivery, and better public release quality than ever. - -**Windows 10 release types and cadences** - -Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of Windows 10 releases broadly to the public on an ongoing basis: -- **Feature upgrades** that install the latest new features, experiences, and capabilities on devices that are already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are also what customers use to install Windows 10 on existing devices running Windows 7 or Windows 8.1, and on new devices where no operating system is installed. -- **Servicing updates** that focus on the installation of security fixes and other important updates. -Microsoft expects to publish an average of two to three new feature upgrades per year, and to publish servicing updates as needed for any feature upgrades that are still in support. Microsoft will continue publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally, Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday process when required to address customer needs. - -**The cumulative nature of all Windows 10 releases** -It is important to note that, in order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10 will be *cumulative*. This means new feature upgrades and servicing updates will contain the *payloads* of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. 
Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing update. For example, if a servicing update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes.   - -## New Windows 10 delivery and installation alternatives - -As with earlier releases of Windows, Windows 10 includes support for the deployment of new releases using Windows Update, Windows Server Update Services, System Center Configuration Manager, and third-party configuration management tools. Because of the importance of the Windows as a Service (WaaS) approach to delivering innovations to businesses, and the proven ability of Windows Update to deploy releases quickly and seamlessly to consumers and small businesses, several of the largest investments in Windows 10 focus on enabling broader use of Windows Update within enterprises. - -**Windows Update use by consumers and small businesses** - -Since Microsoft introduced the first generation of Windows Update with Windows 95, Windows Update has evolved to become the standard way for consumers and small businesses to help keep devices running Windows secure and running reliably. Almost one billion Windows devices communicate with the Windows Update service on a regular basis. The process of downloading and installing updates has evolved to be less and less obtrusive to users. More recently, Microsoft also has used Windows Update to deliver larger, feature-centric updates, such as the upgrade from Windows 8 to Windows 8.1, and is using Windows Update to upgrade devices running Windows 7 and Windows 8.1 to Windows 10. - -**Windows Update use within enterprises** - -Although Windows Update greatly simplifies and accelerates update deployment, enterprises are not using Windows Update as broadly as consumers and small businesses. 
This is largely because Windows Update maintains control over which updates are installed and the timing of installation. This makes it difficult for IT administrators to test updates before deployment in their specific environment. - -**The role of Windows Server Update Services** - -To help address the concerns of IT administrators, Microsoft released Windows Server Update Services in 2005. Windows Server Update Services enables IT administrators to obtain the updates that Windows Update determines are applicable to the devices in their enterprise, perform additional testing and evaluation on the updates, and select the updates they want to install. Windows Server Update Services also provides IT administrators with an all or nothing way to specify when they want an approved update to be installed. Because IT administrators ultimately select and install most updates identified by Windows Update, the role of Windows Server Update Services in many enterprises is to provide IT administrators with the additional time they need to gain confidence in the quality of updates prior to deployment. - -**New Windows Update capabilities in Windows 10** - -To enable enterprises to manage more of their devices using Windows Update directly, Windows 10 provides IT administrators with a way to configure devices so that Windows Update will defer new feature upgrade installations until approximately four months after Microsoft first publishes them. The additional time can be used to perform testing or enable releases to gain additional time in market prior to deployment. -At the end of each approximately four month period, Microsoft executes a set of processes that require no action from enterprise IT administrators. First, Microsoft creates new installation media for the feature upgrade by combining the original installation media with all the servicing updates published by Microsoft since the original media’s release. 
This reduces the time it can take to install a feature upgrade on a device. Second, Microsoft *republishes* the new media to Windows Update with *targeting* instructions that state (in effect) “install this media on devices that are configured for deferred installation of new feature upgrades.” At this point, devices configured to defer installation will begin receiving and installing the feature upgrade automatically. - -**The role of Windows Update for Business** - -Although Windows 10 will enable IT administrators to defer installation of new feature upgrades using Windows Update, enterprises may also want additional control over how and when Windows Update installs releases. With this need in mind, Microsoft [announced Windows Update for Business](https://go.microsoft.com/fwlink/p/?LinkId=624798) in May of 2015. Microsoft designed Windows Update for Business to provide IT administrators with additional Windows Update-centric management capabilities, such as the ability to deploy updates to groups of devices and to define maintenance windows for installing releases. This article will be updated with additional information about the role of Windows Update for Business in servicing Windows 10 devices as it becomes available. - -## Windows 10 servicing branches - -Historically, because of the length of time between releases of new Windows versions, and the relatively low number of enterprise devices that were upgraded to newer versions of Windows during their deployment lifetimes, most IT administrators defined servicing as installing the updates that Microsoft published every month. Looking forward, because Microsoft will be publishing new feature upgrades on a continual basis, *servicing* will also include (on some portion of an enterprise's devices) installing new feature upgrades as they become available. 
-In fact, when planning to deploy Windows 10 on a device, one of the most important questions for IT administrators to ask is, “What should happen to this device when Microsoft publishes a new feature upgrade?” This is because Microsoft designed Windows 10 to provide businesses with multiple servicing options, centered on enabling different rates of feature upgrade adoption. In particular, IT administrators can configure Windows 10 devices to: -- Receive feature upgrades immediately after Microsoft makes them available publicly, so that users gain access to new features, experiences, and functionality as soon as possible. For more information, see [Immediate feature upgrade installation with Current Branch (CB) servicing](#immediate-upgrade-cb). -- Defer receiving feature upgrades for a period of approximately four months after Microsoft makes them available publicly, to provide IT administrators with time to perform pre-deployment testing and provide feature upgrades releases with additional time-in-market to mature. For more information, see [Deferred feature upgrade installation with Current Branch for Business (CBB) servicing](#deferred-upgrade-cbb). -- Receive only servicing updates for the duration of their Windows 10 deployment in order to reduce the number of non-essential changes made to the device. For more information, see [Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing](#install-updates-ltsb). -The breakout of a company’s devices by the categories above is likely to vary significantly by industry and other factors. What is most important is that companies can decide what works best for them and can choose different options for different devices. 
- -## Current Branch versus Current Branch for Business - -When the development of a new Windows 10 feature upgrade is complete, it is initially offered to Current Branch computers; those computers configured for Current Branch for Business will receive the feature upgrade (with additional fixes) at a later date, generally at least four months later. An additional deferral of at least eight months is available to organizations that use tools to control the update process. During this time, monthly security updates will continue to be made available to machines not yet upgraded. - -The process to configure a PC for Current Branch for Business is simple. The **Defer upgrades** setting needs to be configured, either manually (through the Settings app), by using Group Policy, or by using mobile device management (MDM). - -![figure 1](images/fig1-deferupgrades.png) - -Figure 1. Configure the **Defer upgrades** setting - -Most organizations today leverage Windows Server Update Services (WSUS) or System Center Configuration Manager to update their PCs. With Windows 10, this does not need to change; all updates are controlled through approvals or automatic deployment rules configured in those products, so new upgrades will not be deployed until the organization chooses. The **Defer upgrades** setting can function as an additional validation check, so that Current Branch for Business machines that are targeted with a new upgrade prior to the end of the initial four-month deferral period will decline to install it; they can install the upgrade any time within the eight-month window after that initial four-month deferral period. - -For computers configured to receive updates from Windows Update directly, the **Defer upgrades** setting directly controls when the PC will be upgraded. 
Computers that are not configured to defer upgrades will be upgraded at the time of the initial Current Branch release; computers that are configured to defer upgrades will be upgraded four months later. - -With Windows 10 it is now possible to manage updates for PCs and tablets that have a higher degree of mobility and are not joined to a domain. For these PCs, you can leverage mobile device management (MDM) services or Windows Update for Business to provide the same type of control provided today with WSUS or Configuration Manager. - -For PCs enrolled in a mobile device management (MDM) service, Windows 10 provides new update approval mechanisms that could be leveraged to delay the installation of a new feature upgrade or any other update. Windows Update for Business will eventually provide these and other capabilities to manage upgrades and updates; more details on these capabilities will be provided when they are available later in 2015. - -With the release of each Current Branch feature update, new ISO images will be made available. You can use these images to upgrade existing machines or to create new custom images. These feature upgrades will also be published with WSUS to enable simple deployment to devices already running Windows 10. - -Unlike previous versions of Windows, the servicing lifetime of Current Branch or Current Branch for Business is finite. You must install new feature upgrades on machines running these branches in order to continue receiving monthly security updates. This requires new ways of thinking about software deployment. It is best to align your deployment schedule with the Current Branch release schedule: - -- Begin your evaluation process with the Windows Insider Program releases. -- Perform initial pilot deployments by using the Current Branch. -- Expand to broad deployment after the Current Branch for Business is available. -- Complete deployments by using that release in advance of the availability of the next Current Branch. 
- -![figure 2](images/fig2-deploymenttimeline.png) - -Figure 2. Deployment timeline - -Some organizations may require more than 12 months to deploy Windows 10 to all of their existing PCs. To address this, it may be necessary to deploy multiple Windows 10 releases, switching to these new releases during the deployment project. Notice how the timelines can overlap, with the evaluation of one release happening during the pilot and deployment of the previous release: - -![figure 3](images/fig3-overlaprelease.png) - -Figure 3. Overlapping releases - -As a result of these overlapping timelines, organizations can choose which release to deploy. Note though that by continuing for longer with one release, that gives you less time to deploy the subsequent release (to both existing Windows 10 PCs as well as newly-migrated ones), so staying with one release for the full lifetime of that release can be detrimental overall. - -## Long-Term Servicing Branch - -For specialized devices, Windows 10 Enterprise Long Term Servicing Branch (LTSB) ISO images will be made available. These are expected to be on a variable schedule, less often than CB and CBB releases. Once released, these will be supported with security and reliability fixes for an extended period; no new features will be added over its servicing lifetime. Note that LTSB images will not contain most in-box Universal Windows Apps (for example, Microsoft Edge, Cortana, the Windows Store, the Mail and Calendar apps) because the apps or the services that they use will be frequently updated with new functionality and therefore cannot be supported on PCs running the LTSB OS. - -These LTSB images can be used to upgrade existing machines or to create new custom images. - -Note that Windows 10 Enterprise LTSB installations fully support the Universal Windows Platform, with the ability to run line-of-business apps created using the Windows SDK, Visual Studio, and related tools capable of creating Universal Windows apps. 
For apps from other ISVs (including those published in the Windows Store), contact the ISV to confirm if they will provide long-term support for their specific apps. - -As mentioned previously, there are few, if any, scenarios where an organization would use the Long-Term Servicing Branch for every PC – or even for a majority of them. - -## Windows Insider Program - -During the development of a new Windows 10 feature update, preview releases will be made available to Windows Insider Program participants. This enables those participants to try out new features, check application compatibility, and provide feedback during the development process. - -To obtain Windows Insider Program builds, the Windows Insider Program participants must opt in through the Settings app, and specify their Microsoft account. - -Occasionally (typically as features are made available to those in the Windows Insider Program “slow” ring), new ISO images will be released to enable deployment validation, testing, and image creation. - -## Switching between branches - -During the life of a particular PC, it may be necessary or desirable to switch between the available branches. Depending on the branch you are using, the exact mechanism for doing this can be different; some will be simple, others more involved. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          For a PC that uses…Changing to…You need to:
          Windows Insider ProgramCurrent BranchWait for the final Current Branch release.
          Current Branch for BusinessNot directly possible, because Windows Insider Program machines are automatically upgraded to the Current Branch release at the end of the development cycle.
          Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
          Current BranchInsiderUse the Settings app to enroll the device in the Windows Insider Program.
          Current Branch for BusinessSelect the Defer upgrade setting, or move the PC to a target group or flight that will not receive the next upgrade until it is business ready. Note that this change will not have any immediate impact; it only prevents the installation of the next Current Branch release.
          Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
          Current Branch for BusinessInsiderUse the Settings app to enroll the device in the Windows Insider Program.
          Current BranchDisable the Defer upgrade setting, or move the PC to a target group or flight that will receive the latest Current Branch release.
          Long-Term Servicing BranchNot directly possible (requires wipe-and-load).
          Long-Term Servicing BranchInsiderUse media to upgrade to the latest Windows Insider Program build.
          Current BranchUse media to upgrade to a later Current Branch build. (Note that the Current Branch build must be a later build.)
          Current Branch for BusinessUse media to upgrade to a later Current Branch for Business build (Current Branch build plus fixes). Note that it must be a later build.
          - -## Plan for Windows 10 deployment - -The remainder of this article focuses on the description of the three options outlined above, and their planning implications, in more detail. In practice, IT administrators have to focus on two areas when planning a Windows 10 device deployment: -- **When should new feature upgrades be deployed?** Should the device install new feature upgrades when they are published by Microsoft? If so, should installation occur immediately or on a deferred basis? -- **How will releases be installed on devices?** Will Windows Update or Windows Server Update Services be used to install new releases, or will installation be performed using a configuration management system such as -Configuration Manager? - -The content that follows will provide IT administrators with the context needed to understand why these areas are pivotal, and the choices available to them. - -**How Microsoft releases Windows 10 feature upgrades** - ->Some figures in this article show multiple feature upgrades of Windows being released by Microsoft over time. Be aware that these figures were created with dates that were chosen for illustrative clarity, not for release roadmap accuracy, and should not be used for planning purposes. - -When it is time to release a build as a new feature upgrade for Windows 10, Microsoft performs several processes in sequence. The first process involves creating either one or two servicing branches in a source code management system. These branches (shown in Figure 4) are required to produce feature upgrade installation media and servicing update packages that can be deployed on different Windows 10 editions, running in different configurations. - -![figure 4](images/w10servicing-f1-branches.png) - -Figure 4. 
Feature upgrades and servicing branches - -In all cases, Microsoft creates a servicing branch (referred to in Figure 4 as Servicing Branch \#1) that is used to produce releases for approximately one year (although the lifetime of the branch will ultimately depend on when Microsoft publishes subsequent feature upgrade releases). If Microsoft has selected the feature upgrade to receive long-term servicing-only support, Microsoft also creates a second servicing branch (referred to in Figure 4 as Servicing Branch \#2) that is used to produce servicing update releases for up to 10 years. - -As shown in Figure 5, when Microsoft publishes a new feature upgrade, Servicing Branch \#1 is used to produce the various forms of media needed by OEMs, businesses, and consumers to install Windows 10 Home, Pro, Education, and Enterprise editions. Microsoft also produces the files needed by Windows Update to distribute and install the feature upgrade, along with *targeting* information that instructs Windows Update to only install the files on devices configured for *immediate* installation of feature upgrades. - -![figure 5](images/win10servicing-fig2-featureupgrade.png) - -Figure 5. Producing feature upgrades from servicing branches - -Approximately four months after publishing the feature upgrade, Microsoft uses Servicing Branch \#1 again to *republish* updated installation media for Windows 10 Pro, Education, and Enterprise editions. The updated media contains the exact same feature upgrade as contained in the original media except Microsoft also includes all the servicing updates that were published since the feature upgrade was first made available. This enables the feature upgrade to be installed on a device more quickly, and in a way that is potentially less obtrusive to users. - -Concurrently, Microsoft also changes the way the feature upgrade is published in the Windows Update service. 
In particular, the files used by Windows Update to distribute and install the feature upgrade are refreshed with the updated versions, and the targeting instructions are changed so that the updated feature upgrade will now be installed on devices configured for *deferred* installation of feature upgrades. - -**How Microsoft publishes the Windows 10 Enterprise LTSB Edition** - -If Microsoft has selected the feature upgrade to receive long-term servicing support, Servicing Branch \#2 is used to publish the media needed to install the Windows 10 Enterprise LTSB edition. The time between releases of feature upgrades with long-term servicing support will vary between one and three years, and is strongly influenced by input from customers regarding the readiness of the release for long-term enterprise deployment. Figure 5 shows the Windows 10 Enterprise LTSB edition being published at the same time as the other Windows 10 editions, which mirrors the way editions were actually published for Windows 10 in July of 2015. It is important to note that this media is never published to Windows Update for deployment. Installations of the Enterprise LTSB edition on devices must be performed another way. - -**How Microsoft releases Windows 10 servicing updates** - -As shown in Figure 6, servicing branches are also used by Microsoft to produce servicing updates containing fixes for security vulnerabilities and other important issues. Servicing updates are published in a way that determines the Windows 10 editions on which they can be installed. For example, servicing updates produced from a given servicing branch can only be installed on devices running a Windows 10 edition produced from the same servicing branch. In addition, because Windows 10 Home does not support deferred installation of feature upgrades, servicing updates produced from Servicing Branch \#1 are targeted at devices running Windows 10 Home only until Microsoft publishes feature upgrades for deferred installation. 
- -![figure 6](images/win10servicing-fig3.png) - -Figure 6. Producing servicing updates from servicing branches - -**Release installation alternatives** - -When IT administrators select Windows Update and/or Windows Server Update Services to deploy feature upgrades and servicing updates, Windows 10 and Windows Update will determine and deploy the correct releases for each of the three servicing options at the appropriate times. If there are multiple feature upgrades receiving long-term servicing support at the same time, Windows Update will select updates for each device that are appropriate for the feature upgrades they are running. - -When IT administrators manage deployments of feature upgrades and servicing updates directly with configuration management products such as Configuration Manager, they are responsible for the timing of installation of both feature upgrades and servicing updates. It is important to note that until IT administrators install a new servicing update, devices may remain exposed to security vulnerabilities. Therefore, when managing deployments directly, IT administrators should deploy new servicing updates as soon as possible. - -## Servicing options and servicing branch designations - -Servicing options have several different attributes that affect deployment planning decisions. For example, each servicing option: -- Is supported on a selected set of Windows 10 editions (and no Windows 10 edition supports all three servicing options). -- Has a policy that determines the periods of time during which Microsoft will produce servicing updates for a given feature upgrade. -- Has a policy that determines when devices being managed by Windows Update or Windows Server Update Services will install new feature upgrades when they become available from Microsoft. - -Because the servicing lifetime of a feature upgrade typically ends when the servicing lifetime of the subsequent feature upgrade begins, the length of servicing lifetimes will also vary. 
To simplify referring to these ranges, -Microsoft created *servicing branch designations* for each of the three time range/servicing branch combinations. The designations are Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). -Because there is a one-to-one mapping between servicing options and servicing branch designations, Microsoft occasionally refers to servicing options using servicing branch-centric terminology. The following sections describe servicing options and servicing branch designations, including terminology, servicing lifetime policies, upgrade behavior, and edition support, in more detail. - -**Service lifetime and feature upgrade installation paths** - -Although Microsoft is currently planning to release approximately two to three feature upgrades per year, the actual frequency and timing of releases will vary. Because the servicing lifetimes of feature upgrades typically end when the servicing lifetimes of other, subsequent feature upgrades begin, the lengths of servicing lifetimes will also vary. - -![figure 7](images/win10servicing-fig4-upgradereleases.png) - -Figure 7. Example release cadence across multiple feature upgrades - -To show the variability of servicing lifetimes, and show the paths that feature upgrade installations will take when Windows Update and Windows Server Update Services are used for deployments, Figure 4 contains three feature upgrade releases (labeled *X*, *Y*, and *Z*) and their associated servicing branches. The time period between publishing X and Y is four months, and the time period between publishing Y and Z is six months. X and Z have long-term servicing support, and Y has shorter-term servicing support only. - -The same underlying figure will be used in subsequent figures to show all three servicing options in detail. 
It is important to note that Figure 7 is provided for illustration of servicing concepts only and should not be used for actual Windows 10 release planning. - -To simplify the servicing lifetime and feature upgrade behavior explanations that follow, this document refers to branch designations for a specific feature upgrade as the +0 versions, the designations for the feature upgrade after the +0 version as the +1 (or successor) versions, and the designation for the feature upgrade after the +1 version as the +2 (or second successor) versions. - -### - -**Immediate feature upgrade installation with Current Branch (CB) servicing** -As shown in Figure 8, the Current Branch (CB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft publishes a feature upgrade targeted for devices configured for *immediate* installation and ends when Microsoft publishes the *successor* feature upgrade targeted for devices configured for *immediate* installation. - -![figure 8](images/win10servicing-fig5.png) - -Figure 8. Immediate installation with Current Branch Servicing - -The role of Servicing Branch \#1 during the CB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *immediate* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBs*. The Windows 10 editions that support servicing from CBs are Home, Pro, Education, and Enterprise. The Current Branch designation is intended to reflect the fact that devices serviced using this approach will be kept as current as possible with respect to the latest Windows 10 feature upgrade release. -Windows 10 Home supports Windows Update for release deployment. 
Windows 10 editions (Pro, Education, and Enterprise) support Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: -- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *immediate* feature upgrade installation. -- When devices are being managed by using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. -- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain installation media from Microsoft and deploy new feature upgrades immediately by using standard change control processes. IT administrators who use configuration management systems should also make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible. -It is important to note that devices serviced from CBs must install two to three feature upgrades per year to remain current and continue to receive servicing updates. - -### - -**Deferred feature upgrade installation with Current Branch for Business (CBB) servicing** -As shown in Figure 9, the Current Branch for Business (CBB) designation refers to Servicing Branch \#1 during the period that starts when Microsoft republishes a feature upgrade targeted for devices configured for *deferred* installation and ends when Microsoft republishes the *second successor* feature upgrade targeted for devices configured for *deferred* installation. - -![figure 9](images/win10servicing-fig6.png) - -Figure 9. 
Deferred installation with Current Branch for Business Servicing - -The role of Servicing Branch \#1 during the CBB period is to produce feature upgrades and servicing updates for Windows 10 devices configured for *deferred* installation of new feature upgrades. Microsoft refers to devices configured this way as being *serviced from CBBs*. The Windows 10 editions that support servicing from CBBs are Pro, Education, and Enterprise. The Current Branch for Business designation is intended to reflect the fact that many businesses require IT administrators to test feature upgrades prior to deployment, and servicing devices from CBBs is a pragmatic solution for businesses with testing constraints to remain as current as possible. -Windows 10 (Pro, Education, and Enterprise editions) support release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: -- When IT administrators use Windows Update to manage deployments, devices will receive new feature upgrades and servicing updates as soon as they are published by Microsoft in the Windows Update service, targeted to devices configured for *deferred* feature upgrade installation. It is important to note that, even when devices are configured to defer installations, all servicing updates that are applicable to the feature upgrade that is running on a device will be installed immediately after being published by Microsoft in the Windows Update service. -- When devices are being managed through Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. -- When using configuration management systems such as Configuration Manager to manage deployments, IT administrators can obtain media published for deferred installation from Microsoft and deploy new feature upgrades by using standard change control processes. 
When deferring feature upgrade installations, IT administrators should still deploy all applicable servicing updates as soon as they become available from Microsoft. -Microsoft designed Windows 10 servicing lifetime policies so that CBBs will receive servicing updates for approximately twice as many months as CBs. This enables two CBBs to receive servicing support at the same time, which provides businesses with more flexibility when deploying new feature upgrades. That said, it is important to note that Microsoft will not produce servicing updates for a feature upgrade after its corresponding CBB reaches the end of its servicing lifetime. This means that feature upgrade deployments cannot be extended indefinitely and IT administrators should ensure that they deploy newer feature upgrades onto devices before CBBs end. - -### - -**Install servicing updates only by using Long-Term Servicing Branch (LTSB) servicing** - -As shown in Figure 10, the Long-Term Servicing Branch (LTSB) designation refers to Servicing Branch \#2 from beginning to end. LTSBs begin when a feature upgrade with long-term support is published by Microsoft and end after 10 years. It is important to note that only the Windows 10 Enterprise LTSB edition supports long-term servicing, and there are important differences between this edition and other Windows 10 editions regarding upgradability and feature set (described below in the [Considerations when configuring devices for servicing updates only](#servicing-only) section). - -![figure 10](images/win10servicing-fig7.png) - -Figure 10. Servicing updates only using LTSB Servicing - -The role of LTSBs is to produce servicing updates for devices running Windows 10 configured to install servicing updates only. Devices configured this way are referred to as being *serviced from LTSBs*. 
The Long-Term Servicing Branch designation is intended to reflect the fact that this servicing option is intended for scenarios where changes to software running on devices must be limited to essential updates (such as those for security vulnerabilities and other important issues) for the duration of deployments. -Windows 10 Enterprise LTSB supports release deployment by using Windows Update, Windows Server Update Services, Configuration Manager, and other configuration management systems: -- When IT administrators use Windows Update to manage deployments, Windows Update will install only servicing updates, and do so as soon as they are published by Microsoft in the Windows Update service. Windows Update does not install feature upgrades on devices configured for long-term servicing. -- When devices are being managed using Windows Server Update Services, the same workflows are executed as with Windows Update except IT administrators must approve releases before installations begin. -- When using configuration management systems such as System Center Configuration Manager to manage deployments, IT administrators should make sure to obtain and deploy all servicing updates published by Microsoft as soon as possible. - -**Note**   -It is important to note again that not all feature upgrades will have an LTSB. The initial release of Windows 10, published in July 2015, has an LTSB and Microsoft expects to designate one additional feature upgrade in the next 12 months for long-term support. After that, Microsoft expects to publish feature upgrades with long-term servicing support approximately every two to three years. Microsoft will provide additional information in advance of publishing new feature upgrades so that IT administrators can make informed deployment planning decisions. 
-  -### - -**Considerations when configuring devices for servicing updates only** -Before deciding to configure a device for LTSB-based servicing, IT administrators should carefully consider the implications of changing to a different servicing option later, and the effect of using Windows 10 Enterprise LTSB on the availability of *in-box* applications. - -Regarding edition changes, it is possible to reconfigure a device running Windows 10 Enterprise LTSB to run Windows 10 Enterprise while preserving the data and applications already on the device. Reconfiguring a device running Windows 10 Enterprise LTSB to run other editions of Windows 10 may require IT administrators to restore data and/or reinstall applications on the device after the other edition has been installed. -Regarding in-box applications, Windows 10 Enterprise LTSB does not include all the universal apps that are included with other Windows 10 editions. This is because the universal apps included with Windows 10 will be continually upgraded by Microsoft, and new releases of in-box universal apps are unlikely to remain compatible with a feature upgrade of Windows 10 Enterprise LTSB for the duration of its servicing lifetime. Examples of apps that Windows 10 Enterprise LTSB does not include are Microsoft Edge, Windows Store Client, Cortana (limited search capabilities remain available), Outlook Mail, Outlook Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. - -Windows 10 Enterprise LTSB does include Internet Explorer 11, and is compatible with Windows 32 versions of Microsoft Office. IT administrators can also install universal apps on devices when apps are compatible with the feature upgrades running on the device. They should do so with care, however, as servicing updates targeted for devices running Windows 10 Enterprise LTSB will not include security or non-security fixes for universal apps. 
Additionally, Microsoft will not provide servicing updates for specific releases of apps on any Windows 10 edition after the feature upgrade of Windows 10 with which the apps were included reaches the end of its servicing lifetime. - -**Servicing option summary** - -Table 2. Servicing option summary - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          ComparisonWindows 10 servicing options
          Current Branch (CB)Current Branch for Business (CBB)Long-Term Servicing Branch (LTSB)
          Availability of new feature upgrades for installationImmediateDeferred by ~4 monthsNot applicable
          Supported editionsWindows 10 Home, Windows 10 Pro, Windows 10 Education, Windows 10 Enterprise, -IoT Core, IoT Core ProWindows 10 Pro, -Windows 10 Education, -Windows 10 Enterprise, -IoT Core ProWindows 10 Enterprise LTSB
          Minimum length of servicing lifetimeApproximately 4 MonthsApproximately 8 months10 years
          Ongoing installation of new feature upgrades required to receive servicing updatesYesYesNo
          Supports Windows Update for release deploymentYesYesYes
          Supports Windows Server Update Services for release deploymentYes -(excludes Home) -YesYes
          Supports Configuration Manager/configuration management systems for release deploymentYes -(excludes Home) -YesYes
          First party browsers includedMicrosoft Edge, -Internet Explorer 11Microsoft Edge, -IE11IE11
          Notable Windows -system apps removed -NoneNoneMicrosoft Edge, Windows Store Client, Cortana (limited search available)
          Notable Windows -universal apps removed -NoneNoneOutlook Mail/Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, Clock
          -  
-## Related topics
-
-[Plan for Windows 10 deployment](../plan/index.md)
-
-[Deploy Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624776)
-
-[Manage and update Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=624796)
- 
- 
diff --git a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
index 969c7bc490..61e6b65929 100644
--- a/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/manage/join-windows-10-mobile-to-azure-active-directory.md
@@ -62,7 +62,7 @@ However, neither of these methods provides SSO in the Windows Store or SSO to re
 Using **Settings** > **Accounts** > **Your email and accounts** > **Add work or school account**, users can add their Azure AD account to the device. Alternatively, a work account can be added when the user signs in to an application like Mail, Word, etc. If you [enable auto-enrollment in your MDM settings](https://go.microsoft.com/fwlink/p/?LinkID=691615), the device will automatically be enrolled in MDM.
-An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook Web Access, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
+An added work account provides the same SSO experience in browser apps like Office 365 (Office portal, Outlook on the web, Calendar, People, OneDrive), Azure AD profile and change password app, and Visual Studio. You get SSO to built-in applications like Mail, Calendar, People, OneDrive and files hosted on OneDrive without prompts for a password. In Office apps like Microsoft Word, Microsoft Excel, etc., you simply select the Azure AD account and you are able to open files without entering a password.
 ## Preparing for Windows 10 Mobile
diff --git a/windows/manage/lock-down-windows-10.md b/windows/manage/lock-down-windows-10.md
deleted file mode 100644
index a3374f6d0f..0000000000
--- a/windows/manage/lock-down-windows-10.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Lock down Windows 10 (Windows 10)
-description: Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
-ms.assetid: 955BCD92-0A1A-4C48-98A8-30D7FAF2067D
-keywords: lockdown
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: jdeckerMS
-localizationpriority: high
----
-
-# Lock down Windows 10
-
-Enterprises often need to manage how people use corporate devices. Windows 10 provides a number of features and methods to help you lock down specific parts of a Windows 10 device.
-
-## In this section
- - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          TopicDescription

          [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md)

          Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10.

          [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md)

          Windows 10, Version 1607, introduces *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail.

          [Set up a device for anyone to use (kiosk mode)](set-up-a-device-for-anyone-to-use.md)

          You can configure a device running Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile, or Windows 10 Mobile Enterprise as a kiosk device, so that users can only interact with a single application that you select.

          [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)

          Learn how to configure a device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. The result is similar to [a kiosk device](set-up-a-device-for-anyone-to-use.md), but with multiple apps available. For example, you might set up a library computer so that users can search the catalog and browse the Internet, but can't run any other apps or change computer settings.

          [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md)

          Use this article to make informed decisions about how you can configure Windows telemetry in your organization.

          [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)

          Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.

          [Configure access to Windows Store](stop-employees-from-using-the-windows-store.md)

          IT Pros can configure access to Windows Store for client computers in their organization. For some organizations, business policies require blocking access to Windows Store.

          [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md)

          Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense.

          -

          The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.

          [Configure Windows 10 Mobile using Lockdown XML](lockdown-xml.md)

          Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device.

          [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)

          There are two methods for resetting a Windows 10 Mobile device: factory reset and "wipe and persist" reset.

          -
-## Learn more
-
-[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
-
-## Related topics
-
-[Lockdown features from Windows Embedded Industry 8.1](../whats-new/lockdown-features-windows-10.md)
diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md
deleted file mode 100644
index 33b7160191..0000000000
--- a/windows/manage/manage-cortana-in-enterprise.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Cortana integration in your business or enterprise (Windows 10)
-description: The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/cortana-at-work-overview
----
\ No newline at end of file
diff --git a/windows/manage/manage-inventory-windows-store-for-business.md b/windows/manage/manage-inventory-windows-store-for-business.md
deleted file mode 100644
index f8db99379b..0000000000
--- a/windows/manage/manage-inventory-windows-store-for-business.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-title: Manage inventory in Windows Store for Business (Windows 10)
-description: When you acquire apps from the Windows Store for Business, we add them to the Inventory for your organization. Once an app is part of your inventory, you can distribute the app, and manage licenses.
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
----
-
-
diff --git a/windows/manage/manage-windows-10-in-your-organization-modern-management.md b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
index e0852318ad..ed2c748110 100644
--- a/windows/manage/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/manage/manage-windows-10-in-your-organization-modern-management.md
@@ -44,11 +44,10 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
 With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: - - Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services like [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
-- Create self-contained provisioning packages built with the [Windows Imaging and Configuration Designer (ICD)](https://msdn.microsoft.com/library/windows/hardware/dn916113(v=vs.85).aspx).
+- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
 - Use traditional imaging techniques such as deploying custom images using [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction).
@@ -81,7 +80,7 @@ You can envision user and device management as falling into these two categories
 Domain joined PCs and tablets can continue to be managed with the [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) client or Group Policy.
-For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-windows10-devices/).
+For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/).
 As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
diff --git a/windows/manage/mandatory-user-profile.md b/windows/manage/mandatory-user-profile.md
index 698093e9a1..3ced9aa8fd 100644
--- a/windows/manage/mandatory-user-profile.md
+++ b/windows/manage/mandatory-user-profile.md
@@ -60,7 +60,7 @@ First, you create a default user profile with the customizations that you want,
 3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-3. Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications:
+3. For devices running Windows 10, use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications:
 - Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
 - Microsoft.BingWeather_8wekyb3d8bbwe
@@ -146,14 +146,14 @@ It may take some time for this change to replicate to all domain controllers.
 ## Apply policies to improve sign-in time
-When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the following Group Policy settings.
-
-- Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled
-- Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled
-- Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled
-
+When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.)
+| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
+| --- | --- | --- | --- | --- |
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
@@ -164,7 +164,7 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
 - [Manage Windows 10 Start layout and taskbar options](windows-10-start-layout-options-and-policies.md)
 - [Lock down Windows 10 to specific apps](lock-down-windows-10-to-specific-apps.md)
-- [Windows Spotlight on the lock screen](windows-spotlight.md)
+- [Windows Spotlight on the lock screen](../configure/windows-spotlight.md)
 - [Configure devices without MDM](configure-devices-without-mdm.md)
diff --git a/windows/manage/new-policies-for-windows-10.md b/windows/manage/new-policies-for-windows-10.md
index 873c393efd..311f3f125f 100644
--- a/windows/manage/new-policies-for-windows-10.md
+++ b/windows/manage/new-policies-for-windows-10.md
@@ -74,6 +74,8 @@ Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, Wind - Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu +Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + If you use Microsoft Intune for MDM, you can [configure custom policies](https://go.microsoft.com/fwlink/p/?LinkId=616316) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](https://go.microsoft.com/fwlink/p/?LinkId=616317). No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=613264). For more information, see the [ActiveSync configuration service provider](https://go.microsoft.com/fwlink/p/?LinkId=618944) technical reference. diff --git a/windows/manage/roles-and-permissions-windows-store-for-business.md b/windows/manage/roles-and-permissions-windows-store-for-business.md index 9542529fbe..8985c21e1c 100644 --- a/windows/manage/roles-and-permissions-windows-store-for-business.md +++ b/windows/manage/roles-and-permissions-windows-store-for-business.md @@ -26,72 +26,15 @@ Store for Business has a set of roles that help admins and employees manage acce This table lists the global user accounts and the permissions they have in the Store for Business. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Global AdministratorUser AdministratorBilling Administrator

          Sign up for Store for Business

          X

          Assign roles

          X

          X

          Modify company profile settings

          X

          Manage Store for Business settings

          X

          Acquire apps

          X

          X

          Distribute apps

          X

          X

          Sign policies and catalogs

          X

          - +| | Global Administrator | Billing Administrator | +| ------------------------------ | --------------------- | --------------------- | +| Sign up for Store for Business | X | | +| Modify company profile settings | X | | +| Acquire apps | X | X | +| Distribute apps | X | X |   -- **Global Administrator** - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business, and assign Store for Business roles to other employees. - -- **User Administrator** - IT Pros with this account can assign Store for Business roles to other employees, as long as the User Administrator also has the Store for Business Admin role. +- **Global Administrator** - IT Pros with this account have full access to Store for Business. They can do everything allowed in the Store for Business Admin role, plus they can sign up for the Store for Business. - **Billing Administrator** - IT Pros with this account have the same permissions as the Store for Business Purchaser role. @@ -101,74 +44,15 @@ Store for Business has a set of roles that help IT admins and employees manage a This table lists the roles and their permissions. - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
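Review bot: The rebuilt global-accounts table drops the "Assign roles", "Manage Store for Business settings" and "Sign policies and catalogs" rows that the deleted HTML table carried, yet the prose directly below it still says a Global Administrator can do everything allowed in the Store for Business Admin role, and the Admin table in the next hunk lists exactly those permissions (plus "Sign Device Guard changes"). A reader checking which account can assign roles or sign catalogs now finds the first table silent while the later note says "To assign roles, you need to be a Global Administrator or a Store Administrator". Either restore those rows to the first table with an X under Global Administrator, or add one sentence under it such as `Global Administrators also have every permission listed for the Admin role in the table below.` Which column each X sat in is not recoverable from the collapsed old table here, so the exact previous assignments should be confirmed against the prior revision before deciding.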
          AdminPurchaserDevice Guard signer

          Sign up for Store for Business

          Assign roles

          Modify company profile settings

          Manage Store for Business settings

          X

          Acquire apps

          X

          X

          Distribute apps

          X

          X

          Sign policies and catalogs

          X

          Sign Device Guard changes

          X

          +| | Admin | Purchaser | Device Guard signer | +| ------------------------------ | ------ | -------- | ------------------- | +| Assign roles | X | | | +| Manage Store for Business settings | X | | | +| Acquire apps | X | X | | +| Distribute apps | X | X | | +| Sign policies and catalogs | X | | | +| Sign Device Guard changes | X | | X | -  These permissions allow people to: @@ -184,7 +68,7 @@ These permissions allow people to: - Offline licensing - - Permissions (view only) + - Permissions - Private store @@ -196,12 +80,10 @@ These permissions allow people to: 1. Sign in to Store for Business. - **Note**   - You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page. - - To assign roles, you need to be a Global Administrator or a Store Administrator that is also a User Administrator. - -   + >[!Note] + >You need to be a Global Administrator, or have the Store for Business Admin role to access the **Permissions** page.  + + To assign roles, you need to be a Global Administrator or a Store Administrator. 2. Click **Settings**, and then choose **Permissions**. @@ -211,9 +93,7 @@ These permissions allow people to: ![Image showing Assign roles to people box in Windows Store for Business.](images/wsfb-permissions-assignrole.png) -4. - - If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md) +4. If you are not finding the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Windows Store for Business.](manage-users-and-groups-windows-store-for-business.md)   diff --git a/windows/manage/uev-accessibility.md b/windows/manage/uev-accessibility.md deleted file mode 100644 index 08416f8349..0000000000 --- a/windows/manage/uev-accessibility.md +++ /dev/null 
@@ -1,4 +0,0 @@
----
-title: Accessibility for UE-V
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/uev-for-windows
----
\ No newline at end of file
diff --git a/windows/manage/uev-privacy-statement.md b/windows/manage/uev-privacy-statement.md
deleted file mode 100644
index eb9e64f8a1..0000000000
--- a/windows/manage/uev-privacy-statement.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-title: User Experience Virtualization Privacy Statement
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/uev-security-considerations
----
\ No newline at end of file
diff --git a/windows/manage/update-windows-store-for-business-account-settings.md b/windows/manage/update-windows-store-for-business-account-settings.md
index dbf68b6bad..43a9468143 100644
--- a/windows/manage/update-windows-store-for-business-account-settings.md
+++ b/windows/manage/update-windows-store-for-business-account-settings.md
@@ -31,7 +31,7 @@ We need an email address in case we need to contact you about your Store for Bus
 To update Organization information, click **Edit organization information**.
-## Organization tax information ##
+## Organization tax information
 Taxes for Windows Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
 - Austria
 - Belgium
@@ -96,7 +96,7 @@ For example:
          ($1.29 X .095) X 100 = $12.25 -##Payment options## +## Payment options You can purchase apps from the Windows Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards: 1. VISA 2. MasterCard @@ -104,8 +104,8 @@ You can purchase apps from the Windows Store for Business using your credit card 4. American Express 5. Japan Commercial Bureau (JCB) -**Note**:
          -Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region. +> [!NOTE] +> Not all cards available in all countries. When you add a payment option, Store for Business shows which cards are available in your region. **To add a new payment option** @@ -116,7 +116,8 @@ Not all cards available in all countries. When you add a payment option, Store f Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. -**Note**: 
          When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation. +> [!NOTE] +> When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation **To update a payment option** @@ -126,9 +127,10 @@ Once you click Next, the information you provided will be validated with a tes 4. Enter any updated information in the appropriate fields, and then click **Next**. Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. -**Note**:
           Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance. +> [!NOTE] +> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. -##Offline licensing## +## Offline licensing Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model). diff --git a/windows/manage/windows-10-start-layout-options-and-policies.md b/windows/manage/windows-10-start-layout-options-and-policies.md deleted file mode 100644 index 85a835748e..0000000000 --- a/windows/manage/windows-10-start-layout-options-and-policies.md +++ /dev/null 
@@ -1,178 +0,0 @@ ---- -title: Manage Windows 10 Start and taskbar layout (Windows 10) -description: Organizations might want to deploy a customized Start and taskbar layout to devices running Windows 10 Enterprise or Windows 10 Education. -ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A -keywords: ["start screen", "start menu"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Manage Windows 10 Start and taskbar layout - - -**Applies to** - -- Windows 10 - -> **Looking for consumer information?** See [Customize the Start menu](http://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) - -Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Enterprise or Windows 10 Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. - ->[!NOTE] ->Taskbar configuration is available starting in Windows 10, version 1607. - -## Start options - -![start layout sections](images/startannotated.png) - -Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy. - -The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          StartPolicySetting
          User tileGroup Policy: Remove Logoff on the Start menu
          Most usedGroup Policy: Remove frequent programs from the Start menuSettings > Personalization > Start > Show most used apps

          Suggestions

          -

          -and-

          -

          Dynamically inserted app tile

          MDM: Allow Windows Consumer Features

          -

          Group Policy: Computer Configuration\\Administrative Templates\\Windows Components\\Cloud Content\\Turn off Microsoft consumer experiences

          -
          -Note   -

          This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu.

          -
          -
          -  -
          Settings > Personalization > Start > Occasionally show suggestions in Start
          Recently addednot applicableSettings > Personalization > Start > Show recently added apps
          Pinned foldersnot applicableSettings > Personalization > Start > Choose which folders appear on Start
          PowerGroup Policy: Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commandsNone
          Start layout

          MDM: Start layout

          -

          Group Policy: Start layout

          -

          Group Policy: Prevent users from customizing their Start Screen

          -
          -Note   -

          When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the All Apps view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

          Start layout policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. -

          -
          -  -
          None
          Jump listsGroup Policy: Do not keep history of recently opened documentsSettings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
          Start size

          MDM: Force Start size

          -

          Group Policy: Force Start to be either full screen size or menu size

          Settings > Personalization > Start > Use Start full screen
          All SettingsGroup Policy: Prevent changes to Taskbar and Start Menu SettingsNone
          - - ## Taskbar options - -Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. - -There are three categories of apps that might be pinned to a taskbar: -* Apps pinned by the user -* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) -* Apps pinned by the enterprise, such as in an unattended Windows setup - - **Note**   - The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. - -The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). - -> **Note**  In operating systems configured to use a right-to-left language, the taskbar order will be reversed. - -![Windows left, user center, enterprise to the right](images/taskbar-generic.png) - -Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: -* Pin additional apps -* Change the order of pinned apps -* Unpin any app - -### Taskbar configuration applied to clean install of Windows 10 - -In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. - -### Taskbar configuration applied to Windows 10 upgrades - -When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. 
- -The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: -* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. -* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. -* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. -* New apps specified in updated layout file are pinned to right of user's pinned apps. - - - -## Related topics - - -[Customize and export Start layout](customize-and-export-start-layout.md) - -[Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - -[Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - -[Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - -[Customize Windows 10 Start and taskbar with ICD and provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - -[Changes to Group Policy settings for Windows 10 Start](changes-to-start-policies-in-windows-10.md) - -  - -  - - - - - diff --git a/windows/manage/windows-libraries.md b/windows/manage/windows-libraries.md index 1608798dce..f8937e7a43 100644 --- a/windows/manage/windows-libraries.md +++ b/windows/manage/windows-libraries.md 
@@ -10,10 +10,10 @@ author: jasongerend
 ms.date: 2/6/2017
 description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
 ---
-> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
-
 # Windows Libraries
+> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
+
 Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
 ## Features for Users
diff --git a/windows/manage/windows-spotlight.md b/windows/manage/windows-spotlight.md
deleted file mode 100644
index 1b2430b14d..0000000000
--- a/windows/manage/windows-spotlight.md
+++ /dev/null
@@ -1,81 +0,0 @@ ---- -title: Windows Spotlight on the lock screen (Windows 10) -description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A -keywords: ["lockscreen"] -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: jdeckerMS -localizationpriority: high ---- - -# Windows Spotlight on the lock screen - - -**Applies to** - -- Windows 10 - -Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen. Windows Spotlight is available in all desktop editions of Windows 10. - -For managed devices running Windows 10 Enterprise and Windows 10 Education, enterprise administrators can configure a mobile device management (MDM) or Group Policy setting to prevent users from using the Windows Spotlight background. For managed devices running Windows 10 Pro, version 1607, administrators can disable suggestions for third party apps. - -## What does Windows Spotlight include? - - -- **Background image** - - The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis. - - ![lock screen image](images/lockscreen.png) - -- **Feature suggestions, fun facts, tips** - - The lock screen background will occasionally suggest Windows 10 features that the user hasn't tried yet, such as **Snap assist**. - -## How do you turn off Windows Spotlight locally? - - -To turn off Windows Spotlight locally, go to **Settings** > **Personalization** > **Lock screen** > **Background** > **Windows spotlight** > select a different lock screen background - -![personalization background](images/spotlight.png) - -## How do you disable Windows Spotlight for managed devices? 
- - -Windows 10, version 1607, provides three new Group Policy settings to help you manage Windows Spotlight on enterprise computers. - -**Windows 10 Pro, Enterprise, and Education** - -- **User Configuration\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in Windows spotlight** enables enterprises to restrict suggestions to Microsoft apps and services. - -**Windows 10 Enterprise and Education** - -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off all Windows Spotlight features** enables enterprises to completely disable all Windows Spotlight features in a single setting. -* **User Configuration\Administrative Templates\Windows Components\Cloud Content\Configure Spotlight on lock screen** specifically controls the use of the dynamic Windows Spotlight image on the lock screen, and can be enabled or disabled. (The Group Policy setting **Enterprise Spotlight** does not work in Windows 10, version 1607.) - -Windows Spotlight is enabled by default. Administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - ->[!WARNING] -> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. - -![lockscreen policy details](images/lockscreenpolicy.png) - -Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages, such as the example in the following image. 
- -![fun facts](images/funfacts.png) - -## Related topics - - -[Manage Windows 10 Start layout options](../manage/windows-10-start-layout-options-and-policies.md) - -  - -  - - - - - diff --git a/windows/manage/windows-store-for-business-overview.md b/windows/manage/windows-store-for-business-overview.md index c2ce1d7706..a3a565c261 100644 --- a/windows/manage/windows-store-for-business-overview.md +++ b/windows/manage/windows-store-for-business-overview.md 
@@ -18,12 +18,12 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. +With Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps. ## Features -Organizations of any size can benefit from using the Store for Business provides: +Organizations of any size can benefit from using the Store for Business: - **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts. @@ -47,7 +47,6 @@ Organizations of any size can benefit from using the Store for Business provides ## Prerequisites - You'll need this software to work with the Store for Business. ### Required 
@@ -78,7 +77,6 @@ While not required, you can use a management tool to distribute and manage apps. ## How does the Store for Business work? - ### Sign up! The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization. @@ -89,50 +87,12 @@ For more information, see [Sign up for the Store for Business](../manage/sign-up After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions. - ------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          PermissionAccount settingsAcquire appsDistribute appsDevice Guard signing

          Admin

          X

          X

          X

          Purchaser

          X

          X

          Device Guard signer

          X

          - +| Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing | +| ---------- | ---------------- | ------------ | --------------- | -------------------- | +| Admin | X | X | X | | +| Purchaser | | X | X | | +| Device Guard signer | | | | X | - In some cases, admins will need to add Azure Active Directory (AD) accounts for their employees. For more information, see [Manage user accounts and groups](../manage/manage-users-and-groups-windows-store-for-business.md). Also, if your organization plans to use a management tool, you’ll need to configure your management tool to sync with the Store for Business. @@ -292,6 +252,7 @@ Store for Business is currently available in these markets.

        4. Luxembourg
        5. Malaysia
        6. Malta
        7. +
        8. Mauritius
        9. Mexico
        10. Mongolia
        11. Montenegro
        12. @@ -313,12 +274,12 @@ Store for Business is currently available in these markets.
        13. Portugal
        14. Puerto Rico
        15. Qatar
        16. -
        17. Romania
        18. -
        19. Rwanda
        20. +
        21. Romania
          • +
          • Rwanda
          • Saint Kitts and Nevis
          • Saudi Arabia
          • Senegal
          • @@ -343,8 +304,7 @@ Store for Business is currently available in these markets.
          • Viet Nam
          • Virgin Islands, U.S.
          • Zambia
          • -
          • Zimbabwe
             
             
             
             
          • - +
          • Zimbabwe
                  
@@ -367,7 +327,19 @@ Store for Business is currently available in these markets.
-
+## Privacy notice
+
+Microsoft Store for Business services get names and email addresses of people in your organization from Azure Active Directory. This information is needed for these admin functions:
+- Granting and managing permissions
+- Managing app licenses
+- Distributing apps to people (names appear in a list that admins can select from)
+
+Store for Business does not save names, or email addresses.
+
+Your use of Store for Business is also governed by the Store for Business Terms of Use.
+
+Information sent to Store for Business is subject to the [Store for Business Privacy Statement](https://privacy.microsoft.com/privacystatement/).
+
 ## ISVs and the Store for Business
diff --git a/windows/plan/TOC.md b/windows/plan/TOC.md
index 9bee9778e7..08c2baded5 100644
--- a/windows/plan/TOC.md
+++ b/windows/plan/TOC.md
@@ -1,4 +1,5 @@
 # [Plan for Windows 10 deployment](index.md)
+## [Windows 10 Enterprise FAQ for IT Pros](windows-10-enterprise-faq-itpro.md)
 ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md)
 ## [Windows 10 compatibility](windows-10-compatibility.md)
 ## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
diff --git a/windows/plan/act-community-ratings-and-process.md b/windows/plan/act-community-ratings-and-process.md
deleted file mode 100644
index e9c34a2026..0000000000
--- a/windows/plan/act-community-ratings-and-process.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Community Ratings and Process (Windows 10)
-description: The Application Compatibility Toolkit (ACT) Community uses the Microsoft® Compatibility Exchange to share compatibility ratings between all registered ACT Community members.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-database-configuration.md b/windows/plan/act-database-configuration.md
deleted file mode 100644
index 7c07865d8a..0000000000
--- a/windows/plan/act-database-configuration.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Database Configuration (Windows 10)
-description: The Application Compatibility Toolkit (ACT) uses a Microsoft® SQL Server® database for storing and sharing compatibility issue data.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-database-migration.md b/windows/plan/act-database-migration.md
deleted file mode 100644
index e8b5e9b74f..0000000000
--- a/windows/plan/act-database-migration.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Database Migration (Windows 10)
-description: The schema for an ACT database can change when ACT is updated or when a new version of ACT is released.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-deployment-options.md b/windows/plan/act-deployment-options.md
deleted file mode 100644
index a550b72152..0000000000
--- a/windows/plan/act-deployment-options.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: ACT Deployment Options (Windows 10)
-description: While planning your deployment of the Application Compatibility Toolkit (ACT), consider which computers you want running the various tools, packages, and services for ACT.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/act-glossary.md b/windows/plan/act-glossary.md
deleted file mode 100644
index 17f66a70be..0000000000
--- a/windows/plan/act-glossary.md
+++ /dev/null
@@ -1,5 +0,0 @@ ---- -title: ACT Glossary (Windows 10) -description: The following table lists terms and definitions used by the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-lps-share-permissions.md b/windows/plan/act-lps-share-permissions.md deleted file mode 100644 index 37a6534881..0000000000 --- a/windows/plan/act-lps-share-permissions.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT LPS Share Permissions (Windows 10) -description: To upload log files to the ACT Log Processing Service (LPS) share, certain permissions must be set at the share level and folder level. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-application-report.md b/windows/plan/act-operatingsystem-application-report.md deleted file mode 100644 index 62da93a40d..0000000000 --- a/windows/plan/act-operatingsystem-application-report.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: OperatingSystem - Application Report (Windows 10) -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-computer-report.md b/windows/plan/act-operatingsystem-computer-report.md deleted file mode 100644 index bf508ee97a..0000000000 --- a/windows/plan/act-operatingsystem-computer-report.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -title: OperatingSystem - Computer Report (Windows 10) -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-operatingsystem-device-report.md b/windows/plan/act-operatingsystem-device-report.md deleted file mode 100644 index 6668aa3041..0000000000 --- a/windows/plan/act-operatingsystem-device-report.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: OperatingSystem - Device Report (Windows 10) -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-product-and-documentation-resources.md b/windows/plan/act-product-and-documentation-resources.md deleted file mode 100644 index 2c3290db5b..0000000000 --- a/windows/plan/act-product-and-documentation-resources.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: ACT Product and Documentation Resources (Windows 10) -description: The following sections provide links to resources and reference material for the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - -  - - - - - diff --git a/windows/plan/act-settings-dialog-box-preferences-tab.md b/windows/plan/act-settings-dialog-box-preferences-tab.md deleted file mode 100644 index eaa5fec362..0000000000 --- a/windows/plan/act-settings-dialog-box-preferences-tab.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -title: Settings Dialog Box - Preferences Tab (Windows 10) -description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-settings-dialog-box-settings-tab.md b/windows/plan/act-settings-dialog-box-settings-tab.md deleted file mode 100644 index 30e7000dd2..0000000000 --- a/windows/plan/act-settings-dialog-box-settings-tab.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Settings Dialog Box - Settings Tab (Windows 10) -description: To display the Settings dialog box, in Application Compatibility Manager (ACM), on the Tools menu, click Settings. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-toolbar-icons-in-acm.md b/windows/plan/act-toolbar-icons-in-acm.md deleted file mode 100644 index bd6b97dcde..0000000000 --- a/windows/plan/act-toolbar-icons-in-acm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Toolbar Icons in ACM (Windows 10) -description: The following table shows icons that appear on toolbars and navigational elements in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-tools-packages-and-services.md b/windows/plan/act-tools-packages-and-services.md deleted file mode 100644 index 7e20751a4a..0000000000 --- a/windows/plan/act-tools-packages-and-services.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -title: ACT Tools, Packages, and Services (Windows 10) -description: The Application Compatibility Toolkit is included with the Windows ADK. Download the Windows ADK. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/act-user-interface-reference.md b/windows/plan/act-user-interface-reference.md deleted file mode 100644 index affbef996f..0000000000 --- a/windows/plan/act-user-interface-reference.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: ACT User Interface Reference (Windows 10) -description: This section contains information about the user interface for Application Compatibility Manager (ACM), which is a tool in the Application Compatibility Toolkit (ACT). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/activating-and-closing-windows-in-acm.md b/windows/plan/activating-and-closing-windows-in-acm.md deleted file mode 100644 index 4640049e22..0000000000 --- a/windows/plan/activating-and-closing-windows-in-acm.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Activating and Closing Windows in ACM (Windows 10) -description: The Windows dialog box shows the windows that are open in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - -  - - - - - diff --git a/windows/plan/adding-or-editing-a-solution.md b/windows/plan/adding-or-editing-a-solution.md deleted file mode 100644 index b5a52a45c2..0000000000 --- a/windows/plan/adding-or-editing-a-solution.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -title: Adding or Editing a Solution (Windows 10) -description: If you find your own solutions to compatibility issues, you can enter the solutions in Application Compatibility Manager (ACM). You can use the Microsoft Compatibility Exchange to upload solutions to Microsoft Corporation. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/adding-or-editing-an-issue.md b/windows/plan/adding-or-editing-an-issue.md deleted file mode 100644 index 08d2098675..0000000000 --- a/windows/plan/adding-or-editing-an-issue.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Adding or Editing an Issue (Windows 10) -description: In Application Compatibility Manager (ACM), you can enter information about the compatibility issues that you discover. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/analyzing-your-compatibility-data.md b/windows/plan/analyzing-your-compatibility-data.md deleted file mode 100644 index 2d69b55931..0000000000 --- a/windows/plan/analyzing-your-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Analyzing Your Compatibility Data (Windows 10) -description: This section provides information about viewing and working with your compatibility data in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/application-dialog-box.md b/windows/plan/application-dialog-box.md deleted file mode 100644 index 7615d0949e..0000000000 --- a/windows/plan/application-dialog-box.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -title: Application Dialog Box (Windows 10) -description: In Application Compatibility Manager (ACM), the Application dialog box shows information about the selected application. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/categorizing-your-compatibility-data.md b/windows/plan/categorizing-your-compatibility-data.md deleted file mode 100644 index e77b9ca34e..0000000000 --- a/windows/plan/categorizing-your-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Categorizing Your Compatibility Data (Windows 10) -description: Steps to customize and filter your compatibility reports through categories and subcategories. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index 6d43bdcb7f..e8814f6869 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -13,6 +13,12 @@ author: TrudyHa This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following is a new topic: +- [Windows 10 Enterprise - FAQ for IT Professionals](windows-10-enterprise-faq-itpro.md) + ## January 2017 | New or changed topic | Description | |----------------------|-------------| diff --git a/windows/plan/chromebook-migration-guide.md b/windows/plan/chromebook-migration-guide.md deleted file mode 100644 index 8db7b3b57c..0000000000 
--- a/windows/plan/chromebook-migration-guide.md
+++ /dev/null
@@ -1,854 +0,0 @@ ---- -title: Chromebook migration guide (Windows 10) -description: In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. -redirect_url: https://technet.microsoft.com/edu/windows/chromebook-migration-guide -ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA -keywords: migrate, automate, device -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu; devices -author: craigash - ---- -# Chromebook migration guide - -**Applies to** -- Windows 10 - -In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools. - -## Plan Chromebook migration - -Before you begin to migrate Chromebook devices, plan your migration. As with most projects, there can be an urge to immediately start doing before planning. When you plan your Chromebook migration before you perform the migration, you can save countless hours of frustration and mistakes during the migration process. - -In the planning portion of this guide, you will identify all the decisions that you need to make and how to make each decision. At the end of the planning section, you will have a list of information you need to collect and what you need to do with the information. You will be ready to perform your Chromebook migration. - -## Plan for app migration or replacement - -App migration or replacement is an essential part of your Chromebook migration. In this section you will plan how you will migrate or replace Chromebook (Chrome OS) apps that are currently in use with the same or equivalent Windows apps. 
At the end of this section, you will have a list of the active Chrome OS apps and the Windows app counterparts. - -**Identify the apps currently in use on Chromebook devices** - -Before you can do any analysis or make decisions about which apps to migrate or replace, you need to identify which apps are currently in use on the Chromebook devices. You will create a list of apps that are currently in use (also called an app portfolio). - -> **Note**  The majority of Chromebook apps are web apps. For these apps you need to first perform Microsoft Edge compatibility testing and then publish the web app URL to the Windows users. For more information, see the [Perform app compatibility testing for web apps](#perform-testing-webapps) section. - -You can divide the apps into the following categories: - -- **Apps installed and managed by the institution.** These apps are typically managed in the Apps section in the Google Admin Console. You can record the list of these apps in your app portfolio. -- **Apps installed by faculty or students.** Faculty or students might have installed these apps as a part of a classroom curriculum. Obtain the list of these apps from faculty or students. Ensure you only record apps that are legitimately used as a part of classroom curriculum (and not for personal entertainment or use). - -Record the following information about each app in your app portfolio: - -- App name -- App type (such as offline app, online app, web app, and so on) -- App publisher or developer -- App version currently in use -- App priority (how necessary is the app to the day-to-day process of the institution or a classroom? Rank as high, medium, or low) - -Throughout the entire app migration or replacement process, focus on the higher priority apps. Focus on lower priority apps only after you have determined what you will do with the higher priority apps. 
- -### - -**Select Google Apps replacements** - -Table 1 lists the Windows device app replacements for the common Google Apps on Chromebook devices. If your users rely on any of these Google Apps, use the corresponding app on the Windows device. Use the information in Table 1 to select the Google App replacement on a Windows device. - -Table 1. Google App replacements - -| If you use this Google app on a Chromebook | Use this app on a Windows device | -|--------------------------------------------|--------------------------------------| -| Google Docs | Word 2016 or Word Online | -| Google Sheets | Excel 2016 or Excel Online | -| Google Slides | PowerPoint 2016 or PowerPoint Online | -| Google Apps Gmail | Outlook 2016 or Outlook Web App | -| Google Hangouts | Microsoft Skype for Business | -| Chrome | Microsoft Edge | -| Google Drive | Microsoft OneDrive for Business | -  -It may be that you will decide to replace Google Apps after you deploy Windows devices. For more information on making this decision, see the [Select cloud services migration strategy](#select-cs-migrationstrat) section of this guide. - -**Find the same or similar apps in the Windows Store** - -In many instances, software vendors will create a version of their app for multiple platforms. You can search the Windows Store to find the same or similar apps to any apps not identified in the [Select Google Apps replacements](#select-googleapps) section. - -In other instances, the offline app does not have a version written for the Windows Store or is not a web app. In these cases, look for an app that provides similar functions. For example, you might have a graphing calculator offline Android app published on the Chrome OS, but the software publisher does not have a version for Windows devices. Search the Windows Store for a graphing calculator app that provides similar features and functionality. 
Use that Windows Store app as a replacement for the graphing calculator offline Android app published on the Chrome OS. - -Record the Windows app that replaces the Chromebook app in your app portfolio. - -### - -**Perform app compatibility testing for web apps** - -The majority of Chromebook apps are web apps. Because you cannot run native offline Chromebook apps on a Windows device, there is no reason to perform app compatibility testing for offline Chromebook apps. However, you may have a number of web apps that will run on both platforms. - -Ensure that you test these web apps in Microsoft Edge. Record the level of compatibility for each web app in Microsoft Edge in your app portfolio. - -## Plan for migration of user and device settings - -Some institutions have configured the Chromebook devices to make the devices easier to use by using the Google Chrome Admin Console. You have also probably configured the Chromebook devices to help ensure the user data access and ensure that the devices themselves are secure by using the Google Chrome Admin Console. - -However, in addition to your centralized configuration in the Google Admin Console, Chromebook users have probably customized their device. In some instances, users may have changed the web content that is displayed when the Chrome browser starts. Or they may have bookmarked websites for future reference. Or users may have installed apps for use in the classroom. - -In this section, you will identify the user and device configuration settings for your Chromebook users and devices. Then you will prioritize these settings to focus on the configuration settings that are essential to your educational institution. -At the end of this section, you should have a list of Chromebook user and device settings that you want to migrate to Windows, as well as a level of priority for each setting. You may discover at the end of this section that you have few or no higher priority settings to be migrated. 
If this is the -case, you can skip the [Perform migration of user and device settings](#migrate-user-device-settings) section of this guide. - -**Identify Google Admin Console settings to migrate** - -You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices. - -![figure 1](images/chromebook-fig1-googleadmin.png) - -Figure 1. Google Admin Console - -Table 2 lists the settings in the Device Management node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. - -Table 2. Settings in the Device Management node in the Google Admin Console - - ---- - - - - - - - - - - - - - - - - - - - - -
          SectionSettings
          Network

          These settings configure the network connections for Chromebook devices and include the following settings categories:

          -
            -
          • Wi-Fi. Configures the Wi-Fi connections that are available. The Windows devices will need these configuration settings to connect to the same Wi-Fi networks.

          • -
          • Ethernet. Configures authentication for secured, wired Ethernet connections (802.1x). The Windows devices will need these configuration settings to connect to the network.

          • -
          • VPN. Specifies the VPN network connections used by devices when not directly connected to your intranet. The Windows devices will need the same VPN network connections for users to remotely connect to your intranet.

          • -
          • Certificates. Contains the certificates used for network authentication. The Windows devices will need these certificates to connect to the network.

          • -
          Mobile

          These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

          -
            -
          • Device management settings. Configures settings for mobile (companion) devices, such as device synchronization, password settings, auditing, enable remote wipe, and other settings. Record these settings so that you can ensure the same settings are applied when the devices are being managed by Microsoft Intune or another mobile device management (MDM) provider.

          • -
          • Device activation. Contains a list of mobile (companion) devices that need to be approved for management by using the Google Admin Console. Approve or block any devices in this list so that the list of managed devices accurately reflects active managed devices.

          • -
          • Managed devices. Performs management tasks on mobile (companion) devices that are managed by the Google Admin Console. Record the list of companion devices on this page so that you can ensure the same devices are managed by Intune or another MDM provider.

          • -
          • Set Up Apple Push Certificate. Configures the certificate that is essentially the digital signature that lets the Google Admin Console manage iOS devices. You will need this certificate if you plan to manage iOS devices by using Intune or another MDM provider.

          • -
          • Set Up Android for Work. Authorizes the Google Admin Console to be the MDM provider for Android devices by providing an Enterprise Mobility Management (EMM) token. You will need this token if you plan to manage Android devices by using another MDM provider.

          • -
          Chrome management

          These settings configure and manage companion devices (such as smartphones or tablets) that are used in conjunction with the Chromebook devices and include the following settings categories:

          -
            -
          • User settings. Configures user-based settings for the Chrome browser and Chromebook devices. Most of these Chromebook user-based settings can be mapped to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

          • -
          • Public session settings. Configures Public Sessions for Chrome devices that are used as kiosks, loaner devices, shared computers, or for any other work or school-related purpose for which users don't need to sign in with their credentials. You can configure Windows devices similarly by using Assigned Access. Record the settings and apps that are available in Public Sessions so that you can provide similar configuration in Assigned Access.

          • -
          • Device settings. Configures device-based settings for the Chrome browser and Chromebook devices. You can map most of these Chromebook device-based settings to a corresponding setting in Windows. Record the settings and then map them to settings in Group Policy or Intune.

          • -
          • Devices. Manages Chrome device management licenses. The number of licenses recorded here should correspond to the number of licenses you will need for your new management system, such as Intune. Record the number of licenses and use those to determine how many licenses you will need to manage your Windows devices.

          • -
          • App Management. Provides configuration settings for Chrome apps. Record the settings for any apps that you have identified that will run on Windows devices.

          • -
          -  -Table 3 lists the settings in the Security node in the Google Admin Console. Review the settings and determine which settings you will migrate to Windows. - -Table 3. Settings in the Security node in the Google Admin Console - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          SectionSettings

          Basic settings

          These settings configure password management and whether or not two-factor authentication (2FA) is configured. You can set the minimum password length, the maximum password length, if non-admin users can recover their own passwords, and enable 2FA.

          -

          Record these settings and use them to help configure your on-premises Active Directory or Azure Active Directory (Azure AD) to mirror the current behavior of your Chromebook environment.

          Password monitoring

          This section is used to monitor the strength of user passwords. You don’t need to migrate any settings in this section.

          API reference

          This section is used to enable access to various Google Apps Administrative APIs. You don’t need to migrate any settings in this section.

          Set up single sign-on (SSO)

          This section is used to configure SSO for Google web-based apps (such as Google Apps Gmail or Google Apps Calendar). While you don’t need to migrate any settings in this section, you probably will want to configure Azure Active Directory synchronization to replace Google-based SSO.

          Advanced settings

          This section is used to configure administrative access to user data and to configure the Google Secure Data Connector (which allows Google Apps to access data on your local network). You don’t need to migrate any settings in this section.

          -  -**Identify locally-configured settings to migrate** - -In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2). - -![figure 2](images/fig2-locallyconfig.png) - -Figure 2. Locally-configured settings on Chromebook - -Table 4. Locally-configured settings - -| Section | Settings | -| - | - | -| Internet connections | These settings configure the Internet connection for the devices, such as Wi-Fi and VPN connections. Record the network connection currently in use and configure the Windows device to use the same network connection settings. | -| Appearances | These settings affect the appearance of the desktop. Record the wallpaper image file that is used. Migrate the image file to the Windows device and configure as the user’s wallpaper to maintain similar user experience. | -| Search | These settings configure which search engine is used to search for content. Record this setting so that you can use as the search engine on the Windows device. | -| Advanced sync settings | These settings configure which user settings are synchronized with the Google cloud, such as Apps, Extensions, History, Passwords, Settings, and so on. Record these settings and configure the Windows device with the same settings if you decide to continue to use Google Apps and other cloud services after you migrate to Windows devices. | -| Date and time | These settings configure the time zone and if 24-hour clock time should be used. Record these settings and configure the Windows device to use these settings. 
| -| Privacy | These settings configure Google Chrome web browser privacy settings (such as prediction service, phishing and malware protection, spelling errors, resource pre-fetch, and so on). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Bluetooth | This setting configures whether or not Bluetooth is enabled on the device. Record this setting and configure the Windows device similarly. | -| Passwords and forms | These settings configure Google Chrome web browser to enable autofill of web forms and to save web passwords. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Smart lock | These settings configure the Chromebook when the user’s Android phone is nearby and unlocked, which eliminates the need to type a password. You don’t need to migrate settings in this section. | -| Web content | These settings configure how the Chrome web browser displays content (such as font size and page zoom). Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Languages | These settings configure the language in use for the Chromebook. Record these settings and configure the Windows device to support the same language. | -| Downloads | These settings configure the default folder for file download, if the user should be prompted where to save files, and if the Google Drive account should be disconnected. Record these settings and configure the Windows device with similar settings. | -| HTTPS/SSL | These settings configure client-side certificates that are used to authenticate the device. Depending on the services or apps that use these certificates, you may need to export and then migrate these certificates to the Windows device. 
Contact the service or app provider to determine if you can use the existing certificate or if a new certificate needs to be issued. Record these settings and migrate the certificate to the Windows device or enroll for a new certificate as required by the service or app. | -| Google Cloud Print | These settings configure the printers that are available to the user. Record the list of printers available to the user and configure the Windows device to have the same printers available. Ensure that the user-friendly printer names in Windows are the same as for the Chromebook device. For example, if the Chromebook device has a printer named “Laser Printer in Registrar’s Office”, use that same name in Windows. | -| On startup | These settings configure which web pages are opened when the Chrome web browser starts. Record these settings and configure Microsoft Edge, Internet Explorer, or the web browser of your choice with these settings. | -| Accessibility | These settings configure the Chromebook ease of use (such as display of large mouse cursor, use of high contrast mode, enablement of the screen magnifier, and so on). Record these settings and configure the Windows device with similar settings. | -| Powerwash | This action removes all user accounts and resets the Chromebook device back to factory settings. You don’t have to migrate any settings in this section. | -| Reset settings | This action retains all user accounts, but restores all settings back to their default values. You don’t have to migrate any settings in this section. | -  -Determine how many users have similar settings and then consider managing those settings centrally. For example, a large number of users may have many of the same Chrome web browser settings. You can centrally manage these settings in Windows after migration. -Also, as a part of this planning process, consider settings that may not be currently managed centrally, but should be managed centrally. 
Record the settings that are currently being locally managed, but you want to manage centrally after the migration. - -**Prioritize settings to migrate** - -After you have collected all the Chromebook user, app, and device settings that you want to migrate, you need to prioritize each setting. Evaluate each setting and assign a priority to the setting based on the levels of high, medium, and low. -Assign the setting-migration priority based on how critical the setting is to the faculty performing their day-to-day tasks and how the setting affects the curriculum in the classrooms. Focus on the migration of higher priority settings and put less effort into the migration of lower priority settings. There may be some settings that are not necessary at all and can be dropped from your list of settings entirely. Record the setting priority in the list of settings you plan to migrate. - -## Plan for email migration - -Many of your users may be using Google Apps Gmail to manage their email, calendars, and contacts. You need to create the list of users you will migrate and the best time to perform the migration. -Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252). - -**Identify the list of user mailboxes to migrate** - -In regards to creating the list of users you will migrate, it might seem that the answer “all the users” might be the best one. However, depending on the time you select for migration, only a subset of the users may need to be migrated. For example, you may not persist student email accounts between semesters or between academic years. In this case you would only need to migrate faculty and staff. - -Also, when you perform a migration it is a great time to verify that all user mailboxes are active. 
In many environments there are a significant number of mailboxes that were provisioned for users that are no longer a part of the institution (such as interns or student assistants). You can eliminate these users from your list of user mailboxes to migrate. - -Create your list of user mailboxes to migrate in Excel 2016 based on the format described in step 7 in [Create a list of Gmail mailboxes to migrate](https://go.microsoft.com/fwlink/p/?LinkId=690253). If you follow this format, you can use the Microsoft Excel spreadsheet to perform the actual migration later in the process. - -**Identify companion devices that access Google Apps Gmail** - -In addition to Chromebook devices, users may have companion devices (smartphones, tablets, desktops, laptops, and so on) that also access the Google Apps Gmail mailbox. You will need to identify those companion devices and identify the proper configuration for those devices to access Office 365 mailboxes. - -After you have identified each companion device, verify the settings for the device that are used to access Office 365. You only need to test one type of each companion device. For example, if users use Android phones to access Google Apps Gmail mailboxes, configure the device to access Office 365 and then record those settings. You can publish those settings on a website or to your helpdesk staff so that users will know how to access their Office 365 mailbox. - -In most instances, users will only need to provide in their Office 365 email account and password. However, you should verify this on each type of companion device. For more information about how to configure a companion device to work with Office 365, see [Compare how different mobile devices work with Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690254). -**Identify the optimal timing for the migration** - -Typically, the best time to perform the migration is between academic years or during semester breaks. 
Select the time of least activity for your institution. And during that time, the optimal time to perform the migration might be during an evening or over a weekend. - -Ensure that you communicate the time the migration will occur to your users well in advance. Also, ensure that users know how to access their Office 365 email after the migration is complete. Finally, ensure that your users know how to perform the common tasks they performed in Google Apps Gmail in Office 365 and/or Outlook 2016. - -## Plan for cloud storage migration - -Chromebook devices have limited local storage. So, most of your users will store data in cloud storage, such as Google Drive. You will need to plan how to migrate your cloud storage as a part of the Chromebook migration process. - -In this section, you will create a list of the existing cloud services, select the Microsoft cloud services that best meet your needs, and then optimize your cloud storage services migration plan. - -**Identify cloud storage services currently in use** - -Typically, most Chromebook users use Google Drive for cloud storage services because your educational institution purchased other Google cloud services and Google Drive is a part of those services. However, some users may use cloud storage services from other vendors. For each member of your faculty and staff and for each student, create a list of cloud storage services that includes the following: -- Name of the cloud storage service -- Cloud storage service vendor -- Associated licensing costs or fees -- Approximate storage currently in use per user - -Use this information as the requirements for your cloud storage services after you migrate to Windows devices. If at the end of this discovery you determine there is no essential data being stored in cloud storage services that requires migration, then you can skip to the [Plan for cloud services migration](#plan-cloud-services) section. 
- -**Optimize cloud storage services migration plan** - -Now that you know the current cloud storage services configuration, you need to optimize your cloud storage services migration plan for Microsoft OneDrive for Business. Optimization helps ensure that your use only the cloud storage services resources that are necessary for your requirements. - -Consider the following to help optimize your cloud storage services migration plan: - -- **Eliminate inactive user storage.** Before you perform the cloud storage services migration, identify cloud storage that is currently allocated to inactive users. Remove this storage from your list of cloud storage to migrate. -- **Eliminate or archive inactive files.** Review cloud storage to identify files that are inactive (have not been accessed for some period of time). Eliminate or archive these files so that they do not consume cloud storage. -- **Consolidate cloud storage services.** If multiple cloud storage services are in use, reduce the number of cloud storage services and standardize on one cloud storage service. This will help reduce management complexity, support time, and typically will reduce cloud storage costs. - -Record your optimization changes in your cloud storage services migration plan. - -## Plan for cloud services migration - -Many of your users may use cloud services on their Chromebook device, such as Google Apps, Google Drive, or Google Apps Gmail. You have planned for these individual cloud services in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. - -In this section, you will create a combined list of these cloud services and then select the appropriate strategy to migrate these cloud services. 
- -### - -**Identify cloud services currently in use** - -You have already identified the individual cloud services that are currently in use in your educational institution in the [Plan for app migration or replacement](#plan-app-migrate-replace), [Plan for Google Apps Gmail to Office 365 migration](#plan-email-migrate), and [Plan for cloud storage migration](#plan-cloud-storage-migration) sections. Create a unified list of these cloud services and record the following about each service: -- Cloud service name -- Cloud service provider -- Number of users that use the cloud service - -**Select cloud services to migrate** - -One of the first questions you should ask after you identify the cloud services currently in use is, “Why do we need to migrate from these cloud services?” The answer to this question largely comes down to finances and features. - -Here is a list of reasons that describe why you might want to migrate from an existing cloud service to Microsoft cloud services: -- **Better integration with Office 365.** If your long-term strategy is to migrate to Office 365 apps (such as Word 2016 or Excel 2016) then a migration to Microsoft cloud services will provide better integration with these apps. The use of existing cloud services may not be as intuitive for users. For example, Office 365 apps will integrate better with OneDrive for Business compared to Google Drive. -- **Online apps offer better document compatibility.** Microsoft Office online apps (such as Word Online and Excel Online) provide the highest level of compatibility with Microsoft Office documents. The Office online apps allow you to open and edit documents directly from SharePoint or OneDrive for Business. Users can access the Office online app from any device with Internet connectivity. -- **Reduce licensing costs.** If you pay for Office 365 licenses, then Office 365 apps and cloud storage are included in those licenses. 
Although you could keep existing cloud services, you probably would pay more to keep those services. -- **Improve storage capacity and cross-platform features.** Microsoft cloud services provide competitive storage capacity and provide more Windows-centric features than other cloud services providers. While the Microsoft cloud services user experience is highly optimized for Windows devices, Microsoft cloud services are also highly optimized for companion devices (such as iOS or Android devices). -Review the list of existing cloud services that you created in the [Identify cloud services currently in use](#identify-cloud-services-inuse) section and identify the cloud services that you want to migrate to Microsoft cloud services. If you determine at the end of this task that there are no cloud services to be migrated, then skip to the [Plan for Windows device deployment](#plan-windevice-deploy) section. Also, skip the [Perform cloud services migration](#perform-cloud-services-migration) section later in this guide. - -**Prioritize cloud services** - -After you have created your aggregated list of cloud services currently in use by Chromebook users, prioritize each cloud service. Evaluate each cloud service and assign a priority based on the levels of high, medium, and low. -Assign the priority based on how critical the cloud service is to the faculty and staff performing their day-to-day tasks and how the cloud service affects the curriculum in the classrooms. Also, make cloud services that are causing pain for the users a higher priority. For example, if users experience outages with a specific cloud service, then make migration of that cloud service a higher priority. - -Focus on the migration of higher priority cloud services first and put less effort into the migration of lower priority cloud services. There may be some cloud services that are unnecessary and you can remove them from your list of cloud services to migrate entirely. 
Record the cloud service migration priority in the list of cloud services you plan to migrate. - -### - -**Select cloud services migration strategy** - -When you deploy the Windows devices, should you migrate the faculty, staff, and students to the new cloud services? Perhaps. But, in most instances you will want to select a migration strategy that introduces a number of small changes over a period of time. - -Consider the following when you create your cloud services migration strategy: - -- **Introduce small changes.** The move from Chrome OS to Windows will be simple for most users as most will have exposure to Windows from home, friends, or family. However, users may not be as familiar with the apps or cloud services. Consider the move to Windows first, and then make other changes as time progresses. -- **Start off by using existing apps and cloud services.** Immediately after the migration to Windows devices, you may want to consider running the existing apps and cloud services (such Google Apps, Google Apps Gmail, and Google Drive). This gives users a familiar method to perform their day-to-day tasks. -- **Resolve pain points.** If some existing apps or cloud services cause problems, you may want to migrate them sooner rather than later. In most instances, users will be happy to go through the learning curve of a new app or cloud service if it is more reliable or intuitive for them to use. -- **Migrate classrooms or users with common curriculum.** Migrate to Windows devices for an entire classroom or for multiple classrooms that share common curriculum. You must ensure that the necessary apps and cloud services are available for the curriculum prior to the migration of one or more classrooms. -- **Migrate when the fewest number of active users are affected.** Migrate your cloud services at the end of an academic year or end of a semester. This will ensure you have minimal impact on faculty, staff, and students. 
Also, a migration during this time will minimize the learning curve for users as they are probably dealing with new curriculum for the next semester. Also, you may not need to migrate student apps and data because many educational institutions do not preserve data between semesters or academic years. -- **Overlap existing and new cloud services.** For faculty and staff, consider overlapping the existing and new cloud services (having both services available) for one business cycle (end of semester or academic year) after migration. This allows you to easily recover any data that might not have migrated successfully from the existing cloud services. At a minimum, overlap the user of existing and new cloud services until the user can verify the migration. Of course, the tradeoff for using this strategy is the cost of the existing cloud services. However, depending on when license renewal occurs, the cost may be minimal. - -## Plan for Windows device deployment - -You need to plan for Windows device deployment to help ensure that the devices are successfully installed and configured to replace the Chromebook devices. Even if the vendor that provides the devices pre-loads Windows 10 on them, you still will need to perform other tasks. - -In this section you will select a Windows device deployment strategy; plan for Active Directory Domain Services (AD DS) and Azure AD services; plan for device, user, and app management; and plan for any necessary network infrastructure remediation. - -### - -**Select a Windows device deployment strategy** - -What decisions need to be made about Windows device deployment? You just put the device on a desk, hook up power, connect to Wi-Fi, and then let the users operate the device, right? That is essentially correct, but depending on the extent of your deployment and other factors, you need to consider different deployment strategies. 
- -For each classroom that has Chromebook devices, select a combination of the following device deployment strategies: - -- **Deploy one classroom at a time.** In most cases you will want to perform your deployment in batches of devices and a classroom is an excellent way to batch devices. You can treat each classroom as a unit and check each classroom off your list after you have deployed the devices. -- **Deploy based on curriculum.** Deploy the Windows devices after you have confirmed that the curriculum is ready for the Windows devices. If you deploy Windows devices without the curriculum installed and tested, you could significantly reduce the ability for students and teachers to perform effectively in the classroom. Also, deployment based on curriculum has the advantage of letting you move from classroom to classroom quickly if multiple classrooms use the same curriculum. -- **Deploy side-by-side.** In some instances you may need to have both the Chromebook and Windows devices in one or more classrooms. You can use this strategy if some of the curriculum only works on Chromebook and other parts of the curriculum works on Windows devices. This is a good method to help prevent delays in Windows device deployment, while ensuring that students and teachers can make optimal use of technology in their curriculum. -- **Deploy after apps and cloud services migration.** If you deploy a Windows device without the necessary apps and cloud services to support the curriculum, this provides only a portion of your complete solution. Ensure that the apps and cloud services are tested, provisioned, and ready for use prior to the deployment of Windows devices. -- **Deploy after the migration of user and device settings.** Ensure that you have identified the user and device settings that you plan to migrate and that those settings are ready to be applied to the new Windows devices. 
For example, you would want to create Group Policy Objects (GPOs) to apply the user and device settings to Windows devices. - - If you ensure that Windows devices closely mirror the Chromebook device configuration, you will ease user learning curve and create a sense of familiarity. Also, when you have the settings ready to be applied to the devices, it helps ensure you will deploy your new Windows devices in a secure configuration. - -Record the combination of Windows device deployment strategies that you selected. - -### - -**Plan for AD DS and Azure AD services** - -The next decision you will need to make concerns AD DS and Azure AD services. You can run AD DS on-premises, in the cloud by using Azure AD, or a combination of both (hybrid). The decision about which of these options is best is closely tied to how you will manage your users, apps, and devices and if you will use Office 365 and other Azure-based cloud services. - -In the hybrid configuration, your on-premises AD DS user and group objects are synchronized with Azure AD (including passwords). The synchronization happens both directions so that changes are made in both your on-premises AD DS and Azure AD. -Table 5 is a decision matrix that helps you decide if you can use only on-premises AD DS, only Azure AD, or a combination of both (hybrid). If the requirements you select from the table require on-premises AD DS and Azure AD, then you should select hybrid. For example, if you plan to use Office 365 and use Group Policy for management, then you would select hybrid. However, if you plan to use Office 365 and use Intune for management, then you would select only Azure AD. - -Table 5. Select on-premises AD DS, Azure AD, or hybrid - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          If you plan to...On-premises AD DSAzure ADHybrid
          Use Office 365XX
          Use Intune for managementXX
          Use System Center 2012 R2 Configuration Manager for managementXX
          Use Group Policy for managementXX
          Have devices that are domain-joinedXX
          Allow faculty and students to Bring Your Own Device (BYOD) which are not domain-joinedXX
          -  -### - -**Plan device, user, and app management** - -You may ask the question, “Why plan for device, user, and app management before you deploy the device?” The answer is that you will only deploy the device once, but you will manage the device throughout the remainder of the device's lifecycle. -Also, planning management before deployment is essential to being ready to support the devices as you deploy them. You want to have your management processes and technology in place when the first teachers, facility, or students start using their new Windows device. -Table 6 is a decision matrix that lists the device, user, and app management products and technologies and the features supported by each product or technology. The primary device, user, and app management products and technologies include Group Policy, System Center Configuration Manager, Intune, and the Microsoft Deployment Toolkit (MDT). Use this decision matrix to help you select the right combination of products and technologies for your plan. - -Table 6. Device, user, and app management products and technologies - - --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Desired featureWindows provisioning packagesGroup PolicyConfiguration ManagerIntuneMDTWindows Software Update Services
          Deploy operating system imagesXXX
          Deploy apps during operating system deploymentXXX
          Deploy apps after operating system deploymentXXX
          Deploy software updates during operating system deploymentXX
          Deploy software updates after operating system deploymentXXXXX
          Support devices that are domain-joinedXXXXX
          Support devices that are not domain-joinedXXX
          Use on-premises resourcesXXXX
          Use cloud-based servicesX
          -  -You can use Configuration Manager and Intune in conjunction with each other to provide features from both products and technologies. In some instances you may need only one of these products or technologies. In other instances, you may need two or more to meet the device, user, and app management needs for your institution. - -Record the device, user, and app management products and technologies that you selected. - -### - -**Plan network infrastructure remediation** - -In addition to AD DS, Azure AD, and management components, there are other network infrastructure services that Windows devices need. In most instances, Windows devices have the same network infrastructure requirements as the existing Chromebook devices. - -Examine each of the following network infrastructure technologies and services and determine if any remediation is necessary: - -- **Domain Name System (DNS)** provides translation between a device name and its associated IP address. For Chromebook devices, public facing, Internet DNS services are the most important. For Windows devices that only access the Internet, they have the same requirements. - - However, if you intend to communicate between Windows devices (peer-to-peer or client/server) then you will need local DNS services. Windows devices will register their name and IP address with the local DNS services so that Windows devices can locate each other. - -- **Dynamic Host Configuration Protocol (DHCP)** provides automatic IP configuration for devices. Your existing Chromebook devices probably use DHCP for configuration. If you plan to immediately replace the Chromebook devices with Windows devices, then you only need to release all the DHCP reservations for the Chromebook devices prior to the deployment of Windows devices. - - If you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your DHCP service has adequate IP addresses available for both sets of devices. 
- -- **Wi-Fi.** Chromebook devices are designed to connect to Wi-Fi networks. Windows devices are the same. Your existing Wi-Fi network for the Chromebook devices should be adequate for the same number of Windows devices. - - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that Wi-Fi network can support the number of devices. - -- **Internet bandwidth.** Chromebook devices consume more Internet bandwidth (up to 700 times more) than Windows devices. This means that if your existing Internet bandwidth is adequate for the Chromebook devices, then the bandwidth will be more than adequate for Windows devices. - - However, if you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, then you need to ensure that your Internet connection can support the number of devices. - - For more information that compares Internet bandwidth consumption for Chromebook and Windows devices, see the following resources: - - - [Chromebook vs. Windows Notebook Network Traffic Analysis](https://go.microsoft.com/fwlink/p/?LinkId=690255) - - [Hidden Cost of Chromebook Deployments](https://go.microsoft.com/fwlink/p/?LinkId=690256) - - [Microsoft Windows 8.1 Notebook vs. Chromebooks for Education](https://go.microsoft.com/fwlink/p/?LinkId=690257) - -- **Power.** Although not specifically a network infrastructure, you need to ensure your classrooms have adequate power. Chromebook and Windows devices should consume similar amounts of power. This means that your existing power outlets should support the same number of Windows devices. - - If you plan to significantly increase the number of Windows devices or you plan to run Chromebook and Windows devices side-by-side, you need to ensure that the power outlets, power strips, and other power management components can support the number of devices. 
- -At the end of this process, you may determine that no network infrastructure remediation is necessary. If so, you can skip the [Perform network infrastructure remediation](#network-infra-remediation) section of this guide. - -## Perform Chromebook migration - -Thus far, planning has been the primary focus. Believe it or not most of the work is now done. The rest of the Chromebook migration is just the implementation of the plan you have created. - -In this section you will perform the necessary steps for the Chromebook device migration. You will perform the migration based on the planning decision that you made in the [Plan Chromebook migration](#plan-migration) section earlier in this guide. - -You must perform some of the steps in this section in a specific sequence. Each section has guidance about when to perform a step. You can perform other steps before, during, or after the migration. Again, each section will tell you if the sequence is important. - -## Perform network infrastructure remediation - -The first migration task is to perform any network infrastructure remediation. In the [Plan network infrastructure remediation](#plan-network-infra-remediation) section, you determined the network infrastructure remediation (if any) that you needed to perform. - -It is important that you perform any network infrastructure remediation first because the remaining migration steps are dependent on the network infrastructure. Table 7 lists the Microsoft network infrastructure products and technologies and deployment resources for each. - -Table 7. Network infrastructure products and technologies and deployment resources - - ---- - - - - - - - - - - - - - - - - -
          Product or technologyResources
          DHCP
            -
          • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

          • -
          • [DHCP Deployment Guide](https://go.microsoft.com/fwlink/p/?LinkId=734021)

          • -
          DNS
            -
          • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

          • -
          • [Deploying Domain Name System (DNS)](https://go.microsoft.com/fwlink/p/?LinkId=734022)

          • -
          -  -If you use network infrastructure products and technologies from other vendors, refer to the vendor documentation on how to perform the necessary remediation. If you determined that no remediation is necessary, you can skip this section. - -## Perform AD DS and Azure AD services deployment or remediation - -It is important that you perform AD DS and Azure AD services deployment or remediation right after you finish network infrastructure remediation. Many of the remaining migration steps are dependent on you having your identity system (AD DS or Azure AD) in place and up to necessary expectations. -In the [Plan for Active Directory services](#plan-adservices) section, you determined the AD DS and/or Azure AD deployment or remediation (if any) that needed to be performed. Table 8 list AD DS, Azure AD, and the deployment resources for both. Use the resources in this table to deploy or remediate on-premises AD DS, Azure AD, or both. - -Table 8. AD DS, Azure AD and deployment resources - - ---- - - - - - - - - - - - - - - - - -
          Product or technologyResources
          AD DS
            -
          • [Core Network Guide](https://go.microsoft.com/fwlink/p/?LinkId=733920)

          • -
          • [Active Directory Domain Services Overview](https://go.microsoft.com/fwlink/p/?LinkId=733909)

          • -
          Azure AD
            -
          • [Azure Active Directory documentation](https://go.microsoft.com/fwlink/p/?LinkId=690258)

          • -
          • [Manage and support Azure Active Directory Premium](https://go.microsoft.com/fwlink/p/?LinkId=690259)

          • -
          • [Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines](https://go.microsoft.com/fwlink/p/?LinkId=690260)

          • -
          -  -If you decided not to migrate to AD DS or Azure AD as a part of the migration, or if you determined that no remediation is necessary, you can skip this section. If you use identity products and technologies from another vendor, refer to the vendor documentation on how to perform the necessary steps. -## Prepare device, user, and app management systems - -In the [Plan device, user, and app management](#plan-userdevapp-manage) section of this guide, you selected the products and technologies that you will use to manage devices, users, and apps on Windows devices. You need to prepare your management systems prior to Windows 10 device deployment. You will use these management systems to manage the user and device settings that you selected to migrate in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section. You need to prepare these systems prior to the migration of user and device settings. - -Table 9 lists the Microsoft management systems and the deployment resources for each. Use the resources in this table to prepare (deploy or remediate) these management systems. - -Table 9. Management systems and deployment resources - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Management systemResources
          Windows provisioning packages
            -
          • [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkId=733918)

          • -
          • [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911)

          • -
          • [Step-By-Step: Building Windows 10 Provisioning Packages](https://go.microsoft.com/fwlink/p/?LinkId=690261)

          • -
          Group Policy
            -
          • [Core Network Companion Guide: Group Policy Deployment](https://go.microsoft.com/fwlink/p/?LinkId=733915)

          • -
          • [Deploying Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=734024)

          • -
          Configuration Manager
            -
          • [Site Administration for System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733914)

          • -
          • [Deploying Clients for System Center 2012 Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733919)

          • -
          Intune
            -
          • [Set up and manage devices with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=690262)

          • -
          • [Smoother Management Of Office 365 Deployments with Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690263)

          • -
          • [System Center 2012 R2 Configuration Manager & Windows Intune](https://go.microsoft.com/fwlink/p/?LinkId=690264)

          • -
          MDT
            -
          • [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324)

          • -
          • [Step-By-Step: Installing Windows 8.1 From A USB Key](https://go.microsoft.com/fwlink/p/?LinkId=690265)

          • -
          -  -If you determined that no new management system or no remediation of existing systems is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. - -## Perform app migration or replacement - -In the [Plan for app migration or replacement](#plan-app-migrate-replace) section, you identified the apps currently in use on Chromebook devices and selected the Windows apps that will replace the Chromebook apps. You also performed app compatibility testing for web apps to ensure that web apps on the Chromebook devices would run on Microsoft Edge and Internet Explorer. - -In this step, you need to configure your management system to deploy the apps to the appropriate Windows users and devices. Table 10 lists the Microsoft management systems and the app deployment resources for each. Use the resources in this table to configure these management systems to deploy the apps that you selected in the [Plan for app migration or replacement](#plan-app-migrate-replace) section of this guide. - -Table 10. Management systems and app deployment resources - - ---- - - - - - - - - - - - - - - - - - - - - -
          Management systemResources
          Group Policy
            -
          • [Editing an AppLocker Policy](https://go.microsoft.com/fwlink/p/?LinkId=734025)

          • -
          • [Group Policy Software Deployment Background](https://go.microsoft.com/fwlink/p/?LinkId=734026)

          • -
          • [Assigning and Publishing Software](https://go.microsoft.com/fwlink/p/?LinkId=734027)

          • -
          Configuration Manager
            -
          • [How to Deploy Applications in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733917)

          • -
          • [Application Management in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733907)

          • -
          Intune
            -
          • [Deploy apps to mobile devices in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733913)

          • -
          • [Manage apps with Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=733910)

          • -
          -  -If you determined that no deployment of apps is necessary, you can skip this section. If you use a management system from another vendor, refer to the vendor documentation on how to perform the necessary steps. - -## Perform migration of user and device settings - -In the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, you determined the user and device settings that you want to migrate. You selected settings that are configured in the Google Admin Console and locally on the Chromebook device. - -Perform the user and device setting migration by using the following steps: - -1. From the list of institution-wide settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure as many as possible in your management system (such as Group Policy, Configuration Manager, or Intune). -2. From the list of device-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure device-specific setting for higher priority settings. -3. From the list of user-specific settings that you created in the [Plan for migration of user and device settings](#plan-migrate-user-device-settings) section, configure user-specific setting for higher priority settings. -4. Verify that all higher-priority user and device settings have been configured in your management system. - -If you do no want to migrate any user or device settings from the Chromebook devices to the Windows devices, you can skip this section. - -## Perform email migration - -In the [Plan for email migration](#plan-email-migrate) section, you identified the user mailboxes to migrate, identified the companion devices that access Google Apps Gmail, and identified the optimal timing for migration. You can perform this migration before or after you deploy the Windows devices. 
- -Office 365 supports automated migration from Google Apps Gmail to Office 365. For more information on how to automate the migration from Google Apps Gmail to Office 365, see [Migrate Google Apps mailboxes to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690252). - -Alternatively, if you want to migrate to Office 365 from: -- **On-premises Microsoft Exchange Server.** Use the following resources to migrate to Office 365 from an on-premises Microsoft Exchange Server: - - [Cutover Exchange Migration and Single Sign-On](https://go.microsoft.com/fwlink/p/?LinkId=690266) - - [Step-By-Step: Migration of Exchange 2003 Server to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690267) - - [Step-By-Step: Migrating from Exchange 2007 to Office 365](https://go.microsoft.com/fwlink/p/?LinkId=690268) -- **Another on-premises or cloud-based email service.** Follow the guidance from that vendor. - -## Perform cloud storage migration - -In the [Plan for cloud storage migration](#plan-cloud-storage-migration) section, you identified the cloud storage services currently in use, selected the Microsoft cloud storage services that you will use, and optimized your cloud storage services migration plan. You can perform the cloud storage migration before or after you deploy the Windows devices. - -Manually migrate the cloud storage migration by using the following steps: - -1. Install both Google Drive app and OneDrive for Business or OneDrive app on a device. -2. Sign in as the user in the Google Drive app. -3. Sign in as the user in the OneDrive for Business or OneDrive app. -4. Copy the data from the Google Drive storage to the OneDrive for Business or OneDrive storage. -5. Optionally uninstall the Google Drive app. - -There are also a number of software vendors who provide software that helps automate the migration from Google Drive to OneDrive for Business, Office 365 SharePoint, or OneDrive. 
For more information about these automated migration tools, contact the vendors. - -## Perform cloud services migration - -In the [Plan for cloud services migration](#plan-cloud-services)section, you identified the cloud services currently in use, selected the cloud services that you want to migrate, prioritized the cloud services to migrate, and then selected the cloud services migration strategy. You can perform the cloud services migration before or after you deploy the Windows devices. - -Migrate the cloud services that you currently use to the Microsoft cloud services that you selected. For example, you could migrate from a collaboration website to Office 365 SharePoint. Perform the cloud services migration based on the existing cloud services and the Microsoft cloud services that you selected. - -There are also a number of software vendors who provide software that helps automate the migration from other cloud services to Microsoft cloud services. For more information about these automated migration tools, contact the vendors. - -## Perform Windows device deployment - -In the [Select a Windows device deployment strategy](#select-windows-device-deploy) section, you selected how you wanted to deploy Windows 10 devices. The other migration task that you designed in the [Plan for Windows device deployment](#plan-windevice-deploy) section have already been performed. Now it's time to deploy the actual devices. - -For example, if you selected to deploy Windows devices by each classroom, start with the first classroom and then proceed through all of the classrooms until you’ve deployed all Windows devices. - -In some instances, you may receive the devices with Windows 10 already deployed, and want to use provisioning packages. In other cases, you may have a custom Windows 10 image that you want to deploy to the devices by using Configuration Manager and/or MDT. 
For information on how to deploy -Windows 10 images to the devices, see the following resources: - -- [Windows Imaging and Configuration Designer](https://go.microsoft.com/fwlink/p/?LinkId=733911) -- [Build and apply a provisioning package](https://go.microsoft.com/fwlink/p/?LinkId=733918) -- [MDT documentation in the Microsoft Deployment Toolkit (MDT) 2013](https://go.microsoft.com/fwlink/p/?LinkId=690324) -- [Step-By-Step: Installing Windows 8.1 From A USB Key](https://go.microsoft.com/fwlink/p/?LinkId=690265) -- [Operating System Deployment in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=733916) - -In addition to the Windows 10 image deployment, you may need to perform the following tasks as a part of device deployment: - -- Enroll the device with your management system. -- Ensure that Windows Defender is enabled and configured to receive updates. -- Ensure that Windows Update is enabled and configured to receive updates. -- Deploy any apps that you want the user to immediately be able to access when they start the device (such as Word 2016 or Excel 2016). - -After you complete these steps, your management system should take over the day-to-day maintenance tasks for the Windows 10 devices. Verify that the user and device settings migrated correctly as you deploy each batch of Windows 10 devices. Continue this process until you deploy all Windows 10 devices. - -## Related topics -- [Try it out: Windows 10 deployment (for education)](https://go.microsoft.com/fwlink/p/?LinkId=623254) -- [Try it out: Windows 10 in the classroom](https://go.microsoft.com/fwlink/p/?LinkId=623255) -  -  diff --git a/windows/plan/common-compatibility-issues.md b/windows/plan/common-compatibility-issues.md deleted file mode 100644 index 0883298316..0000000000 --- a/windows/plan/common-compatibility-issues.md +++ /dev/null 
@@ -1,6 +0,0 @@
----
-title: Common Compatibility Issues (Windows 10)
-ms.assetid: f5ad621d-bda2-45b5-ae85-bc92970f602f
-description: List of common compatibility issues, based on the type of technology.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/compatibility-monitor-users-guide.md b/windows/plan/compatibility-monitor-users-guide.md
deleted file mode 100644
index a183923ba1..0000000000
--- a/windows/plan/compatibility-monitor-users-guide.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Compatibility Monitor User's Guide (Windows 10)
-description: Compatibility Monitor is a tool in the runtime analysis package that you can use to monitor applications for compatibility issues. You can also use the Compatibility Monitor tool to submit compatibility feedback.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/computer-dialog-box.md b/windows/plan/computer-dialog-box.md
deleted file mode 100644
index 89054bac9a..0000000000
--- a/windows/plan/computer-dialog-box.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Computer Dialog Box (Windows 10)
-description: In Application Compatibility Manager (ACM), the Computer dialog box shows information about the selected computer.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/configuring-act.md b/windows/plan/configuring-act.md
deleted file mode 100644
index 372e1dcaf1..0000000000
--- a/windows/plan/configuring-act.md
+++ /dev/null
@@ -1,5 +0,0 @@ ---- -title: Configuring ACT (Windows 10) -description: This section provides information about setting up the Application Compatibility Toolkit (ACT) in your organization. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/creating-a-runtime-analysis-package.md b/windows/plan/creating-a-runtime-analysis-package.md deleted file mode 100644 index e6b56c752b..0000000000 --- a/windows/plan/creating-a-runtime-analysis-package.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -title: Creating a Runtime-Analysis Package (Windows 10) -description: In Application Compatibility Manager (ACM), you can create runtime-analysis packages, which you can then deploy to computers for compatibility testing in your test environment. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- -  - - - - - diff --git a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md b/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md deleted file mode 100644 index 2953ad9c9f..0000000000 --- a/windows/plan/creating-an-enterprise-environment-for-compatibility-testing.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Creating an Enterprise Environment for Compatibility Testing (Windows 10) -description: The goal of the test environment is to model the operating system that you want to deploy and assess compatibility before deploying the operating system to your production environment. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/creating-an-inventory-collector-package.md b/windows/plan/creating-an-inventory-collector-package.md deleted file mode 100644 index c52e8f3965..0000000000 
--- a/windows/plan/creating-an-inventory-collector-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Creating an Inventory-Collector Package (Windows 10)
-description: You can use Application Compatibility Manager (ACM) to create an inventory-collector package.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/creating-and-editing-issues-and-solutions.md b/windows/plan/creating-and-editing-issues-and-solutions.md
deleted file mode 100644
index e1897a0122..0000000000
--- a/windows/plan/creating-and-editing-issues-and-solutions.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Creating and Editing Issues and Solutions (Windows 10)
-description: This section provides step-by-step instructions for adding and editing application compatibility issues and solutions. Your issue and solution data can be uploaded to Microsoft through the Microsoft® Compatibility Exchange.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/customizing-your-report-views.md b/windows/plan/customizing-your-report-views.md
deleted file mode 100644
index 1c69e77305..0000000000
--- a/windows/plan/customizing-your-report-views.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Customizing Your Report Views (Windows 10)
-description: You can customize how you view your report data in Application Compatibility Manager (ACM).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md b/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md
deleted file mode 100644
index 97e2f14378..0000000000
--- a/windows/plan/data-sent-through-the-microsoft-compatibility-exchange.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Data Sent Through the Microsoft Compatibility Exchange (Windows 10)
-description: The Microsoft Compatibility Exchange propagates data of various types between Microsoft Corporation, independent software vendors (ISVs) and the Application Compatibility Toolkit (ACT) Community.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md b/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md
deleted file mode 100644
index d4d3319cbc..0000000000
--- a/windows/plan/deciding-whether-to-fix-an-application-or-deploy-a-workaround.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deciding Whether to Fix an Application or Deploy a Workaround (Windows 10)
-description: You can fix a compatibility issue by changing the code for the application or by deploying a workaround.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deciding-which-applications-to-test.md b/windows/plan/deciding-which-applications-to-test.md
deleted file mode 100644
index 4b548c65f6..0000000000
--- a/windows/plan/deciding-which-applications-to-test.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deciding Which Applications to Test (Windows 10)
-description: Before starting your compatibility testing on the version of Windows that you want to deploy, you can use the Application Compatibility Toolkit (ACT) to identify which applications should be the focus of your testing.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deleting-a-data-collection-package.md b/windows/plan/deleting-a-data-collection-package.md
deleted file mode 100644
index c5401542c9..0000000000
--- a/windows/plan/deleting-a-data-collection-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deleting a Data-Collection Package (Windows 10)
-description: In Application Compatibility Manager (ACM), you can delete any of your existing data-collection packages from the database.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deploy-windows-10-in-a-school.md b/windows/plan/deploy-windows-10-in-a-school.md
deleted file mode 100644
index b451e7b8aa..0000000000
--- a/windows/plan/deploy-windows-10-in-a-school.md
+++ /dev/null
@@ -1,1263 +0,0 @@ ---- -title: Deploy Windows 10 in a school (Windows 10) -description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. -redirect_url: https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school -keywords: configure, tools, device, school -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: edu -ms.sitesec: library -author: craigash ---- - -# Deploy Windows 10 in a school - - -**Applies to** - -- Windows 10 - -This guide shows you how to deploy the Windows 10 operating system in a school environment. You learn how to deploy Windows 10 in classrooms; integrate the school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD); and deploy Windows 10 and your apps to new devices or upgrade existing devices to Windows 10. This guide also describes how to use Microsoft Intune and Group Policy to manage devices. Finally, the guide discusses common, ongoing maintenance tasks that you will perform after initial deployment as well as the automated tools and built-in features of the operating system. - -## Prepare for school deployment - -Proper preparation is essential for a successful school deployment. To avoid common mistakes, your first step is to plan a typical school configuration. Just as with building a house, you need a blueprint for what your school should look like when it’s finished. The second step in preparation is to learn how you will configure your school. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your school. 
- -### Plan a typical school configuration - -As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state. - -![fig 1](images/deploy-win-10-school-figure1.png) - -*Figure 1. Typical school configuration for this guide* - -Figure 2 shows the classroom configuration this guide uses. - -![fig 2](images/deploy-win-10-school-figure2.png) - -*Figure 2. Typical classroom configuration in a school* - -This school configuration has the following characteristics: -- It contains one or more admin devices. -- It contains two or more classrooms. -- Each classroom contains one teacher device. -- The classrooms connect to each other through multiple subnets. -- All devices in each classroom connect to a single subnet. -- All devices have high-speed, persistent connections to each other and to the Internet. -- All teachers and students have access to Windows Store or Windows Store for Business. -- All devices receive software updates from Intune (or another device management system). -- You install a 64-bit version of Windows 10 on the admin device. -- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. -- You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device. -- You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. ->**Note:**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. -- The devices use Azure AD in Office 365 Education for identity management. -- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). 
-- Use [Intune](http://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](http://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. -- Each device supports a one-student-per-device or multiple-students-per-device scenario. -- The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. -- To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). -- The devices can be a mixture of different Windows 10 editions, such as Windows 10 Home, Windows 10 Pro, and Windows 10 Education. - -Office 365 Education allows: - -- Students and faculty to use Microsoft Office Online to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser. -- Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students. -- Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, administration, and faculty. -- Teachers to employ Sway to create interactive educational digital storytelling. -- Students and faculty to use email and calendars, with mailboxes up to 50 GB per user. -- Faculty to use advanced email features like email archiving and legal hold capabilities. -- Faculty to help prevent unauthorized users from accessing documents and email by using Azure Rights Management. -- Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center. -- Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business or Skype. 
-- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business. -- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites. -- Students and faculty to use Office 365 Video to manage videos. -- Students and faculty to use Yammer to collaborate through private social networking. -- Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices). - -For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://products.office.com/en-us/academic). - -## How to configure a school - -Now that you have the plan (blueprint) for your classroom, you’re ready to learn about the tools you will use to deploy it. There are many tools you could use to accomplish the task, but this guide focuses on using those tools that require the least infrastructure and technical knowledge. - -The primary tool you will use to deploy Windows 10 in your school is MDT, which uses Windows ADK components to make deployment easier. You could just use the Windows ADK to perform your deployment, but MDT simplifies the process by providing an intuitive, wizard-driven user interface (UI). - -You can use MDT as a stand-alone tool or integrate it with Microsoft System Center Configuration Manager. As a stand-alone tool, MDT performs Lite Touch Installation (LTI) deployments—deployments that require minimal infrastructure and allow you to control the level of automation. When integrated with System Center Configuration Manager, MDT performs Zero Touch Installation (ZTI) deployments, which require more infrastructure (such as System Center Configuration Manager) but result in fully automated deployments. - -MDT includes the Deployment Workbench—a console from which you can manage the deployment of Windows 10 and your apps. 
You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps and migration of user settings on existing devices. - -LTI performs deployment from a *deployment share*—a network-shared folder on the device where you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section. - -The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements. - -The configuration process requires the following devices: - -- **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK and MDT on this device. -- **Faculty devices.** These are the devices that the teachers and other faculty use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices. -- **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them. - -The high-level process for deploying and configuring devices within individual classrooms and the school as a whole is as follows and illustrated in Figure 3: - -1. Prepare the admin device for use, which includes installing the Windows ADK and MDT. -2. On the admin device, create and configure the Office 365 Education subscription that you will use for each classroom in the school. -3. 
On the admin device, configure integration between on-premises AD DS and Azure AD (if you have an on premises AD DS configuration). -4. On the admin device, create and configure a Windows Store for Business portal. -5. On the admin device, prepare for management of the Windows 10 devices after deployment. -6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10. -7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration. - -![fig 3](images/deploy-win-10-school-figure3.png) - -*Figure 3. How school configuration works* - -Each of the steps illustrated in Figure 3 directly correspond to the remaining high-level sections in this guide. - -### Summary - -In this section, you looked at the final configuration of your individual classrooms and the school as a whole upon completion of this guide. You also learned the high-level steps you need to perform to deploy the faculty and student devices in your school. - -## Prepare the admin device - -Now, you’re ready to prepare the admin device for use in the school. This process includes installing the Windows ADK, installing the MDT, and creating the MDT deployment share. - -### Install the Windows ADK - -The first step in preparing the admin device is to install the Windows ADK. The Windows ADK contains the deployment tools that MDT uses, including the Windows Preinstallation Environment (Windows PE), the Windows User State Migration Tool (USMT), and Deployment Image Servicing and Management. 
- -When you install the Windows ADK on the admin device, select the following features: - -- Deployment tools -- Windows Preinstallation Environment (Windows PE) -- User State Migration Tool (USMT) - -For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). - -### Install MDT - -Next, install MDT. MDT uses the Windows ADK to help you manage and perform Windows 10 and app deployment and is a free tool available directly from Microsoft. - -You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 64-bit version of MDT to support deployment of 32-bit and 64-bit operating systems. - ->**Note:**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. - -For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com//library/dn759415.aspx#InstallingaNewInstanceofMDT). - -Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. - -### Create a deployment share - -MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). - -For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](http://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). 
- -### Summary - -In this section, you installed the Windows ADK and MDT on the admin device. You also created the MDT deployment share that you will configure and use later in the LTI deployment process. - -## Create and configure Office 365 - -Office 365 is one of the core components of your classroom environment. You create and manage student identities in Office 365, and students and teachers use the suite as their email, contacts, and calendar system. Teachers and students use Office 365 collaboration features such as SharePoint, OneNote, and OneDrive for Business. - -As a first step in deploying your classroom, create an Office 365 Education subscription, and then configure Office 365 for the classroom. For more information about Office 365 Education deployment, see [School deployment of Office 365 Education](http://www.microsoft.com/en-us/education/products/office-365-deployment-resources/default.aspx). - -### Select the appropriate Office 365 Education license plan - -Complete the following steps to select the appropriate Office 365 Education license plan for your school: - -
            -
          1. Determine the number of faculty members and students who will use the classroom.
            Office 365 Education licensing plans are available specifically for faculty and students. You must assign faculty and students the correct licensing plan. -
          2. -
          3. Determine the faculty members and students who need to install Office applications on devices (if any). Faculty and students can use Office applications online (standard plans) or run them locally (Office 365 ProPlus plans). Table 1 lists the advantages and disadvantages of standard and Office 365 ProPlus plans.
          4. -
            -*Table 1. Comparison of standard and Microsoft Office 365 ProPlus plans* -
            - ----- - - - - - - - - - - - - -
            PlanAdvantagesDisadvantages
            Standard
            • Less expensive than Office 365 ProPlus
            • Can be run from any device
            • No installation necessary
            • Must have an Internet connection to use it
            • Does not support all the features found in Office 365 ProPlus
            Office ProPlus
            • Only requires an Internet connection every 30 days (for activation)
            • Supports full set of Office features
            • Requires installation
            • Can be installed on only five devices per user (there is no limit to the number of devices on which you can run Office apps online)
            -
            -The best user experience is to run Office 365 ProPlus or use native Office apps on mobile devices. If neither of these options is available, use Office applications online. In addition, all Office 365 plans provide a better user experience by storing documents in OneDrive for Business, which is included in all Office 365 plans. OneDrive for Business keeps content in sync among devices and helps ensure that users always have access to their documents on any device. -
            -
          5. Determine whether students or faculty need Azure Rights Management.
            You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management](https://technet.microsoft.com/library/jj585024.aspx).
          6. -
          7. Record the Office 365 Education license plans needed for the classroom in Table 2.

            - -*Table 2. Office 365 Education license plans needed for the classroom* -
            - ---- - - - - - - - - - - - - -
            QuantityPlan
            Office 365 Education for students
            Office 365 Education for faculty
            Azure Rights Management for students
            Azure Rights Management for faculty
            -
            -You will use the Office 365 Education license plan information you record in Table 2 in the [Create user accounts in Office 365](#create-user-accounts-in-office-365) section of this guide.
          - -### Create a new Office 365 Education subscription - -To create a new Office 365 Education subscription for use in the classroom, use your educational institution’s email account. There are no costs to you or to students for signing up for Office 365 Education subscriptions. - ->**Note:**  If you already have an Office 365 Education subscription, you can use that subscription and continue to the next section, [Add domains and subdomains](#add-domains-and-subdomains). - -#### To create a new Office 365 subscription - -1. In Microsoft Edge or Internet Explorer, type `https://portal.office.com/start?sku=faculty` in the address bar. - - >**Note**  If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window in one of the following:
          - - Microsoft Edge by opening the Microsoft Edge app, either pressing Ctrl+Shift+P or clicking or tapping **More actions**, and then clicking or tapping **New InPrivate window**. - - Internet Explorer 11 by opening Internet Explorer 11, either pressing Ctrl+Shift+P or clicking or tapping **Settings**, clicking or tapping **Safety**, and then clicking or tapping **InPrivate Browsing**. - -2. On the **Get started** page, type your school email address in the **Enter your school email address** box, and then click **Sign up**. You will receive an email in your school email account. -3. Click the hyperlink in the email in your school email account. -4. On the **One last thing** page, complete your user information, and then click **Start**. The wizard creates your new Office 365 Education subscription, and you are automatically signed in as the administrative user you specified when you created the subscription. - -### Add domains and subdomains - -Now that you have created your new Office 365 Education subscription, add the domains and subdomains that your institution uses. For example, if your institution has contoso.edu as the primary domain name but you have subdomains for students or faculty (such as students.contoso.edu and faculty.contoso.edu), then you need to add the subdomains. - -#### To add additional domains and subdomains - -1. In the Office 365 admin center, in the list view, click **DOMAINS**. -2. In the details pane, above the list of domains, on the menu bar, click **Add domain**. -3. In the Add a New Domain in Office 365 Wizard, on the **Verify domain wizard** page, click **Let’s get started**. -4. On the **Verify domain** wizard page, in the **Enter a domain you already own** box, type your domain name, and then click **Next**. -5. Sign in to your domain name management provider (for example, Network Solutions or GoDaddy), and then complete the steps for your provider. -6. 
Repeat these steps for each domain and subdomain you want faculty and students to use for your institution. - -### Configure automatic tenant join - -To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant. - ->**Note:**  By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. - -Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks: - -- If an Office 365 tenant with that domain name (contoso.edu) exists, Office 365 automatically adds the user to that tenant. -- If an Office 365 tenant with that domain name (contoso.edu) does not exists, Office 365 automatically creates a new Office 365 tenant with that domain name and adds the user to it. - -You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before allowing other faculty and students to join Office 365. 
- ->**Note:**  You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours. - -All new Office 365 Education subscriptions have automatic tenant join enabled by default, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 3. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). - -*Table 3. Windows PowerShell commands to enable or disable Automatic Tenant Join* - - -| Action | Windows PowerShell command | -|------- |----------------------------| -| Enable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $true`| -| Disable |`Set-MsolCompanySettings -AllowEmailVerifiedUsers $false`| -

          ->**Note:**  If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant. - -### Disable automatic licensing - -To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval. - ->**Note:**  By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section. - -Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 4. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins). - -*Table 4. Windows PowerShell commands to enable or disable automatic licensing* - -| Action | Windows PowerShell command| -| -------| --------------------------| -| Enable |`Set-MsolCompanySettings -AllowAdHocSubscriptions $true`| -|Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false`| -

          -### Enable Azure AD Premium - -When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. - -Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). - -The Azure AD Premium features that are not in Azure AD Basic include: - -- Allow designated users to manage group membership -- Dynamic group membership based on user metadata -- Multifactor authentication (MFA) -- Identify cloud apps that your users run -- Automatic enrollment in a mobile device management (MDM) system (such as Intune) -- Self-service recovery of BitLocker -- Add local administrator accounts to Windows 10 devices -- Azure AD Connect health monitoring -- Extended reporting capabilities - -You can assign Azure AD Premium licenses to the users who need these features. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium to only those users. - -You can sign up for Azure AD Premium, and then assign licenses to users. In this section, you sign up for Azure AD Premium. You will assign Azure AD Premium licenses to users later in the deployment process. 
- -For more information about: - -- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). - -### Summary -You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. - -## Select an Office 365 user account–creation method - - -Now that you have an Office 365 subscription, you need to determine how you will create your Office 365 user accounts. Use the following methods to create Office 365 user accounts: - -- **Method 1:** Automatically synchronize your on-premises AD DS domain with Azure AD. Select this method if you have an on-premises AD DS domain. -- **Method 2:** Bulk-import the user accounts from a .csv file (based on information from other sources) into Azure AD. Select this method if you don’t have an on-premises AD DS domain. - -### Method 1: Automatic synchronization between AD DS and Azure AD - -In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. - ->**Note:**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com//library/dn510997.aspx?f=255&MSPPError=-2147217396). 
- -![fig 4](images/deploy-win-10-school-figure4.png) - -*Figure 4. Automatic synchronization between AD DS and Azure AD* - -For more information about how to perform this step, see the [Integrate on-premises AD DS with Azure AD](#integrate-on-premises-ad-ds-with-azure-ad) section in this guide. - -### Method 2: Bulk import into Azure AD from a .csv file - -In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies. - -![fig 5](images/deploy-win-10-school-figure5.png) - -*Figure 5. Bulk import into Azure AD from other sources* - -To implement this method, perform the following steps: - -1. Export the student information from the source. Ultimately, you want to format the student information in the format the bulk-import feature requires. -2. Bulk-import the student information into Azure AD. For more information about how to perform this step, see the [Bulk-import user accounts into Office 365](#bulk-import-user-accounts-into-office-365) section. - -### Summary - -In this section, you selected the method for creating user accounts in your Office 365 subscription. Ultimately, these user accounts are in Azure AD (which is the identity management system for Office 365). Now, you’re ready to create your Office 365 accounts. - -## Integrate on-premises AD DS with Azure AD - -You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS. 
- ->**Note:**  If your institution does not have an on-premises AD DS domain, you can skip this section. - -### Select synchronization model - -Before you deploy AD DS and Azure AD synchronization, you need to determine where you want to deploy the server that runs Azure AD Connect. - -You can deploy the Azure AD Connect tool by using one of the following methods: - -- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server. - - ![fig 6](images/deploy-win-10-school-figure6.png) - - *Figure 6. Azure AD Connect on premises* - -- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises. - - ![fig 7](images/deploy-win-10-school-figure7.png) - - *Figure 7. Azure AD Connect in Azure* - -This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com//library/dn635310.aspx). - -### Deploy Azure AD Connect on premises - -In this synchronization model (illustrated in Figure 6), you run Azure AD Connect on premises on a physical device or VM. Azure AD Connect synchronizes AD DS user and group accounts with Azure AD. Azure AD Connect includes a wizard that helps you configure Azure AD Connect for your AD DS domain and Office 365 subscription. First, you install Azure AD Connect; then, you run the wizard to configure it for your institution. - -#### To deploy AD DS and Azure AD synchronization - -1. 
Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). -2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. -3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). -4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). - -Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. - -### Verify synchronization - -Azure AD Connect should start synchronization immediately. Depending on the number of users in your AD DS domain, the synchronization process can take some time. To monitor the process, view the number of AD DS users and groups the tool has synchronized with Azure AD in the Office 365 admin console. - -#### To verify AD DS and Azure AD synchronization - -1. Open https://portal.office.com in your web browser. -2. Using the administrative account that you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section, sign in to Office 365. -3. In the list view, expand **USERS**, and then click **Active Users**. -4. In the details pane, view the list of users. The list of users should mirror the users in AD DS. -5. In the list view, click **GROUPS**. -6. In the details pane, view the list of security groups. The list of users should mirror the security groups in AD DS. -7. 
In the details pane, double-click one of the security groups. -8. The list of security group members should mirror the group membership for the corresponding security group in AD DS. -9. Close the browser. - -Now that you have verified Azure AD Connect synchronization, you’re ready to assign user licenses for Azure AD Premium. - -### Summary - -In this section, you selected your synchronization model, deployed Azure AD Connect, and verified that Azure AD is synchronizing properly. - -## Bulk-import user and group accounts into AD DS - -You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS. - ->**Note:**  If your institution doesn’t have an on-premises AD DS domain, you can skip this section. - -### Select the bulk import method - -Several methods are available to bulk-import user accounts into AD DS domains. Table 5 lists the methods that the Windows Server operating system supports natively. In addition, you can use partner solutions to bulk-import user and group accounts into AD DS. - -*Table 5. AD DS bulk-import account methods* - -|Method | Description and reason to select this method | -|-------| ---------------------------------------------| -|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. 
For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com//scriptcenter/dd939958.aspx).| -|Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| -

          -### Create a source file that contains the user and group accounts - -After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. - -*Table 6. Source file format for each bulk import method* - -| Method | Source file format | -|--------| -------------------| -|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx).| -| Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. 
For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| -

          -### Import the user accounts into AD DS - -With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. - ->**Note:**  Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts. - -For more information about how to import user accounts into AD DS by using: - -- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). -- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com//library/bb727091.aspx). -- Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](http://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). - -### Summary - -In this section, you selected the bulk-import method, created the source file that contains the user and group accounts, and imported the user and group accounts in to AD DS. If you have Azure AD Connect, it automatically synchronizes the new AD DS user and group accounts to Azure AD. Now, you’re ready to assign user licenses for Azure AD Premium in the [Assign user licenses for Azure AD Premium](#assign-user-licenses-for-azure-ad-premium) section later in this guide. 
- -## Bulk-import user accounts into Office 365 - -You can bulk-import user and group accounts directly into Office 365, reducing the time and effort required to create users. First, you bulk-import the user accounts into Office 365. Then, you create the security groups for your institution. Finally, you create the email distribution groups your institution requires. - -### Create user accounts in Office 365 - -Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom. - -You can use the Office 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users). - -The bulk-add process assigns the same Office 365 Education license plan to all users on the list. Therefore, you must create a separate list for each license plan you recorded in Table 2. Depending on the number of faculty members who need to use the classroom, you may want to add the faculty Office 365 accounts manually; however, use the bulk-add process to add student accounts. - -For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US). - ->**Note:**  If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process. - -The email accounts are assigned temporary passwords upon creation. 
You must communicate these temporary passwords to your users before they can sign in to Office 365. - -### Create Office 365 security groups - -Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources. - ->**Note:**  If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. - -For information about creating security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). - -You can add and remove users from security groups at any time. - ->**Note:**  Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may need to sign out, and then sign in again for the change to take effect. - -### Create email distribution groups - -Microsoft Exchange Online uses an email distribution group as a single email recipient for multiple users. For example, you could create an email distribution group that contains all students. Then, you could send a message to the email distribution group instead of individually addressing the message to each student. - -You can create email distribution groups based on job role (such as teachers, administration, or students) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group. 
- ->**Note:**  Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until Office 365 completes the Exchange Online creation process before you can perform the following steps. - -For information about how to create security groups, see [Create and manage Office 365 groups in Admin Center Preview](https://support.office.com/en-us/article/Create-and-manage-Office-365-groups-in-Admin-Center-Preview-93df5bd4-74c4-45e8-9625-56db92865a6e?ui=en-US&rs=en-US&ad=US). - -### Summary - -Now, you have bulk-imported the user accounts into Office 365. First, you selected the bulk-import method. Next, you created the Office 365 security groups in Office 365. Finally, you created the Office 365 email distribution groups. Now, you’re ready to assign user licenses for Azure AD Premium. - -## Assign user licenses for Azure AD Premium - -Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. Educational institutions can obtain Azure AD Basic licenses at no cost and Azure AD Premium licenses at a reduced cost. - -You can assign Azure AD Premium licenses to the users who need the features this edition offers. For example, you may want the users who have access to confidential student information to use MFA. In this example, you could assign Azure AD Premium only to those users. - -For more information about: - -- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -- How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). 
- -## Create and configure a Windows Store for Business portal - -Windows Store for Business allows you to create your own private portal to manage Windows Store apps in your institution. With Windows Store for Business, you can do the following: - -- Find and acquire Windows Store apps. -- Manage apps, app licenses, and updates. -- Distribute apps to your users. - -For more information about Windows Store for Business, see [Windows Store for Business overview](https://technet.microsoft.com/itpro/windows/whats-new/windows-store-for-business-overview). - -The following section shows you how to create a Windows Store for Business portal and configure it for your school. - -### Create and configure your Windows Store for Business portal - -To create and configure your Windows Store for Business portal, simply use the administrative account for your Office 365 subscription to sign in to Windows Store for Business. Windows Store for Business automatically creates a portal for your institution and uses your account as its administrator. - -#### To create and configure a Windows Store for Business portal - -1. In Microsoft Edge or Internet Explorer, type `http://microsoft.com/business-store` in the address bar. -2. On the **Windows Store for Business** page, click **Sign in with an organizational account**. ->**Note:**  If your institution has AD DS, then don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant. -3. On the Windows Store for Business sign-in page, use the administrative account for the Office 365 subscription you created in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) section to sign in. -4. 
On the **Windows Store for Business Services Agreement** page, review the agreement, select the **I accept this agreement and certify that I have the authority to bind my organization to its terms** check box, and then click **Accept** -5. In the **Welcome to the Windows Store for Business** dialog box, click **OK**. - -After you create the Windows Store for Business portal, configure it by using the commands in the settings menu listed in Table 7. Depending on your institution, you may (or may not) need to change these settings to further customize your portal. - -*Table 7. Menu selections to configure Windows Store for Business settings* - -| Menu selection | What you can do in this menu | -|---------------| -------------------| -|Account information|Displays information about your Windows Store for Business account (no settings can be changed). You make changes to this information in Office 365 or the Azure Portal. For more information, see [Update Windows Store for Business account settings](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings).| -|Device Guard signing|Allows you to upload and sign Device Guard catalog and policy files. For more information about Device Guard, see [Device Guard deployment guide](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide).| -|LOB publishers| Allows you to add line-of-business (LOB) publishers that can then publish apps to your private store. LOB publishers are usually internal developers or software vendors that are working with your institution. For more information, see [Working with line-of-business apps](https://technet.microsoft.com/itpro/windows/manage/working-with-line-of-business-apps).| -|Management tools| Allows you to add tools that you can use to distribute (deploy) apps in your private store. 
For more information, see [Distribute apps with a management tool](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-with-management-tool).| -|Offline licensing|Allows you to show (or not show) offline licensed apps to people shopping in your private store. For more information, see [Licensing model: online and offline licenses](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).| -|Permissions|Allows you to grant other users in your organization the ability to buy, manage, and administer your Windows Store for Business portal. You can also remove permissions you have previously granted. For more information, see [Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business).| -|Private store|Allows you to change the organization name used in your Windows Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store).| -

          -### Find, acquire, and distribute apps in the portal - -Now that you have created your Windows Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Windows Store for Business. - ->**Note:**  Your educational institution can now use a credit card or purchase order to pay for apps in Windows Store for Business. - -You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users. - -For more information about how to find, acquire, and distribute apps in the portal, see [App inventory management for Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/app-inventory-managemement-windows-store-for-business). - -### Summary - -At the end of this section, you should have a properly configured Windows Store for Business portal. You have also found and acquired your apps from Windows Store. Finally, you should have deployed all your Windows Store apps to your users. Now, you’re ready to deploy Windows Store apps to your users. - -## Plan for deployment - -You will use the LTI deployment process in MDT to deploy Windows 10 to devices or to upgrade devices to Windows 10. Prior to preparing for deployment, you must make some deployment planning decisions, including selecting the operating systems you will use, the approach you will use to create your Windows 10 images, and the method you will use to initiate the LTI deployment process. - -### Select the operating systems - -Later in the process, you will import the versions of Windows 10 you want to deploy. You can deploy the operating system to new devices, refresh existing devices, or upgrade existing devices. 
In the case of: - -- New devices or refreshing existing devices, you will complete replace the existing operating system on a device with Windows 10. -- Upgrading existing devices, you will upgrade the existing operating system (the Windows 8.1 or Windows 7 operating system) to Windows 10. - -Depending on your school’s requirements, you may need any combination of the following Windows 10 editions: - -- **Windows 10 Home**. Use this operating system to upgrade existing eligible institution-owned and personal devices that are running Windows 8.1 Home or Windows 7 Home to Windows 10 Home. -- **Windows 10 Pro**. Use this operating system to: - - Upgrade existing eligible institution-owned and personal devices running Windows 8.1 Pro or Windows 7 Professional to Windows 10 Pro. - - Deploy new instances of Windows 10 Pro to devices so that new devices have a known configuration. -- **Windows 10 Education**. Use this operating system to: - - Upgrade institution-owned devices to Windows 10 Education. - - Deploy new instances of Windows 10 Education so that new devices have a known configuration. - ->**Note:**  Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Windows Store for Business. These features are not available in Windows 10 Home. - -One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32 bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above. - ->**Note:**  On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources. 
- -Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture. - -### Select an image approach - -A key operating system image decision is whether to use a “thin” or “thick” image. *Thin images* contain only the operating system, and MDT installs the necessary device drivers and apps after the operating system has been installed. *Thick images* contain the operating system, “core” apps (such as Office), and device drivers. With thick images, MDT installs any device drivers and apps not included in the thick image after the operating system has been installed. - -The advantage to a thin image is that the final deployment configuration is dynamic, and you can easily change the configuration without having to capture another image. The disadvantage of a thin image is that it takes longer to complete the deployment. - -The advantage of a thick image is that the deployment takes less time than it would for a thin image. The disadvantage of a thick image is that you need to capture a new image each time you want to make a change to the operating system, apps, or other software in the image. - -### Select a method to initiate deployment - -The MDT deployment process is highly automated, requiring minimal information to deploy or upgrade Windows 10, but you must manually initiate the MDT deployment process. To do so, use the method listed in Table 8 that best meets the needs of your institution. - -*Table 8. Methods to initiate MDT deployment* - - ---- - - - - - - - - - - - - - - - - - - - - - - - -
          MethodDescription and reason to select this method
          Windows Deployment ServicesThis method:

          -
            -
          • Uses diskless booting to initiate MDT deployment.
          • -
          • Works only with devices that support PXE boot.
          • -
          • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
          • -
          • Deploys images more slowly than when using local media.
          • -
          • Requires that you deploy a Windows Deployment Services server.
          • -
          - -Select this method when you want to deploy Windows over-the-network and perform diskless booting. The advantage of this method is that the diskless media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployments from local media, and you must deploy a Windows Deployment Services server.
          Bootable mediaThis method:

          -
            -
          • Initiates MDT deployment by booting from local media, including from USB drives, DVD-ROM, or CD-ROM.
          • -
          • Deploys Windows 10 over the network, which consumes more network bandwidth than deployment from local media.
          • -
          • Deploys images more slowly than when using local media.
          • -
          • Requires no additional infrastructure.
          • -
          - -Select this method when you want to deploy Windows over-the-network and are willing to boot the target device from local media. The advantage of this method is that the media are generic and typically don’t require updates after you create them (the Deployment Wizard accesses the centrally located deployment share over the network). The disadvantage of this method is that over-the-network deployments are slower than deployment from local media.
          MDT deployment mediaThis method:

          -
            -
          • Initiates MDT deployment by booting from a local USB hard disk.
          • -
          • Deploys Windows 10 from local media, which consumes less network bandwidth than over-the-network methods.
          • -
          • Deploys images more quickly than network-based methods do.
          • -
          • Requires a USB hard disk because of the deployment share’s storage requirements (up to 100 GB).
          • -
          - -Select this method when you want to perform local deployments and are willing to boot the target device from a local USB hard disk. The advantage of this method is that local deployments are faster than over-the-network deployments. The disadvantage of this method is that each time you change the deployment share, you must regenerate the MDT deployment media and update the USB hard disk.
          - -### Summary - -At the end of this section, you should know the Windows 10 editions and processor architecture that you want to deploy (and will import later in the process). You also determined whether you want to use thin or thick images. Finally, you selected the method for initiating your LTI deployment. Now, you can prepare for Windows 10 deployment. - -## Prepare for deployment - -To deploy Windows 10 to devices, using the LTI deployment method in MDT. In this section, you prepare your MDT environment and Windows Deployment Services for Windows 10 deployment. - -### Configure the MDT deployment share - -The first step in preparation for Windows 10 deployment is to configure—that is, *populate*—the MDT deployment share. Table 9 lists the MDT deployment share configuration tasks that you must perform. Perform the tasks in the order represented in Table 9. - -*Table 9. Tasks to configure the MDT deployment share* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          TaskDescription
          1. Import operating systemsImport the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
          2. Import device drivesDevice drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

          - -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). - -
          3. Create MDT applications for Windows Store appsCreate an MDT application for each Windows Store app you want to deploy. You can deploy Windows Store apps by using *sideloading*, which allows you to use the **Add-AppxPackage** Windows PowerShell cmdlet to deploy the .appx files associated with the app (called *provisioned apps*). Use this method to deploy up to 24 apps to Windows 10.

          - -Prior to sideloading the .appx files, obtain the Windows Store .appx files that you will use to deploy (sideload) the apps in your provisioning package. For apps in Windows Store, you will need to obtain the .appx files from the app software vendor directly. If you are unable to obtain the .appx files from the app software vendor, then you or the students will need to install the apps on the student devices directly from Windows Store or Windows Store for Business.

          - -If you have Intune, you can deploy Windows Store apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows Store apps, and you can use it for ongoing management of Windows Store apps. This is the preferred method of deploying and managing Windows Store apps.

          - -In addition, you must prepare your environment for sideloading (deploying) Windows Store apps. For more information about how to:

          -
            -
          • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/itpro/windows/deploy/sideload-apps-in-windows-10).
          • -
          • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
          • -
          - - -
          4. Create MDT applications for Windows desktop apps -You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

          - -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com//library/jj219423.aspx?f=255&MSPPError=-2147217396).

          - -If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

          **Note:**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

          - -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). - -
          5. Create task sequences. -You must create a separate task sequences for each Windows 10 edition, processor architecture, operating system upgrade process, and new operating system deployment process. Minimally, create a task sequence for each Windows 10 operating system you imported in Step 1—for example, (1) if you want to deploy Windows 10 Education to new devices or refresh existing devices with a new deployment of Windows 10 Education; (2) if you want to upgrade existing devices running Windows 8.1 or Windows 7 to Windows 10 Education; or (3) if you want to run deployments and upgrades for both 32 bit and 64 bit versions of Windows 10. To do so, you must create task sequences that will: -

          -
          • Deploy Windows 10 Education 64-bit to devices.
          • -
          • Deploy Windows 10 Education 32-bit to devices.
          • -
          • Upgrade existing devices to Windows 10 Education 64-bit.
          • -
          • Upgrade existing devices to Windows 10 Education 32-bit.
          • -
          - -Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). - -
          6. Update the deployment share. -Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

          - -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com//library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench).
          - -### Configure Window Deployment Services for MDT - -You can use Windows Deployment Services in conjunction with MDT to automatically initiate boot images on target computers. These boot images can be Windows PE images (which you generated in Step 6 in Table 9) or custom images that can deploy operating systems directly to the target computers. - -#### To configure Windows Deployment Services for MDT - -1. Set up and configure Windows Deployment Services.

          Windows Deployment Services is a server role available in all Windows Server editions. You can enable the Windows Deployment Services server role on a new server or on any server running Windows Server in your institution. For more information about how to perform this step, see the following resources: - - - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) - - The Windows Deployment Services Help file, included in Windows Deployment Services - - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com//library/jj648426.aspx) - -2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

          The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com//library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). - -### Summary - -Now, Windows Deployment Services is ready to initiate the LTI deployment process in MDT. You have set up and configured Windows Deployment Services and added the LTI boot images, which you generated in the previous section, to Windows Deployment Services. Now, you’re ready to prepare to manage the devices in your institution. - -## Prepare for device management - -Before you deploy Windows 10 in your institution, you must prepare for device management. You will deploy Windows 10 in a configuration that complies with your requirements, but you want to help ensure that your deployments remain compliant. - -### Select the management method - -If you have only one device to configure, manually configuring that one device is tedious but possible. When you have multiple classrooms of devices to configure, however, manually configuring each device becomes overwhelming. In addition, manually keeping an identical configuration on each device is virtually impossible as the number of devices in the school increases. - -For a school, there are many ways to manage devices. Table 10 lists the methods that this guide describes and recommends. Use the information in Table 10 to determine which combination of management methods is right for your institution. - -*Table 10. School management methods* - - ---- - - - - - - - - - - - - - - - - - - - -
          MethodDescription
          Group Policy -Group Policy is an integral part of AD DS and allows you to specify configuration settings for Windows 10 and previous versions of Windows. Select this method when you: -
            -
          • Want to manage institution-owned devices that are domain joined (personally owned devices are typically not domain joined).
          • -
          • Want more granular control of device and user settings.
          • -
          • Have an existing AD DS infrastructure.
          • -
          • Typically manage on-premises devices.
          • -
          • Can manage a required setting only by using Group Policy.
          • -
          - -The advantages of this method include: -
            -
          • No cost beyond the AD DS infrastructure.
          • -
          • A larger number of settings (compared to Intune).
          • -
          -The disadvantages of this method are: -
            -
          • Can only manage domain-joined (institution-owned devices).
          • -
          • Requires an AD DS infrastructure (if the institution does not have AD DS already).
          • -
          • Typically manages on-premises devices (unless devices connect by using a VPN or DirectAccess).
          • -
          -
          IntuneIntune is a cloud-based management system that allows you to specify configuration settings for Windows 10, previous versions of Windows, and other operating systems (such as iOS or Android). Intune is a subscription-based cloud service that integrates with Office 365 and Azure AD. -Select this method when you: -
            -
          • Want to manage institution-owned and personal devices (does not require that the device be domain joined).
          • -
          • Don’t require the level of granular control over device and user settings (compared to Group Policy).
          • -
          • Don’t have an existing AD DS infrastructure.
          • -
          • Need to manage devices regardless of where they are (on or off premises).
          • -
          • Can manage a required setting only by using Intune.
          • -
          - -The advantages of this method are: -
            -
          • You can manage institution-owned and personal devices.
          • -
          • It doesn’t require that devices be domain joined.
          • -
          • It doesn’t require any on-premises infrastructure.
          • -
          • It can manage devices regardless of their location (on or off premises).
          • - -
          -The disadvantages of this method are: -
            -
          • Carries an additional cost for subscription.
          • -
          • Doesn’t have a granular level control over device and user settings (compared to Group Policy).
          • -
          - -

          - -### Select Microsoft-recommended settings - -Microsoft has several recommended settings for educational institutions. Table 11 lists them, provides a brief description of why you need to configure them, and recommends methods for configuring the settings. Review the settings in Table 11 and evaluate their relevancy to your institution. Use the information to help you determine whether you need to configure the setting and which method you will use to do so. At the end, you will have a list of settings that you want to apply to the Windows 10 devices and know which management method you will use to configure the settings. - -*Table 11. Recommended settings for educational institutions* - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          RecommendationDescription
          Use of Microsoft accountsYou want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

          -**Note:**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

          -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com//library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

          -**Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. -
          Restrict local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

          -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

          -**Intune**. Not available. -
          Restrict the local administrator accounts on the devicesEnsure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

          -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com//library/cc732525.aspx).

          -**Intune**. Not available. -
          Manage the built-in administrator account created during device deploymentWhen you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

          -**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com//library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com//library/jj852165.aspx).

          -**Intune**. Not available. -
          Control Windows Store accessYou can control access to Windows Store and whether existing Windows Store apps receive updates. You can only disable the Windows Store app in Windows 10 Education and Windows 10 Enterprise.

          -**Group Policy**. You can disable the Windows Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Windows Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Windows Store in my enterprise environment?](https://technet.microsoft.com//library/hh832040.aspx#BKMK_UseGP).

          -**Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. -
          Use of Remote Desktop connections to devicesRemote Desktop connections could allow unauthorized access to the device. Depending on your institution’s policies, you may want to disable Remote Desktop connections on your devices.

          -**Group Policy**. You can enable or disable Remote Desktop connections to devices by using the **Allow Users to connect remotely using Remote Desktop setting** in Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections.

          -**Intune**. Not available. -
          Use of cameraA device’s camera can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the camera on your devices.

          -**Group Policy**. Not available.

          -**Intune**. You can enable or disable the camera by using the **Allow camera** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. -
          Use of audio recordingAudio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

          -**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com//library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com//library/ee791899.aspx).

          -**Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. -
          Use of screen captureScreen captures can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the ability to perform screen captures on your devices.

          -**Group Policy**. Not available.

          -**Intune**. You can enable or disable the camera by using the **Allow screen capture** policy setting in the **System** section of a **Windows 10 General Configuration** policy. -
          Use of location servicesProviding a device’s location can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the location service on your devices.

          -**Group Policy**. You can enable or disable location services by using the **Turn off location** Group Policy setting in User Configuration\Windows Components\Location and Sensors.

          -**Intune**. You can enable or disable the camera by using the **Allow geolocation** policy setting in the **Hardware** section of a **Windows 10 General Configuration** policy. -
          Changing wallpaperDisplaying a custom wallpaper can be a source of disclosure or privacy issues in an education environment (if the wallpaper displays information about the user or the device). Depending on your institution’s policies, you may want to prevent users from changing the wallpaper on your devices.

          -**Group Policy**. You can configure the wallpaper by using the **Desktop WallPaper** setting in User Configuration\Administrative Templates\Desktop\Desktop.

          -**Intune**. Not available. -

          - -### Configure settings by using Group Policy - -Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. - -For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com//library/cc754948.aspx). - -#### To configure Group Policy settings - -1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com//library/cc738830.aspx). -2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com//library/cc739902.aspx). -3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com//library/cc738954(v=ws.10).aspx). - -### Configure settings by using Intune - -Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. - -For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). - -#### To configure Intune settings - -1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). -2. 
Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com//library/dn646962.aspx). -3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com//library/dn646984.aspx). -4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com//library/dn646959.aspx). - -### Deploy apps by using Intune - -You can use Intune to deploy Windows Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. - -For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). - -### Summary - -In this section, you prepared your institution for device management. You determined whether you want to use Group Policy or Intune to manage your devices. You identified the configuration settings that you want to use to manage your users and devices. Finally, you configured the Group Policy and Intune settings in Group Policy and Intune, respectively. - -## Deploy Windows 10 to devices - -You’re ready to deploy Windows 10 to faculty and student devices. You must complete the steps in this section for each student device in the classrooms as well as for any new student devices you add in the future. You can also perform these actions for any device that’s eligible for a Windows 10 upgrade. 
This section discusses deploying Windows 10 to new devices, refreshing Windows 10 on existing devices, and upgrading existing devices that are running eligible versions of Windows 8.1 or Windows to Windows 10. - -### Prepare for deployment - -Prior to deployment of Windows 10, ensure that you complete the tasks listed in Table 12. Most of these tasks are already complete, but use this step to make sure. - -*Table 12. Deployment preparation checklist* - -|Task | | -| ---| --- | -| |The target devices have sufficient system resources to run Windows 10. | -| | Identify the necessary devices drivers, and import them to the MDT deployment share.| -| | Create an MDT application for each Windows Store and Windows desktop app.| -| | Notify the students and faculty about the deployment.| -

          -### Perform the deployment - -Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. - ->**Note:**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com//library/dn781089.aspx). - -In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. - -#### To deploy Windows 10 - -1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. -2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com//library/dn759415.aspx#Running%20the%20Deployment%20Wizard). - -### Set up printers - -After you have deployed Windows 10, the devices are almost ready for use. First, you must set up the printers that each classroom will use. Typically, you connect the printers to the same network as the devices in the same classroom. If you don’t have printers in your classrooms, skip this section and proceed to the [Verify deployment](#verify-deployment) section. - ->**Note:**  If you’re performing an upgrade instead of a new deployment, the printers remain configured as they were in the previous version of Windows. As a result, you can skip this section and proceed to the [Verify deployment](#verify-deployment) section. 
- -#### To set up printers - -1. Review the printer manufacturer’s instructions for installing the printer drivers. -2. On the admin device, download the printer drivers. -3. Copy the printer drivers to a USB drive. -4. On a device, use the same account you used to set up Windows 10 in the [Perform the deployment](#perform-the-deployment) section to sign in to the device. -5. Insert the USB drive in the device. -6. Follow the printer manufacturer’s instructions to install the printer drivers from the USB drive. -7. Verify that the printer drivers were installed correctly by printing a test page. -8. Complete steps 1–8 for each printer. - -### Verify deployment - -As a final quality control step, verify the device configuration to ensure that all apps run. Microsoft recommends that you perform all the tasks that the user would perform. Specifically, verify the following: - -- The device can connect to the Internet and view the appropriate web content in Microsoft Edge. -- Windows Update is active and current with software updates. -- Windows Defender is active and current with malware signatures. -- The SmartScreen Filter is active. -- All Windows Store apps are properly installed and updated. -- All Windows desktop apps are properly installed and updated. -- Printers are properly configured. - -When you have verified that the first device is properly configured, you can move to the next device and perform the same steps. - -### Summary - -You prepared the devices for deployment by verifying that they have adequate system resources and that the resources in the devices have corresponding Windows 10 device drivers. You performed device deployment over the network or by using local MDT media. Next, you configured the appropriate printers on the devices. Finally, you verified that the devices are properly configured and ready for use. 
- -## Maintain Windows devices and Office 365 - -After the initial deployment, you will need to perform certain tasks to maintain the Windows 10 devices and your Office 365 Education subscription. You should perform these tasks on the following schedule: - -- **Monthly.** These tasks help ensure that the devices are current with software updates and properly protected against viruses and malware. -- **New semester or academic year.** Perform these tasks prior to the start of a new curriculum—for example, at the start of a new academic year or semester. These tasks help ensure that the classroom environments are ready for the next group of students. -- **As required (ad hoc).** Perform these tasks as necessary in a classroom. For example, a new version of an app may be available, or a student may inadvertently corrupt a device so that you must restore it to the default configuration. - -Table 13 lists the school and individual classroom maintenance tasks, the resources for performing the tasks, and the schedule (or frequency) on which you should perform the tasks. - -*Table 13. School and individual classroom maintenance tasks, with resources and the schedule for performing them* - - ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Task and resourcesMonthlyNew semester or academic yearAs required
          Verify that Windows Update is active and current with operating system and software updates.

          -For more information about completing this task when you have: -
            -
          • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
          • -
          • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
          • -
          • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
          • -
          • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](http://windows.microsoft.com/en-id/windows-10/update-windows-10)
          • -
          -
          XXX
          Verify that Windows Defender is active and current with malware signatures.

          -For more information about completing this task, see [Turn Windows Defender on or off](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab01) and [Updating Windows Defender](http://windows.microsoft.com/en-us/windows-10/how-to-protect-your-windows-10-pc#v1h=tab03).
          XXX
          Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

          -For more information about completing this task, see [How do I find and remove a virus?](http://windows.microsoft.com/en-US/windows-8/how-find-remove-virus) -
          XXX
          Verify that you are using the appropriate Windows 10 servicing options for updates and upgrades (such as selecting whether you want to use Current Branch or Current Branch for Business).

          -For more information about Windows 10 servicing options for updates and upgrades, see [Windows 10 servicing options for updates and upgrades](https://technet.microsoft.com/itpro/windows/manage/introduction-to-windows-10-servicing).
          XX
          Refresh the operating system and apps on devices.

          -For more information about completing this task, see the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. - -
          XX
          Install any new Windows desktop apps or update any Windows desktop apps that are used in the curriculum.

          -For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. - -
          XX
          Install new or update existing Windows Store apps that are used in the curriculum.

          -Windows Store apps are automatically updated from Windows Store. The menu bar in the Windows Store app shows whether any Windows Store app updates are available for download.

          -You can also deploy Windows Store apps directly to devices by using Intune. For more information, see the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. - -
          XX
          Remove unnecessary user accounts (and corresponding licenses) from Office 365.

          -For more information about how to: -
            -
          • Remove unnecessary user accounts, see [Delete or restore users](https://support.office.com/en-us/article/Delete-or-restore-users-d5155593-3bac-4d8d-9d8b-f4513a81479e?ui=en-US&rs=en-US&ad=US).
          • -
          • Unassign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
          • -
          - -
          XX
          Add new accounts (and corresponding licenses) to Office 365.

          -For more information about how to: -
            -
          • Add user accounts, see [Add users to Office 365 for business](https://support.office.com/en-us/article/Add-users-to-Office-365-for-business-435ccec3-09dd-4587-9ebd-2f3cad6bc2bc) and [Add users individually or in bulk to Office 365](https://www.youtube.com/watch?v=zDs3VltTJps).
          • -
          • Assign licenses, see [Assign or unassign licenses for Office 365 for business](https://support.office.com/en-us/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-US&ad=US).
          • -
          -
          XX
          Create or modify security groups and manage group membership in Office 365.

          -For more information about how to: -
            -
          • Create or modify security groups, see [View, create, and delete Groups in the Office 365 admin center](https://support.office.com/en-us/article/View-create-and-delete-groups-in-the-Office-365-admin-center-a6360120-2fc4-46af-b105-6a04dc5461c7).
          • -
          • Manage group membership, see [Manage Group membership in the Office 365 admin center](https://support.office.com/en-us/article/Manage-Group-membership-in-the-Office-365-admin-center-e186d224-a324-4afa-8300-0e4fc0c3000a).
          • -
          - -
          XX
          Create or modify Exchange Online or Microsoft Exchange Server distribution lists in Office 365.

          -For more information about how to create or modify Exchange Online or Exchange Server distribution lists in Office 365, see [Manage Distribution Groups](https://technet.microsoft.com/library/bb124513.aspx) and [Groups in Exchange Online and SharePoint Online](https://support.office.com/en-us/article/Create-edit-or-delete-a-security-group-55C96B32-E086-4C9E-948B-A018B44510CB#__groups_in_exchange). - -
          XX
          Install new student devices

          -Follow the same steps described in the [Deploy Windows 10 to devices](#deploy-windows-10-to-devices) section. - -
          X
          -

          -### Summary - -Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified. - -##Related resources -

            -
          • [Try it out: Windows 10 deployment (for educational institutions)](https://go.microsoft.com/fwlink/p/?LinkId=623254)
          • -
          • [Try it out: Windows 10 in the classroom](https://go.microsoft.com/fwlink/p/?LinkId=623255)
          • -
          • [Chromebook migration guide](https://go.microsoft.com/fwlink/p/?LinkId=623249)
          • -
-
diff --git a/windows/plan/deploying-a-runtime-analysis-package.md b/windows/plan/deploying-a-runtime-analysis-package.md
deleted file mode 100644
index 38f478a9b9..0000000000
--- a/windows/plan/deploying-a-runtime-analysis-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deploying a Runtime-Analysis Package (Windows 10)
-description: When you deploy a runtime-analysis package, you are deploying it to your test environment for compatibility testing.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/deploying-an-inventory-collector-package.md b/windows/plan/deploying-an-inventory-collector-package.md
deleted file mode 100644
index 784ecd61b4..0000000000
--- a/windows/plan/deploying-an-inventory-collector-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Deploying an Inventory-Collector Package (Windows 10)
-description: How to deploy an inventory-collector package to your destination computers.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/example-filter-queries.md b/windows/plan/example-filter-queries.md
deleted file mode 100644
index 8494d2a4b1..0000000000
--- a/windows/plan/example-filter-queries.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Example Filter Queries (Windows 10)
-description: You can filter your compatibility-issue data or reports by selecting specific restriction criteria.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/exporting-a-data-collection-package.md b/windows/plan/exporting-a-data-collection-package.md
deleted file mode 100644
index e3b5a9ce64..0000000000
--- a/windows/plan/exporting-a-data-collection-package.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Exporting a Data-Collection Package (Windows 10)
-description: In Application Compatibility Manager (ACM), you can export a data-collection package as a Windows installer (.msi) file. You can then use the .msi file to install the data-collection package on the computers from which you want to gather data.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/filtering-your-compatibility-data.md b/windows/plan/filtering-your-compatibility-data.md
deleted file mode 100644
index 83040f196c..0000000000
--- a/windows/plan/filtering-your-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Filtering Your Compatibility Data (Windows 10)
-description: You can use Query Builder to filter your compatibility-issue data or reports by selecting specific restriction criteria.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/fixing-compatibility-issues.md b/windows/plan/fixing-compatibility-issues.md
deleted file mode 100644
index 50f8032d64..0000000000
--- a/windows/plan/fixing-compatibility-issues.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Fixing Compatibility Issues (Windows 10)
-description: This section provides step-by-step instructions and describes development tools that you can use to help fix your compatibility issues.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/identifying-computers-for-inventory-collection.md b/windows/plan/identifying-computers-for-inventory-collection.md
deleted file mode 100644
index 524304a7cf..0000000000
--- a/windows/plan/identifying-computers-for-inventory-collection.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Identifying Computers for Inventory Collection (Windows 10)
-description: To generate a complete inventory and obtain a comprehensive view of your organization, inventory all computers. However, remember that deploying inventory-collector packages to all computers in your organization will require the additional work of analyzing and reducing a larger list of applications. If you do not have the resources to deploy to all computers or you cannot process a larger list of applications, consider deploying inventory-collector packages to representative subsets of computers instead.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/index.md b/windows/plan/index.md
index dfa19e4252..125db28968 100644
--- a/windows/plan/index.md
+++ b/windows/plan/index.md
@@ -16,6 +16,7 @@ Windows 10 provides new deployment capabilities, scenarios, and tools by buildi
 ## In this section
 |Topic |Description |
 |------|------------|
+|[Windows 10 Enterprise: FAQ for IT professionals](windows-10-enterprise-faq-itpro.md) | Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. |
 |[Windows 10 deployment considerations](windows-10-deployment-considerations.md) |There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications. |
 |[Windows 10 compatibility](windows-10-compatibility.md) |Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10. |
 |[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) |There are specific infrastructure requirements to deploy and manage Windows 10 that should be in place prior to significant Windows 10 deployments within your organization. |
diff --git a/windows/plan/integration-with-management-solutions-.md b/windows/plan/integration-with-management-solutions-.md
deleted file mode 100644
index 7246b22a3a..0000000000
--- a/windows/plan/integration-with-management-solutions-.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Integration with management solutions (Windows 10)
-description: You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
-ms.assetid: E0CB0CD3-4FE1-46BF-BA6F-5A5A8BD14CC9
-keywords: update, upgrade, deployment, manage, tools
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: servicing, devices
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb
----
-
-# Integration with management solutions
-
-**Applies to**
-- Windows 10
-
-You can integrate Windows Update for Business deployments with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, and Microsoft Intune.
-
-## System Center Configuration Manager
-
-For Windows 10, version 1511, organizations that already manage their systems with Configuration Manager can also have their devices configured for Windows Update for Business (in other words, set deferral policies on those machines). For Windows 10, version 1511, such devices will be visible in the Configuration Manager console, however they will appear with a detection state of “Unknown”.
-
-![figure 1](images/wuforbusiness-fig10-sccmconsole.png)
-
-## WSUS standalone
-
-For Windows 10, version 1511, you cannot configure devices for both Windows Update for Business *and* to receive updates from WSUS. If both group policies are set (for both deferrals as well as WSUS scanning), Windows Update for Business settings will NOT be respected and devices will continue to scan against WSUS.
-
-## Enterprise Mobility Suite: Intune
-
-You can configure Windows Update for Business by using MDM policy. To configure Windows Update for Business with Intune:
-1. Create a new Windows 10 custom policy.
(Add a policy, and choose **Custom Configuration for Windows 10 Desktop and phone…**).
-
-   ![figure 2](images/wuforbusiness-fig11-intune.png)
-
-2. Configure the device to Consumer Branch for Business by selecting to defer upgrades (as described in [Setup and deployment](setup-and-deployment.md).
-
-   **Note**  
-   As noted, because WSUS and Windows Update for Business are mutually exclusive policies, do not set **UpdateServiceUrl** if you want to configure to defer upgrades.
-   
-3. Establish deferral windows for updates and upgrades.
-
-   ![figure 3](images/wuforbusiness-fig12a-updates.png)
-
-   ![figure 4](images/wuforbusiness-fig13a-upgrades.png)
-
-## Related topics
-
-[Windows Update for Business](windows-update-for-business.md)
-
-[Setup and deployment](setup-and-deployment.md)
diff --git a/windows/plan/internet-explorer-web-site-report.md b/windows/plan/internet-explorer-web-site-report.md
deleted file mode 100644
index f30fc92bd6..0000000000
--- a/windows/plan/internet-explorer-web-site-report.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Internet Explorer - Web Site Report (Windows 10)
-description: The Internet Explorer - Web Site Report screen shows the URL, your organization's compatibility rating, issue count, and resolved issue count, for each of the websites visited in your organization.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/labeling-data-in-acm.md b/windows/plan/labeling-data-in-acm.md
deleted file mode 100644
index 92f7448f84..0000000000
--- a/windows/plan/labeling-data-in-acm.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Labeling Data in ACM (Windows 10)
-description: Application data and its associated compatibility issues can vary within an organization.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/log-file-locations-for-data-collection-packages.md b/windows/plan/log-file-locations-for-data-collection-packages.md
deleted file mode 100644
index 5fa3b6c466..0000000000
--- a/windows/plan/log-file-locations-for-data-collection-packages.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Log File Locations for Data-Collection Packages (Windows 10)
-description: Selecting the output for your data-collection package log files.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/managing-your-data-collection-packages.md b/windows/plan/managing-your-data-collection-packages.md
deleted file mode 100644
index 03cbe4849d..0000000000
--- a/windows/plan/managing-your-data-collection-packages.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Managing Your Data-Collection Packages (Windows 10)
-description: This section provides information about using Application Compatibility Manager (ACM) to manage your data-collection packages.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/organizational-tasks-for-each-report-type.md b/windows/plan/organizational-tasks-for-each-report-type.md
deleted file mode 100644
index 61498e165d..0000000000
--- a/windows/plan/organizational-tasks-for-each-report-type.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Organizational Tasks for Each Report Type (Windows 10)
-description: The following table shows which tasks can be performed for each report type.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/organizing-your-compatibility-data.md b/windows/plan/organizing-your-compatibility-data.md
deleted file mode 100644
index 30d2918977..0000000000
--- a/windows/plan/organizing-your-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Organizing Your Compatibility Data (Windows 10)
-description: This section provides step-by-step instructions for organizing your compatibility data in Application Compatibility Manager (ACM).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/prioritizing-your-compatibility-data.md b/windows/plan/prioritizing-your-compatibility-data.md
deleted file mode 100644
index 7304d6dbb9..0000000000
--- a/windows/plan/prioritizing-your-compatibility-data.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Prioritizing Your Compatibility Data (Windows 10)
-description: Prioritizing your apps, websites, computers, and devices to help customize and filter your compatibilty reports.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/ratings-icons-in-acm.md b/windows/plan/ratings-icons-in-acm.md
deleted file mode 100644
index c1f0184338..0000000000
--- a/windows/plan/ratings-icons-in-acm.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Ratings Icons in ACM (Windows 10)
-description: Compatibility ratings can originate from Microsoft, the application vendor, your organization, and from the Application Compatibility Toolkit (ACT) community.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/resolving-an-issue.md b/windows/plan/resolving-an-issue.md
deleted file mode 100644
index e6a5b97651..0000000000
--- a/windows/plan/resolving-an-issue.md
+++ /dev/null
@@ -1,5 +0,0 @@ ---- -title: Resolving an Issue (Windows 10) -description: You can use Application Compatibility Manager (ACM) to flag issues as resolved. Resolving an issue changes the status of the issue from a red x to a green check mark on your report and report detail screens. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/saving-opening-and-exporting-reports.md b/windows/plan/saving-opening-and-exporting-reports.md deleted file mode 100644 index 65bfc93fba..0000000000 --- a/windows/plan/saving-opening-and-exporting-reports.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Saving, Opening, and Exporting Reports (Windows 10) -description: You can perform several common reporting tasks from the Analyze screen, including saving a compatibility report, opening a saved compatibility report (.adq) file, and exporting your report data to a spreadsheet (.xls) file. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md b/windows/plan/selecting-the-send-and-receive-status-for-an-application.md deleted file mode 100644 index 3674f73b68..0000000000 --- a/windows/plan/selecting-the-send-and-receive-status-for-an-application.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Selecting the Send and Receive Status for an Application (Windows 10) -description: For each application listed in Application Compatibility Manager (ACM), you can select whether to send and receive specific application data through the Microsoft Compatibility Exchange. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file 
diff --git a/windows/plan/selecting-your-compatibility-rating.md b/windows/plan/selecting-your-compatibility-rating.md deleted file mode 100644 index e0b0defc6d..0000000000 --- a/windows/plan/selecting-your-compatibility-rating.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Selecting Your Compatibility Rating (Windows 10) -description: You can rate the compatibility of your applications, installation packages, or websites, based on whether they run successfully on a 32-bit or 64-bit operating system. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/selecting-your-deployment-status.md b/windows/plan/selecting-your-deployment-status.md deleted file mode 100644 index 61fdf90369..0000000000 --- a/windows/plan/selecting-your-deployment-status.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Selecting Your Deployment Status (Windows 10) -description: In Application Compatibility Manager (ACM), you can track the deployment status of your applications and websites. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/sending-and-receiving-compatibility-data.md b/windows/plan/sending-and-receiving-compatibility-data.md deleted file mode 100644 index fe2e0356a0..0000000000 --- a/windows/plan/sending-and-receiving-compatibility-data.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Sending and Receiving Compatibility Data (Windows 10) -description: The Microsoft® Compatibility Exchange is a web service that propagates application compatibility issues between various data sources, for example Microsoft Corporation, independent software vendors (ISVs) and the ACT Community. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file 
diff --git a/windows/plan/settings-for-acm.md b/windows/plan/settings-for-acm.md deleted file mode 100644 index fe209d179d..0000000000 --- a/windows/plan/settings-for-acm.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Settings for ACM (Windows 10) -description: This section provides information about settings that you can configure in Application Compatibility Manager (ACM). -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/setup-and-deployment.md b/windows/plan/setup-and-deployment.md deleted file mode 100644 index 2b2e1e2a43..0000000000 --- a/windows/plan/setup-and-deployment.md +++ /dev/null 
@@ -1,184 +0,0 @@
----
-title: Setup and deployment (Windows 10)
-description: This article describes the basic features of a Windows Update for Business deployment.
-ms.assetid: E176BB36-3B1B-4707-9665-968D80050DD1
-keywords: update, upgrade, deployment
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: servicing, devices
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb
----
-
-# Setup and deployment
-
-**Applies to**
-- Windows 10
-
-This article describes the basic features of a Windows Update for Business deployment. Use this information to familiarize yourself with a simple deployment with a single group of machines connected to Windows Update, in addition to more complex scenarios such as the creation of Windows Update for Business validation groups that receive updates from Windows Update at different time intervals, as well as Windows Update for Business deployments integrated with existing management tools such as Windows Server Update Services (WSUS), System Center Configuration Manager, or Microsoft Intune.
-
-## Configure your systems to receive updates on CBB
-
-To use Windows Update for Business, Windows 10-based devices must first be configured for the Current Branch for Business (CBB). You can configure devices manually, by using Group Policy, or by using mobile device management (MDM).
-
-![figure 1](images/wuforbus-fig1-manuallyset.png)
-
-![figure 2](images/wuforbusiness-fig2-gp.png)
-
-![figure 3](images/wuforbusiness-fig3-mdm.png)
-
-## Defer OS upgrade and update deployments
-
-Windows Update for Business allows administrators to control when upgrades and updates are deployed to their Windows 10 clients by specifying deferral windows from when they are initially made available on the Windows Update service. As mentioned, there are restrictions as to how long you can delay upgrades and updates. 
The following table details these restrictions, per deployment category type: - - - - - - - - - - - - - - - - -
          -

          Group Policy keys

          -
          -

          HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod

          -
            -
          • -

            Values: 0-8 where each unit for upgrade is a month -

            -
          • -
          -
          -

          HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod

          -
            -
          • -

            Values: 0-4 where each unit for update is a week -

            -
          • -
          -
          -

          MDM

          -

          ./Vendor/MSFT/Update/DeferUpgrade

          -
          -

          Software\Microsoft\PolicyManager\current\Update\RequireDeferUpgrade -

          -
            -
          • -

            Values: 0-8 where each unit for upgrade is a month - -

            -
          • -
          -
          -

          Software\Microsoft\PolicyManager\current\Update\RequireDeferUpdate

          -
            -
          • -

            Values: 0-4 where each unit for update is a week -

            -
          • -
          -
          -  -Administrators can control deferral periods with Group Policy Objects by using the [Local Group Policy Editor (GPEdit)](https://go.microsoft.com/fwlink/p/?LinkId=734030) or, for domain joined systems, [Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=699325). For additional details on Group Policy management see [Group Policy management for IT pros](https://go.microsoft.com/fwlink/p/?LinkId=699282). -**Set different deferrals based on update classification in GPedit.msc** -![figure 4](images/wuforbusiness-fig4-localpoleditor.png) -![figure 5](images/wuforbusiness-fig5-deferupgrade.png) -## Pause upgrades and updates -Although administrators can use deferral periods to stagger the rate at which deployments go out to their organization (which provides time to verify quality and address any issues), there may be cases where additional time is needed before an update is set to deploy to a machine, or group of machines. Windows Update for Business provides a means for administrators to *pause* updates and upgrades on a per-machine basis. This pause functionality ensures that no updates or upgrades will be made available for the specified machine; the machine will remain in this state until the machine is specifically “unpaused”, or when a period of five weeks (35 days) has passed, at which point updates are auto-resumed. -**Note**   -The five-week period ensures that pause functionality overlaps a possible subsequent Update Tuesday release. -  -**Note**   -Group Policy does not allow you to set a future "unpause” — administrators must actively select to unpause a deployment if they wish to do so before the time expiration. -  - ---- - - - - - - - - - - -

          Group Policy keys

          HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\Pause

          MDM

          -

          ./Vendor/MSFT/Update/DeferUpgrade

          Software\Microsoft\PolicyManager\current\Update\Pause

          -
            -
          • Values (bool): 0, 1

          • -
          -  -![figure 6](images/wuforbusiness-fig6-pause.png) - -## Create validation groups for deployments - -By grouping machines into similar deferral periods, administrators are able to cluster devices into deployment or validation groups which can be used as a quality control measure as updates are deployed in Windows 10. With deferral windows and the ability to pause, administrators can effectively control and measure update deployments by rolling out to a small pool of devices first to verify quality, prior to a broader roll-out to their organization. - -Administrators can establish validation groups to maintain a level of control over update/driver deployments which allows them to: -- Control the date, time, and frequency updates will be applied and devices rebooted -- Deploy a small set of machines to verify quality prior to broad roll-out -- Stage broad roll-out in waves to continue quality verification and minimize disruptions -- Manage membership of waves based on criteria defined by IT -- Halt and roll-back deployment of updates/drivers that may be causing trouble - -![figure 7](images/wuforbusiness-fig7-validationgroup.png) - -## Peer-to-peer networking for deployments - -Windows Update Delivery Optimization enables Windows Update for Business enrolled devices to download Windows updates and Windows Store apps from sources other than Microsoft. With multiple devices, Delivery Optimization can reduce the amount of Internet bandwidth that is required to keep all of your Windows Update for Business enrolled systems up to date. It can also help ensure that devices get updates and apps more quickly if they have a limited or unreliable Internet connection. - -In addition to downloading updates and apps from Microsoft, Windows will get updates and apps from other PCs that already have them. You can choose which PCs you get these updates from. 
- -### How Delivery Optimization works - -- **PCs on your local network.** When Windows downloads an update or app, it will look for other PCs on your local network that have already downloaded the update or app using Delivery Optimization. Windows then downloads parts of the file from those PCs and parts of the file from Microsoft. Windows doesn’t download the entire file from one place. Instead, the download is broken down into smaller parts. Windows uses the fastest, most reliable download source for each part of the file. -- **PCs on your local network and PCs on the Internet.** Windows uses the same process as when getting updates and apps from PCs on your local network, and also looks for PCs on the Internet that can be used as a source to download parts of updates and apps. - -### Delivery Optimization settings - -Delivery Optimization is turned on by default for the Enterprise and Education editions of Windows 10, where the default option is that updates will only be pulled and shared from PCs on your LAN and not the Internet. -Delivery Optimization configuration settings can be viewed by going to: Settings > Update and Security > Advanced Options > Choose how your updates are delivered - -![figure 8](images/wuforbusiness-fig8a-chooseupdates.png) - -## Use Group Policy to configure Windows Update Delivery Optimization - -You can use Group Policy to configure Windows Update Delivery Optimization. To do this, use the following steps: - -1. Download the [Administrative Templates (.admx) file for Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=699283) from the Microsoft Download Center. -2. Copy the following files to the SYSVOL central store: - - DeliveryOptimization.admx from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions - - DeliveryOptimization.adml from C:\\Program Files (x86)\\Microsoft Group Policy\\Windows 10\\PolicyDefinitions\\en-US -3. Start the Gpeditor tool. -4. 
Browse to the following location: - - Computer Configuration\\Administrative Templates\\Windows Components\\Delivery Optimization -5. Make the following Windows Update Delivery Optimization settings, as appropriate. - - ![figure 9](images/wuforbusiness-fig9-dosettings.jpg) - -**Virus-scan claim** - -Microsoft scanned this file for viruses, using the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to it. - -For more information about Windows Update Delivery Optimization in Windows 10, see the [Windows Update Delivery Optimization FAQ](https://go.microsoft.com/fwlink/p/?LinkId=699284). - -For additional resources, see [How to use Group Policy to configure Windows Update Delivery Optimization in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=699288). - -## Related topics - -[Windows Update for Business](windows-update-for-business.md) - -[Integration with management solutions](integration-with-management-solutions-.md) diff --git a/windows/plan/software-requirements-for-act.md b/windows/plan/software-requirements-for-act.md deleted file mode 100644 index d631eef7aa..0000000000 --- a/windows/plan/software-requirements-for-act.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Software Requirements for ACT (Windows 10) -description: The Application Compatibility Toolkit (ACT) has the following software requirements. -redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics ---- \ No newline at end of file diff --git a/windows/plan/software-requirements-for-rap.md b/windows/plan/software-requirements-for-rap.md deleted file mode 100644 index b9914238fc..0000000000 --- a/windows/plan/software-requirements-for-rap.md +++ /dev/null 
@@ -1,5 +0,0 @@
----
-title: Software Requirements for RAP (Windows 10)
-description: The runtime-analysis package (RAP) has the following software requirements.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/taking-inventory-of-your-organization.md b/windows/plan/taking-inventory-of-your-organization.md
deleted file mode 100644
index d199af1ab6..0000000000
--- a/windows/plan/taking-inventory-of-your-organization.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Taking Inventory of Your Organization (Windows 10)
-description: This section provides information about how to use the Application Compatibility Toolkit (ACT) to identify applications and devices that are installed in your organization.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/testing-compatibility-on-the-target-platform.md b/windows/plan/testing-compatibility-on-the-target-platform.md
deleted file mode 100644
index 9ba06e8cb3..0000000000
--- a/windows/plan/testing-compatibility-on-the-target-platform.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Testing Compatibility on the Target Platform (Windows 10)
-description: This section provides information about setting up a test environment for compatibility testing, and about creating and deploying runtime-analysis packages to the test environment.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-act-database-issues.md b/windows/plan/troubleshooting-act-database-issues.md
deleted file mode 100644
index e0fb05fd2a..0000000000
--- a/windows/plan/troubleshooting-act-database-issues.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting ACT Database Issues (Windows 10)
-description: The following solutions may help you resolve issues that are related to your Microsoft® SQL Server® database for the Application Compatibility Toolkit (ACT).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-act.md b/windows/plan/troubleshooting-act.md
deleted file mode 100644
index 1366988ae6..0000000000
--- a/windows/plan/troubleshooting-act.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting ACT (Windows 10)
-description: This section provides troubleshooting information for the Application Compatibility Toolkit (ACT).
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-the-act-configuration-wizard.md b/windows/plan/troubleshooting-the-act-configuration-wizard.md
deleted file mode 100644
index 08200ff49f..0000000000
--- a/windows/plan/troubleshooting-the-act-configuration-wizard.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting the ACT Configuration Wizard (Windows 10)
-description: When you start Application Compatibility Manager (ACM) for the first time, the Application Compatibility Toolkit (ACT) Configuration Wizard appears.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/troubleshooting-the-act-log-processing-service.md b/windows/plan/troubleshooting-the-act-log-processing-service.md
deleted file mode 100644
index 5f338b3141..0000000000
--- a/windows/plan/troubleshooting-the-act-log-processing-service.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Troubleshooting the ACT Log Processing Service (Windows 10)
-description: The following solutions may help you resolve issues that are related to the Application Compatibility Toolkit (ACT) Log Processing Service.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/using-act.md b/windows/plan/using-act.md
deleted file mode 100644
index 3e3ffff7d2..0000000000
--- a/windows/plan/using-act.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Using ACT (Windows 10)
-description: This section describes how to use the Application Compatibility Toolkit (ACT) in your organization.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/using-compatibility-monitor-to-send-feedback.md b/windows/plan/using-compatibility-monitor-to-send-feedback.md
deleted file mode 100644
index c5e20c52ba..0000000000
--- a/windows/plan/using-compatibility-monitor-to-send-feedback.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Using Compatibility Monitor to Send Feedback (Windows 10)
-description: The Microsoft Compatibility Monitor tool is installed as part of the runtime-analysis package.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/viewing-your-compatibility-reports.md b/windows/plan/viewing-your-compatibility-reports.md
deleted file mode 100644
index 57ba7d07a9..0000000000
--- a/windows/plan/viewing-your-compatibility-reports.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Viewing Your Compatibility Reports (Windows 10)
-description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/websiteurl-dialog-box.md b/windows/plan/websiteurl-dialog-box.md
deleted file mode 100644
index e07214a067..0000000000
--- a/windows/plan/websiteurl-dialog-box.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: WebsiteURL Dialog Box (Windows 10)
-description: In Application Compatibility Manager (ACM), the websiteURL dialog box shows information about the selected website.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/welcome-to-act.md b/windows/plan/welcome-to-act.md
deleted file mode 100644
index b4ef6d3088..0000000000
--- a/windows/plan/welcome-to-act.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: Welcome to ACT (Windows 10)
-description: The Application Compatibility Toolkit (ACT) helps you determine whether the applications, devices, and computers in your organization are compatible with versions of the Windows® operating system.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/whats-new-in-act-60.md b/windows/plan/whats-new-in-act-60.md
deleted file mode 100644
index 89d6afdf1c..0000000000
--- a/windows/plan/whats-new-in-act-60.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-title: What's New in ACT 6.1 (Windows 10)
-description: Two major updates have been released since ACT 6.1.
-redirect_url: https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics
----
\ No newline at end of file
diff --git a/windows/plan/windows-10-enterprise-faq-itpro.md b/windows/plan/windows-10-enterprise-faq-itpro.md new file mode 100644 index 0000000000..60a48fef2f --- /dev/null +++ b/windows/plan/windows-10-enterprise-faq-itpro.md 
@@ -0,0 +1,127 @@
+---
+title: Windows 10 Enterprise FAQ for IT pros (Windows 10)
+description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing branches, deployment tools
+ms.prod: w10
+ms.mktglfcycl: plan
+localizationpriority: high
+ms.sitesec: library
+author:
+---
+
+# Windows 10 Enterprise: FAQ for IT professionals
+
+Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise.
+
+## Download and requirements
+
+### Where can I download Windows 10 Enterprise?
+
+If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you do not have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/en-us/Licensing/how-to-buy/how-to-buy.aspx).
+
+### What are the system requirements?
+
+For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
+
+### What are the hardware requirements for Windows 10?
+
+Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. See [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications) for more information.
+
+### Can I evaluate Windows 10 Enterprise?
+
+Yes, a 90-day evaluation of Windows 10 Enterprise is available through the [TechNet Evaluation Center](https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise). The evaluation is available in Chinese (Simplified), Chinese (Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), and Spanish (Spain, International Sort). We highly recommend that organizations make use of the Windows 10 Enterprise 90-day Evaluation to try out deployment and management scenarios, test compatibility with hardware and applications, and to get hands on experience with Windows 10 Enterprise features.
+
+## Drivers and compatibility
+
+### Where can I find drivers for my devices for Windows 10 Enterprise?
+
+For many devices, drivers will be automatically installed in Windows 10 and there will be no need for additional action.
+- For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers are not automatically installed, visit the manufacturer’s support website for your device to download and manually install the drivers. If Windows 10 drivers are not available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10.
+- For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable additional functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability.
+- Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft System Center Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer.
Driver packs for some common manufacturers include:
+ - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
+ - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
+ - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
+
+### Where can I find out if an application or device is compatible with Windows 10?
+
+Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices. The [Ready for Windows](https://www.readyforwindows.com/) website lists software solutions that are supported and in use for Windows 10. You can find additional guidance to help with application compatibility at [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793) on the Windows IT Center.
+
+### Is there an easy way to assess if my organization’s devices are ready to upgrade to Windows 10?
+
+[Windows Analytics Upgrade Readiness](https://technet.microsoft.com/itpro/windows/deploy/manage-windows-upgrades-with-upgrade-analytics) (formerly known as Upgrade Analytics) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without additional infrastructure requirements. This new service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects. You can find additional product information at [Windows Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/Windows-Analytics).
+
+## Administration and deployment
+
+### Which deployment tools support Windows 10?
+
+Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
+- [MDT](http://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment.
+- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [System Center Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center.
+- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
+
+### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
+
+Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with System Center Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-system-center-configuraton-manager) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](https://technet.microsoft.com/itpro/windows/deploy/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit).
+
+### Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
+
+If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you are entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+
+For devices that are licensed under a volume license agreement for Windows that does not include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
+
+## Managing updates
+
+### What is Windows as a service?
+
+The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview).
+
+### How is servicing different with Windows as a service?
+
+Traditional Windows servicing has included several release types: major revisions (e.g., the Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
+
+### What are the servicing branches?
+
+To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing branches to allow customers to designate how aggressively their individual devices are updated.
For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers three servicing branches for Windows 10: Current Branch (CB), Current Branch for Business (CBB), and Long-Term Servicing Branch (LTSB). For details about the versions in each servicing branch, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each branch, see [servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches).
+
+### What tools can I use to manage Windows as a service updates?
+
+There are many tools are available. You can choose from these:
+- Windows Update
+- Windows Update for Business
+- Windows Server Update Services
+- System Center Configuration Manager
+
+For more information on pros and cons for these tools, see [Servicing Tools](https://technet.microsoft.com/itpro/windows/manage/waas-overview#servicing-branches).
+
+## User experience
+
+### Where can I find information about new features and changes in Windows 10 Enterprise?
+
+For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index) and [What's new in Windows 10, version 1703](https://tnstage.redmond.corp.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1703?branch=rs2) in the TechNet library.
+
+Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you’ll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
+
+To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
+
+### How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
+
+Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1. To help you make the transition a seamless one, download the [Windows 10 for Business Onboarding Kit](https://blogs.technet.microsoft.com/windowsitpro/2016/06/28/windows-10-for-business-onboarding-kit/) and see our [end user readiness](https://technet.microsoft.com/windows/dn621092) resources.
+
+### How does Windows 10 help people work with applications and data across a variety of devices?
+
+The desktop experience in Windows 10 has been improved to provide a better experience for people that use a traditional mouse and keyboard. Key changes include:
+- Start menu is a launching point for access to apps.
+- Universal apps now open in windows instead of full screen.
+- [Multitasking is improved with adjustable Snap](http://blogs.windows.com/bloggingwindows/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged.
+- Tablet Mode to simplify using Windows with a finger or pen by using touch input.
+
+## Help and support
+
+### Where can I ask a question about Windows 10?
+
+Use the following resources for additional information about Windows 10.
+- If you are an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. +- If you are an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](http://answers.microsoft.com/windows/forum/windows_10). +- If you are a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev) or [Windows and Windows phone apps forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsapps) on MSDN. +- If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home) on TechNet. \ No newline at end of file diff --git a/windows/plan/windows-10-guidance-for-education-environments.md b/windows/plan/windows-10-guidance-for-education-environments.md deleted file mode 100644 index f4ce0e1a32..0000000000 --- a/windows/plan/windows-10-guidance-for-education-environments.md +++ /dev/null @@ -1,39 +0,0 @@ ---- -title: Guidance for education environments (Windows 10) -description: Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. -redirect_url: https://technet.microsoft.com/edu/windows/index -ms.assetid: 225C9D6F-9329-4DDF-B447-6CE7804E314E -ms.prod: w10 -ms.mktglfcycl: plan -ms.sitesec: library -ms.pagetype: edu, security -author: craigash ---- - -# Guidance for education environments - -Find resources to help you plan your deployment of Windows 10 to desktops, laptops, tablets, and other devices in educational institutions. - -## In this section - - ---- - - - - - - - - - - - - -
          TopicDescription

          [Chromebook migration guide](chromebook-migration-guide.md)

          In this guide you will learn how to migrate a Google Chromebook-based learning environment to a Windows 10-based learning environment. You will learn how to perform the necessary planning steps, including Windows device deployment, migration of user and device settings, app migration or replacement, and cloud storage migration. You will then learn the best method to perform the migration by using automated deployment and migration tools.

          -  -  -  diff --git a/windows/plan/windows-10-servicing-options.md b/windows/plan/windows-10-servicing-options.md deleted file mode 100644 index 8ad9c29c5a..0000000000 --- a/windows/plan/windows-10-servicing-options.md +++ /dev/null 
@@ -1,79 +0,0 @@
----
-title: Windows 10 servicing overview (Windows 10)
-description: Windows 10 provides a new model for organizations to deploy and upgrade Windows by providing updates to features and capabilities through a continual process.
-ms.assetid: 6EF0792C-B587-497D-8489-4A7F5848D92A
-keywords: deploy, upgrade, update, servicing
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: servicing
-ms.sitesec: library
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview
----
-
-# Windows 10 servicing overview
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-This topic provides an overview of the new servicing model for Windows 10. For more detailed information about this model, refer to [Windows 10 servicing options](../manage/introduction-to-windows-10-servicing.md).
-
-## The Windows servicing model
-
-Traditionally, new versions of Windows have been released every few years. The deployment of those new versions within an organization would then become a project, either by leveraging a "wipe and load" process to deploy the new operating system version to existing computers, or by migrating to the new operating system version as part of the hardware replacement cycle. Either way, a significant amount of time and effort was required to complete these tasks.
-
-With Windows 10, a new model is being adopted. This new model, referred to as "Windows as a service," requires organizations to rethink how they deploy and upgrade Windows. It is no longer a project that happens every few years, it is a continual process.
-
-## Windows as a service
-
-Instead of new features being added only in new releases that happen every few years, the goal of Windows as a service is to continually provide new capabilities. New features are provided or updated two to three times per year, while maintaining a high level of hardware and application compatibility.
-
-This new model uses simpler deployment methods, reducing the overall amount of effort required for Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a traditional deployment project is spread across a broad period of time.
-
-## Windows 10 servicing branches
-
-The concept of branching goes back many years, and represents how Windows has traditionally been written and serviced. Each release of Windows was from a particular branch of the Windows code, and updates would be made to that release for the lifecycle of that release. This concept still applies now with Windows 10, but is much more visible because it is incorporated directly into the servicing model.
-
-Microsoft has implemented the following new servicing options in Windows 10:
-
-**Windows Insider Program**: To see new features before they are released, to provide feedback on those new features, and to initially validate compatibility with existing applications and hardware, a small number of PCs can leverage the Windows Insider Program branch. These are typically dedicated lab machines used for IT testing, secondary PCs used by IT administrators, and other non-critical devices.
          -**Current Branch (CB)**: For early adopters, IT teams, and other broader piloting groups, the Current Branch (CB) can be used to further validate application compatibility and newly-released features.
          -**Current Branch for Business (CBB)**. For the majority of people in an organization, the Current Branch for Business (CBB) allows for a staged deployment of new features over a longer period of time.
          -**Long-Term Servicing Branch (LTSB)**: For critical or specialized devices (for example, operation of factory floor machinery, point-of-sale systems, automated teller machines), the Long-Term Servicing Branch (LTSB) provides a version of Windows 10 Enterprise that receives no new features, while continuing to be supported with security and other updates for a long time. (Note that the Long-Term Servicing Branch is a separate Windows 10 Enterprise image, with many in-box apps, including Microsoft Edge, Cortana, and Windows Store, removed.)
          -![branches](images/branch.png) - -These servicing options provide pragmatic solutions to keep more devices more current in enterprise environments than was previously possible. Most organizations will leverage all of these choices, with the mix determined by how individual PCs are used. Some examples are shown in the table below: - -| Industry | Windows Insider Program | Current Branch | Current Branch for Business | Long-Term Servicing Branch | -|--------------------|-------------------------|----------------|-----------------------------|----------------------------| -| Retail | <1% | 10% | 60% | 30% | -| Manufacturing | <1% | 10% | 55% | 45% | -| Pharmaceuticals | <1% | 10% | 50% | 40% | -| Consulting | 10% | 50% | 35% | 5% | -| Software developer | 30% | 60% | 5% | 5% | -
          -Because every organization is different, the exact breakdown will vary even within a specific industry. The examples shown above should not be taken as specific recommendations. To determine the appropriate mix for a specific organization, profile how individual PCs are used within the organization, and target them with the appropriate branch.
-
-- Retailers often have critical devices (for example, point-of-sale systems) in stores which results in higher percentages of PCs on the Long-Term Servicing Branch. But those used by information workers in support of the retail operations would leverage Current Branch for Business to receive new features.
-
-- Manufacturers typically have critical devices (for example, control systems) in factories; these are also good candidates for the Long-Term Servicing Branch. But as with retailers, information workers that support those factories are better suited to the Current Branch for Business.
-
-- Pharmaceutical firms often have regulatory requirements for PCs used for the development of their products, which are best satisfied by using Long-Term Servicing Branch. But not all PCs are subject to these regulatory requirements; those that are not can use the Current Branch for Business.
-
-- Consulting firms want their employees to have the latest functionality so they can be as productive as possible. They also want to develop expertise with new capabilities as soon as possible, hence more emphasis on Current Branch. But they also have information workers that provide services to the consultants; these workers can leverage Current Branch for Business.
-
-- Software developers typically work on software that will release in conjunction with a new Windows upgrade. To enable that, a significant percentage of developers may use the Windows Insider Program preview branch for initial efforts, which shifts to Current Branch as development progresses.
-
-Note that there are few, if any, scenarios where an entire organization would use the Long-Term Servicing Branch for all PCs – or even for a majority of them.
-
-With these new servicing options, Microsoft streamlined the Windows product engineering and release cycle so that Microsoft can deliver new features, experiences, and functionality more quickly than ever. Microsoft also created new ways to deliver and install feature upgrades and servicing updates that simplify deployments and on-going management, broaden the base of employees who can be kept current with the latest Windows capabilities and experiences, and lower total cost of ownership.
-
-Windows 10 enables organizations to fulfill the desire to provide users with the latest features while balancing the need for manageability and cost control. To keep pace with technology, there are good business reasons to keep a significant portion of your enterprise's devices *current* with the latest release of Windows.
-
-## Related topics
-
-[Windows 10 release information](https://technet.microsoft.com/windows/release-info)
          -[Windows 10 deployment considerations](windows-10-deployment-considerations.md)
          -[Windows 10 compatibility](windows-10-compatibility.md)
          -[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)
\ No newline at end of file
diff --git a/windows/plan/windows-update-for-business.md b/windows/plan/windows-update-for-business.md
deleted file mode 100644
index 87315ba806..0000000000
--- a/windows/plan/windows-update-for-business.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Windows Update for Business (Windows 10)
-description: Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems.
-ms.assetid: DF61F8C9-A8A6-4E83-973C-8ABE090DB8C6
-keywords: update, upgrade, deployment, WSUS
-ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
-ms.pagetype: servicing; devices
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb
----
-
-# Windows Update for Business
-
-**Applies to**
-- Windows 10
-
-Get an overview of how you can implement and deploy a Windows Update for Business solution and how to maintain enrolled systems.
-
-## Introduction
-
-Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing:
-- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met).
-- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
-- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281).
- -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://go.microsoft.com/fwlink/p/?LinkId=734043) and [System Center Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=734044). - -## Deploy Windows Update for Business in your organization - -For Windows 10, version 1511, Windows Update for Business is enabled using a set of client-side configurations, allowing you to manage how and when Windows-based devices receive updates and upgrades. These capabilities use the Windows Update service like any other Windows 10 clients, but provides controls to help businesses validate update quality as well as time their update deployments to machines through the use of Group Policy Objects. Windows Update for Business also incorporates smart peer-to-peer networking for distribution of Windows updates, which will help maintain bandwidth efficiency in the absence of a WSUS solution. - -## Eligible devices - -All devices running Windows 10 Pro, Enterprise, and Education on the Current Branch for Business (CBB) are Windows Update for Business eligible. - -## OS upgrades and updates - -In Windows 10, Windows Update for Business recognizes three deployment categories that clients receive from Windows Update: -- **Upgrades** - - Examples: Windows 10 (Build 10240) to Windows 10, version 1511; CBB 1 to CBB 2 - **Note**   - In the Windows 10 servicing model, new CBBs will be declared 2-3 times per year. -   -- **Updates** - - General OS updates, typically released the second Tuesday of each month. 
These include Security, Critical, and Driver updates. -- **Other/non-deferrable** - - Definition updates (these cannot be deferred) -Both upgrades and updates can be deferred from deployment to client machines by a Windows Update for Business administrator within a bounded rage of time from when those updates are first made available on the Windows Update service. This deferral capability allows administrators to validate deployments as they are pushed to all their Windows Update for Business enrolled clients. The following table defines maximum deferral periods allowed by deployment type: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          CategoryMaximum deferralDeferral incrementsClassification typeClassification GUID
          OS upgrades8 months1 monthUpgrade3689BDC8-B205-4AF4-8D4A-A63924C5E9D5
          OS updates4 weeks1 weekSecurity updates0FA1201D-4330-4FA8-8AE9-B877473B6441
          DriversEBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
          UpdatesCD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
          Other/non-deferrableNo deferralNo deferralDefinition updatesE0789628-CE08-4437-BE74-2495B842F43B
          -
-
-## Related topics
-
-[Setup and deployment](setup-and-deployment.md)
-
-[Integration with management solutions](integration-with-management-solutions-.md)
-
-[Windows 10 servicing options for updates and upgrades](../manage/introduction-to-windows-10-servicing.md)
diff --git a/windows/update/TOC.md b/windows/update/TOC.md
new file mode 100644
index 0000000000..b16ed8c89e
--- /dev/null
+++ b/windows/update/TOC.md
@@ -0,0 +1,26 @@
+# [Update Windows 10](index.md)
+## [Quick guide to Windows as a service](waas-quick-start.md)
+## [Overview of Windows as a service](waas-overview.md)
+## [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+## [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+## [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+## [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md)
+### [Get started with Update Compliance](update-compliance-get-started.md)
+### [Use Update Compliance](update-compliance-using.md)
+## [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+### [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
+### [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
+## [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+## [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+### [Configure Windows Update for Business](waas-configure-wufb.md)
+### [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
+### [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
+### [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
+## [Manage Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
+## [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
+## [Manage device restarts after updates](waas-restart.md)
+## [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+### [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+### [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
+## [Change history for Update Windows 10](change-history-for-update-windows-10.md)
+
diff --git a/windows/update/change-history-for-update-windows-10.md b/windows/update/change-history-for-update-windows-10.md
new file mode 100644
index 0000000000..97ece9af22
--- /dev/null
+++ b/windows/update/change-history-for-update-windows-10.md
@@ -0,0 +1,21 @@
+---
+title: Change history for Update Windows 10 (Windows 10)
+description: This topic lists new and updated topics in the Update Windows 10 documentation for Windows 10 and Windows 10 Mobile.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+---
+
+# Change history for Update Windows 10
+
+This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
+
+>If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history).
+
+## RELEASE: Windows 10, version 1703
+
+The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
+* [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
\ No newline at end of file
diff --git a/windows/update/images/ActionCenterXML.jpg b/windows/update/images/ActionCenterXML.jpg
new file mode 100644
index 0000000000..b9832b2708
Binary files /dev/null and b/windows/update/images/ActionCenterXML.jpg differ
diff --git a/windows/update/images/AppsXML.jpg b/windows/update/images/AppsXML.jpg new file mode 100644 index 0000000000..ecc1869bb5 Binary files /dev/null and b/windows/update/images/AppsXML.jpg differ diff --git a/windows/update/images/AppsXML.png b/windows/update/images/AppsXML.png new file mode 100644 index 0000000000..3981543264 Binary files /dev/null and b/windows/update/images/AppsXML.png differ diff --git a/windows/update/images/ButtonsXML.jpg b/windows/update/images/ButtonsXML.jpg new file mode 100644 index 0000000000..238eca7e68 Binary files /dev/null and b/windows/update/images/ButtonsXML.jpg differ diff --git a/windows/update/images/CSPRunnerXML.jpg b/windows/update/images/CSPRunnerXML.jpg new file mode 100644 index 0000000000..071b316a9e Binary files /dev/null and b/windows/update/images/CSPRunnerXML.jpg differ diff --git a/windows/update/images/ICDstart-option.PNG b/windows/update/images/ICDstart-option.PNG new file mode 100644 index 0000000000..1ba49bb261 Binary files /dev/null and b/windows/update/images/ICDstart-option.PNG differ diff --git a/windows/update/images/MenuItemsXML.png b/windows/update/images/MenuItemsXML.png new file mode 100644 index 0000000000..cc681250bb Binary files /dev/null and b/windows/update/images/MenuItemsXML.png differ diff --git a/windows/update/images/SettingsXML.png b/windows/update/images/SettingsXML.png new file mode 100644 index 0000000000..98a324bdea Binary files /dev/null and b/windows/update/images/SettingsXML.png differ diff --git a/windows/update/images/StartGrid.jpg b/windows/update/images/StartGrid.jpg new file mode 100644 index 0000000000..36136f3201 Binary files /dev/null and b/windows/update/images/StartGrid.jpg differ diff --git a/windows/update/images/StartGridPinnedApps.jpg b/windows/update/images/StartGridPinnedApps.jpg new file mode 100644 index 0000000000..fbade52f53 Binary files /dev/null and b/windows/update/images/StartGridPinnedApps.jpg differ 
diff --git a/windows/update/images/TilesXML.png b/windows/update/images/TilesXML.png new file mode 100644 index 0000000000..cec52bbbf7 Binary files /dev/null and b/windows/update/images/TilesXML.png differ diff --git a/windows/update/images/aadj1.jpg b/windows/update/images/aadj1.jpg new file mode 100644 index 0000000000..2348fc4c84 Binary files /dev/null and b/windows/update/images/aadj1.jpg differ diff --git a/windows/update/images/aadj2.jpg b/windows/update/images/aadj2.jpg new file mode 100644 index 0000000000..39486bfc66 Binary files /dev/null and b/windows/update/images/aadj2.jpg differ diff --git a/windows/update/images/aadj3.jpg b/windows/update/images/aadj3.jpg new file mode 100644 index 0000000000..80e1f5762f Binary files /dev/null and b/windows/update/images/aadj3.jpg differ diff --git a/windows/update/images/aadj4.jpg b/windows/update/images/aadj4.jpg new file mode 100644 index 0000000000..0db2910012 Binary files /dev/null and b/windows/update/images/aadj4.jpg differ diff --git a/windows/update/images/aadjbrowser.jpg b/windows/update/images/aadjbrowser.jpg new file mode 100644 index 0000000000..c8d909688e Binary files /dev/null and b/windows/update/images/aadjbrowser.jpg differ diff --git a/windows/update/images/aadjcal.jpg b/windows/update/images/aadjcal.jpg new file mode 100644 index 0000000000..1858886f5f Binary files /dev/null and b/windows/update/images/aadjcal.jpg differ diff --git a/windows/update/images/aadjcalmail.jpg b/windows/update/images/aadjcalmail.jpg new file mode 100644 index 0000000000..5a5661259a Binary files /dev/null and b/windows/update/images/aadjcalmail.jpg differ diff --git a/windows/update/images/aadjmail1.jpg b/windows/update/images/aadjmail1.jpg new file mode 100644 index 0000000000..89b1fcc3b7 Binary files /dev/null and b/windows/update/images/aadjmail1.jpg differ 
diff --git a/windows/update/images/aadjmail2.jpg b/windows/update/images/aadjmail2.jpg new file mode 100644 index 0000000000..0608010c6a Binary files /dev/null and b/windows/update/images/aadjmail2.jpg differ diff --git a/windows/update/images/aadjmail3.jpg b/windows/update/images/aadjmail3.jpg new file mode 100644 index 0000000000..d7154a7e0e Binary files /dev/null and b/windows/update/images/aadjmail3.jpg differ diff --git a/windows/update/images/aadjonedrive.jpg b/windows/update/images/aadjonedrive.jpg new file mode 100644 index 0000000000..6fb1196d5f Binary files /dev/null and b/windows/update/images/aadjonedrive.jpg differ diff --git a/windows/update/images/aadjonenote.jpg b/windows/update/images/aadjonenote.jpg new file mode 100644 index 0000000000..4ccd207f9f Binary files /dev/null and b/windows/update/images/aadjonenote.jpg differ diff --git a/windows/update/images/aadjonenote2.jpg b/windows/update/images/aadjonenote2.jpg new file mode 100644 index 0000000000..1b6941e638 Binary files /dev/null and b/windows/update/images/aadjonenote2.jpg differ diff --git a/windows/update/images/aadjonenote3.jpg b/windows/update/images/aadjonenote3.jpg new file mode 100644 index 0000000000..3ac6911046 Binary files /dev/null and b/windows/update/images/aadjonenote3.jpg differ diff --git a/windows/update/images/aadjpin.jpg b/windows/update/images/aadjpin.jpg new file mode 100644 index 0000000000..dac6cfec30 Binary files /dev/null and b/windows/update/images/aadjpin.jpg differ diff --git a/windows/update/images/aadjppt.jpg b/windows/update/images/aadjppt.jpg new file mode 100644 index 0000000000..268d5fe662 Binary files /dev/null and b/windows/update/images/aadjppt.jpg differ diff --git a/windows/update/images/aadjverify.jpg b/windows/update/images/aadjverify.jpg new file mode 100644 index 0000000000..7b30210f39 Binary files /dev/null and b/windows/update/images/aadjverify.jpg differ 
diff --git a/windows/update/images/aadjword.jpg b/windows/update/images/aadjword.jpg new file mode 100644 index 0000000000..db2a58406e Binary files /dev/null and b/windows/update/images/aadjword.jpg differ diff --git a/windows/update/images/aadjwsfb.jpg b/windows/update/images/aadjwsfb.jpg new file mode 100644 index 0000000000..428f1a26d4 Binary files /dev/null and b/windows/update/images/aadjwsfb.jpg differ diff --git a/windows/update/images/admin-tools-folder.png b/windows/update/images/admin-tools-folder.png new file mode 100644 index 0000000000..4831204f73 Binary files /dev/null and b/windows/update/images/admin-tools-folder.png differ diff --git a/windows/update/images/admin-tools.png b/windows/update/images/admin-tools.png new file mode 100644 index 0000000000..1470cffdd5 Binary files /dev/null and b/windows/update/images/admin-tools.png differ diff --git a/windows/update/images/allow-rdp.png b/windows/update/images/allow-rdp.png new file mode 100644 index 0000000000..55c13b53bc Binary files /dev/null and b/windows/update/images/allow-rdp.png differ diff --git a/windows/update/images/app-v-in-adk.png b/windows/update/images/app-v-in-adk.png new file mode 100644 index 0000000000..a36ef9f00f Binary files /dev/null and b/windows/update/images/app-v-in-adk.png differ diff --git a/windows/update/images/apprule.png b/windows/update/images/apprule.png new file mode 100644 index 0000000000..ec5417849a Binary files /dev/null and b/windows/update/images/apprule.png differ diff --git a/windows/update/images/appwarning.png b/windows/update/images/appwarning.png new file mode 100644 index 0000000000..877d8afebd Binary files /dev/null and b/windows/update/images/appwarning.png differ diff --git a/windows/update/images/backicon.png b/windows/update/images/backicon.png new file mode 100644 index 0000000000..3007e448b1 Binary files /dev/null and b/windows/update/images/backicon.png differ 
diff --git a/windows/update/images/checklistbox.gif b/windows/update/images/checklistbox.gif new file mode 100644 index 0000000000..cbcf4a4f11 Binary files /dev/null and b/windows/update/images/checklistbox.gif differ diff --git a/windows/update/images/checklistdone.png b/windows/update/images/checklistdone.png new file mode 100644 index 0000000000..7e53f74d0e Binary files /dev/null and b/windows/update/images/checklistdone.png differ diff --git a/windows/update/images/checkmark.png b/windows/update/images/checkmark.png new file mode 100644 index 0000000000..f9f04cd6bd Binary files /dev/null and b/windows/update/images/checkmark.png differ diff --git a/windows/update/images/choose-package.png b/windows/update/images/choose-package.png new file mode 100644 index 0000000000..2bf7a18648 Binary files /dev/null and b/windows/update/images/choose-package.png differ diff --git a/windows/update/images/config-policy.png b/windows/update/images/config-policy.png new file mode 100644 index 0000000000..b9cba70af6 Binary files /dev/null and b/windows/update/images/config-policy.png differ diff --git a/windows/update/images/config-source.png b/windows/update/images/config-source.png new file mode 100644 index 0000000000..58938bacf7 Binary files /dev/null and b/windows/update/images/config-source.png differ diff --git a/windows/update/images/configconflict.png b/windows/update/images/configconflict.png new file mode 100644 index 0000000000..011a2d76e7 Binary files /dev/null and b/windows/update/images/configconflict.png differ diff --git a/windows/update/images/connect-aad.png b/windows/update/images/connect-aad.png new file mode 100644 index 0000000000..8583866165 Binary files /dev/null and b/windows/update/images/connect-aad.png differ diff --git a/windows/update/images/copy-to-change.png b/windows/update/images/copy-to-change.png new file mode 100644 index 0000000000..21aa250c0c Binary files /dev/null and b/windows/update/images/copy-to-change.png differ 
diff --git a/windows/update/images/copy-to-path.png b/windows/update/images/copy-to-path.png new file mode 100644 index 0000000000..1ef00fc86b Binary files /dev/null and b/windows/update/images/copy-to-path.png differ diff --git a/windows/update/images/copy-to.PNG b/windows/update/images/copy-to.PNG new file mode 100644 index 0000000000..dad84cedc8 Binary files /dev/null and b/windows/update/images/copy-to.PNG differ diff --git a/windows/update/images/cortana-about-me.png b/windows/update/images/cortana-about-me.png new file mode 100644 index 0000000000..32c1ccefab Binary files /dev/null and b/windows/update/images/cortana-about-me.png differ diff --git a/windows/update/images/cortana-add-reminder.png b/windows/update/images/cortana-add-reminder.png new file mode 100644 index 0000000000..3f03528e11 Binary files /dev/null and b/windows/update/images/cortana-add-reminder.png differ diff --git a/windows/update/images/cortana-chicago-weather.png b/windows/update/images/cortana-chicago-weather.png new file mode 100644 index 0000000000..9273bf201b Binary files /dev/null and b/windows/update/images/cortana-chicago-weather.png differ diff --git a/windows/update/images/cortana-complete-send-email-coworker-mic.png b/windows/update/images/cortana-complete-send-email-coworker-mic.png new file mode 100644 index 0000000000..3238c8d31d Binary files /dev/null and b/windows/update/images/cortana-complete-send-email-coworker-mic.png differ diff --git a/windows/update/images/cortana-connect-crm.png b/windows/update/images/cortana-connect-crm.png new file mode 100644 index 0000000000..c70c42f75e Binary files /dev/null and b/windows/update/images/cortana-connect-crm.png differ diff --git a/windows/update/images/cortana-connect-o365.png b/windows/update/images/cortana-connect-o365.png new file mode 100644 index 0000000000..df1ffa449b Binary files /dev/null and b/windows/update/images/cortana-connect-o365.png differ 
diff --git a/windows/update/images/cortana-connect-uber.png b/windows/update/images/cortana-connect-uber.png new file mode 100644 index 0000000000..724fecb5b5 Binary files /dev/null and b/windows/update/images/cortana-connect-uber.png differ diff --git a/windows/update/images/cortana-crm-screen.png b/windows/update/images/cortana-crm-screen.png new file mode 100644 index 0000000000..ded5d80a59 Binary files /dev/null and b/windows/update/images/cortana-crm-screen.png differ diff --git a/windows/update/images/cortana-feedback.png b/windows/update/images/cortana-feedback.png new file mode 100644 index 0000000000..6e14018c98 Binary files /dev/null and b/windows/update/images/cortana-feedback.png differ diff --git a/windows/update/images/cortana-final-reminder.png b/windows/update/images/cortana-final-reminder.png new file mode 100644 index 0000000000..f114e058e5 Binary files /dev/null and b/windows/update/images/cortana-final-reminder.png differ diff --git a/windows/update/images/cortana-meeting-specific-time.png b/windows/update/images/cortana-meeting-specific-time.png new file mode 100644 index 0000000000..a108355133 Binary files /dev/null and b/windows/update/images/cortana-meeting-specific-time.png differ diff --git a/windows/update/images/cortana-meeting-tomorrow.png b/windows/update/images/cortana-meeting-tomorrow.png new file mode 100644 index 0000000000..13273b6600 Binary files /dev/null and b/windows/update/images/cortana-meeting-tomorrow.png differ diff --git a/windows/update/images/cortana-newyork-weather.png b/windows/update/images/cortana-newyork-weather.png new file mode 100644 index 0000000000..b3879737be Binary files /dev/null and b/windows/update/images/cortana-newyork-weather.png differ diff --git a/windows/update/images/cortana-o365-screen.png b/windows/update/images/cortana-o365-screen.png new file mode 100644 index 0000000000..ba06dd6de5 Binary files /dev/null and b/windows/update/images/cortana-o365-screen.png differ 
diff --git a/windows/update/images/cortana-place-reminder.png b/windows/update/images/cortana-place-reminder.png new file mode 100644 index 0000000000..89ccdab3e3 Binary files /dev/null and b/windows/update/images/cortana-place-reminder.png differ diff --git a/windows/update/images/cortana-powerbi-create-report.png b/windows/update/images/cortana-powerbi-create-report.png new file mode 100644 index 0000000000..a22789d72a Binary files /dev/null and b/windows/update/images/cortana-powerbi-create-report.png differ diff --git a/windows/update/images/cortana-powerbi-expand-nav.png b/windows/update/images/cortana-powerbi-expand-nav.png new file mode 100644 index 0000000000..c8b47943f9 Binary files /dev/null and b/windows/update/images/cortana-powerbi-expand-nav.png differ diff --git a/windows/update/images/cortana-powerbi-field-selection.png b/windows/update/images/cortana-powerbi-field-selection.png new file mode 100644 index 0000000000..8aef58c23a Binary files /dev/null and b/windows/update/images/cortana-powerbi-field-selection.png differ diff --git a/windows/update/images/cortana-powerbi-getdata-samples.png b/windows/update/images/cortana-powerbi-getdata-samples.png new file mode 100644 index 0000000000..3bfa4792df Binary files /dev/null and b/windows/update/images/cortana-powerbi-getdata-samples.png differ diff --git a/windows/update/images/cortana-powerbi-getdata.png b/windows/update/images/cortana-powerbi-getdata.png new file mode 100644 index 0000000000..55b7b61589 Binary files /dev/null and b/windows/update/images/cortana-powerbi-getdata.png differ diff --git a/windows/update/images/cortana-powerbi-myreport.png b/windows/update/images/cortana-powerbi-myreport.png new file mode 100644 index 0000000000..cc04d9c6f0 Binary files /dev/null and b/windows/update/images/cortana-powerbi-myreport.png differ 
diff --git a/windows/update/images/cortana-powerbi-pagesize.png b/windows/update/images/cortana-powerbi-pagesize.png new file mode 100644 index 0000000000..fd1c1ef917 Binary files /dev/null and b/windows/update/images/cortana-powerbi-pagesize.png differ diff --git a/windows/update/images/cortana-powerbi-report-qna.png b/windows/update/images/cortana-powerbi-report-qna.png new file mode 100644 index 0000000000..d17949aa8a Binary files /dev/null and b/windows/update/images/cortana-powerbi-report-qna.png differ diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png new file mode 100644 index 0000000000..5b94a2e2fc Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-dashboard.png differ diff --git a/windows/update/images/cortana-powerbi-retail-analysis-dataset.png b/windows/update/images/cortana-powerbi-retail-analysis-dataset.png new file mode 100644 index 0000000000..b2ffec3b70 Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-dataset.png differ diff --git a/windows/update/images/cortana-powerbi-retail-analysis-sample.png b/windows/update/images/cortana-powerbi-retail-analysis-sample.png new file mode 100644 index 0000000000..e3b61dcaa2 Binary files /dev/null and b/windows/update/images/cortana-powerbi-retail-analysis-sample.png differ diff --git a/windows/update/images/cortana-powerbi-search.png b/windows/update/images/cortana-powerbi-search.png new file mode 100644 index 0000000000..88a8b40296 Binary files /dev/null and b/windows/update/images/cortana-powerbi-search.png differ diff --git a/windows/update/images/cortana-powerbi-settings.png b/windows/update/images/cortana-powerbi-settings.png new file mode 100644 index 0000000000..0f51229895 Binary files /dev/null and b/windows/update/images/cortana-powerbi-settings.png differ 
diff --git a/windows/update/images/cortana-redmond-weather.png b/windows/update/images/cortana-redmond-weather.png new file mode 100644 index 0000000000..7e8adc1929 Binary files /dev/null and b/windows/update/images/cortana-redmond-weather.png differ diff --git a/windows/update/images/cortana-reminder-edit.png b/windows/update/images/cortana-reminder-edit.png new file mode 100644 index 0000000000..79cc280947 Binary files /dev/null and b/windows/update/images/cortana-reminder-edit.png differ diff --git a/windows/update/images/cortana-reminder-list.png b/windows/update/images/cortana-reminder-list.png new file mode 100644 index 0000000000..1f57fc0f05 Binary files /dev/null and b/windows/update/images/cortana-reminder-list.png differ diff --git a/windows/update/images/cortana-reminder-mic.png b/windows/update/images/cortana-reminder-mic.png new file mode 100644 index 0000000000..46a18e8e0b Binary files /dev/null and b/windows/update/images/cortana-reminder-mic.png differ diff --git a/windows/update/images/cortana-reminder-pending-mic.png b/windows/update/images/cortana-reminder-pending-mic.png new file mode 100644 index 0000000000..159d408e0a Binary files /dev/null and b/windows/update/images/cortana-reminder-pending-mic.png differ diff --git a/windows/update/images/cortana-reminder-pending.png b/windows/update/images/cortana-reminder-pending.png new file mode 100644 index 0000000000..a6b64b5621 Binary files /dev/null and b/windows/update/images/cortana-reminder-pending.png differ diff --git a/windows/update/images/cortana-send-email-coworker-mic.png b/windows/update/images/cortana-send-email-coworker-mic.png new file mode 100644 index 0000000000..0cfa8fb731 Binary files /dev/null and b/windows/update/images/cortana-send-email-coworker-mic.png differ 
diff --git a/windows/update/images/cortana-send-email-coworker.png b/windows/update/images/cortana-send-email-coworker.png new file mode 100644 index 0000000000..40ce18bdca Binary files /dev/null and b/windows/update/images/cortana-send-email-coworker.png differ diff --git a/windows/update/images/cortana-weather-multipanel.png b/windows/update/images/cortana-weather-multipanel.png new file mode 100644 index 0000000000..e8db031744 Binary files /dev/null and b/windows/update/images/cortana-weather-multipanel.png differ diff --git a/windows/update/images/crossmark.png b/windows/update/images/crossmark.png new file mode 100644 index 0000000000..69432ff71c Binary files /dev/null and b/windows/update/images/crossmark.png differ diff --git a/windows/update/images/csp-placeholder.png b/windows/update/images/csp-placeholder.png new file mode 100644 index 0000000000..fe6bcf4720 Binary files /dev/null and b/windows/update/images/csp-placeholder.png differ diff --git a/windows/update/images/cspinicd.png b/windows/update/images/cspinicd.png new file mode 100644 index 0000000000..a60ad9e2bf Binary files /dev/null and b/windows/update/images/cspinicd.png differ diff --git a/windows/update/images/csptable.png b/windows/update/images/csptable.png new file mode 100644 index 0000000000..ee210cad69 Binary files /dev/null and b/windows/update/images/csptable.png differ diff --git a/windows/update/images/deploymentworkflow.png b/windows/update/images/deploymentworkflow.png new file mode 100644 index 0000000000..b665a0bfea Binary files /dev/null and b/windows/update/images/deploymentworkflow.png differ diff --git a/windows/update/images/doneicon.png b/windows/update/images/doneicon.png new file mode 100644 index 0000000000..d80389f35b Binary files /dev/null and b/windows/update/images/doneicon.png differ 
diff --git a/windows/update/images/export-mgt-desktop.png b/windows/update/images/export-mgt-desktop.png new file mode 100644 index 0000000000..13349c3b4e Binary files /dev/null and b/windows/update/images/export-mgt-desktop.png differ diff --git a/windows/update/images/export-mgt-mobile.png b/windows/update/images/export-mgt-mobile.png new file mode 100644 index 0000000000..6a74c23e59 Binary files /dev/null and b/windows/update/images/export-mgt-mobile.png differ diff --git a/windows/update/images/express-settings.png b/windows/update/images/express-settings.png new file mode 100644 index 0000000000..99e9c4825a Binary files /dev/null and b/windows/update/images/express-settings.png differ diff --git a/windows/update/images/fig1-deferupgrades.png b/windows/update/images/fig1-deferupgrades.png new file mode 100644 index 0000000000..f8c52b943e Binary files /dev/null and b/windows/update/images/fig1-deferupgrades.png differ diff --git a/windows/update/images/fig2-deploymenttimeline.png b/windows/update/images/fig2-deploymenttimeline.png new file mode 100644 index 0000000000..a8061d2f15 Binary files /dev/null and b/windows/update/images/fig2-deploymenttimeline.png differ diff --git a/windows/update/images/fig3-overlaprelease.png b/windows/update/images/fig3-overlaprelease.png new file mode 100644 index 0000000000..58747a35cf Binary files /dev/null and b/windows/update/images/fig3-overlaprelease.png differ diff --git a/windows/update/images/funfacts.png b/windows/update/images/funfacts.png new file mode 100644 index 0000000000..71355ec370 Binary files /dev/null and b/windows/update/images/funfacts.png differ diff --git a/windows/update/images/genrule.png b/windows/update/images/genrule.png new file mode 100644 index 0000000000..1d68f1ad0b Binary files /dev/null and b/windows/update/images/genrule.png differ 
diff --git a/windows/update/images/gp-branch.png b/windows/update/images/gp-branch.png new file mode 100644 index 0000000000..997bcc830a Binary files /dev/null and b/windows/update/images/gp-branch.png differ diff --git a/windows/update/images/gp-exclude-drivers.png b/windows/update/images/gp-exclude-drivers.png new file mode 100644 index 0000000000..0010749139 Binary files /dev/null and b/windows/update/images/gp-exclude-drivers.png differ diff --git a/windows/update/images/gp-feature.png b/windows/update/images/gp-feature.png new file mode 100644 index 0000000000..b862d545d4 Binary files /dev/null and b/windows/update/images/gp-feature.png differ diff --git a/windows/update/images/gp-quality.png b/windows/update/images/gp-quality.png new file mode 100644 index 0000000000..d7ff30172d Binary files /dev/null and b/windows/update/images/gp-quality.png differ diff --git a/windows/update/images/icd-adv-shared-pc.PNG b/windows/update/images/icd-adv-shared-pc.PNG new file mode 100644 index 0000000000..a8da5fa78a Binary files /dev/null and b/windows/update/images/icd-adv-shared-pc.PNG differ diff --git a/windows/update/images/icd-school.PNG b/windows/update/images/icd-school.PNG new file mode 100644 index 0000000000..e6a944a193 Binary files /dev/null and b/windows/update/images/icd-school.PNG differ diff --git a/windows/update/images/icd-simple.PNG b/windows/update/images/icd-simple.PNG new file mode 100644 index 0000000000..7ae8a1728b Binary files /dev/null and b/windows/update/images/icd-simple.PNG differ diff --git a/windows/update/images/icdbrowse.png b/windows/update/images/icdbrowse.png new file mode 100644 index 0000000000..53c91074c7 Binary files /dev/null and b/windows/update/images/icdbrowse.png differ diff --git a/windows/update/images/identitychoices.png b/windows/update/images/identitychoices.png new file mode 100644 index 0000000000..9a69c04f20 Binary files /dev/null and b/windows/update/images/identitychoices.png differ 
diff --git a/windows/update/images/launchicon.png b/windows/update/images/launchicon.png new file mode 100644 index 0000000000..d469c68a2c Binary files /dev/null and b/windows/update/images/launchicon.png differ diff --git a/windows/update/images/license-terms.png b/windows/update/images/license-terms.png new file mode 100644 index 0000000000..8dd34b0a18 Binary files /dev/null and b/windows/update/images/license-terms.png differ diff --git a/windows/update/images/lockdownapps.png b/windows/update/images/lockdownapps.png new file mode 100644 index 0000000000..ad928d87bc Binary files /dev/null and b/windows/update/images/lockdownapps.png differ diff --git a/windows/update/images/lockscreen.png b/windows/update/images/lockscreen.png new file mode 100644 index 0000000000..68c64e15ec Binary files /dev/null and b/windows/update/images/lockscreen.png differ diff --git a/windows/update/images/lockscreenpolicy.png b/windows/update/images/lockscreenpolicy.png new file mode 100644 index 0000000000..30b6a7ae9d Binary files /dev/null and b/windows/update/images/lockscreenpolicy.png differ diff --git a/windows/update/images/mdm-diag-report-powershell.PNG b/windows/update/images/mdm-diag-report-powershell.PNG new file mode 100644 index 0000000000..86f5b49211 Binary files /dev/null and b/windows/update/images/mdm-diag-report-powershell.PNG differ diff --git a/windows/update/images/mdm.png b/windows/update/images/mdm.png new file mode 100644 index 0000000000..8ebcc00526 Binary files /dev/null and b/windows/update/images/mdm.png differ diff --git a/windows/update/images/mobile-start-layout.png b/windows/update/images/mobile-start-layout.png new file mode 100644 index 0000000000..d1055d6c87 Binary files /dev/null and b/windows/update/images/mobile-start-layout.png differ 
diff --git a/windows/update/images/oma-uri-shared-pc.png b/windows/update/images/oma-uri-shared-pc.png new file mode 100644 index 0000000000..68f9fa3b32 Binary files /dev/null and b/windows/update/images/oma-uri-shared-pc.png differ diff --git a/windows/update/images/oobe.jpg b/windows/update/images/oobe.jpg new file mode 100644 index 0000000000..53a5dab6bf Binary files /dev/null and b/windows/update/images/oobe.jpg differ diff --git a/windows/update/images/package.png b/windows/update/images/package.png new file mode 100644 index 0000000000..f5e975e3e9 Binary files /dev/null and b/windows/update/images/package.png differ diff --git a/windows/update/images/packageaddfileandregistrydata-global.png b/windows/update/images/packageaddfileandregistrydata-global.png new file mode 100644 index 0000000000..775e290a36 Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata-global.png differ diff --git a/windows/update/images/packageaddfileandregistrydata-stream.png b/windows/update/images/packageaddfileandregistrydata-stream.png new file mode 100644 index 0000000000..0e1205c62b Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata-stream.png differ diff --git a/windows/update/images/packageaddfileandregistrydata.png b/windows/update/images/packageaddfileandregistrydata.png new file mode 100644 index 0000000000..603420e627 Binary files /dev/null and b/windows/update/images/packageaddfileandregistrydata.png differ diff --git a/windows/update/images/phoneprovision.png b/windows/update/images/phoneprovision.png new file mode 100644 index 0000000000..01ada29ac9 Binary files /dev/null and b/windows/update/images/phoneprovision.png differ diff --git a/windows/update/images/policytocsp.png b/windows/update/images/policytocsp.png new file mode 100644 index 0000000000..80ca76cb62 Binary files /dev/null and b/windows/update/images/policytocsp.png differ 
diff --git a/windows/update/images/powericon.png b/windows/update/images/powericon.png
new file mode 100644
index 0000000000..b497ff859d
Binary files /dev/null and b/windows/update/images/powericon.png differ
diff --git a/windows/update/images/priv-telemetry-levels.png b/windows/update/images/priv-telemetry-levels.png
new file mode 100644
index 0000000000..9581cee54d
Binary files /dev/null and b/windows/update/images/priv-telemetry-levels.png differ
diff --git a/windows/update/images/prov.jpg b/windows/update/images/prov.jpg
new file mode 100644
index 0000000000..1593ccb36b
Binary files /dev/null and b/windows/update/images/prov.jpg differ
diff --git a/windows/update/images/provisioning-csp-assignedaccess.png b/windows/update/images/provisioning-csp-assignedaccess.png
new file mode 100644
index 0000000000..14d49cdd89
Binary files /dev/null and b/windows/update/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/update/images/rdp.png b/windows/update/images/rdp.png
new file mode 100644
index 0000000000..ac088d0b06
Binary files /dev/null and b/windows/update/images/rdp.png differ
diff --git a/windows/update/images/resetdevice.png b/windows/update/images/resetdevice.png
new file mode 100644
index 0000000000..4e265c3f8d
Binary files /dev/null and b/windows/update/images/resetdevice.png differ
diff --git a/windows/update/images/settings-table.png b/windows/update/images/settings-table.png
new file mode 100644
index 0000000000..ada56513fc
Binary files /dev/null and b/windows/update/images/settings-table.png differ
diff --git a/windows/update/images/settingsicon.png b/windows/update/images/settingsicon.png
new file mode 100644
index 0000000000..0ad27fc558
Binary files /dev/null and b/windows/update/images/settingsicon.png differ
diff --git a/windows/update/images/setupmsg.jpg b/windows/update/images/setupmsg.jpg
new file mode 100644
index 0000000000..12935483c5
Binary files /dev/null and b/windows/update/images/setupmsg.jpg differ
diff --git a/windows/update/images/sign-in-prov.png b/windows/update/images/sign-in-prov.png
new file mode 100644
index 0000000000..55c9276203
Binary files /dev/null and b/windows/update/images/sign-in-prov.png differ
diff --git a/windows/update/images/spotlight.png b/windows/update/images/spotlight.png
new file mode 100644
index 0000000000..515269740b
Binary files /dev/null and b/windows/update/images/spotlight.png differ
diff --git a/windows/update/images/spotlight2.png b/windows/update/images/spotlight2.png
new file mode 100644
index 0000000000..27401c1a2b
Binary files /dev/null and b/windows/update/images/spotlight2.png differ
diff --git a/windows/update/images/start-pinned-app.png b/windows/update/images/start-pinned-app.png
new file mode 100644
index 0000000000..e1e4a24a00
Binary files /dev/null and b/windows/update/images/start-pinned-app.png differ
diff --git a/windows/update/images/startannotated.png b/windows/update/images/startannotated.png
new file mode 100644
index 0000000000..d46f3a70c2
Binary files /dev/null and b/windows/update/images/startannotated.png differ
diff --git a/windows/update/images/starticon.png b/windows/update/images/starticon.png
new file mode 100644
index 0000000000..fa8cbdff10
Binary files /dev/null and b/windows/update/images/starticon.png differ
diff --git a/windows/update/images/startlayoutpolicy.jpg b/windows/update/images/startlayoutpolicy.jpg
new file mode 100644
index 0000000000..d3c8d054fe
Binary files /dev/null and b/windows/update/images/startlayoutpolicy.jpg differ
diff --git a/windows/update/images/starttemplate.jpg b/windows/update/images/starttemplate.jpg
new file mode 100644
index 0000000000..900eed08c5
Binary files /dev/null and b/windows/update/images/starttemplate.jpg differ
diff --git a/windows/update/images/sysprep-error.png b/windows/update/images/sysprep-error.png
new file mode 100644
index 0000000000..aa004efbb6
Binary files /dev/null and b/windows/update/images/sysprep-error.png differ
diff --git a/windows/update/images/taskbar-blank.png b/windows/update/images/taskbar-blank.png
new file mode 100644
index 0000000000..185027f2fd
Binary files /dev/null and b/windows/update/images/taskbar-blank.png differ
diff --git a/windows/update/images/taskbar-default-plus.png b/windows/update/images/taskbar-default-plus.png
new file mode 100644
index 0000000000..8afcebac09
Binary files /dev/null and b/windows/update/images/taskbar-default-plus.png differ
diff --git a/windows/update/images/taskbar-default-removed.png b/windows/update/images/taskbar-default-removed.png
new file mode 100644
index 0000000000..b3ff924e9f
Binary files /dev/null and b/windows/update/images/taskbar-default-removed.png differ
diff --git a/windows/update/images/taskbar-default.png b/windows/update/images/taskbar-default.png
new file mode 100644
index 0000000000..41c6c72258
Binary files /dev/null and b/windows/update/images/taskbar-default.png differ
diff --git a/windows/update/images/taskbar-generic.png b/windows/update/images/taskbar-generic.png
new file mode 100644
index 0000000000..6d47a6795a
Binary files /dev/null and b/windows/update/images/taskbar-generic.png differ
diff --git a/windows/update/images/taskbar-region-defr.png b/windows/update/images/taskbar-region-defr.png
new file mode 100644
index 0000000000..6d707b16f4
Binary files /dev/null and b/windows/update/images/taskbar-region-defr.png differ
diff --git a/windows/update/images/taskbar-region-other.png b/windows/update/images/taskbar-region-other.png
new file mode 100644
index 0000000000..fab367ef7a
Binary files /dev/null and b/windows/update/images/taskbar-region-other.png differ
diff --git a/windows/update/images/taskbar-region-usuk.png b/windows/update/images/taskbar-region-usuk.png
new file mode 100644
index 0000000000..6bba65ee81
Binary files /dev/null and b/windows/update/images/taskbar-region-usuk.png differ
diff --git a/windows/update/images/taskbarSTARTERBLANK.png b/windows/update/images/taskbarSTARTERBLANK.png
new file mode 100644
index 0000000000..e206bdc196
Binary files /dev/null and b/windows/update/images/taskbarSTARTERBLANK.png differ
diff --git a/windows/update/images/trust-package.png b/windows/update/images/trust-package.png
new file mode 100644
index 0000000000..8a293ea4da
Binary files /dev/null and b/windows/update/images/trust-package.png differ
diff --git a/windows/update/images/twain.png b/windows/update/images/twain.png
new file mode 100644
index 0000000000..53cd5eadc7
Binary files /dev/null and b/windows/update/images/twain.png differ
diff --git a/windows/update/images/uc-01.png b/windows/update/images/uc-01.png
new file mode 100644
index 0000000000..7f4df9f6d7
Binary files /dev/null and b/windows/update/images/uc-01.png differ
diff --git a/windows/update/images/uc-02.png b/windows/update/images/uc-02.png
new file mode 100644
index 0000000000..8317f051c3
Binary files /dev/null and b/windows/update/images/uc-02.png differ
diff --git a/windows/update/images/uc-02a.png b/windows/update/images/uc-02a.png
new file mode 100644
index 0000000000..d12544e3a0
Binary files /dev/null and b/windows/update/images/uc-02a.png differ
diff --git a/windows/update/images/uc-03.png b/windows/update/images/uc-03.png
new file mode 100644
index 0000000000..58494c4128
Binary files /dev/null and b/windows/update/images/uc-03.png differ
diff --git a/windows/update/images/uc-03a.png b/windows/update/images/uc-03a.png
new file mode 100644
index 0000000000..39412fc8f3
Binary files /dev/null and b/windows/update/images/uc-03a.png differ
diff --git a/windows/update/images/uc-04.png b/windows/update/images/uc-04.png
new file mode 100644
index 0000000000..ef9a37d379
Binary files /dev/null and b/windows/update/images/uc-04.png differ
diff --git a/windows/update/images/uc-04a.png b/windows/update/images/uc-04a.png
new file mode 100644
index 0000000000..537d4bbe72
Binary files /dev/null and b/windows/update/images/uc-04a.png differ
diff --git a/windows/update/images/uc-05.png b/windows/update/images/uc-05.png
new file mode 100644
index 0000000000..21c8e9f9e0
Binary files /dev/null and b/windows/update/images/uc-05.png differ
diff --git a/windows/update/images/uc-05a.png b/windows/update/images/uc-05a.png
new file mode 100644
index 0000000000..2271181622
Binary files /dev/null and b/windows/update/images/uc-05a.png differ
diff --git a/windows/update/images/uc-06.png b/windows/update/images/uc-06.png
new file mode 100644
index 0000000000..03a559800b
Binary files /dev/null and b/windows/update/images/uc-06.png differ
diff --git a/windows/update/images/uc-06a.png b/windows/update/images/uc-06a.png
new file mode 100644
index 0000000000..15df1cfea0
Binary files /dev/null and b/windows/update/images/uc-06a.png differ
diff --git a/windows/update/images/uc-07.png b/windows/update/images/uc-07.png
new file mode 100644
index 0000000000..de1ae35e82
Binary files /dev/null and b/windows/update/images/uc-07.png differ
diff --git a/windows/update/images/uc-07a.png b/windows/update/images/uc-07a.png
new file mode 100644
index 0000000000..c0f2d9fd73
Binary files /dev/null and b/windows/update/images/uc-07a.png differ
diff --git a/windows/update/images/uc-08.png b/windows/update/images/uc-08.png
new file mode 100644
index 0000000000..877fcd64c0
Binary files /dev/null and b/windows/update/images/uc-08.png differ
diff --git a/windows/update/images/uc-08a.png b/windows/update/images/uc-08a.png
new file mode 100644
index 0000000000..89da287d3d
Binary files /dev/null and b/windows/update/images/uc-08a.png differ
diff --git a/windows/update/images/uc-09.png b/windows/update/images/uc-09.png
new file mode 100644
index 0000000000..37d7114f19
Binary files /dev/null and b/windows/update/images/uc-09.png differ
diff --git a/windows/update/images/uc-09a.png b/windows/update/images/uc-09a.png
new file mode 100644
index 0000000000..f6b6ec5b60
Binary files /dev/null and b/windows/update/images/uc-09a.png differ
diff --git a/windows/update/images/uc-10.png b/windows/update/images/uc-10.png
new file mode 100644
index 0000000000..3ab72d10d2
Binary files /dev/null and b/windows/update/images/uc-10.png differ
diff --git a/windows/update/images/uc-10a.png b/windows/update/images/uc-10a.png
new file mode 100644
index 0000000000..1c6b8b01dc
Binary files /dev/null and b/windows/update/images/uc-10a.png differ
diff --git a/windows/update/images/uc-11.png b/windows/update/images/uc-11.png
new file mode 100644
index 0000000000..8b4fc568ea
Binary files /dev/null and b/windows/update/images/uc-11.png differ
diff --git a/windows/update/images/uc-12.png b/windows/update/images/uc-12.png
new file mode 100644
index 0000000000..4198684c99
Binary files /dev/null and b/windows/update/images/uc-12.png differ
diff --git a/windows/update/images/uc-13.png b/windows/update/images/uc-13.png
new file mode 100644
index 0000000000..117f9b9fd8
Binary files /dev/null and b/windows/update/images/uc-13.png differ
diff --git a/windows/update/images/uc-14.png b/windows/update/images/uc-14.png
new file mode 100644
index 0000000000..66047984e7
Binary files /dev/null and b/windows/update/images/uc-14.png differ
diff --git a/windows/update/images/uc-15.png b/windows/update/images/uc-15.png
new file mode 100644
index 0000000000..c241cd9117
Binary files /dev/null and b/windows/update/images/uc-15.png differ
diff --git a/windows/update/images/uc-16.png b/windows/update/images/uc-16.png
new file mode 100644
index 0000000000..e7aff4d4ed
Binary files /dev/null and b/windows/update/images/uc-16.png differ
diff --git a/windows/update/images/uc-17.png b/windows/update/images/uc-17.png
new file mode 100644
index 0000000000..cb8e42ca5e
Binary files /dev/null and b/windows/update/images/uc-17.png differ
diff --git a/windows/update/images/uc-18.png b/windows/update/images/uc-18.png
new file mode 100644
index 0000000000..5eff59adc9
Binary files /dev/null and b/windows/update/images/uc-18.png differ
diff --git a/windows/update/images/uc-19.png b/windows/update/images/uc-19.png
new file mode 100644
index 0000000000..791900eafc
Binary files /dev/null and b/windows/update/images/uc-19.png differ
diff --git a/windows/update/images/uc-20.png b/windows/update/images/uc-20.png
new file mode 100644
index 0000000000..7dbb027b9f
Binary files /dev/null and b/windows/update/images/uc-20.png differ
diff --git a/windows/update/images/uc-21.png b/windows/update/images/uc-21.png
new file mode 100644
index 0000000000..418db41fe4
Binary files /dev/null and b/windows/update/images/uc-21.png differ
diff --git a/windows/update/images/uc-22.png b/windows/update/images/uc-22.png
new file mode 100644
index 0000000000..2ca5c47a61
Binary files /dev/null and b/windows/update/images/uc-22.png differ
diff --git a/windows/update/images/uc-23.png b/windows/update/images/uc-23.png
new file mode 100644
index 0000000000..58b82db82d
Binary files /dev/null and b/windows/update/images/uc-23.png differ
diff --git a/windows/update/images/uc-24.png b/windows/update/images/uc-24.png
new file mode 100644
index 0000000000..00bc61e3e1
Binary files /dev/null and b/windows/update/images/uc-24.png differ
diff --git a/windows/update/images/uc-25.png b/windows/update/images/uc-25.png
new file mode 100644
index 0000000000..4e0f0bdb03
Binary files /dev/null and b/windows/update/images/uc-25.png differ
diff --git a/windows/update/images/uev-adk-select-uev-feature.png b/windows/update/images/uev-adk-select-uev-feature.png
new file mode 100644
index 0000000000..1556f115c0
Binary files /dev/null and b/windows/update/images/uev-adk-select-uev-feature.png differ
diff --git a/windows/update/images/uev-archdiagram.png b/windows/update/images/uev-archdiagram.png
new file mode 100644
index 0000000000..eae098e666
Binary files /dev/null and b/windows/update/images/uev-archdiagram.png differ
diff --git a/windows/update/images/uev-checklist-box.gif b/windows/update/images/uev-checklist-box.gif
new file mode 100644
index 0000000000..8af13c51d1
Binary files /dev/null and b/windows/update/images/uev-checklist-box.gif differ
diff --git a/windows/update/images/uev-deployment-preparation.png b/windows/update/images/uev-deployment-preparation.png
new file mode 100644
index 0000000000..b665a0bfea
Binary files /dev/null and b/windows/update/images/uev-deployment-preparation.png differ
diff --git a/windows/update/images/uev-generator-process.png b/windows/update/images/uev-generator-process.png
new file mode 100644
index 0000000000..e16cedd0a7
Binary files /dev/null and b/windows/update/images/uev-generator-process.png differ
diff --git a/windows/update/images/w10servicing-f1-branches.png b/windows/update/images/w10servicing-f1-branches.png
new file mode 100644
index 0000000000..ac4a549aed
Binary files /dev/null and b/windows/update/images/w10servicing-f1-branches.png differ
diff --git a/windows/update/images/waas-active-hours-policy.PNG b/windows/update/images/waas-active-hours-policy.PNG
new file mode 100644
index 0000000000..af80ef6652
Binary files /dev/null and b/windows/update/images/waas-active-hours-policy.PNG differ
diff --git a/windows/update/images/waas-active-hours.PNG b/windows/update/images/waas-active-hours.PNG
new file mode 100644
index 0000000000..c262c302ed
Binary files /dev/null and b/windows/update/images/waas-active-hours.PNG differ
diff --git a/windows/update/images/waas-auto-update-policy.PNG b/windows/update/images/waas-auto-update-policy.PNG
new file mode 100644
index 0000000000..52a1629cbf
Binary files /dev/null and b/windows/update/images/waas-auto-update-policy.PNG differ
diff --git a/windows/update/images/waas-do-fig1.png b/windows/update/images/waas-do-fig1.png
new file mode 100644
index 0000000000..2a2b6872e9
Binary files /dev/null and b/windows/update/images/waas-do-fig1.png differ
diff --git a/windows/update/images/waas-do-fig2.png b/windows/update/images/waas-do-fig2.png
new file mode 100644
index 0000000000..cc42b328eb
Binary files /dev/null and b/windows/update/images/waas-do-fig2.png differ
diff --git a/windows/update/images/waas-do-fig3.png b/windows/update/images/waas-do-fig3.png
new file mode 100644
index 0000000000..d9182d3b20
Binary files /dev/null and b/windows/update/images/waas-do-fig3.png differ
diff --git a/windows/update/images/waas-do-fig4.png b/windows/update/images/waas-do-fig4.png
new file mode 100644
index 0000000000..a66741ed90
Binary files /dev/null and b/windows/update/images/waas-do-fig4.png differ
diff --git a/windows/update/images/waas-overview-patch.png b/windows/update/images/waas-overview-patch.png
new file mode 100644
index 0000000000..6ac0a03227
Binary files /dev/null and b/windows/update/images/waas-overview-patch.png differ
diff --git a/windows/update/images/waas-restart-policy.PNG b/windows/update/images/waas-restart-policy.PNG
new file mode 100644
index 0000000000..936f9aeb08
Binary files /dev/null and b/windows/update/images/waas-restart-policy.PNG differ
diff --git a/windows/update/images/waas-rings.png b/windows/update/images/waas-rings.png
new file mode 100644
index 0000000000..041a59ce87
Binary files /dev/null and b/windows/update/images/waas-rings.png differ
diff --git a/windows/update/images/waas-sccm-fig1.png b/windows/update/images/waas-sccm-fig1.png
new file mode 100644
index 0000000000..6bf2b1c621
Binary files /dev/null and b/windows/update/images/waas-sccm-fig1.png differ
diff --git a/windows/update/images/waas-sccm-fig10.png b/windows/update/images/waas-sccm-fig10.png
new file mode 100644
index 0000000000..ad3b5c922f
Binary files /dev/null and b/windows/update/images/waas-sccm-fig10.png differ
diff --git a/windows/update/images/waas-sccm-fig11.png b/windows/update/images/waas-sccm-fig11.png
new file mode 100644
index 0000000000..6c4f905630
Binary files /dev/null and b/windows/update/images/waas-sccm-fig11.png differ
diff --git a/windows/update/images/waas-sccm-fig12.png b/windows/update/images/waas-sccm-fig12.png
new file mode 100644
index 0000000000..87464dd5f1
Binary files /dev/null and b/windows/update/images/waas-sccm-fig12.png differ
diff --git a/windows/update/images/waas-sccm-fig2.png b/windows/update/images/waas-sccm-fig2.png
new file mode 100644
index 0000000000..c83e7bc781
Binary files /dev/null and b/windows/update/images/waas-sccm-fig2.png differ
diff --git a/windows/update/images/waas-sccm-fig3.png b/windows/update/images/waas-sccm-fig3.png
new file mode 100644
index 0000000000..dcbc83b8ff
Binary files /dev/null and b/windows/update/images/waas-sccm-fig3.png differ
diff --git a/windows/update/images/waas-sccm-fig4.png b/windows/update/images/waas-sccm-fig4.png
new file mode 100644
index 0000000000..782c5ca6ef
Binary files /dev/null and b/windows/update/images/waas-sccm-fig4.png differ
diff --git a/windows/update/images/waas-sccm-fig5.png b/windows/update/images/waas-sccm-fig5.png
new file mode 100644
index 0000000000..cb399a6c6f
Binary files /dev/null and b/windows/update/images/waas-sccm-fig5.png differ
diff --git a/windows/update/images/waas-sccm-fig6.png b/windows/update/images/waas-sccm-fig6.png
new file mode 100644
index 0000000000..77dd02d61e
Binary files /dev/null and b/windows/update/images/waas-sccm-fig6.png differ
diff --git a/windows/update/images/waas-sccm-fig7.png b/windows/update/images/waas-sccm-fig7.png
new file mode 100644
index 0000000000..a74c7c8133
Binary files /dev/null and b/windows/update/images/waas-sccm-fig7.png differ
diff --git a/windows/update/images/waas-sccm-fig8.png b/windows/update/images/waas-sccm-fig8.png
new file mode 100644
index 0000000000..2dfaf75ddf
Binary files /dev/null and b/windows/update/images/waas-sccm-fig8.png differ
diff --git a/windows/update/images/waas-sccm-fig9.png b/windows/update/images/waas-sccm-fig9.png
new file mode 100644
index 0000000000..311d79dc94
Binary files /dev/null and b/windows/update/images/waas-sccm-fig9.png differ
diff --git a/windows/update/images/waas-strategy-fig1a.png b/windows/update/images/waas-strategy-fig1a.png
new file mode 100644
index 0000000000..7a924c43bc
Binary files /dev/null and b/windows/update/images/waas-strategy-fig1a.png differ
diff --git a/windows/update/images/waas-wipfb-aad-classicaad.png b/windows/update/images/waas-wipfb-aad-classicaad.png
new file mode 100644
index 0000000000..424f4bca0a
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-classicaad.png differ
diff --git a/windows/update/images/waas-wipfb-aad-classicenable.png b/windows/update/images/waas-wipfb-aad-classicenable.png
new file mode 100644
index 0000000000..9cc78c2736
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-classicenable.png differ
diff --git a/windows/update/images/waas-wipfb-aad-consent.png b/windows/update/images/waas-wipfb-aad-consent.png
new file mode 100644
index 0000000000..aeb78e5ddf
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-consent.png differ
diff --git a/windows/update/images/waas-wipfb-aad-error.png b/windows/update/images/waas-wipfb-aad-error.png
new file mode 100644
index 0000000000..83e6ca9974
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-error.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newaad.png b/windows/update/images/waas-wipfb-aad-newaad.png
new file mode 100644
index 0000000000..87a6f5e750
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newaad.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newdirectorybutton.png b/windows/update/images/waas-wipfb-aad-newdirectorybutton.png
new file mode 100644
index 0000000000..9da18db5d1
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newdirectorybutton.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newenable.png b/windows/update/images/waas-wipfb-aad-newenable.png
new file mode 100644
index 0000000000..f9bbe57b26
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newenable.png differ
diff --git a/windows/update/images/waas-wipfb-aad-newusersettings.png b/windows/update/images/waas-wipfb-aad-newusersettings.png
new file mode 100644
index 0000000000..ab28da5cbc
Binary files /dev/null and b/windows/update/images/waas-wipfb-aad-newusersettings.png differ
diff --git a/windows/update/images/waas-wipfb-accounts.png b/windows/update/images/waas-wipfb-accounts.png
new file mode 100644
index 0000000000..27387e3e7b
Binary files /dev/null and b/windows/update/images/waas-wipfb-accounts.png differ
diff --git a/windows/update/images/waas-wipfb-change-user.png b/windows/update/images/waas-wipfb-change-user.png
new file mode 100644
index 0000000000..bf6fe39beb
Binary files /dev/null and b/windows/update/images/waas-wipfb-change-user.png differ
diff --git a/windows/update/images/waas-wipfb-work-account.jpg b/windows/update/images/waas-wipfb-work-account.jpg
new file mode 100644
index 0000000000..4b34385b18
Binary files /dev/null and b/windows/update/images/waas-wipfb-work-account.jpg differ
diff --git a/windows/update/images/waas-wsus-fig1.png b/windows/update/images/waas-wsus-fig1.png
new file mode 100644
index 0000000000..14bf35958a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig1.png differ
diff --git a/windows/update/images/waas-wsus-fig10.png b/windows/update/images/waas-wsus-fig10.png
new file mode 100644
index 0000000000..3efa119693
Binary files /dev/null and b/windows/update/images/waas-wsus-fig10.png differ
diff --git a/windows/update/images/waas-wsus-fig11.png b/windows/update/images/waas-wsus-fig11.png
new file mode 100644
index 0000000000..ae6d79221a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig11.png differ
diff --git a/windows/update/images/waas-wsus-fig12.png b/windows/update/images/waas-wsus-fig12.png
new file mode 100644
index 0000000000..47479ea1df
Binary files /dev/null and b/windows/update/images/waas-wsus-fig12.png differ
diff --git a/windows/update/images/waas-wsus-fig13.png b/windows/update/images/waas-wsus-fig13.png
new file mode 100644
index 0000000000..f0b1578094
Binary files /dev/null and b/windows/update/images/waas-wsus-fig13.png differ
diff --git a/windows/update/images/waas-wsus-fig14.png b/windows/update/images/waas-wsus-fig14.png
new file mode 100644
index 0000000000..b5b930ddad
Binary files /dev/null and b/windows/update/images/waas-wsus-fig14.png differ
diff --git a/windows/update/images/waas-wsus-fig15.png b/windows/update/images/waas-wsus-fig15.png
new file mode 100644
index 0000000000..95e38c039e
Binary files /dev/null and b/windows/update/images/waas-wsus-fig15.png differ
diff --git a/windows/update/images/waas-wsus-fig16.png b/windows/update/images/waas-wsus-fig16.png
new file mode 100644
index 0000000000..3848ac1772
Binary files /dev/null and b/windows/update/images/waas-wsus-fig16.png differ
diff --git a/windows/update/images/waas-wsus-fig17.png b/windows/update/images/waas-wsus-fig17.png
new file mode 100644
index 0000000000..5511da3e5c
Binary files /dev/null and b/windows/update/images/waas-wsus-fig17.png differ
diff --git a/windows/update/images/waas-wsus-fig18.png b/windows/update/images/waas-wsus-fig18.png
new file mode 100644
index 0000000000..f9ac774754
Binary files /dev/null and b/windows/update/images/waas-wsus-fig18.png differ
diff --git a/windows/update/images/waas-wsus-fig19.png b/windows/update/images/waas-wsus-fig19.png
new file mode 100644
index 0000000000..f69d793afe
Binary files /dev/null and b/windows/update/images/waas-wsus-fig19.png differ
diff --git a/windows/update/images/waas-wsus-fig2.png b/windows/update/images/waas-wsus-fig2.png
new file mode 100644
index 0000000000..167774a6c9
Binary files /dev/null and b/windows/update/images/waas-wsus-fig2.png differ
diff --git a/windows/update/images/waas-wsus-fig20.png b/windows/update/images/waas-wsus-fig20.png
new file mode 100644
index 0000000000..ea6bbb350a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig20.png differ
diff --git a/windows/update/images/waas-wsus-fig3.png b/windows/update/images/waas-wsus-fig3.png
new file mode 100644
index 0000000000..272e8c05e9
Binary files /dev/null and b/windows/update/images/waas-wsus-fig3.png differ
diff --git a/windows/update/images/waas-wsus-fig4.png b/windows/update/images/waas-wsus-fig4.png
new file mode 100644
index 0000000000..bb5f27e3da
Binary files /dev/null and b/windows/update/images/waas-wsus-fig4.png differ
diff --git a/windows/update/images/waas-wsus-fig5.png b/windows/update/images/waas-wsus-fig5.png
new file mode 100644
index 0000000000..23faf303c6
Binary files /dev/null and b/windows/update/images/waas-wsus-fig5.png differ
diff --git a/windows/update/images/waas-wsus-fig6.png b/windows/update/images/waas-wsus-fig6.png
new file mode 100644
index 0000000000..7857351d19
Binary files /dev/null and b/windows/update/images/waas-wsus-fig6.png differ
diff --git a/windows/update/images/waas-wsus-fig7.png b/windows/update/images/waas-wsus-fig7.png
new file mode 100644
index 0000000000..e7f02649d2
Binary files /dev/null and b/windows/update/images/waas-wsus-fig7.png differ
diff --git a/windows/update/images/waas-wsus-fig8.png b/windows/update/images/waas-wsus-fig8.png
new file mode 100644
index 0000000000..da5f620425
Binary files /dev/null and b/windows/update/images/waas-wsus-fig8.png differ
diff --git a/windows/update/images/waas-wsus-fig9.png b/windows/update/images/waas-wsus-fig9.png
new file mode 100644
index 0000000000..f3d5a4eb6a
Binary files /dev/null and b/windows/update/images/waas-wsus-fig9.png differ
diff --git a/windows/update/images/waas-wufb-gp-broad.png b/windows/update/images/waas-wufb-gp-broad.png
new file mode 100644
index 0000000000..92b71c8936
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-broad.png differ
diff --git a/windows/update/images/waas-wufb-gp-cb2-settings.png b/windows/update/images/waas-wufb-gp-cb2-settings.png
new file mode 100644
index 0000000000..ae6ed4d856
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cb2-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cb2.png b/windows/update/images/waas-wufb-gp-cb2.png
new file mode 100644
index 0000000000..006a8c02d3
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cb2.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb1-settings.png b/windows/update/images/waas-wufb-gp-cbb1-settings.png
new file mode 100644
index 0000000000..c9e1029b8b
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb1-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2-settings.png b/windows/update/images/waas-wufb-gp-cbb2-settings.png
new file mode 100644
index 0000000000..e5aff1cc89
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb2-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-cbb2q-settings.png b/windows/update/images/waas-wufb-gp-cbb2q-settings.png
new file mode 100644
index 0000000000..33a02165c6
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-cbb2q-settings.png differ
diff --git a/windows/update/images/waas-wufb-gp-create.png b/windows/update/images/waas-wufb-gp-create.png
new file mode 100644
index 0000000000..d74eec4b2e
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-create.png differ
diff --git a/windows/update/images/waas-wufb-gp-edit-defer.png b/windows/update/images/waas-wufb-gp-edit-defer.png
new file mode 100644
index 0000000000..c697b42ffd
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-edit-defer.png differ
diff --git a/windows/update/images/waas-wufb-gp-edit.png b/windows/update/images/waas-wufb-gp-edit.png
new file mode 100644
index 0000000000..1b8d21a175
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-edit.png differ
diff --git a/windows/update/images/waas-wufb-gp-scope-cb2.png b/windows/update/images/waas-wufb-gp-scope-cb2.png
new file mode 100644
index 0000000000..fcacdbea57
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-scope-cb2.png differ
diff --git a/windows/update/images/waas-wufb-gp-scope.png b/windows/update/images/waas-wufb-gp-scope.png
new file mode 100644
index 0000000000..a04d8194df
Binary files /dev/null and b/windows/update/images/waas-wufb-gp-scope.png differ
diff --git a/windows/update/images/waas-wufb-intune-cb2a.png b/windows/update/images/waas-wufb-intune-cb2a.png
new file mode 100644
index 0000000000..3e8c1ce19e
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cb2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-cbb1a.png b/windows/update/images/waas-wufb-intune-cbb1a.png
new file mode 100644
index 0000000000..bc394fe563
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cbb1a.png differ
diff --git a/windows/update/images/waas-wufb-intune-cbb2a.png b/windows/update/images/waas-wufb-intune-cbb2a.png
new file mode 100644
index 0000000000..a980e0e43a
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-cbb2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step11a.png b/windows/update/images/waas-wufb-intune-step11a.png
new file mode 100644
index 0000000000..7291484c93
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step11a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step19a.png b/windows/update/images/waas-wufb-intune-step19a.png
new file mode 100644
index 0000000000..de132abd28
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step19a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step2a.png b/windows/update/images/waas-wufb-intune-step2a.png
new file mode 100644
index 0000000000..9a719b8fda
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step2a.png differ
diff --git a/windows/update/images/waas-wufb-intune-step7a.png b/windows/update/images/waas-wufb-intune-step7a.png
new file mode 100644
index 0000000000..daa96ba18c
Binary files /dev/null and b/windows/update/images/waas-wufb-intune-step7a.png differ
diff --git a/windows/update/images/waas-wufb-settings-branch.jpg b/windows/update/images/waas-wufb-settings-branch.jpg
new file mode 100644
index 0000000000..7dfb770d4a
Binary files /dev/null and b/windows/update/images/waas-wufb-settings-branch.jpg differ
diff --git a/windows/update/images/waas-wufb-settings-defer.jpg b/windows/update/images/waas-wufb-settings-defer.jpg
new file mode 100644
index 0000000000..5e6c58a101
Binary files /dev/null and b/windows/update/images/waas-wufb-settings-defer.jpg differ
diff --git a/windows/update/images/waas-wufb-update-compliance.png b/windows/update/images/waas-wufb-update-compliance.png
new file mode 100644
index 0000000000..0c1bbaea7c
Binary files /dev/null and b/windows/update/images/waas-wufb-update-compliance.png differ
diff --git a/windows/update/images/who-owns-pc.png b/windows/update/images/who-owns-pc.png
new file mode 100644
index 0000000000..d3ce1def8d
Binary files /dev/null and b/windows/update/images/who-owns-pc.png differ
diff --git a/windows/update/images/wifisense-grouppolicy.png b/windows/update/images/wifisense-grouppolicy.png
new file mode 100644
index 0000000000..1142d834bd
Binary files /dev/null and b/windows/update/images/wifisense-grouppolicy.png differ
diff --git a/windows/update/images/wifisense-registry.png b/windows/update/images/wifisense-registry.png
new file mode 100644
index 0000000000..cbb1fa8347
Binary files /dev/null and b/windows/update/images/wifisense-registry.png differ
diff --git a/windows/update/images/wifisense-settingscreens.png b/windows/update/images/wifisense-settingscreens.png
new file mode 100644
index 0000000000..cbb6903177
Binary files /dev/null and b/windows/update/images/wifisense-settingscreens.png differ
diff --git a/windows/update/images/win10-mobile-mdm-fig1.png b/windows/update/images/win10-mobile-mdm-fig1.png
new file mode 100644
index 0000000000..6ddac1df99
Binary files /dev/null and b/windows/update/images/win10-mobile-mdm-fig1.png differ
diff --git a/windows/update/images/win10servicing-fig2-featureupgrade.png b/windows/update/images/win10servicing-fig2-featureupgrade.png
new file mode 100644
index 0000000000..e4dc76b44f
Binary files /dev/null and b/windows/update/images/win10servicing-fig2-featureupgrade.png differ
diff --git a/windows/update/images/win10servicing-fig3.png b/windows/update/images/win10servicing-fig3.png
new file mode 100644
index 0000000000..688f92b173
Binary files /dev/null and b/windows/update/images/win10servicing-fig3.png differ
diff --git a/windows/update/images/win10servicing-fig4-upgradereleases.png b/windows/update/images/win10servicing-fig4-upgradereleases.png
new file mode 100644
index 0000000000..961c8bebe2
Binary files /dev/null and b/windows/update/images/win10servicing-fig4-upgradereleases.png differ
diff --git a/windows/update/images/win10servicing-fig5.png b/windows/update/images/win10servicing-fig5.png
new file mode 100644
index 0000000000..dc4b2fc5b2
Binary files /dev/null and b/windows/update/images/win10servicing-fig5.png differ
diff --git a/windows/update/images/win10servicing-fig6.png b/windows/update/images/win10servicing-fig6.png
new file mode 100644
index 0000000000..4cdc5f9c6f
Binary files /dev/null and b/windows/update/images/win10servicing-fig6.png differ
diff --git a/windows/update/images/win10servicing-fig7.png b/windows/update/images/win10servicing-fig7.png
new file mode 100644
index 0000000000..0a9a851449
Binary files /dev/null and b/windows/update/images/win10servicing-fig7.png differ
diff --git a/windows/update/images/windows-10-management-cyod-byod-flow.png b/windows/update/images/windows-10-management-cyod-byod-flow.png
new file mode 100644
index 0000000000..6121e93832
Binary files /dev/null and b/windows/update/images/windows-10-management-cyod-byod-flow.png differ
diff --git a/windows/update/images/windows-10-management-gp-intune-flow.png b/windows/update/images/windows-10-management-gp-intune-flow.png
new file mode 100644
index 0000000000..c9e3f2ea31
Binary files /dev/null and b/windows/update/images/windows-10-management-gp-intune-flow.png differ
diff --git a/windows/update/images/windows-10-management-range-of-options.png b/windows/update/images/windows-10-management-range-of-options.png
new file mode 100644
index 0000000000..e4de546709
Binary files /dev/null and b/windows/update/images/windows-10-management-range-of-options.png differ
diff --git a/windows/update/images/wsfb-distribute.png b/windows/update/images/wsfb-distribute.png
new file mode 100644
index 0000000000..d0482f6ebe
Binary files /dev/null and b/windows/update/images/wsfb-distribute.png differ
diff --git a/windows/update/images/wsfb-firstrun.png b/windows/update/images/wsfb-firstrun.png
new file mode 100644
index 0000000000..2673567a1e
Binary files /dev/null and b/windows/update/images/wsfb-firstrun.png differ
diff --git a/windows/update/images/wsfb-inventory-viewlicense.png b/windows/update/images/wsfb-inventory-viewlicense.png
new file mode 100644
index 0000000000..9fafad1aff
Binary files /dev/null and b/windows/update/images/wsfb-inventory-viewlicense.png differ
diff --git a/windows/update/images/wsfb-inventory.png b/windows/update/images/wsfb-inventory.png
new file mode 100644
index 0000000000..b060fb30e4
Binary files /dev/null and b/windows/update/images/wsfb-inventory.png differ
diff --git a/windows/update/images/wsfb-inventoryaddprivatestore.png b/windows/update/images/wsfb-inventoryaddprivatestore.png
new file mode 100644
index 0000000000..bb1152e35b
Binary files /dev/null and b/windows/update/images/wsfb-inventoryaddprivatestore.png differ
diff --git a/windows/update/images/wsfb-landing.png b/windows/update/images/wsfb-landing.png
new file mode 100644
index 0000000000..beae0b52af
Binary files /dev/null and b/windows/update/images/wsfb-landing.png differ
diff --git a/windows/update/images/wsfb-licenseassign.png b/windows/update/images/wsfb-licenseassign.png
new file mode 100644
index 0000000000..5904abb3b9
Binary files /dev/null and b/windows/update/images/wsfb-licenseassign.png differ
diff --git a/windows/update/images/wsfb-licensedetails.png b/windows/update/images/wsfb-licensedetails.png
new file mode 100644
index 0000000000..53e0f5c935
Binary files /dev/null and b/windows/update/images/wsfb-licensedetails.png differ
diff --git a/windows/update/images/wsfb-licensereclaim.png b/windows/update/images/wsfb-licensereclaim.png
new file mode 100644
index 0000000000..9f94cd3600
Binary files /dev/null and b/windows/update/images/wsfb-licensereclaim.png differ
diff --git a/windows/update/images/wsfb-manageinventory.png b/windows/update/images/wsfb-manageinventory.png
new file mode 100644
index 0000000000..9a544ddc21
Binary files /dev/null and b/windows/update/images/wsfb-manageinventory.png differ
diff --git a/windows/update/images/wsfb-offline-distribute-mdm.png b/windows/update/images/wsfb-offline-distribute-mdm.png
new file mode 100644
index 0000000000..ec0e77a9a9
Binary files /dev/null and b/windows/update/images/wsfb-offline-distribute-mdm.png differ
diff --git a/windows/update/images/wsfb-onboard-1.png b/windows/update/images/wsfb-onboard-1.png
new file mode 100644
index 0000000000..012e91a845
Binary files /dev/null and b/windows/update/images/wsfb-onboard-1.png differ
diff --git a/windows/update/images/wsfb-onboard-2.png b/windows/update/images/wsfb-onboard-2.png
new file mode 100644
index 0000000000..2ff98fb1f7
Binary files /dev/null and b/windows/update/images/wsfb-onboard-2.png differ
diff --git a/windows/update/images/wsfb-onboard-3.png b/windows/update/images/wsfb-onboard-3.png
new file mode 100644
index 0000000000..ed9a61d353
Binary files /dev/null and b/windows/update/images/wsfb-onboard-3.png differ
diff --git a/windows/update/images/wsfb-onboard-4.png b/windows/update/images/wsfb-onboard-4.png
new file mode 100644
index 0000000000..d99185ddc6
Binary files /dev/null and b/windows/update/images/wsfb-onboard-4.png differ
diff --git a/windows/update/images/wsfb-onboard-5.png b/windows/update/images/wsfb-onboard-5.png
new file mode 100644
index 0000000000..68049f4425
Binary files /dev/null and b/windows/update/images/wsfb-onboard-5.png differ
diff --git a/windows/update/images/wsfb-onboard-7.png b/windows/update/images/wsfb-onboard-7.png
new file mode 100644
index 0000000000..38b7348b21
Binary files /dev/null and b/windows/update/images/wsfb-onboard-7.png differ
diff --git a/windows/update/images/wsfb-online-distribute-mdm.png b/windows/update/images/wsfb-online-distribute-mdm.png
new file mode 100644
index 0000000000..4b0f7cbf3a
Binary files /dev/null and b/windows/update/images/wsfb-online-distribute-mdm.png differ
diff --git a/windows/update/images/wsfb-paid-app-temp.png b/windows/update/images/wsfb-paid-app-temp.png
new file mode 100644
index 0000000000..89e3857d07
Binary files /dev/null and b/windows/update/images/wsfb-paid-app-temp.png differ
diff --git a/windows/update/images/wsfb-permissions-assignrole.png b/windows/update/images/wsfb-permissions-assignrole.png
new file mode 100644
index 0000000000..de2e1785ba
Binary files /dev/null and b/windows/update/images/wsfb-permissions-assignrole.png differ
diff --git a/windows/update/images/wsfb-private-store-gpo.PNG b/windows/update/images/wsfb-private-store-gpo.PNG
new file mode 100644
index 0000000000..5e7fe44ec2
Binary files /dev/null and b/windows/update/images/wsfb-private-store-gpo.PNG differ
diff --git a/windows/update/images/wsfb-privatestore.png b/windows/update/images/wsfb-privatestore.png
new file mode 100644
index 0000000000..74c9f1690d
Binary files /dev/null and b/windows/update/images/wsfb-privatestore.png differ
diff --git a/windows/update/images/wsfb-privatestoreapps.png b/windows/update/images/wsfb-privatestoreapps.png
new file mode 100644
index 0000000000..1ddb543796
Binary files /dev/null and b/windows/update/images/wsfb-privatestoreapps.png differ
diff --git a/windows/update/images/wsfb-renameprivatestore.png b/windows/update/images/wsfb-renameprivatestore.png
new file mode 100644
index 0000000000..c6db282581
Binary files /dev/null and b/windows/update/images/wsfb-renameprivatestore.png differ
diff --git a/windows/update/images/wsfb-settings-mgmt.png b/windows/update/images/wsfb-settings-mgmt.png
new file mode 100644
index 0000000000..2a7b590d19
Binary files /dev/null and b/windows/update/images/wsfb-settings-mgmt.png differ
diff --git a/windows/update/images/wsfb-settings-permissions.png b/windows/update/images/wsfb-settings-permissions.png
new file mode 100644
index 0000000000..63d04d270b
Binary files /dev/null and b/windows/update/images/wsfb-settings-permissions.png differ
diff --git a/windows/update/images/wsfb-wsappaddacct.png b/windows/update/images/wsfb-wsappaddacct.png
new file mode 100644
index 0000000000..5c0bd9a4ce
Binary files /dev/null and b/windows/update/images/wsfb-wsappaddacct.png differ
diff --git a/windows/update/images/wsfb-wsappprivatestore.png b/windows/update/images/wsfb-wsappprivatestore.png
new file mode 100644
index 0000000000..9c29e7604c
Binary files /dev/null and b/windows/update/images/wsfb-wsappprivatestore.png differ
diff --git a/windows/update/images/wsfb-wsappsignin.png b/windows/update/images/wsfb-wsappsignin.png
new file mode 100644
index 0000000000..c2c2631a94
Binary files /dev/null and b/windows/update/images/wsfb-wsappsignin.png differ
diff --git a/windows/update/images/wsfb-wsappworkacct.png b/windows/update/images/wsfb-wsappworkacct.png
new file mode 100644
index 0000000000..5eb9035124
Binary files /dev/null and b/windows/update/images/wsfb-wsappworkacct.png differ
diff --git a/windows/update/images/wufb-config1a.png b/windows/update/images/wufb-config1a.png
new file mode 100644
index 0000000000..1514b87528
Binary files /dev/null and b/windows/update/images/wufb-config1a.png differ
diff --git a/windows/update/images/wufb-config2.png b/windows/update/images/wufb-config2.png
new file mode 100644
index 0000000000..f54eef9a50
Binary files /dev/null and b/windows/update/images/wufb-config2.png differ
diff --git a/windows/update/images/wufb-config3a.png b/windows/update/images/wufb-config3a.png
new file mode 100644
index 0000000000..538028cfdc
Binary files /dev/null and b/windows/update/images/wufb-config3a.png differ
diff --git a/windows/update/images/wufb-do.png b/windows/update/images/wufb-do.png
new file mode 100644
index 0000000000..8d6c9d0b8a
Binary files /dev/null and b/windows/update/images/wufb-do.png differ
diff --git a/windows/update/images/wufb-groups.png b/windows/update/images/wufb-groups.png
new file mode 100644
index 0000000000..13cdea04b0
Binary files /dev/null and b/windows/update/images/wufb-groups.png differ
diff --git a/windows/update/images/wufb-pause-feature.png b/windows/update/images/wufb-pause-feature.png
new file mode 100644
index 0000000000..afeac43e29
Binary files /dev/null and b/windows/update/images/wufb-pause-feature.png differ
diff --git a/windows/update/images/wufb-qual.png b/windows/update/images/wufb-qual.png
new file mode 100644
index 0000000000..4a93408522
Binary files /dev/null and b/windows/update/images/wufb-qual.png differ
diff --git a/windows/update/images/wufb-sccm.png b/windows/update/images/wufb-sccm.png
new file mode 100644
index 0000000000..1d568c1fe4
Binary files /dev/null and b/windows/update/images/wufb-sccm.png differ
diff --git a/windows/manage/waas-update-windows-10.md b/windows/update/index.md
similarity index 90%
rename from windows/manage/waas-update-windows-10.md
rename to windows/update/index.md
index 353a7bf43d..18f0e7fcdd 100644
--- a/windows/manage/waas-update-windows-10.md
+++ b/windows/update/index.md
@@ -41,22 +41,8 @@ Windows as a service provides a new way to think about building, deploying, and | [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | | [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. | +| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager). 
- - -## Related topics - - -- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) -- [Configure Windows Update for Business](waas-configure-wufb.md) -- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) -- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) -- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - - - - +>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](https://technet.microsoft.com/itpro/windows/deploy/deploy-windows-10-with-system-center-2012-r2-configuration-manager).--- diff --git a/windows/manage/update-compliance-get-started.md b/windows/update/update-compliance-get-started.md similarity index 87% rename from windows/manage/update-compliance-get-started.md rename to windows/update/update-compliance-get-started.md index 9d2d540b82..ad42d0a9ca 100644 --- a/windows/manage/update-compliance-get-started.md +++ b/windows/update/update-compliance-get-started.md 
@@ -21,7 +21,7 @@ Steps are provided in sections that follow the recommended setup process: Update Compliance has the following requirements: 1. Update Compliance is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). -2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md). +2. The solution requires that Windows 10 telemetry is enabled on all devices that are intended to be displayed in the solution. These devices must have at least the [basic level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) enabled. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](../configure/configure-windows-telemetry-in-your-organization.md). 3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for different aspects of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: @@ -109,20 +109,7 @@ In order for your devices to show up in Windows Analytics: Update Compliance, th 3. In the **Options** box, under **Commercial Id**, type the Commercial ID GUID, and then click **OK**.

          - Using Microsoft Mobile Device Management (MDM)

          - Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp). - - For information on how to use MDM configuration CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/en-us/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). - - When using the Intune console, you can use the OMA-URI settings of a [custom policy](https://go.microsoft.com/fwlink/p/?LinkID=616316) to configure the commercial ID. The OMA-URI (case sensitive) path for configuring the commerical ID is:

          ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
          - - For example, you can use the following values in **Add or edit OMA-URI Setting**: - - **Setting Name**: Windows Analytics Commercial ID
          - **Setting Description**: Configuring commercial id for Windows Analytics solutions
          - **Data Type**: String
          - **OMA-URI (case sensitive)**: ./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID
          - **Value**: \
          - + Microsoft’s Mobile Device Management can be used to deploy your Commercial ID to your organization’s devices. The Commercial ID is listed under **Provider/ProviderID/CommercialID**. More information on deployment using MDM can be found [here](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmclient-csp).   ## Related topics diff --git a/windows/manage/update-compliance-monitor.md b/windows/update/update-compliance-monitor.md similarity index 100% rename from windows/manage/update-compliance-monitor.md rename to windows/update/update-compliance-monitor.md diff --git a/windows/manage/update-compliance-using.md b/windows/update/update-compliance-using.md similarity index 100% rename from windows/manage/update-compliance-using.md rename to windows/update/update-compliance-using.md diff --git a/windows/manage/waas-branchcache.md b/windows/update/waas-branchcache.md similarity index 98% rename from windows/manage/waas-branchcache.md rename to windows/update/waas-branchcache.md index 6e44cbaaa1..605234e7e2 100644 --- a/windows/manage/waas-branchcache.md +++ b/windows/update/waas-branchcache.md @@ -48,7 +48,7 @@ In addition to these steps, there is one requirement for WSUS to be able to use ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md similarity index 55% rename from windows/manage/waas-configure-wufb.md rename to windows/update/waas-configure-wufb.md index fcb36d20f6..03aeba51b9 100644 --- a/windows/manage/waas-configure-wufb.md +++ b/windows/update/waas-configure-wufb.md 
@@ -18,7 +18,7 @@ localizationpriority: high > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for both Windows 10, version 1511, and Windows 10, version 1607. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] >For Windows Update for Business policies to be honored, the Telemetry level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system telemetry level](https://technet.microsoft.com/en-us/itpro/windows/manage/configure-windows-telemetry-in-your-organization#configure-the-operating-system-telemetry-level). 
@@ -32,27 +32,35 @@ By grouping devices with similar deferral periods, administrators are able to cl >[!TIP] >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). - + ## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](https://technet.microsoft.com/en-us/itpro/windows/manage/introduction-to-windows-10-servicing). +With Windows Update for Business, you can set a device to be on either the Current Branch (CB) or the Current Branch for Business (CBB) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-branches). **Release branch policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for version 1607 and above:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | | GPO for version 1511:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | -| MDM for version 1607:
          ../Vendor/MSFT/Policy/Config/Update/
          **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | +| MDM for version 1607 and above:
          ../Vendor/MSFT/Policy/Config/Update/
          **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | | MDM for version 1511:
          ../Vendor/MSFT/Policy/Config/Update/
          **RequireDeferredUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**. + +![Branch readiness level setting](images/waas-wufb-settings-branch.jpg) + +>[!NOTE] +>Users will not be able to change this setting if it was configured by policy. ## Configure when devices receive Feature Updates -After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of 180 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. >[!IMPORTANT] >This policy does not apply to Windows 10 Mobile Enterprise. +> +>You can only defer up to 180 days prior to version 1703. **Examples** @@ -66,32 +74,45 @@ After you configure the servicing branch (CB or CBB), you can then define if, an | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
          \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for version 1607 and above:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
          \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | | GPO for version 1511:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | -| MDM for version 1607:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | +| MDM for version 1607 and above:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | | MDM for version 1511:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +>[!NOTE] +>If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. ## Pause Feature Updates -You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. +You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. + +Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. + +In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. + +With version 1703, pausing through the settings app will provide a more consistent experience: +- Any active restart notification are cleared or closed +- Any pending restarts are canceled +- Any pending update installations are canceled +- Any update installation running when pause is activated will attempt to rollback >[!IMPORTANT] >This policy does not apply to Windows 10 Mobile Enterprise. +> +>Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates. 
**Pause Feature Updates policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates | +| GPO for version 1607 and above:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
          **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | | GPO for version 1511:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
          ../Vendor/MSFT/Policy/Config/Update/
          **PauseFeatureUpdates** | \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates | +| MDM for version 1607 and above:
          ../Vendor/MSFT/Policy/Config/Update/
          **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
          **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | | MDM for version 1511:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | - You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. | Value | Status| | --- | --- | @@ -99,6 +120,8 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda | 1 | Feature Updates paused | | 2 | Feature Updates have auto-resumed after being paused | +>[!NOTE] +>If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. ## Configure when devices receive Quality Updates @@ -113,16 +136,28 @@ You can set your system to receive updates for other Microsoft products—known | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
          \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | +| GPO for version 1607 and above:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
          \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | | GPO for version 1511:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | -| MDM for version 1607:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | +| MDM for version 1607 and above:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | | MDM for version 1511:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | +>[!NOTE] +>If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. ## Pause Quality Updates You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again. +Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. + +In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. + +With version 1703, pause will provide a more consistent experience: +- Any active restart notification are cleared or closed +- Any pending restarts are canceled +- Any pending update installations are canceled +- Any update installation running when pause is activated will attempt to rollback + >[!IMPORTANT] >This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise. @@ -130,12 +165,11 @@ You can also pause a system from receiving Quality Updates for a period of up to | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |\Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates | +| GPO for version 1607 and above:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
          **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime | | GPO for version 1511:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607:
          ../Vendor/MSFT/Policy/Config/Update/
          **PauseQualityUpdates** | \Microsoft\PolicyManager\default\Update\PauseQualityUpdates | +| MDM for version 1607 and above:
          ../Vendor/MSFT/Policy/Config/Update/
          **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
          **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | | MDM for version 1511:
          ../Vendor/MSFT/Policy/Config/Update/
          **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | - You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. @@ -146,22 +180,23 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda | 1 | Quality Updates paused | | 2 | Quality Updates have auto-resumed after being paused | +>[!NOTE] +>If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. + ## Exclude drivers from Quality Updates -In Windows 10, version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. +In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. **Exclude driver policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | -| MDM for version 1607:
          ../Vendor/MSFT/Policy/Config/Update/
          **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +| GPO for version 1607 and above:
          Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| MDM for version 1607 and above:
          ../Vendor/MSFT/Policy/Config/Update/
          **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +## Summary: MDM and Group Policy for version 1703 - -## Summary: MDM and Group Policy for version 1607 - -Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607. +Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above. **GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** @@ -169,11 +204,11 @@ Below are quick-reference tables of the supported Windows Update for Business po | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
          32: systems take Feature Updates for the Current Branch for Business (CBB)
          Note: Other value or absent: receive all applicable updates (CB) | | DeferQualityUpdates | REG_DWORD | 1: defer quality updates
          Other value or absent: don’t defer quality updates | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
          Other value or absent: don’t pause quality updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | +| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
          Other value or absent: don’t pause quality updates | |DeferFeatureUpdates | REG_DWORD | 1: defer feature updates
          Other value or absent: don’t defer feature updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD |1: pause feature updates
          Other value or absent: don’t pause feature updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | +| PauseFeatureUpdatesStartDate | REG_DWORD |1: pause feature updates
          Other value or absent: don’t pause feature updates | | ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
          Other value or absent: offer Windows Update drivers | @@ -182,40 +217,42 @@ Below are quick-reference tables of the supported Windows Update for Business po | MDM Key | Key type | Value | | --- | --- | --- | | BranchReadinessLevel | REG_DWORD | 16: systems take Feature Updates for the Current Branch (CB)
          32: systems take Feature Updates for the Current Branch for Business (CBB)
          Note: Other value or absent: receive all applicable updates (CB) | -| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-30: defer quality updates by given days | -| PauseQualityUpdates | REG_DWORD | 1: pause quality updates
          Other value or absent: don’t pause quality updates | -| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-180: defer feature updates by given days | -| PauseFeatureUpdates | REG_DWORD | 1: pause feature updates
          Other value or absent: don’t pause feature updates | +| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: defer quality updates by given days | +| PauseQualityUpdatesStartDate | REG_DWORD | 1: pause quality updates
          Other value or absent: don’t pause quality updates | +| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: defer feature updates by given days | +| PauseFeatureUpdatesStartDate | REG_DWORD | 1: pause feature updates
          Other value or absent: don’t pause feature updates | | ExcludeWUDriversinQualityUpdate | REG_DWORD | 1: exclude Windows Update drivers
          Other value or absent: offer Windows Update drivers | -## Update devices from Windows 10, version 1511 to version 1607 +## Update devices to newer versions -Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. However,Windows Update for Business clients running version 1511 will still see their policies honored after they update to version 1607; the old policy keys will continue to exist with their values ported forward during the update. Following the update to version 1607, it should be noted that only the version 1511 keys will be populated and not the new version 1607 keys, until the newer keys are explicitly defined on the device by the administrator. +Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, is also using a few new GPO and MDM keys than those available in version 1607. However,Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator. -### How version 1511 policies are respected on version 1607 +### How older version policies are respected on newer versions -When a client running version 1607 sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for version 1607. If these are not present, it will then check to see if any of the version 1511 keys are set and defer accordingly. 
Update keys for version 1607 will always supersede the version 1511 equivalent. +When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. ### Comparing the version 1511 keys to the version 1607 keys In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other.
          - +
          Group Policy keys
          Version 1511 GPO keysVersion 1607 GPO keys
          **DeferUpgrade**: *enable/disable*
              -Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

          **DeferUpgradePeriod**: *0 - 8 months*

          **DeferUpdatePeriod**: *1 – 4 weeks*

          **Pause**: *enable/disable*
             Enabling will pause both upgrades and updates for a max of 35 days
          **DeferFeatureUpdates**: *enable/disable*

          **BranchReadinessLevel**
             Set device on CB or CBB

          **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

          **PauseFeatureUpdates**: *enable/disable*
             Enabling will pause Feature updates for a max of 60 days

          **DeferQualityUpdates**: *Enable/disable*

          **DeferQualityUpdatesPeriodinDays**: *0 - 30 days*

          **PauseQualityUpdates**: *enable/disable*
             Enabling will pause Quality updates for a max of 35 days

          **ExcludeWUDrivers**: *enable/disable*
          **DeferUpgrade**: *enable/disable*
          Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

          **DeferUpgradePeriod**: *0 - 8 months*

          **DeferUpdatePeriod**: *1 – 4 weeks*

          **Pause**: *enable/disable*
          Enabling will pause both upgrades and updates for a max of 35 days
          **DeferFeatureUpdates**: *enable/disable*

          **BranchReadinessLevel**
          Set device on CB or CBB

          **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

          **PauseFeatureUpdates**: *enable/disable*
          Enabling will pause Feature updates for a max of 60 days

          **DeferQualityUpdates**: *Enable/disable*

          **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

          **PauseQualityUpdates**: *enable/disable*
          Enabling will pause Quality updates for a max of 35 days

          **ExcludeWUDrivers**: *enable/disable*
          - +
          MDM keys
          Version 1511 MDM keysVersion 1607 MDM keys
          **RequireDeferUpgade**: *bool*
             Puts the device on CBB (no ability to defer updates while on the CB branch).

          **DeferUpgradePeriod**: *0 - 8 months*

          **DeferUpdatePeriod**: *1 – 4 weeks*

          **PauseDeferrals**: *bool*
             Enabling will pause both upgrades and updates for a max of 35 days
          **BranchReadinessLevel**
             Set system on CB or CBB

          **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

          **PauseFeatureUpdates**: *enable/disable*
             Enabling will pause Feature updates for a max of 60 days

          **DeferQualityUpdatesPeriodinDays**: *0 - 30 days*

          **PauseQualityUpdates**: *enable/disable*
              Enabling will pause Quality updates for a max of 35 days

          **ExcludeWUDriversInQualityUpdate**: *enable/disable<*/td>
          **RequireDeferUpgade**: *bool*
          Puts the device on CBB (no ability to defer updates while on the CB branch).

          **DeferUpgradePeriod**: *0 - 8 months*

          **DeferUpdatePeriod**: *1 – 4 weeks*

          **PauseDeferrals**: *bool*
          Enabling will pause both upgrades and updates for a max of 35 days
          **BranchReadinessLevel**
          Set system on CB or CBB

          **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

          **PauseFeatureUpdates**: *enable/disable*
          Enabling will pause Feature updates for a max of 60 days

          **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

          **PauseQualityUpdates**: *enable/disable*
          Enabling will pause Quality updates for a max of 35 days

          **ExcludeWUDriversInQualityUpdate**: *enable/disable*
          +### Comparing the version 1607 keys to the version 1703 keys - - +| Version 1607 key | Version 1703 key | +| --- | --- | +| PauseFeatureUpdates | PauseFeatureUpdatesStartTime | +| PauseQualityUpdates | PauseQualityUpdatesStartTime | ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/update/waas-delivery-optimization.md similarity index 51% rename from windows/manage/waas-delivery-optimization.md rename to windows/update/waas-delivery-optimization.md index b1701d80d9..ffc4f91f43 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/update/waas-delivery-optimization.md 
@@ -32,14 +32,66 @@ By default in Windows 10 Enterprise and Education, Delivery Optimization allows You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. -- Group Policy: Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization -- MDM: .Vendor/MSFT/Policy/Config/DeliveryOptimization +You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**. +In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**. -Several Delivery Optimization features are configurable. +Several Delivery Optimization features are configurable: - +| Group Policy setting | MDM setting | Supported from version | +| --- | --- | --- | +| [Download mode](#download-mode) | DODownloadMode | 1511 | +| [Group ID](#group-id) | DOGroupID | 1511 | +| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 | +| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 | +| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 | +| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 | +| [Absolute Max Cache Size](#absolute-max-cache-size) | DOAbsoluteMaxCacheSize | 1607 | +| [Modify Cache Drive](#modify-cache-drive) | DOModifyCacheDrive | 1607 | +| [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) | DOMinFileSizeToCache | 1703 | +| [Maximum Download Bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 | +| [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) | DOPercentageMaxDownloadBandwidth | 1607 | +| [Max Upload Bandwidth](#max-upload-bandwidth) | DOMaxUploadBandwidth | 1607 | +| [Monthly Upload Data Cap](#monthly-upload-data-cap) | DOMonthlyUploadDataCap | 1607 
| +| [Minimum Background QoS](#minimum-background-qos) | DOMinBackgroundQoS | 1607 | +| [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) | DOAllowVPNPeerCaching | 1703 | +| [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) | DOMinBatteryPercentageAllowedToUpload | 1703 | -### Download mode (DODownloadMode) +When configuring Delivery Optimization on Windows 10 devices, the first and most important thing to configure, would be [Download mode](#download-mode). Download mode dictates how Delivery Optimization downloads Windows updates. + +While every other feature setting is optional, they offer enhanced control of the Delivery Optimization behavior. + +[Group ID](#group-id), combined with Group [Download mode](#download-mode), enables administrators to create custom device groups that will share content between devices in the group. + +Delivery Optimization uses locally cached updates. In cases where devices have ample local storage and you would like to cache more content, or if you have limited storage and would like to cache less, use the settings below to adjust the Delivery Optimization cache to suit your scenario: +- [Max Cache Size](#max-cache-size) and [Absolute Max Cache Size](#absolute-max-cache-size) control the amount of space the Delivery Optimization cache can use. +- [Max Cache Age](#max-cache-age) controls the retention period for each update in the cache. +- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location. + +>[!NOTE] +>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices). + +All cached files have to be above a set minimum size. 
This size is automatically set by the Delivery Optimization cloud services. Administrators may choose to change it, which will result in increased performance, when local storage is sufficient and the network isn't strained or congested. [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size) determines the minimum size of files to be cached. + +There are additional options available to robustly control the impact Delivery Optimization has on your network: +- [Maximum Download Bandwidth](#maximum-download-bandwidth) and [Percentage of Maximum Download Bandwidth](#percentage-of-maximum-download-bandwidth) controls the download bandwidth used by Delivery Optimization. +- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage. +- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers per month. +- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network. + +Various controls allow administrators to further customize scenarios where Delivery Optimization will be used: +- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled. +- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled. +- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching. 
+- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. Enabling this policy is required to allow upload while on battery. + +### How Microsoft uses Delivery Optimization +In Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. + +For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. + +Provided below is a detailed description of every configurable feature setting. Use these details when configuring any of the above settings. + +### Download mode Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. 
@@ -55,176 +107,82 @@ Download mode dictates which download sources clients are allowed to use when do >[!NOTE] >Group mode is a best effort optimization and should not be relied on for an authentication of identity of devices participating in the group. -### Group ID (DOGroupID) +### Group ID By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to peer. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. >[!NOTE] +>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/) +> >This configuration is optional and not required for most implementations of Delivery Optimization. - -### Max Cache Age (DOMaxCacheAge) + + +### Minimum RAM (inclusive) allowed to use Peer Caching + +This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4 GB, and the default value is 4 GB. + +### Minimum disk size allowed to use Peer Caching + +This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256 GB, and the default value is 32 GB. 
+ +>[!NOTE] +>If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy. + + +### Max Cache Age In environments configured for Delivery Optimization, you may want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client computer. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations may choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). -### Max Cache Size (DOMaxCacheSize) +### Max Cache Size This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows 10 client computer that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. -### Absolute Max Cache Size (DOAbsoluteMaxCacheSize) +### Absolute Max Cache Size -This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the **DOMaxCacheSize** setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the **DOMaxCacheSize** setting. The default value for this setting is 10 GB. +This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. 
This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB. -### Maximum Download Bandwidth (DOMaxDownloadBandwidth) +### Minimum Peer Caching Content File Size + +This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000 MB. + +### Maximum Download Bandwidth This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of 0 means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. -### Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) +### Percentage of Maximum Download Bandwidth This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. -### Max Upload Bandwidth (DOMaxUploadBandwidth) +### Max Upload Bandwidth This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. 
-### Minimum Background QoS (DOMinBackgroundQoS) +### Minimum Background QoS -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more bytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. +This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. Simply put, the lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. -### Modify Cache Drive (DOModifyCacheDrive) +### Modify Cache Drive This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (e.g., %SYSTEMDRIVE%), a drive letter (e.g., D:), or a folder path (e.g., D:\DOCache). -### Monthly Upload Data Cap (DOMonthlyUploadDataCap) +### Monthly Upload Data Cap This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of 0 means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. -## Delivery Optimization configuration examples +### Enable Peer Caching while the device connects via VPN -Delivery Optimization can be configured in various ways, leveraging the policies described in the previous section. 
The following samples describe some common scenarios that organizations may want to set up, given specific scenarios in use for their organization. +This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. -### Use Delivery Optimzation with group download mode +### Allow uploads while the device is on battery while under set Battery level -Delivery Optimization by default will consider all PCs in an organizations as peers for sharing content, even those that might be located across a slower WAN link. Group download mode is designed to help with this by limiting the PCs that can be used. In Windows 10, version 1511, group download mode considers PCs in the same domain and with the same configured Group ID to be eligible peers. In Windows 10, version 1607, the default behavior also adds the PC's AD DS site into the grouping determination. +This setting specifies battery levels at which a device will be allowed to upload data. Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery). Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set if you allow uploads on battery is 40 (for 40%). +The device can download from peers while on battery regardless of this policy. -**To use Group Policy to configure Delivery Optimization for group download mode** +>[!IMPORTANT] +> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause. -1. Open Group Policy Management Console (GPMC). - -2. 
Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Group**. - -5. Right-click the **Delivery Optimization – Group** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Group** download mode. - -9. Right-click the **GroupID** setting, and then click **Edit**. Enable the policy, and then specify a unique GUID for each group of PCs. (This is not required for Windows 10, version 1607, since the AD site code will be used to group devices automatically.) - -10. Click **OK**, and then close the Group Policy Management Editor. - -11. In GPMC, select the **Delivery Optimization – Group** policy. - -12. On the **Scope** tab, under **Security Filtering**, configure the policy to be targeted to an approprite computer group. - -**To use Intune to configure Delivery Optimization for group download mode** - -1. Sign in to [https://manage.microsoft.com](https://manage.microsoft.com) with your Intune administrator credentials. - -2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane. - -3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**. - -4. Name the policy **Windows Update for Business - CBB1**. Then, in the **OMA-URI Settings** section, click **Add**. - -5. In **Setting name**, type **Set Delivery Optimization to Group**, and then select **Integer** from the **Data type** list. - -6. In the **OMA-URI** box, type **.Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode**. - -7. 
In the **Value** box, type **2**, and then click **OK**. - - >[!NOTE] - >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax. - -8. Click **Save Policy**. - -9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**. - - >[!NOTE] - >If this dialog box doesn't appear, select the policy, and then click **Manage Deployment**. - -10. In the **Manage Deployment** dialog box, select the **All Computers** group, click **Add**, and then click **OK**. - -### Use WSUS and BranchCache with Windows 10, version 1511 - -In Windows 10, version 1511, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **HTTP only** download mode, which results in Background Intelligent Transfer Service (BITS) being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. - -**To use Group Policy to configure HTTP only download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – HTTP Only**. - -5. Right-click the **Delivery Optimization – HTTP Only** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **HTTP only** download mode. - -9. 
Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – HTTP Only** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, browse to the **Domain Computers** group, and then click **OK**. - - ![example of UI](images/waas-do-fig4.png) - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Use WSUS and BranchCache with Windows 10, version 1607 - -In Windows 10, version 1607, Delivery Optimization is enabled by default and is used for peer-to-peer sharing of updates. For organizations that wish to instead leverage BranchCache for the caching of updates being delivered from a WSUS server, Delivery Optimization can be configured to leverage the **Bypass** download mode (new in Windows 10, version 1607), which results in BITS being used to transfer the content; BITS will then use BranchCache when peers are available on the same subnet, and use the WSUS server directly when no peers are available. - -**To use Group Policy to enable the Bypass download mode** - -1. Open Group Policy Management Console (GPMC). - -2. Expand Forest\Domains\\*Your_Domain*. - -3. Right-click *Your_Domain*, and then click **Create a GPO in this domain, and Link it here**. - -4. In the **New GPO** dialog box, in the **Name** box, type **Delivery Optimization – Bypass**. - -5. Right-click the **Delivery Optimization – Bypass** GPO, and then click **Edit**. - -6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization. - -7. Right-click the **Download Mode** setting, and then click **Edit**. - -8. Enable the policy, and then select the **Bypass** download mode. 
(Note that this download mode is only present in the Windows 10, version 1607, Group Policy ADMX files.) - -9. Click **OK**, and then close the Group Policy Management Editor. - -10. In GPMC, select the **Delivery Optimization – Bypass** policy. - -11. On the **Scope** tab, under **Security Filtering**, select the default **AUTHENTICATED USERS** security group, and then click **Remove**. Then, click **Add**, select the **Domain Computers** group, and then click **OK**. - - >[!NOTE] - >This example uses the Domain Computers group, but you can deploy this policy setting to any computer group. - -### Set “preferred” cache devices for Delivery Optimization + +## Set “preferred” cache devices for Delivery Optimization In some cases, IT pros may have an interest in identifying specific devices that will be “preferred” as sources to other devices—for example, devices that have hard-wired connections, large drives that you can use as caches, or a high-end hardware profile. These preferred devices will act as a “master” for the update content related to that devices’s configuration (Delivery Optimization only caches content relative to the client downloading the content). @@ -232,7 +190,7 @@ To specify which devices are preferred, you can set the **Max Cache Age** config On devices that are not preferred, you can choose to set the following policy to prioritize data coming from local peers instead of the Internet: -- Set **DOMinBackgroundQoS** with a low value, for example `65536` which is the equivalent of 64 KB/s. +- Set **DOMinBackgroundQoS** with a low value, for example `64` which is the equivalent of 64 KB/s. ## Learn more 
@@ -241,7 +199,7 @@ On devices that are not preferred, you can choose to set the following policy to ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-deployment-rings-windows-10-updates.md b/windows/update/waas-deployment-rings-windows-10-updates.md similarity index 98% rename from windows/manage/waas-deployment-rings-windows-10-updates.md rename to windows/update/waas-deployment-rings-windows-10-updates.md index 1277f71080..697b85bf4b 100644 --- a/windows/manage/waas-deployment-rings-windows-10-updates.md +++ b/windows/update/waas-deployment-rings-windows-10-updates.md @@ -67,7 +67,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) diff --git a/windows/manage/waas-integrate-wufb.md b/windows/update/waas-integrate-wufb.md similarity index 99% rename from windows/manage/waas-integrate-wufb.md rename to windows/update/waas-integrate-wufb.md index 26e1d2bb42..f6058440b0 100644 --- a/windows/manage/waas-integrate-wufb.md +++ b/windows/update/waas-integrate-wufb.md 
@@ -92,7 +92,7 @@ For Windows 10, version 1607, organizations already managing their systems with ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-manage-updates-configuration-manager.md b/windows/update/waas-manage-updates-configuration-manager.md similarity index 99% rename from windows/manage/waas-manage-updates-configuration-manager.md rename to windows/update/waas-manage-updates-configuration-manager.md index 10a6565a03..9bdb0238e0 100644 --- a/windows/manage/waas-manage-updates-configuration-manager.md +++ b/windows/update/waas-manage-updates-configuration-manager.md @@ -392,7 +392,7 @@ or Manage Windows 10 updates using System Center Configuration Manager (this top ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-manage-updates-wsus.md b/windows/update/waas-manage-updates-wsus.md similarity index 99% rename from windows/manage/waas-manage-updates-wsus.md rename to windows/update/waas-manage-updates-wsus.md index 6fee51df69..d491319549 100644 --- a/windows/manage/waas-manage-updates-wsus.md +++ b/windows/update/waas-manage-updates-wsus.md 
@@ -335,7 +335,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-manage-updates-wufb.md b/windows/update/waas-manage-updates-wufb.md similarity index 90% rename from windows/manage/waas-manage-updates-wufb.md rename to windows/update/waas-manage-updates-wufb.md index 790cb61972..f38ac5333c 100644 --- a/windows/manage/waas-manage-updates-wufb.md +++ b/windows/update/waas-manage-updates-wufb.md @@ -89,7 +89,7 @@ Both Feature and Quality Updates can be deferred from deploying to client device Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. >[!NOTE] ->For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](introduction-to-windows-10-servicing.md). +>For more information on Current Branch and Current Branch for Business, see [Windows 10 servicing options](waas-overview.md#servicing-branches). @@ -104,6 +104,13 @@ Windows Update for Business was first made available in Windows 10, version 1511

          Drivers

          No driver-specific controls

          Drivers can be selectively excluded from Windows Update for Business.

          +## Monitor Windows Updates using Update Compliance + +Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses telemetry data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. + +![Update Compliance Dashboard](images/waas-wufb-update-compliance.png) + +For more information about Update Compliance, see [Monitor Windows Updates using Update Compliance](update-compliance-monitor.md). ## Steps to manage updates for Windows 10 @@ -119,10 +126,8 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
          - ## Related topics - -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-mobile-updates.md b/windows/update/waas-mobile-updates.md similarity index 98% rename from windows/manage/waas-mobile-updates.md rename to windows/update/waas-mobile-updates.md index 1352624cc9..ce0c446a7a 100644 --- a/windows/manage/waas-mobile-updates.md +++ b/windows/update/waas-mobile-updates.md @@ -63,7 +63,7 @@ If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, versi ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) +- [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) diff --git a/windows/manage/waas-optimize-windows-10-updates.md b/windows/update/waas-optimize-windows-10-updates.md similarity index 57% rename from windows/manage/waas-optimize-windows-10-updates.md rename to windows/update/waas-optimize-windows-10-updates.md index 9563562c28..0c618399e9 100644 --- a/windows/manage/waas-optimize-windows-10-updates.md +++ b/windows/update/waas-optimize-windows-10-updates.md 
@@ -13,24 +13,24 @@ localizationpriority: high **Applies to** -- Windows 10 +- Windows 10 -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. -Two methods of peer-to-peer content distribution are available in Windows 10. +Two methods of peer-to-peer content distribution are available in Windows 10. -- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. +- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. - Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. 
Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. + Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. -- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. +- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. 
+ Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.

          
@@ -40,10 +40,43 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | >[!NOTE] ->Starting with preview version 1604, System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage in the same Configuration Manager boundary group. This is expected to be available in later Configuration Manager current branch releases. +>System Center Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use System Center Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/client-peer-cache). > ->In addition to client content sharing, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt613173.aspx). +>In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. 
Using this technology, clients imaging with System Center Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in System Center Configuration Manager](https://technet.microsoft.com/library/mt613173.aspx). +## Express update delivery + +Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express. + +### How Microsoft supports Express +- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update. +- **Express on WSUS Standalone** + + Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). +- **Express on devices directly connected to Windows Update** +- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration. + +### How Express download works + +For OS updates that support Express, there are two versions of the file payload stored on the service: +1. **Full-file version** - essentially replacing the local versions of the update binaries. +2. **Express version** - containing the deltas needed to patch the existing binaries on the device. + +Both the full-file version and the Express version are referenced in the update's metadata, which has been downloaded to the client as part of the scan phase. 
+ +**Express download works as follows:** + +The Windows Update client will try to download Express first, and under certain situations fall back to full-file if needed (for example, if going through a proxy that doesn't support byte range requests). + +1. When the Windows Update client initiates an Express download, **Windows Update first downloads a stub**, which is part of the Express package. +2. **The Windows Update client passes this stub to the Windows installer**, which uses the stub to do a local inventory, comparing the deltas of the file on the device with what is needed to get to the latest version of the file being offered. +3. **The Windows installer then requests the Windows Update client to download the ranges**, which have been determined to be required. +4. **The client downloads these ranges and passes them to the Windows Installer**, which applies the ranges and then determines if additional ranges are needed. This repeats until the Windows installer tells the Windows Update client that all necessary ranges have been downloaded. + +At this point, the download is complete and the update is ready to be installed. + +>[!TIP] +>Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates. ## Steps to manage updates for Windows 10 @@ -63,7 +96,8 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma ## Related topics -- [Update Windows 10 in the enterprise](waas-update-windows-10.md) + +- [Update Windows 10 in the enterprise](index.md) - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) 
@@ -72,5 +106,3 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
 - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
 - [Manage device restarts after updates](waas-restart.md)
-
-
diff --git a/windows/manage/waas-overview.md b/windows/update/waas-overview.md
similarity index 99%
rename from windows/manage/waas-overview.md
rename to windows/update/waas-overview.md
index d597a74145..0df38fb0e2 100644
--- a/windows/manage/waas-overview.md
+++ b/windows/update/waas-overview.md
@@ -173,7 +173,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Quick guide to Windows as a service](waas-quick-start.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
diff --git a/windows/manage/waas-quick-start.md b/windows/update/waas-quick-start.md
similarity index 92%
rename from windows/manage/waas-quick-start.md
rename to windows/update/waas-quick-start.md
index eef6aed2a3..51827c8f74 100644
--- a/windows/manage/waas-quick-start.md
+++ b/windows/update/waas-quick-start.md
@@ -17,7 +17,7 @@ localizationpriority: high
 - Windows 10 Mobile
 - Windows 10 IoT Mobile
-Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](waas-update-windows-10.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
+Windows as a service is a new concept, introduced with the release of Windows 10. While [an extensive set of documentation](index.md) is available explaining all the specifics and nuances, here is a quick guide to the most important concepts.
 ## Definitions
@@ -42,7 +42,7 @@ See [Assign devices to servicing branches for Windows 10 updates](waas-servicing
 ## Staying up to date
-The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Upgrade Analytics](https://www.microsoft.com/en-us/WindowsForBusiness/upgrade-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of tools management and patching tools such as Windows Update, Windows Update for Business, Windows Server Update Services, System Center Configuration Manager, and third-party products) can be used to help with this process. [Windows Analytics Upgrade Readiness](https://www.microsoft.com/en-us/WindowsForBusiness/windows-analytics), a free tool to streamline Windows upgrade projects, is another important tool to help.
 Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps and CBB has been declared, broad deployment can begin.
@@ -63,7 +63,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/manage/waas-restart.md b/windows/update/waas-restart.md
similarity index 66%
rename from windows/manage/waas-restart.md
rename to windows/update/waas-restart.md
index ffb43434aa..da651bccc2 100644
--- a/windows/manage/waas-restart.md
+++ b/windows/update/waas-restart.md
@@ -49,6 +49,8 @@ For a detailed description of these regsitry keys, see [Registry keys used to ma
 By default, active hours are from 8 AM to 5 PM on PCs and from 5 AM to 11 PM on phones. Users can change the active hours manually.
+Starting with Windows 10, version 1703, you can also specify the max active hours range. The specified range will be counted from the active hours start time.
+
 Administrators can use multiple ways to set active hours for managed devices:
 - You can use Group Policy, as described in the procedure that follows.
@@ -63,7 +65,7 @@ To configure active hours using Group Policy, go to **Computer Configuration\Adm
 ### Configuring active hours with MDM
-MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
+MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_ActiveHoursEnd) and [Update/ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) settings in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) to configure active hours.
 ### Configuring active hours through Registry
@@ -80,10 +82,64 @@ For a detailed description of these regsitry keys, see [Registry keys used to ma
 >
 >![Change active hours](images/waas-active-hours.png)
+### Configuring active hours max range
+
+With Windows 10, version 1703, administrators can specify the max active hours range users can set. This option gives you additional flexibility to leave some of the decision for active hours on the user's side, while making sure you allow enough time for updating. The max range is calculated from active hours start time.
+
+To configure active hours max range through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Specify active hours range for auto-restarts**.
+
+To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRange**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-activehoursmaxrange).
+
 ## Limit restart delays
 After an update is installed, Windows 10 attemtps automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
+## Control restart notifications
+
+In Windows 10, version 1703, we have added settings to control restart notifications for users.
+
+### Auto-restart notifications
+
+Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
+
+To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**.
When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
+
+To configure this behavior through MDM, use [**Update/AutoRestartRequiredNotificationDismissal**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartRequiredNotificationDismissal)
+
+You can also configure the period prior to an update that this notification will show up on. The default value is 15 minutes.
+
+To change it through Group Policy, select **Configure auto-restart-reminder notifications for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select the period in minutes.
+
+To change it through MDM, use [**Update/AutoRestartNotificationSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-AutoRestartNotificationSchedule).
+
+
+In some cases, you don't need a notification to show up.
+
+To do so through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Turn off auto-restart notifications for update installations**.
+
+To do so through MDM, use [**Update/SetAutoRestartNotificationDisable**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-setautorestartnotificationdisable).
+
+### Scheduled auto-restart warnings
+
+Since users are not able to postpone a scheduled restart once the deadline has been reached, you can configure a warning reminder prior to the scheduled a restart. You can also configure a configure a warning prior to the restart, to notify users once the restart is imminent and allow them to save their work.
+
+To configure both through Group Policy, find **Configure auto-restart warning notifications schedule for updates** under **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The warning reminder can be configured by **Reminder (hours)** and the warning prior to an imminent auto-restart can be configured by **Warning (mins)**.
+
+In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleRestartWarning) and the auto-restart imminent warning is configured using [**Update/ScheduleImminentRestartWarning**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-ScheduleImminentRestartWarning).
+
+### Engaged restart
+
+Engaged restart is the period of time when users are required to schedule a restart. When this period ends (7 days by default), Windows transitions to auto-restart outside of active hours.
+
+The following settings can be adjusted for engaged restart:
+* Period of time before engaged restart transitions to auto-restart.
+* The number of days that users can snooze engaged restart reminder notifications.
+* The number of days before a pending restart automatically executes outside of working hours.
+
+In Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and pick **Specify Engaged restart transition and notification schedule for updates**.
+
+In MDM, use [**Update/EngagedRestartTransitionSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartTransitionSchedule), [**Update/EngagedRestartSnoozeSchedule**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartSnoozeSchedule) and [**Update/EngagedRestartDeadline**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider?UpdatePolicies#update-EngagedRestartDeadline) respectively.
+
 ## Group Policy settings for restart
 In the Group Policy editor, you will see a number of policy settings that pertain to restart behavior in **Computer Configuration\Administrative Templates\Windows Components\Windows Update**. The following table shows which policies apply to Windows 10.
@@ -132,7 +188,7 @@ There are 3 different registry combinations for controlling restart behavior:
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/update/waas-servicing-branches-windows-10-updates.md
similarity index 99%
rename from windows/manage/waas-servicing-branches-windows-10-updates.md
rename to windows/update/waas-servicing-branches-windows-10-updates.md
index 322b7c07b2..dec5263d65 100644
--- a/windows/manage/waas-servicing-branches-windows-10-updates.md
+++ b/windows/update/waas-servicing-branches-windows-10-updates.md
@@ -207,7 +207,7 @@ By enabling the Group Policy setting under **Computer Configuration\Administrati
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/manage/waas-servicing-strategy-windows-10-updates.md b/windows/update/waas-servicing-strategy-windows-10-updates.md
similarity index 99%
rename from windows/manage/waas-servicing-strategy-windows-10-updates.md
rename to windows/update/waas-servicing-strategy-windows-10-updates.md
index 52c156bbeb..6996fe3d0f 100644
--- a/windows/manage/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/update/waas-servicing-strategy-windows-10-updates.md
@@ -59,7 +59,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
 - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
 - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
diff --git a/windows/update/waas-windows-insider-for-business-aad.md b/windows/update/waas-windows-insider-for-business-aad.md
new file mode 100644
index 0000000000..5467e01600
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business-aad.md
@@ -0,0 +1,111 @@
+---
+title: Windows Insider Program for Business using Azure Active Directory
+description: Benefits and configuration of corporate accounts in the Windows Insider Program
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business using Azure Active Directory
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+We recently added features and benefits to better support the IT Professionals and business users in our Insider community. This includes the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs.
+
+>[!NOTE]
+>At this point, the Windows Insider Program for Business only supports Azure Active Directory (and not Active Directory on premises) as a corporate authentication method.
+
+>[!TIP]
+>New to Azure Active Directory? Go here for [an introduction to AAD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect), including guidance for [adding users](https://docs.microsoft.com/azure/active-directory/active-directory-users-create-azure-portal), [device registration](https://docs.microsoft.com/azure/active-directory/active-directory-device-registration-overview) and [integrating your on-premises directories with Azure AD](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).
+>
+>If your company is currently not using AAD – but has a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services – you have a free subscription to Microsoft Azure Active Directory.
This subscription can be used to create users for enrollment in the Windows Insider Program for Business.
+
+In order to get the most benefit out of the Windows Insider Program for Business, organizations should not use a test tenant of AAD. There will be no modifications to the AAD tenant to support the Windows Insider Program as it will only be used as an authentication method.
+
+## Check if a device is connected to your company’s Azure Active Directory subscription
+Simply go to **Settings > Accounts > Access work or school**. If a corporate account is on Azure Active Directory and it is connected to the device, you will see the account listed as highlighted in the image below.
+
+![Device connected to Work Account](images/waas-wipfb-work-account.jpg)
+
+## Enroll a device with an Azure Active Directory account
+1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions.
+2. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**.
+3. Enter the AAD account that you used to register and follow the on-screen directions.
+
+>[!NOTE]
+>Make sure that you have administrator rights to the machine and that it has latest Windows updates.
+
+## Switch device enrollment from your Microsoft account to your AAD account
+1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account.
+2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**.
+3. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**.
+4. Under Windows Insider account, click your Microsoft account, then **Change** to open a Sign In box.
+5. Select your corporate account and click Continue to change your account.
+
+![Change Windows Insider account](images/waas-wipfb-change-user.png)
+
+>[!NOTE]
+>Your device must be connected to your corporate account in AAD for the account to appear in the account list.
+
+## User consent requirement
+
+With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this:
+
+![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png)
+
+Once agreed, everything will work fine and that user won't be prompted for permission again.
+
+### Something went wrong
+
+The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent.
+
+In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message:
+
+![Feedback Hub consent error message](images/waas-wipfb-aad-error.png)
+
+This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials.
+
+**To fix this issue**, an adminsitrator of the AAD directory will need to enable user consent for apps to access their data.
+
+To do this through the **classic Azure portal**:
+1. Go to https://manage.windowsazure.com/ .
+2. Switch to the **Active Directory** dashboard.
+ ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png)
+3. Select the appropriate directory and go to the **Configure** tab.
+4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**.
+ ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png)
+
+To do this through the **new Azure portal**:
+1. 
Go to https://portal.azure.com/ .
+2. Switch to the **Active Directory** dashboard.
+ ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png)
+3. Switch to the appropriate directory.
+ ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png)
+4. Under the **Manage** section, select **User settings**.
+ ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png)
+5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**.
+ ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png)
+
+
+## Frequently Asked Questions
+
+### Will my test machines be affected by automatic registration?
+All devices enrolled in the Windows Insider Program (physical or virtual) will receive Windows 10 Insider Preview builds (regardless of registration with MSA or AAD).
+
+### Once I register with my corporate account in AAD, do I need to keep my Microsoft account for the Windows Insider Program?
+No, once you set up your device using AAD credentials – all feedback and flighting on that machine will be under your AAD account. You may need MSA for other machines that aren’t being used on your corporate network or to get Windows store app updates.
+
+### How do I stop receiving updates?
+You can simply “unlink” your account by going to **Settings > Updates & Security > Windows Insider Program**, select Windows Insider Account and click **Unlink**.
+
+
+## Related Topics
+- [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
diff --git a/windows/update/waas-windows-insider-for-business-faq.md b/windows/update/waas-windows-insider-for-business-faq.md
new file mode 100644
index 0000000000..aa84530023
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business-faq.md
@@ -0,0 +1,91 @@
+---
+title: Windows Insider Program for Business Frequently Asked Questions
+description: Frequently Asked Questions and answers about the Windows Insider Program
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business Frequently Asked Questions
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+### Are the Windows Insider Program and Windows Insider Program for Business separate programs?
+No, in fact just the opposite. The Windows Insider Program was created in 2014 to help Microsoft engage with Windows Fans worldwide. Windows Insiders are the first to be able to try new Windows features that we introduce through Windows 10 Insider Preview Builds. At the same time, they can provide feedback through the Feedback Hub App which helps create even better versions of Windows for all users. The Windows Insider Program for Business enables you to incorporate Insider Preview builds into your deployment plans using your corporate credentials, deepen connections with the IT Pro community, collect feedback within your organization, and increase the visibility of your organization’s feedback – especially on features that support productivity and business needs. Together we can resolve blocking or critical issues to better support your organization’s needs sooner. Incorporating the Windows Insider Program for Business into your deployment plans enables you to prepare your organization for the next update of Windows 10, to deploy new services and tools more quickly, to help secure your applications, and to increase productivity and confidence in the stability of your environment. Windows Insider Program for Business participants collaborate with the Windows team to build and document features, infuse innovation, and plan for what’s around the bend.
We’ve architected some great features together, received amazing feedback, and we’re not done.
+
+### What Languages are available?
+Insider Preview builds are available in the following languages: English (United States), English (United Kingdom), Chinese (Simplified), Chinese (Traditional), Portuguese (Brazilian), Japanese,Russian, German, French, French (Canada), Korean, Italian, Spanish, Spanish (Latin America), Swedish, Finnish, Turkish, Arabic, Dutch, Czech, Polish, Thai, Catalan, Hindi, and Vietnamese.
+
+If your Windows build is not in one of the available base languages, you will not receive Insider Preview builds.
+
+Hindi, Catalan, and Vietnamese can only be installed as a language pack over [supported base languages](https://support.microsoft.com/help/14236/language-packs).
+
+>[!NOTE]
+> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc).
+
+### How do I register for the Windows Insider Program for Business?
+To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services.
+
+1. Visit https://insider.windows.com and click **Get Started**.
+2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions.
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
+
+>[!NOTE]
+>Make sure that you have administrator rights to your machine and that it has latest Windows updates.
+
+### How can I find out if my corporate account is on Azure Active Directory?
+On your PC, go to **Settings > Accounts > Access work or school**. If your organization has set up your corporate account in Azure Active Directory and it is connected to your PC, you will see the account listed.
+
+### I have more than one Azure Active Directory account. Which should I use?
+Register for Windows Insider Program for Business with the same active account that you use to access your corporate email in Office 365 and other Microsoft services. To ensure you get the most benefit out of the Windows Insider Program for Business and that your company is fully represented, do not set up a separate tenant for testing activities. There will be no modifications to the AAD tenant to support Windows Insider Program for Business, and it will only be used as an authentication method.
+
+### My account is listed in Active Directory but not Azure Active Directory. Can I still register using my Active Directory credentials?
+No. At this point, we are only supporting Azure Active Directory as a corporate authentication method. If you’d like to suggest or upvote another authentication method, please visit this [forum](https://answers.microsoft.com/en-us/insider/forum/insider_wintp).
+
+### I just want to participate as a Windows Insider. Do I still need to register with my corporate account in Azure Active Directory?
+No. You can join using your Microsoft account (MSA) by following the steps below. However, please note that if you want to access the benefits of the Windows Insider Program for Business, you will need to sign-up using your corporate account in Azure Active Directory.
+
+1. Visit https://insider.windows.com and click Get Started.
+2. Register with your Microsoft account and follow the on-screen registration directions.
+3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds by going to **Settings > Updates & Security > Windows Insider Program** and entering your Microsoft account that you used to register.
Now follow the on-screen directions.
+
+>[!NOTE]
+>Make sure that you have administrator rights to your machine and that it has latest Windows updates.
+
+### I am already a Windows Insider. I want to switch my account from my Microsoft account to my corporate account in Azure Active Directory. How do I do this?
+In just a few steps, you can switch your existing program registration from your Microsoft account to your corporate account in Azure Active Directory.
+
+1. Visit https://insider.windows.com. If you are signed in with your Microsoft account, sign out then sign back in to register with your corporate account in AAD.
+2. On your Windows 10 PC, go to **Settings > Updates & Security > Windows Insider Program**.
+3. In your account Under Windows Insider account, click **Change** to open a pop-up box.
+4. Select your corporate account and click Continue to change your account.
+
+>[!NOTE]
+>Your corporate account must be connected to the device for it to appear in the account list.
+
+### How do I sign into the Feedback Hub with my corporate credentials?
+Sign in to the Feedback Hub using the same AAD account you are using to flight builds.
+
+### Am I going to lose all the feedback I submitted and badges I earned with my MSA?
+No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
+
+### How is licensing handled for Windows 10 Insider builds?
+All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account.
+
+### Can I use the Software in a live operating environment?
+The software is a pre-release version, and we do not recommend that organizations run Windows Insider Preview builds outside of their test environments.
This software may not work the way a final version of the software will. We may change it for the final, commercial version. We also may not release a commercial version.
+
+### Can a single MSA or AAD account be used to register more than one PC in the program?
+Yes. If each PC has a valid Windows 10 or Windows 10 Mobile license you can use your MSA on as many devices as you’d like. However, the main concern would be that within the feedback it all looks like it comes from a single user. If multiple devices are experiencing problems with a build, you’d want the ability to submit the same feedback from multiple people (or upvote the same piece of feedback).
+
+
+## Related Topics
+- [Windows Insider Program for Business](waas-windows-insider-for-business.md)
+- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
\ No newline at end of file
diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md
new file mode 100644
index 0000000000..5308d3e795
--- /dev/null
+++ b/windows/update/waas-windows-insider-for-business.md
@@ -0,0 +1,171 @@
+---
+title: Windows Insider Program for Business
+description: Overview of the Windows Insider Program for Business
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: DaniHalfin
+localizationpriority: high
+---
+
+# Windows Insider Program for Business
+
+
+**Applies to**
+
+- Windows 10
+
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+
+For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
+
+The Windows Insider Program for Business gives you the opportunity to:
+* Get early access to Windows Insider Preview Builds.
+* Provide feedback to Microsoft in real-time via the Feedback Hub app.
+* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs.
+
+
+Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app.
+
+The Windows Insider Program isn’t intended to replace CB deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
+
+## Getting started with Windows Insider Program for Business
+
+To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
+
+1. Navigate to [insider.windows.com](https://insider.windows.com) and go to **Get Started**.
+2. Sign-in with you desired account. It can be either a Microsoft Account or your organizational Azure Active Directory Account.
+
+![Account Types](images/waas-wipfb-accounts.png)
+
+3. Enroll your device by going to **Start > Settings > Update & security > Windows Insider Program** and selecting **Get Started**. Sign-in using the account you used to register for the Windows Insider Program.
+4. After reading the privacy statement and clicking **Next**, **Confirm** and schedule a restart.
+
+## Install your first preview build from the Windows Insider Program
+
+After enrolling your devices, you are ready to install your first preview build. To do so, go to **Start** > **Settings** > **Update & security** > **Windows Insider Program** to select your Insider level. The device receives the most recent Windows Insider build for the Insider level you select.
+
+>[!TIP]
+>Flighting rings are used to evaluate the quality of our software as it is released to progressively larger audiences. We will flight a Feature Update, application, etc. to the first ring if it passes all required automated testing in the lab. The flight will continue to be evaluated against a set of criteria to ensure it is ready to progress to the next ring.
+
+The options for Insider level are:
+
+### Release Preview
+
+Best for Insiders who enjoy getting early access to updates for the Current Branch, Microsoft applications, and drivers, with minimal risk to their devices, and still want to provide feedback to make Windows devices great.
+
+Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
+
+* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch.
+* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
+
+### Slow
+
+The Slow Windows Insider level is for users who enjoy seeing new builds of Windows with minimal risk to their devices but still want to provide feedback to Microsoft about their experience with the new build.
+
+* Builds are sent to the Slow Ring after feedback has been received from Insiders within the Fast Ring and analyzed by our Engineering teams.
+* These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis.
+* These builds still may have issues that would be addressed in a future flight.
+
+### Fast
+
+Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great.
+
+* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds.
+* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations.
+* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked.
+* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum.
+
+>[!NOTE]
+>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
+
+## How to switch between flight rings
+
+During your time in the Windows Insider Program, you may want to change between flight rings for any number of reasons. Changing rings is a simple process that requires only a few clicks:
+
+1. Go to **Settings > Updates & Security > Windows Insider Program**
+2. 
Under **Choose your level**, select between the following rings -
+ * [Windows Insider Fast](#fast)
+ * [Windows Insider Slow](#slow)
+ * [Release Preview](#release-preview)
+
+## How to switch between your MSA and your Corporate AAD account
+
+The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA).
+
+To switch between accounts, go to **Settings > Updates & Security > Windows Insider Program**, and under **Windows Insider account** select **Change**.
+![Change Windows Insider account](images/waas-wipfb-change-user.png)
+
+>[!NOTE]
+>If you would like to use your corporate account, your device must be connected to your corporate account in AAD for the account to appear in the account list.
+
+## Sharing Feedback Via the Feedback Hub
+As you know a key benefit to being a Windows Insider is Feedback. It’s definitely a benefit to us, and we hope it’s a benefit to you. Feedback is vital for making changes and improvements in Windows 10. Receiving quality and actionable feedback is key in achieving these goals.
+
+When providing feedback, please consider the following:
+1. Please use the **Feedback Hub** app to submit your feedback to Microsoft.
+2. Check for existing feedback on the topic you are preparing to log. Another user may have already shared the same feedback. If they have, please “upvote” the existing feedback to help prevent duplicate submissions. Adding additional comments to existing feedback can help others by providing clarity to existing information or additional scenarios to review.
+3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
+
+### How to use your corporate AAD account for additional Feedback Hub benefits
+Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that you're using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
+
+>[!NOTE]
+>If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned.
+
+>[!IMPORTANT]
+>With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions. Once agreed, everything will work fine and that user won't be asked for permissions again.
+>
+> If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [User consent requirement](waas-windows-insider-for-business-aad.md#user-consent-requirement).
+
+## Not receiving Windows 10 Insider Preview build updates?
+
+In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue:
+
+### Perform a manual check for updates
+Go to **Settings > Updates & Security**. Review available updates or select **Check for updates**.
+
+>[!NOTE]
+>If you have set Active Hours, ensure your device is left turned on and signed in during the off-hours so the install process can complete.
+
+### Make sure Windows is activated
+Go to **Settings > Updates & Security > Activation** to verify Windows is activated.
+
+### Make sure your corporate account in AAD is connected to your device
+Open **Settings \ Accounts \ Access work or school**. If your PC is not listed as connected to your account in AAD, click Connect and enter your AAD account.
+
+### Make sure you have selected a flight ring
+Open **Settings > Update & Security > Windows Insider Program** and select your flight ring.
+
+### Have you recently done a roll-back?
+If so, please double-check your flight settings under **Settings > Update & Security > Windows Insider Program**.
+
+### Did you do a clean install?
+After a clean-install and initial setup of a Microsoft or coporate account (even one that has been used previously for flighting) the appropriate targeting needs to take place for your PC. This background process is known as Compatibility Checker and will run during idle time on your PC. This process may take up to 24 hours. Please leave your PC turned on to ensure this occurs in timely manner.
+
+### Are there known issues for your current build?
+On rare occasion, there may be an issue with a build that could lead to issues with updates being received. Please check the most recent Blog Post or reach out to the Windows Insider team on Twitter for verification (*@WindowsInsider*). You can also check the **Feedback Hub** for announcments and known issues.
+
+## Exiting flighting
+
+After you’ve tried the latest Insider Preview builds, you may want to opt out. In order to do that, go to **Settings > Update & Security > Windows Insider Program** and select **Stop Insider Preview Builds**. Follow the on-screen instructions to stop flighting to your device.
+
+## Additional help resources
+
+* [**Windows Blog**](https://blogs.windows.com/blog/tag/windows-insider-program/) - With each new build release we publish a Windows Blog post that outlines key feature changes as well as known issues that Insiders may encounter while using the build.
+* [**Windows Insider Preview community forum**](https://answers.microsoft.com/en-us/insider/forum/insider_wintp) - Answers is Microsoft’s forum platform and there is an entire area dedicated to the Windows Insider Program. Insiders can filter between PC, Office, Edge, and many others.
+
+## Learn More
+- [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
+- [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)
+
+
+## Related Topics
+- [Overview of Windows as a service](waas-overview.md)
+- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
+- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
+- [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md)
+- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
+- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md)
+- [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md)
+- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md)
\ No newline at end of file
diff --git a/windows/manage/waas-wufb-group-policy.md b/windows/update/waas-wufb-group-policy.md
similarity index 99%
rename from windows/manage/waas-wufb-group-policy.md
rename to windows/update/waas-wufb-group-policy.md
index 87d3b8ba3f..9346bd5711 100644
--- a/windows/manage/waas-wufb-group-policy.md
+++ b/windows/update/waas-wufb-group-policy.md
@@ -334,7 +334,7 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/manage/waas-wufb-intune.md b/windows/update/waas-wufb-intune.md
similarity index 99%
rename from windows/manage/waas-wufb-intune.md
rename to windows/update/waas-wufb-intune.md
index c730a5edfd..5b610b1336 100644
--- a/windows/manage/waas-wufb-intune.md
+++ b/windows/update/waas-wufb-intune.md
@@ -257,7 +257,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
 ## Related topics
-- [Update Windows 10 in the enterprise](waas-update-windows-10.md)
+- [Update Windows 10 in the enterprise](index.md)
 - [Overview of Windows as a service](waas-overview.md)
 - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
 - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md
index c672a255a8..4944339989 100644
--- a/windows/whats-new/TOC.md
+++ b/windows/whats-new/TOC.md
@@ -1,4 +1,5 @@
 # [What's new in Windows 10](index.md)
+## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
 ## [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
 ## [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)
diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md
deleted file mode 100644
index 2e082cd98c..0000000000
--- a/windows/whats-new/applocker.md
+++ /dev/null
@@ -1,30 +0,0 @@
----
-title: What's new in AppLocker (Windows 10)
-description: AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
-ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F
-ms.pagetype: security, mobile
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-author: brianlic-msft
-redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511
----
-
-# What's new in AppLocker?
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
-In Windows 10, AppLocker has added some improvements.
-
-## New features in Windows 10
-
-- A new parameter was added to the [New-AppLockerPolicy](http://technet.microsoft.com/library/hh847211.aspx) Windows PowerShell cmdlet that lets you choose whether executable and DLL rule collections apply to non-interactive processes. To enable this, set the **ServiceEnforcement** to **Enabled**.
-- A new [AppLocker](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) configuration service provider was add to allow you to enable AppLocker rules by using an MDM server.
-- You can manage Windows 10 Mobile devices by using the new [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx).
-
-[Learn how to manage AppLocker within your organization](../keep-secure/applocker-overview.md).
- 
- 
diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md
deleted file mode 100644
index 9f0df242bf..0000000000
--- a/windows/whats-new/bitlocker.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: What's new in BitLocker (Windows 10)
-description: BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
-ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: brianlic-msft
-redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511
----
-
-# What's new in BitLocker?
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
-
-## New features in Windows 10, version 1511
-
-- **XTS-AES encryption algorithm**. BitLocker now supports the XTS-AES encryption algorithm. XTS-AES provides additional protection from a class of attacks on encryption that rely on manipulating cipher text to cause predictable changes in plain text. BitLocker supports both 128-bit and 256-bit XTS-AES keys.
- It provides the following benefits:
- - The algorithm is FIPS-compliant.
- - Easy to administer. You can use the BitLocker Wizard, manage-bde, Group Policy, MDM policy, Windows PowerShell, or WMI to manage it on devices in your organization.
- **Note**  
- Drives encrypted with XTS-AES will not be accessible on older version of Windows. This is only recommended for fixed and operating system drives. Removable drives should continue to use the AES-CBC 128-bit or AES-CBC 256-bit algorithms.
- 
-## New features in Windows 10
-
-- **Encrypt and recover your device with Azure Active Directory**. 
In addition to using a Microsoft Account, automatic [Device Encryption](http://technet.microsoft.com/library/dn306081.aspx#bkmk-encryption) can now encrypt your devices that are joined to an Azure Active Directory domain. When the device is encrypted, the BitLocker recovery key is automatically escrowed to Azure Active Directory. This will make it easier to recover your BitLocker key online.
-- **DMA port protection**. You can use the [DataProtection/AllowDirectMemoryAccess](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
-- **New Group Policy for configuring pre-boot recovery**. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the "Configure pre-boot recovery message and URL" section in [BitLocker Group Policy settings](../keep-secure/bitlocker-group-policy-settings.md).
-
-[Learn how to deploy and manage BitLocker within your organization](../keep-secure/bitlocker-overview.md).
-
-## Related topics
-
-[Trusted Platform Module](../keep-secure/trusted-platform-module-overview.md)
- 
\ No newline at end of file
diff --git a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md b/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
deleted file mode 100644
index a38cbf4702..0000000000
--- a/windows/whats-new/change-history-for-what-s-new-in-windows-10.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Change history for What's new in Windows 10 (Windows 10)
-description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile.
-ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-author: TrudyHa
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/whats-new/index
----
-
-# Change history for What's new in Windows 10
-This topic lists new and updated topics in the [What's new in Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md).
-
-
-## April 2016
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[Enterprise data protection (EDP) overview](edp-whats-new-overview.md) |Updated to remove content that's duplicated in the EDP content and added pointer. |
-
-## February 2016
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[Lockdown features from Windows Embedded Industry 8.1](lockdown-features-windows-10.md) |Updated to include policy setting names for USB filter and Toast notification filter|
-
-## January 2016
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[Browser: Microsoft Edge and Internet Explorer 11](edge-ie11-whats-new-overview.md) |Updated to include the **Applies to** section |
-
-## December 2015
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[Security](security.md) |New |
-|[Windows Update for Business](windows-update-for-business.md) |New |
-
-## November 2015
-
-|New or changed topic |Description |
-|---------------------|------------|
-|[AppLocker](applocker.md) |New |
-|[BitLocker](bitlocker.md) |New |
-|[Credential Guard](credential-guard.md) |New |
-|[Device Guard](device-guard-overview.md) |New |
-|[Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) |New |
-|[Security 
auditing](security-auditing.md) |New |
-|[Trusted Platform Module](trusted-platform-module.md) |New |
-|[Windows spotlight on the lock screen](windows-spotlight.md) |New |
-|[Windows Store for Business overview](windows-store-for-business-overview.md) |New |
-
-## Related topics
-- [Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
-- [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
-- [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
-- [Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md
deleted file mode 100644
index 3edfe53458..0000000000
--- a/windows/whats-new/credential-guard.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: What's new in Credential Guard (Windows 10)
-description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-author: brianlic-msft
-redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511
----
-
-# What's new in Credential Guard?
-
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-
-## New features in Windows 10, version 1511
-
-- **Credential Manager support**. Credentials that are stored with Credential Manager, including domain credentials, are protected with Credential Guard with the following considerations:
- - Credentials that are saved by the Remote Desktop Protocol cannot be used. Employees in your organization can manually store credentials in Credential Manager as generic credentials.
- - Applications that extract derived domain credentials using undocumented APIs from Credential Manager will no longer be able to use those saved derived credentials.
- - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
-- **Enable Credential Guard without UEFI lock**. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
-- **CredSSP/TsPkg credential delegation**. 
CredSSP/TsPkg cannot delegate default credentials when Credential Guard is enabled.
-
-[Learn how to deploy and manage Credential Guard within your organization](../keep-secure/credential-guard.md).
- 
- 
diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md
deleted file mode 100644
index e42271af40..0000000000
--- a/windows/whats-new/device-guard-overview.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: Device Guard overview (Windows 10)
-description: Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.
-ms.assetid: FFE244EE-5804-4CE8-A2A9-48F49DC3AEF2
-ms.pagetype: mobile, security
-keywords: Device Guard
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-author: brianlic-msft
-redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511
----
-
-# Device Guard overview
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-- Windows Server 2016
-
-Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when.
-
-Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
-
-For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md).
-
-## Why use Device Guard
-With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. 
Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise.
-Device Guard also helps protect against [zero day attacks](https://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](https://go.microsoft.com/fwlink/p/?LinkId=534210).
-## Virtualization-based security using Windows 10 Enterprise Hypervisor
-
-Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer.
-
->**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security (VBS) must have compatible drivers (legacy drivers can be updated) and meet requirements for the hardware and firmware that support virtualization-based security. For more information, see [Hardware, firmware, and software requirements for Device Guard](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard)
diff --git a/windows/whats-new/device-management.md b/windows/whats-new/device-management.md
deleted file mode 100644
index 79260f0f69..0000000000
--- a/windows/whats-new/device-management.md
+++ /dev/null
@@ -1,17 +0,0 @@ ---- -title: Enterprise management for Windows 10 devices (Windows 10) -description: Windows 10 provides mobile device management (MDM) capabilities that enable enterprise-level management of devices. -ms.assetid: 36DA67A1-25F1-45AD-A36B-AEEAC30C9BC4 -ms.prod: w10 -ms.pagetype: devices, mobile -ms.mktglfcycl: explore -ms.sitesec: library -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/manage-corporate-devices ---- - -# Enterprise management for Windows 10 devices - -This page has been redirected to **What's new in Windows 10, versions 1507 and 1511**. - - diff --git a/windows/whats-new/edge-ie11-whats-new-overview.md b/windows/whats-new/edge-ie11-whats-new-overview.md deleted file mode 100644 index 8c053fd990..0000000000 --- a/windows/whats-new/edge-ie11-whats-new-overview.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: Browser Microsoft Edge and Internet Explorer 11 (Windows 10) -description: Resources to help you explore the Windows 10 browsing options for your enterprise. -redirect_url: https://technet.microsoft.com/itpro/microsoft-edge/enterprise-guidance-using-microsoft-edge-and-ie11 ---- - diff --git a/windows/whats-new/edp-whats-new-overview.md b/windows/whats-new/edp-whats-new-overview.md deleted file mode 100644 index a6816c161f..0000000000 --- a/windows/whats-new/edp-whats-new-overview.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Enterprise data protection (EDP) overview (Windows 10) -description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data disclosure through apps and services that are outside of the enterprise’s control like email, social media, and the public cloud. -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip ---- \ No newline at end of file 
diff --git a/windows/whats-new/images/bulk-token.PNG b/windows/whats-new/images/bulk-token.PNG new file mode 100644 index 0000000000..b0d2221824 Binary files /dev/null and b/windows/whats-new/images/bulk-token.PNG differ diff --git a/windows/whats-new/images/ldstore.PNG b/windows/whats-new/images/ldstore.PNG new file mode 100644 index 0000000000..63f0eedee7 Binary files /dev/null and b/windows/whats-new/images/ldstore.PNG differ diff --git a/windows/whats-new/images/wcd-cleanpc.PNG b/windows/whats-new/images/wcd-cleanpc.PNG new file mode 100644 index 0000000000..434eb55cb0 Binary files /dev/null and b/windows/whats-new/images/wcd-cleanpc.PNG differ diff --git a/windows/whats-new/images/wcd-options.png b/windows/whats-new/images/wcd-options.png new file mode 100644 index 0000000000..b3d998ba1b Binary files /dev/null and b/windows/whats-new/images/wcd-options.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index ff170bce3b..b64a85a590 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -1,6 +1,6 @@ --- title: What's new in Windows 10 (Windows 10) -description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Microsoft Passport, Device Guard, and more. +description: Learn about new features in Windows 10 for IT professionals, such as Enterprise Data Protection, Windows Hello, Device Guard, and more. ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 keywords: ["What's new in Windows 10", "Windows 10", "anniversary update", "contribute", "edit topic"] ms.prod: w10 @@ -15,6 +15,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) - [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) - [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) 
diff --git a/windows/whats-new/lockdown-features-windows-10.md b/windows/whats-new/lockdown-features-windows-10.md deleted file mode 100644 index 67a759be13..0000000000 --- a/windows/whats-new/lockdown-features-windows-10.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) -description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. -ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 -keywords: lockdown, embedded -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/lockdown-features-windows-10 ---- - -# Lockdown features from Windows Embedded 8.1 Industry - -This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/microsoft-passport.md b/windows/whats-new/microsoft-passport.md deleted file mode 100644 index e8b4935152..0000000000 --- a/windows/whats-new/microsoft-passport.md +++ /dev/null @@ -1,16 +0,0 @@ ---- -title: Windows Hello overview (Windows 10) -description: In Windows 10, Windows Hello replaces passwords with strong two-factor authentication. -ms.assetid: 292F3BE9-3651-4B20-B83F-85560631EF5B -keywords: password, hello, fingerprint, iris, biometric, passport -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: mobile, security -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/manage-identity-verification-using-microsoft-passport ---- - -# Windows Hello overview - -This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/new-provisioning-packages.md b/windows/whats-new/new-provisioning-packages.md deleted file mode 100644 index 18725fae2a..0000000000 --- a/windows/whats-new/new-provisioning-packages.md +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -title: Provisioning packages (Windows 10) -description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: mobile -author: jdeckerMS -redirect_url: https://technet.microsoft.com/en-us/itpro/windows/deploy/provisioning-packages ---- - -# Provisioning packages - - -This topic has been redirected. \ No newline at end of file diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md deleted file mode 100644 index 8683fc520d..0000000000 --- a/windows/whats-new/security-auditing.md +++ /dev/null 
@@ -1,125 +0,0 @@ ---- -title: What's new in security auditing (Windows 10) -description: Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. -ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: brianlic-msft -ms.pagetype: security, mobile -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in security auditing? - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. - -## New features in Windows 10, version 1511 - -- The [WindowsSecurityAuditing](https://go.microsoft.com/fwlink/p/?LinkId=690517) and [Reporting](https://go.microsoft.com/fwlink/p/?LinkId=690525) configuration service providers allow you to add security audit policies to mobile devices. - -## New features in Windows 10 - -In Windows 10, security auditing has added some improvements: -- [New audit subcategories](#bkmk-auditsubcat) -- [More info added to existing audit events](#bkmk-moreinfo) - -### New audit subcategories - -In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events: -- [Audit Group Membership](../keep-secure/audit-group-membership.md) Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. 
Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. - When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**. Multiple events are generated if the group membership information cannot fit in a single security audit event. -- [Audit PNP Activity](../keep-secure/audit-pnp-activity.md) Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. - Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. - A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event. - -### More info added to existing audit events - -With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. 
Improvements were made to the following audit events: -- [Changed the kernel default audit policy](#bkmk-kdal) -- [Added a default process SACL to LSASS.exe](#bkmk-lsass) -- [Added new fields in the logon event](#bkmk-logon) -- [Added new fields in the process creation event](#bkmk-logon) -- [Added new Security Account Manager events](#bkmk-sam) -- [Added new BCD events](#bkmk-bcd) -- [Added new PNP events](#bkmk-pnp) - -### Changed the kernel default audit policy - -In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts. - -### Added a default process SACL to LSASS.exe - -In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under **Advanced Audit Policy Configuration\\Object Access\\Audit Kernel Object**. -This can help identify attacks that steal credentials from the memory of a process. - -### New fields in the logon event - -The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624: -1. **MachineLogon** String: yes or no - If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no. -2. **ElevatedToken** String: yes or no - If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP\_LOGON\_SESSION) will also be shown. -3. 
**TargetOutboundUserName** String - **TargetOutboundUserDomain** String - The username and domain of the identity that was created by the LogonUser method for outbound traffic. -4. **VirtualAccount** String: yes or no - If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no. -5. **GroupMembership** String - A list of all of the groups in the user's token. -6. **RestrictedAdminMode** String: yes or no - If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. - For more info on restricted admin mode, see [Restricted Admin mode for RDP](http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx). - -### New fields in the process creation event - -The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688: -1. **TargetUserSid** String - The SID of the target principal. -2. **TargetUserName** String - The account name of the target user. -3. **TargetDomainName** String - The domain of the target user.. -4. **TargetLogonId** String - The logon ID of the target user. -5. **ParentProcessName** String - The name of the creator process. -6. **ParentProcessId** String - A pointer to the actual parent process if it's different from the creator process. - -### New Security Account Manager events - -In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. 
The following APIs are now audited: -- SamrEnumerateGroupsInDomain -- SamrEnumerateUsersInDomain -- SamrEnumerateAliasesInDomain -- SamrGetAliasMembership -- SamrLookupNamesInDomain -- SamrLookupIdsInDomain -- SamrQueryInformationUser -- SamrQueryInformationGroup -- SamrQueryInformationUserAlias -- SamrGetMembersInGroup -- SamrGetMembersInAlias -- SamrGetUserDomainPasswordInformation - -### New BCD events - -Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): -- DEP/NEX settings -- Test signing -- PCAT SB simulation -- Debug -- Boot debug -- Integrity Services -- Disable Winload debugging menu - -### New PNP events - -Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. -[Learn how to manage your security audit policies within your organization](../keep-secure/security-auditing-overview.md). diff --git a/windows/whats-new/security.md b/windows/whats-new/security.md deleted file mode 100644 index 5cf158fc99..0000000000 --- a/windows/whats-new/security.md +++ /dev/null 
@@ -1,204 +0,0 @@
----
-title: What's new in Windows 10 security (Windows 10)
-description: There are several key client security improvements Microsoft has made in Windows 10.
-ms.assetid: 6B8A5F7A-ABD3-416C-87B0-85F68B214C81
-keywords: secure, data loss prevention, multifactor authentication
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: TrudyHa
----
-
-# What's new in Windows 10 security
-
-There are several key client security improvements Microsoft has made in Windows 10. These improvements focus on three key areas — threat resistance, information protection, and identity protection and access control. In addition to an overview of the features themselves, this article discusses the hardware requirements for each new feature and offers configuration recommendations and links to more detailed resources.
-
-Microsoft designed the Windows 10 operating system to be the most secure version of the Windows operating system to date. To achieve this goal, Windows 10 employs advanced and now widely available hardware features to help protect users and devices against modern cyber threats. With thousands of new malware variants discovered daily and malicious hacking techniques evolving rapidly, never before has Windows client security been more important. In Windows 10, organizations can deploy new threat-resistant security features that harden the operating system in ways that can benefit Bring Your Own Device (BYOD) and corporate-owned device scenarios, as well as devices for special use cases, such as kiosks, ATMs, and point-of-sale (PoS) systems. These new threat-resistant features are modular—that is, they’re designed to be deployed together, although you can also implement them individually. With all these new features enabled together, organizations can protect themselves immediately against a majority of today’s most sophisticated threats and malware.
-
-In addition to new, impactful threat mitigations, Windows 10 includes several improvements in built-in information protection, including a new data loss-prevention (DLP) component. These improvements allow organizations to separate business and personal data easily, define which apps have access to business data, and determine how data can be shared (for example, copy and paste). Unlike other DLP solutions, Microsoft integrated this functionality deeply into the Windows platform, offering the same type of security capabilities that container-based solutions offer but without altering such user experiences as requiring mode changes or switching applications.
-
-Finally, new identity-protection and access control features make it easier to implement two-factor authentication (2FA) across the entire enterprise, which empowers organizations to transition away from passwords. Windows 10 introduces Microsoft Passport, a new 2FA user credential built directly into the operating system that users can access with either a PIN or a new biometrics-driven capability called Windows Hello. Together, these technologies provide a simple logon experience for users, with the robust security of multifactor authentication (MFA). Unlike third-party multifactor solutions, Microsoft Passport is designed specifically to integrate with Microsoft Azure Active Directory (Azure AD) and hybrid Active Directory environments and requires minimal administrative configuration and maintenance.
-
-## Threat resistance
-
-Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks and the personal enjoyment of temporarily taking a system offline.
Since then, attacker’s motives have shifted toward monetizing their attacks, which includes holding machines and data hostage until the owners pay the demanded ransom and exploiting the valuable information the attackers discover for monetary gain. Unlike these examples, modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that results in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets, seemingly unlimited human resources, and unknown motives. Threats like these require a different approach and mitigations that can meet the challenge.
-
-Windows 10 introduces several new security features that help mitigate modern threats and protect organizations against cyber attackers, regardless of their motive. Microsoft has made significant investments in Windows 10 to make it the most malware-resistant Windows operating system to date. Rather than simply adding defenses to the operating system, as was the case in previous Windows releases, Microsoft introduces architectural changes in Windows 10 that address entire classes of threats. By fundamentally changing the way the operating system works, Microsoft seeks to make Windows 10 much more difficult for modern attackers to exploit. New features in Windows 10 include Device Guard, configurable code integrity, virtualization-based security (VBS), and improvements to Windows Defender, to name just a few. By enabling all these new features together, organizations can immediately protect themselves against the types of malware responsible for approximately 95 percent of modern attacks.
-
-### Virtualization-based security
-
-In the server world, virtualization technologies like Microsoft Hyper-V have proven extremely effective in isolating and protecting virtual machines (VMs) in the data center. Now, with those virtualization capabilities becoming more pervasive in modern client devices, there is an incredible opportunity for new Windows client security scenarios. Windows 10 can use virtualization technology to isolate core operating system services in a segregated, virtualized environment, similar to a VM. This additional level of protection, called virtualization-based security, ensures that no one can manipulate those services, even if the kernel mode of the host operating system is compromised.
-
-Just like with client Hyper-V, Windows itself can now take advantage of processors equipped with second-level address translation (SLAT) technology and virtualization extensions, such as Intel Virtualization Technology (VT) x and AMD V, to create a secure execution environment for sensitive Windows functions and data. This VBS environment protects the following services:
-
-- **Hypervisor Code Integrity (HVCI).** The HVCI service in Windows 10 determines whether code executing in kernel mode is securely designed and trustworthy. It offers Zero Day and vulnerability exploit protection capabilities by ensuring that all software running in kernel mode, including drivers, securely allocate memory and operate as they are intended. In Windows 10, kernel mode code integrity is configurable, which allows organizations to scope preboot code execution to their desired configuration. For more information about configurable code integrity in Windows 10, see the [Configurable code integrity](#configurable-code-integrity) section.
-- **Local Security Authority (LSA).** The LSA service in Windows manages authentication operations, including NT LAN Manager (NTLM) and Kerberos mechanisms.
In Windows 10, the Credential Guard feature isolates a portion of this service and helps mitigate the pass-the-hash and pass-the-ticket techniques by protecting domain credentials. In addition to logon credentials, this protection is extended to credentials stored within Credential Manager. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. - -**Note**
          -To determine whether virtualization is supported for a client machine model, simply run **systeminfo** from a command prompt window. -  -VBS provides the core framework for some of the most impactful mitigations Windows 10 offers. Having client machines within your organization that can employ this functionality is crucial to modern threat resistance. For more information about the specific hardware features that each Windows 10 feature requires, including VBS, see the [Windows 10 hardware considerations](#hardware) section. - -### Device Guard - -Microsoft Device Guard is a feature set that combines system integrity–hardening features that revolutionize Windows security by taking advantage of new VBS options to protect the system core and a trust-nothing model often seen in mobile operating systems. This feature set takes advantage of the best preexisting Windows hardening features (for example, Unified Extensible Firmware Interface \[UEFI\] Secure Boot, Windows Trusted Boot), and then combines them with powerful new app control features like the VBS-powered HVCI service and configurable code integrity, which together help prevent vulnerability exploits and unauthorized apps from running on the device in both user and kernel modes. For more information about VBS in Windows 10 and the additional features that use it, see the [Virtualization-based security](#virtualization-based-security) section. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section. - -Although Microsoft intends the Device Guard feature set to run alongside new Windows security features such as Credential Guard, it can run independently. Depending on your organization’s client resources, you can selectively choose which features make sense for your environment and device compatibility. 
For information about the hardware requirements for Device Guard and other Windows 10 security features, see the [Windows 10 hardware considerations](#hardware) section. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. - -For most organizations, implementing specific Device Guard functionality will depend on the role of the device and its primary user, employing more features on single-workload devices, such as kiosks, and fewer features on administrative machines over which users are allowed full control. By using this model, IT organizations can categorize users into groups that align with Device Guard security policies relating to device security and code integrity restrictions. For more information about configurable code integrity, see the [Configurable code integrity](#configurable-code-integrity) section. - -New desktops and laptops will be available to expedite your Device Guard implementation efforts. Device Guard-ready devices will require the least amount of physical interaction with the actual device before it’s ready for use. - -Going forward, all devices will fall into one of the following three categories: -- **Device Guard capable**. These devices will meet all the hardware requirements for Device Guard. You will still need to properly prepare devices with components that require enablement or configuration for Device Guard deployment. Device drivers on the device must be compatible with HVCI and may require updates from the original equipment manufacturer (OEM). -- **Device Guard ready**. Device Guard-ready devices will come directly from the OEM with all necessary hardware components and drivers to run Device Guard. In addition, all of these components will be pre-configured and enabled, which minimizes the effort needed to deploy Device Guard. 
No interaction with the BIOS is necessary to deploy these devices, and you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to manage them. -- **Not supported for Device Guard**. Many current devices cannot take advantage of all Device Guard features because they don’t have the required hardware components or HVCI-compatible drivers. However, most of these devices can enable some Device Guard features, such as configurable code integrity. - -For more information about how to prepare for, manage, and deploy Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). - -### Configurable code integrity - -*Code integrity* is the Windows component that verifies that the code Windows is running is trusted and safe. Like the operating modes found in Windows itself, Windows code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). Microsoft has used KMCI in recent versions of Windows to prevent the Windows kernel from executing unsigned drivers. Although this approach is effective, drivers aren’t the only route malware can take to penetrate the operating system’s kernel mode space. So, for Windows 10, Microsoft has raised the standard for kernel mode code out of the box by requiring the use of security best practices regarding memory management and has provided enterprises with a way to set their own UMCI and KMCI standards. - -Historically, UMCI has been available only for Windows RT and Windows Phone devices, which made it difficult for attackers to infect such devices with viruses and malware. This reduced infection rate results from the way the operating system determines which code to execute. Natively, binaries follow a process to prove to the operating system that they are trustworthy before the operating system allows them to execute. 
This process is intended to restrict the execution of arbitrary code and thereby decrease the risk of malware infection. This successful trust-nothing operating system model is now available in Windows 10 through a feature called *configurable code integrity*. -Configurable code integrity allows IT organizations to create and deploy code integrity policies that stipulate exactly which binaries can run in their environment. Administrators can manage this trust at a certification authority or publisher level down to the individual hash values for each executed binary. This level of customization allows organizations to create policies that are as restrictive as they desire. In addition, organizations can choose to provide different levels of restriction for certain types of machines. For example, fixed-workload devices such as kiosks and PoS systems would likely receive a strict policy, because their purpose is to provide the same service day after day. Administrators can manage devices that have more variable workloads, such as users’ PCs, at a higher level, providing certain software publishers’ applications for installation or aligning those devices with the organization’s software catalog. - -**Note**
          -Configurable code integrity is not intended to replace technologies that allow or block programs such as AppLocker or an organization’s antivirus software. Rather, it complements such technologies by establishing a baseline of security, and then using those additional technologies to fine-tune client security. -  -Configurable code integrity is not limited to Windows Store applications. In fact, it is not even limited to existing signed applications. Windows 10 gives you a way to sign line-of-business or third-party applications without having to repackage them: you can monitor the application’s installation and initial execution to create a list of binaries called a catalog file. When created, you sign these catalog files and add the signing certificate to the code integrity policy so that those binaries contained within the catalog files are allowed to execute. Then, you can use Group Policy, Configuration Manager, or any other familiar management tool to distribute these catalog files to your client machines. Historically, most malware has been unsigned; simply by deploying code integrity policies, your organization can immediately protect itself against unsigned malware, which is responsible for most modern attacks. - -**Note**
          -For detailed deployment and planning information about configurable code integrity, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). -  -The process to create, test, and deploy a code integrity policy is as follows: -1. **Create a code integrity policy.** Use the Windows PowerShell cmdlet **New-CIPolicy**, available in Windows 10, to create a new code integrity policy. This cmdlet scans a PC for all listings of a specific policy level. For example, if you set the rule level to **Hash**, the cmdlet would add hash values for all discovered binaries to the policy that resulted from the scan. When you enforce and deploy the policy, this list of hash values determines exactly which binaries are allowed to run on the machines that receive the policy. Code integrity policies can contain both a kernel mode and user mode execution policy, restricting what can run in either or both modes. Finally, when created, this policy is converted to binary format so that the managed client can consume it when the policy is copied to the client’s code integrity folder. -2. **Audit the code integrity policy for exceptions.** When you first create a code integrity policy, audit mode is enabled by default so that you can simulate the effect of a code integrity policy without actually blocking the execution of any binaries. Instead, policy exceptions are logged in the CodeIntegrity event log so that you can add the exceptions to the policy later. Be sure to audit any policy to discover potential issues before you deploy it. -3. **Merge the audit results with the existing policy.** After you have audited a policy, you can use the audit events to create an additional code integrity policy. Because each machine processes just one code integrity policy, you must merge the file rules within this new code integrity policy with the original policy. To do so, run the **Merge-CIPolicy** cmdlet, which is available in Windows 10 Enterprise. -4. 
**Enforce and sign the policy.** After you create, audit, and merge the resulting code integrity policies, it’s time to enforce your policy. To do so, run the **Set-RuleOption** cmdlet to remove the **Unsigned Policy** rule. When enforced, no binaries that are exceptions to the policy will be allowed to run. In addition to enforcing a policy, signed policies offer an additional level of protection. Signed code integrity policies inherently protect themselves against manipulation and deletion, even by administrators. -5. **Deploy the code integrity policy.** When you have enforced and optionally signed your code integrity policy, it’s ready for deployment. To deploy your code integrity policies, you can use Microsoft client management technologies, mobile device management solutions, or Group Policy, or you can simply copy the file to the correct location on your client computers. For Group Policy deployment, a new administrative template is available in Windows 10 and the Windows Server 2016 operating system to simplify the deployment process. - -**Note**
          -Configurable code integrity is available in Windows 10 Enterprise and Windows 10 Education. -  -You can enable configurable code integrity as part of a Device Guard deployment or as a stand-alone component. In addition, you can run configurable code integrity on hardware that is compatible with the Windows 7 operating system, even if such hardware is not Device Guard ready. Code integrity policies can align with an existing application catalog, existing corporate imaging strategy, or with any other method that provides the organization’s desired levels of restriction. For more information about configurable code integrity with Device Guard, see the [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). - -### Measured Boot and remote attestation - -Although software-based antimalware and antivirus solutions are effective, they have no way to detect pre–operating system resource modification or infection such as by bootkits and rootkits—malicious software that can manipulate a client before the operating system and antimalware solutions load. Bootkits and rootkits and similar software are nearly impossible to detect using software-based solutions alone, so Windows 10 uses the client’s Trusted Platform Module (TPM) and the Windows Measured Boot feature to analyze the overall boot integrity. When requested, Windows 10 reports integrity information to the Windows cloud-based device health attestation service, which can then be used in coordination with management solutions such as Intune to analyze the data and provide conditional access to resources based on the device’s health state. - -Measured Boot uses one of TPM’s key functionalities and provides unique benefits to secure organizations. The feature can accurately and securely report the state of a machine’s trusted computing base (TCB). 
By measuring a system’s TCB, which consists of crucial startup-related security components such as firmware, the Operating System Loader, and drivers and software, the TPM can store the current device state in platform configuration registers (PCRs). When this measurement process is complete, the TPM cryptographically signs this PCR data so that Measured Boot information can be sent to either the Windows cloud-based device health attestation service or a non-Microsoft equivalent for signing or review. For example, if a company only wants to validate a computer’s BIOS information before allowing network access, PCR\[0\], which is the PCR that contains BIOS information, would be added to the policy for the attestation server to validate. This way, when the attestation server receives the manifest from the TPM, the server knows which values that PCR should contain. - -Measured Boot by itself does not prevent malware from loading during the startup process, but it does provide a TPM-protected audit log that allows a trusted remote attestation server to evaluate the PC’s startup components and determine its trustworthiness. If the remote attestation server indicates that the PC loaded an untrusted component and is therefore out of compliance, a management system can use the information for conditional access scenarios to block the PC’s access to network resources or perform other quarantine actions. - -### Improvements in Windows Defender - -For Windows 10, Microsoft has revamped Windows Defender and combined it with Microsoft System Center Endpoint Protection. Unlike with Microsoft System Center 2012 R2, there will be no System Center Endpoint Protection client to deploy to Windows 10 machines because Windows Defender is built into the operating system and enabled by default. - -In addition to simplified deployment, Windows Defender contains several improvements. 
The most important improvements to Windows Defender are: - -- **Early Launch Antimalware (ELAM) compatible.** After Secure Boot has verified that the loading operating system is trusted, ELAM can start a registered and signed antimalware application before any other operating system components. Windows Defender is compatible with ELAM. -- **Local context for detections and centralized sensory data.** Unlike most antimalware software and previous versions of Windows Defender, Windows Defender in Windows 10 reports additional information about the context of discovered threats. This information includes the source of the content that contains the threat as well as the historical movement of the malware throughout the system. When collection is complete, Windows Defender reports this information (when users elect to enable cloud-based protection) and uses it to mitigate threats more quickly. -- **User Account Control (UAC) integration.** Windows Defender is now closely integrated with the UAC mechanism in Windows 10. Whenever a UAC request is made, Windows Defender automatically scans the threat before prompting the user, which helps prevent users from providing elevated privileges to malware. -- **Simplified management.** In Windows 10, you can manage Windows Defender much more easily than ever before. Manage settings through Group Policy, Intune, or Configuration Manager. - -## Information protection - -Protecting the integrity of company data as well as preventing the inappropriate disclosure and sharing of that data are a top priority for IT organizations. Trends like BYOD and mobility make the task of information protection more challenging than ever before. Windows 10 includes several improvements to built-in information protection, including a new Windows Information Protection (WIP) feature that offers DLP capability. 
This feature allows an organizations’ users to classify data themselves and gives you the ability to automatically classify data as it ingresses from business resources. It can also help prevent users from copying business content to unauthorized locations such as personal documents or websites. - -Unlike some current DLP solutions, WIP does not require users to switch modes or apps or work within containers to protect data, and the protection happens behind the scenes without altering the user experience that your users have grown accustomed to in Windows. For more information about WIP in Windows 10, see the [Windows Information Protection](#windows-information-protection) section. - -In addition to WIP, Microsoft has made substantial improvements to BitLocker, including simplified manageability through Microsoft BitLocker Administration and Monitoring (MBAM), used-space-only encryption, and single sign-on (SSO) capability. For more information about BitLocker improvements in Windows 10, see the [Improvements in BitLocker](#bitlocker) section. - -### Windows Information Protection - -DLP systems are intended to protect sensitive corporate data through encryption and managed use while the data is in use, in motion, or at rest. Traditional DLP software is typically invasive and frustrating for users and can be complicated for administrators to configure and deploy. Windows 10 now includes a Windows Information Protection (WIP) feature that offers DLP capabilities and is built in and simple to use. This solution gives you the flexibility to define policies that will help determine what kind of data to protect as business data and what should be considered personal. Based on these policies, you can also choose what to do, either automatically or manually, whenever you suspect that data is about to be or has been compromised. 
For example, if an employee has a personal but managed device that contains business data, an IT organization could block that user from copying and pasting business data to nonbusiness documents and locations or could even selectively wipe the business data from the device at any time without affecting the personal data on the device. - -You can configure WIP policies to encrypt and protect files automatically based on the network source from which the content was acquired, such as an email server, file share, or a Microsoft SharePoint site. The policies can work with on-premises resources as well as those that originate from the Internet. When specified, any data retrieved from internal network resources will always be protected as business data; even if that data is copied to portable storage, such as a flash drive or CD, the protection remains. In an effort to allow easy corrections of misclassified data, users who feel that WIP has incorrectly protected their personal data can modify the data’s classification. When such a modification occurs, you have access to audit data on the client machine. You can also use a policy to prevent users from reclassifying data. The WIP feature in Windows 10 also includes policy controls that allow you to define which apps have access to business data and even which have access to the corporate virtual private network (VPN). - -To manage WIP, you use the same system management tools you probably already use to manage your Windows client computers, such as Configuration Manager and Intune. For more information about WIP, see [Protect your enterprise data using Windows Information Protection](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). - -### Improvements in BitLocker - -With so many laptops stolen annually, protecting data at rest should be a top priority for any IT organization. Microsoft has provided an encryption solution called BitLocker directly in Windows since 2004. 
If your last encounter with BitLocker was in Windows 7, you’ll find that the manageability and SSO capabilities that were previously lacking are now included in Windows 10. These and other improvements make BitLocker one of the best choices on the marketplace for protecting data on Windows devices. Windows 10 builds on the BitLocker improvements made in the Windows 8.1 and Windows 8 operating systems to make BitLocker more manageable and to simplify its deployment even further. - -Microsoft has made the following key improvements to BitLocker: -- **Automatic drive encryption through Device Encryption.** By default, BitLocker is automatically enabled on clean installations of Windows 10 if the device has passed the Device Encryption Requirements test from the Windows Hardware Certification Kit. Many Windows 10–compatible PCs will meet this requirement. This version of BitLocker is called Device Encryption. Whenever devices on which Drive Encryption is enabled join your domain, the encryption keys can be escrowed in either Active Directory or MBAM. -- **MBAM improvements.** MBAM provides a simplified management console for BitLocker administration. It also simplifies recovery requests by providing a self-service portal in which users can recover their drives without calling the help desk. -- **SSO.** BitLocker for Windows 7 often required the use of a pre-boot PIN to access the protected drive’s encryption key and allow Windows to start. In Windows 10, user input-based preboot authentication (in other words, a PIN) is not required because the TPM maintains the keys. In addition, modern hardware often mitigates the cold boot attacks (for example, port-based direct memory access attacks) that have previously necessitated PIN protection. For more information to determine which cases and device types require the use of PIN protection, refer to [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md). 
-- **Used-space-only encryption.** Rather than encrypting an entire hard drive, you can configure BitLocker to encrypt only the used space on a drive. This option drastically reduces the overall encryption time required. - -## Identity protection and access control - -User credentials are vital to the overall security of an organization’s domain. Until Windows 10, user name-password combinations were the primary way for a person to prove his or her identity to a machine or system. Unfortunately, passwords are easily stolen, and attackers can use them remotely to spoof a user’s identity. Some organizations deploy public key infrastructure (PKI)-based solutions, like smart cards, to address the weaknesses of passwords. Because of the complexity and costs associated with these solutions, however, they’re rarely deployed and, even when they are used, frequently used only to protect top-priority assets such as the corporate VPN. Windows 10 introduces new identity-protection and access control features that address the weaknesses of today’s solutions and can effectively remove the need for user passwords in an organization. - -Windows 10 also includes a feature called Microsoft Passport, a new 2FA mechanism built directly into the operating system. The two factors of authentication include a combination of something you know (for example, a PIN), something you have (for example, your PC, your phone), or something about the user (for example, biometrics). With Microsoft Passport enabled, when you log on to a computer, Microsoft Passport is responsible for brokering user authentication around the network, providing the same SSO experience with which you’re familiar. For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section. - -The biometrics factor available for Microsoft Passport is driven by another new feature in Windows 10 called Windows Hello. 
Windows Hello uses a variety of biometric sensors to accept different points of biometric measurement, such as the face, iris, and fingerprints, which allows organizations to choose from various options when they consider what makes the most sense for their users and devices. By combining Windows Hello with Microsoft Passport, users no longer need to remember a password to access corporate resources. For more information about Windows Hello, see the [Windows Hello](#hello) section. - -Finally, Windows 10 uses VBS to isolate the Windows service responsible for maintaining and brokering a user’s derived credentials (for example, Kerberos ticket, NTLM hash) through a feature called Credential Guard. In addition to service isolation, the TPM protects credential data while the machine is running and while it’s off. Credential Guard provides a comprehensive strategy to protect user-derived credentials at runtime as well as at rest, thus preventing them from being accessed and used in pass-the-hash–type attacks. For more information about Credential Guard, see the [Credential Guard](#credential-guard) section. - -### Microsoft Passport - -Historically, companies have mitigated the risk of credential theft by implementing 2FA. In this method, a combination of something you know (for example, a PIN), something you have (traditionally a smart card or token), or possibly something about the user (for example, biometrics) strengthens the logon process. The additional factor beyond something you know requires that a credential thief acquire a physical device or, in the case of biometrics, the actual user. - -Microsoft Passport introduces a strong 2FA mechanism integrated directly into Windows. Many organizations use 2FA today but don’t integrate its functionality into their organization because of the expense and time required to do so. 
Therefore, most organizations use MFA only to secure VPN connections and the highest-value resources on their network, and then use traditional passwords for logon to devices and to navigate the rest of the network. Microsoft Passport is unlike these other forms of 2FA in that Microsoft designed it specifically to address the complexity, cost, and user experience challenges of traditional 2FA solutions, making it simple to deploy throughout the enterprise through existing infrastructure and devices. - -Microsoft Passport can use the biometric information from Windows Hello or a unique PIN with cryptographic signing keys stored in the device’s TPM. For organizations that don’t have an existing PKI, the TPM—or Windows, when no TPM is present—can generate and protect these keys. If your organization has an on-premises PKI or wants to deploy one, you can use certificates from the PKI to generate the keys, and then store them in the TPM. When the user has registered the device and uses Windows Hello or a PIN to log in to the device, the Microsoft Passports private key fulfills any subsequent authentication requests. Microsoft Passport combines the deployment flexibility of virtual smart cards with the robust security of physical smart cards without requiring the extra infrastructure components needed for traditional smart card deployments and hardware such as cards and readers. - -In Windows 10, the physical factor of authentication is the user’s device—either his or her PC or mobile phone. By using the new phone sign-in capability which will available to Windows Insiders as a preview in early 2016, users can unlock their PC without ever touching it. Users simply enroll their phone with Microsoft Passport by pairing it with the PC via Wi-Fi or Bluetooth and install a simple-to-use application on their phone that allows them to select which PC to unlock. When selected, users can enter a PIN or their biometric login from their phone to unlock their PC. 
- -### Windows Hello -Passwords represent a losing identity and access control mechanism. When an organization relies on password-driven Windows authentication, attackers only have to determine a single string of text to access anything on a corporate network that those credentials protect. Unfortunately, attackers can use several methods to retrieve a user’s password, making credential theft relatively easy for determined attackers. By moving to an MFA mechanism to verify user identities, organizations can remove the threats that single-factor options like passwords represent. - -Windows Hello is the enterprise-grade biometric integration feature in Windows 10. This feature allows users to use their face, iris, or fingerprint rather than a password to authenticate. Although biometric logon capabilities have been around since the Windows XPoperating system, they have never been as easy, seamless, and secure as they are in Windows 10. In previous uses of biometrics in Windows, the operating system used the biometric information only to unlock the device; then, behind the scenes the user’s traditional password was used to access resources on the organization’s network. Also, the IT organization had to run additional software to configure the biometric devices to log in to Windows or applications. Windows Hello is integrated directly into the operating system and so doesn’t require additional software to function. However, as with any other biometrics-based login, Windows Hello requires specific hardware to function: -- **Facial recognition.** To establish facial recognition, Windows Hello uses special infrared (IR) cameras and anti-spoofing technology to reliably tell the difference between a photograph and a living person. This requirement ensures that no one can take a person’s PC and spoof his or her identity simply by obtaining a high-definition picture. 
Many manufacturers already offer PC models that include such cameras and are therefore compatible with Windows Hello. For those machines that don’t currently include these special cameras, several external cameras are available. -- **Fingerprint recognition.** Fingerprint sensors already exist in a large percentage of consumer and business PCs. Most of them (whether external or integrated into laptops or USB keyboards) work with Windows Hello. The detection and anti-spoofing technology available in Windows 10 is much more advanced than in previous versions of Windows, making it more difficult for attackers to deceive the operating system. -- **Iris recognition.** Like facial recognition, iris-based recognition uses special IR cameras and anti-spoofing technology to reliably tell the difference between the user’s iris and an impostor. Iris recognition will be available in mobile devices by the end of 2016 but is also available for independent hardware vendors and OEMs to incorporate into PCs. -With Windows Hello in conjunction with Microsoft Passport, users have the same SSO experience they would if they logged on with domain credentials: they simply use biometrics, instead. In addition, because no passwords are involved, users won’t be calling the help desk saying that they have forgotten their password. For an attacker to spoof a user’s identity, he or she would have to have physical possession of both the user and the device on which the user is set up for Windows Hello. From a privacy perspective, organizations can rest assured that the biometric data Windows Hello uses is not centrally stored; can’t be converted to images of the user’s fingerprint, face, or iris; and is designed never to leave the device. In the end, Windows Hello and Microsoft Passport can completely remove the necessity for passwords for Azure AD and hybrid Azure AD/Active Directory environments and the apps and web services that depend on them for identity services. 
For more information about Microsoft Passport, see the [Microsoft Passport](#passport) section. - -### Credential Guard - -Pass the hash is the most commonly used derived credential attack today. This attack begins with an attacker extracting a user account’s derived credentials (hash value) from memory. Then, by using a product such as Mimikatz, the attacker reuses (passes) those credentials to other machines and resources on the network to gain additional access. Microsoft designed Credential Guard specifically to eliminate derived credential theft and abuse in pass-the-hash–type attacks. - -Credential Guard is another new feature in Windows 10 Enterprise that employs VBS to protect domain credentials against theft, even when the host operating system is compromised. To achieve such protection, Credential Guard isolates a portion of the LSA service, which is responsible for managing authentication, inside a virtualized container. This container is similar to a VM running on a hypervisor but is extremely lightweight and contains only those files and components required to operate the LSA and other isolated services. By isolating a portion of the LSA service within this virtualized environment, credentials are protected even if the system kernel is compromised, removing the attack vector for pass the hash. - -For more information about the hardware requirements for Credential Guard, see the [Windows 10 hardware considerations](#hardware) section. For more information about VBS in Windows 10, see the [Virtualization-based security](#virtualization-based-security) section. - -> [!NOTE] -> Starting in Windows 10, version 1607, you can configure Credential Guard on a VM. - -  -The Credential Guard feature is targeted at resisting the use of pass-the-hash and pass-the-ticket techniques. By employing a MFA option such as Microsoft Passport with Credential Guard, you can gain additional protection against such threats. 
For more in-depth information about how Credential Guard works and the specific mitigations it provides, see [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md). - -## Windows 10 hardware considerations - -Most of the features this article describes rely on specific hardware to maximize their capabilities. By purchasing hardware that includes these features during your next purchase cycle, you will be able to take advantage of the most comprehensive client security package Windows 10 has to offer. Careful consideration about which hardware vendor and specific models to purchase is vital to the success of your organization’s client security portfolio. Table 1 contains a list of each new Windows 10 security feature and its hardware requirements. - -Table 1. Windows 10 hardware requirements - -| Windows 10 feature | TPM | Input/output memory management unit | Virtualization extensions | SLAT | UEFI 2.3.1 | x64 architecture only | -|-------------------------------------------------|-----|-------------------------------------|---------------------------|------|------------|-----------------------| -| Credential Guard | R | N | Y | Y | Y | Y | -| Device Guard | N | Y | Y | Y | Y | Y | -| BitLocker | R | N | N | N | N | N | -| Configurable code integrity | N | N | N | N | R | R | -| Microsoft Passport | R | N | N | N | N | N | -| Windows Hello | R | N | N | N | N | N | -| VBS | N | Y | Y | Y | N | Y | -| UEFI Secure Boot | R | N | N | N | Y | N | -| Device health attestation through Measured Boot | Y | N | N | N | Y | Y | -  - -**Note**
          -In this table, **R** stands for *recommended*, **Y** means that the hardware component is *required* for that Windows 10 feature, and **N** means that the hardware component is *not used* with that Windows 10 feature. -  -## Related topics - -- [Windows 10 Specifications](https://go.microsoft.com/fwlink/p/?LinkId=717550) -- [Making Windows 10 More Personal and More Secure with Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=717551) -- [Protect BitLocker from pre-boot attacks](../keep-secure/protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker Countermeasures](../keep-secure/bitlocker-countermeasures.md) -- [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md) -- [Protect derived domain credentials with Credential Guard](../keep-secure/credential-guard.md) diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md deleted file mode 100644 index e4a2614653..0000000000 --- a/windows/whats-new/trusted-platform-module.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: What's new in Trusted Platform Module (Windows 10) -description: This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. -ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security, mobile -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/trusted-platform-module-overview ---- - -# What's new in Trusted Platform Module? - -**Applies to** -- Windows 10 -- Windows 10 Mobile -- Windows Server 2016 - -This topic for the IT professional describes new features for the Trusted Platform Module (TPM) in Windows 10. - -## New features in Windows 10, version 1511 - -- Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC). - -## New features in Windows 10 - -The following sections describe the new and changed functionality in the TPM for Windows 10: -- [Device health attestation](#bkmk-dha) -- [Microsoft Passport](microsoft-passport.md) support -- [Device Guard](device-guard-overview.md) support -- [Credential Guard](credential-guard.md) support - -## Device health attestation - -Device health attestation enables enterprises to establish trust based on hardware and software components of a managed device. With device heath attestation, you can configure an MDM server to query a health attestation service that will allow or deny a managed device access to a secure resource. -Some things that you can check on the device are: -- Is Data Execution Prevention supported and enabled? -- Is BitLocker Drive Encryption supported and enabled? -- Is SecureBoot supported and enabled? - -> **Note**  The device must be running Windows 10 and it must support at least TPM 2.0. -  -[Learn how to deploy and manage TPM within your organization](../keep-secure/trusted-platform-module-overview.md). -  -  
diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md
deleted file mode 100644
index 4a670324d3..0000000000
--- a/windows/whats-new/user-account-control.md
+++ /dev/null
@@ -1,32 +0,0 @@ ---- -title: What's new in User Account Control (Windows 10) -description: User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. -ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in User Account Control? - -**Applies to** -- Windows 10 - -User Account Control (UAC) helps prevent malware from damaging a computer and helps organizations deploy a better-managed desktop environment. - -You should not turn off UAC because this is not a supported scenario for devices running Windows 10. If you do turn off UAC, all Univeral Windows Platform apps stop working. You must always set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA** registry value to 1. If you need to provide auto elevation for programmatic access or installation, you could set the **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin** registry value to 0, which is the same as setting the UAC slider Never Notify. This is not recommended for devices running Windows 10. - -For more info about how manage UAC, see [UAC Group Policy Settings and Registry Key Settings](../keep-secure/user-account-control-group-policy-and-registry-key-settings.md). - -In Windows 10, User Account Control has added some improvements. - -## New features in Windows 10 - -- **Integration with the Antimalware Scan Interface (AMSI)**. The [AMSI](http://msdn.microsoft.com/library/windows/desktop/dn889587.aspx) scans all UAC elevation requests for malware. If malware is detected, the admin privilege is blocked. 
- -[Learn how to manage User Account Control within your organization](../keep-secure/user-account-control-overview.md). -  -  diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 92c077d28e..a909347a7b 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -13,7 +13,9 @@ localizationpriority: high Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. -> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +  ## Deployment @@ -249,7 +251,6 @@ Windows 10 provides mobile device management (MDM) capabilities for PCs, laptop ### MDM support - MDM policies for Windows 10 align with the policies supported in Windows 8.1 and are expanded to address even more enterprise scenarios, such as managing multiple users who have Microsoft Azure Active Directory (Azure AD) accounts, full control over the Windows Store, VPN configuration, and more. MDM support in Windows 10 is based on [Open Mobile Alliance (OMA)](https://go.microsoft.com/fwlink/p/?LinkId=533885) Device Management (DM) protocol 1.2.1 specification. 
@@ -299,7 +300,7 @@ Lockdown settings can also be configured for device look and feel, such as a the A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Starting in Windows 10, version 1511, administrators can configure a *partial* Start layout, which applies specified tile groups while allowing users to create and customize their own tile groups. Learn how to [customize and export Start layout](../manage/customize-and-export-start-layout.md). -Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../manage/windows-spotlight.md). +Administrators can also use mobile device management (MDM) or Group Policy to disable the use of [Windows Spotlight on the lock screen](../configure/windows-spotlight.md). ### Windows Store for Business **New in Windows 10, version 1511** @@ -346,7 +347,7 @@ We also recommend that you upgrade to IE11 if you're running any earlier version ## Learn more -- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) +- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)   diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 2a85e07f4d..87a9c88d26 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md 
@@ -14,7 +14,9 @@ localizationpriority: high Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). -> **Note:** For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>[!NOTE] +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +    ## Deployment @@ -128,7 +130,7 @@ Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilit ### Shared PC mode -Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../manage/set-up-shared-or-guest-pc.md) +Windows 10, Version 1607, introduces shared PC mode, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. You can apply shared PC mode to Windows 10 Pro, Education, and Enterprise. [Learn how to set up a shared or guest PC.](../configure/set-up-shared-or-guest-pc.md) ### Application Virtualization (App-V) for Windows 10 
@@ -144,7 +146,7 @@ Many users customize their settings for Windows and for specific applications. C With User Experience Virtualization (UE-V), you can capture user-customized Windows and application settings and store them on a centrally managed network file share. When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to. -With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and EU-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. +With the release of Windows 10, version 1607, UE-V is included with the Windows 10 for Enterprise edition. If you are new to Windows 10 and UE-V or upgrading from a previous version of UE-V, you’ll need to download, activate, and install server- and client-side components to start synchronizing user-customized settings across devices. [Learn how to synchronize user-customized settings with UE-V.](../manage/uev-for-windows.md) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md new file mode 100644 index 0000000000..f10f250341 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -0,0 +1,304 @@ +--- +title: What's in Windows 10, version 1703 +description: New and updated IT pro content about new features in Windows 10, version 1703 (also known as the Creators Updated). +keywords: ["What's new in Windows 10", "Windows 10", "creators update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: JasonGerend +localizationpriority: high +ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617 +--- + +# What's new in Windows 10, version 1703 IT pro content + +Below is a list of some of the new and updated content that discusses Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). + +For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). + +>[!NOTE] +>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). +  +## Configuration + +### Windows Configuration Designer + +Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Windows Store as an app](https://www.microsoft.com/store/apps/9nblggh4tx22). 
To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). + +Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages. + +![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png) + +Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp). + +![remove pre-installed software option](images/wcd-cleanpc.png) + +[Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md) + + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](../configure/provisioning-packages.md#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](images/bulk-token.png) + + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](../configure/windows-spotlight.md) + + +### Start and taskbar layout + +Enterprises have been able to apply customized Start and taskbar layouts to devices running Windows 10 Enterprise and Education. In Windows 10, version 1703, customized Start and taskbar layout can also be applied to Windows 10 Pro. 
+ +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md). + +[Additional MDM policy settings are available for Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and 
[**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + + + + +### Cortana at work + +Cortana is Microsoft’s personal digital assistant, who helps busy people get things done, even while at work. Cortana has powerful configuration options, specifically optimized for your business. By signing in with an Azure Active Directory (Azure AD) account, your employees can give Cortana access to their enterprise/work identity, while getting all the functionality Cortana provides to them outside of work. + +Using Azure AD also means that you can remove an employee’s profile (for example, when an employee leaves your organization) while respecting Windows Information Protection (WIP) policies and ignoring enterprise content, such as emails, calendar items, and people lists that are marked as enterprise data. 
+ +For more info about Cortana at work, see (../configure/cortana-at-work-overview.md) + + +## Deployment + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md). + +## Security + +### Windows Defender Advanced Threat Protection + +New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include: +- **Detection**
          + Enhancements to the detection capabilities include: + - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks + - Upgraded detections of ransomware and other advanced attacks + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed + +- **Investigation**
          + Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. + + Other investigation enhancements include: + - [Investigate a user account](../keep-secure/investigate-user-windows-defender-advanced-threat-protection.md) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](../keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](../keep-secure/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) - Use REST API to pull alerts from Windows Defender ATP. + +- **Response**
          + When detecting an attack, security response teams can now take immediate action to contain a breach: + - [Take response actions on a machine](../keep-secure/respond-machine-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](../keep-secure/respond-file-alerts-windows-defender-advanced-threat-protection.md) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + + +- **Other features** + - [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. + +You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787]. + +### Windows Defender Antivirus +Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md). 
+ +The new library includes information on: +- [Deploying and enabling AV protection](../keep-secure/deploy-windows-defender-antivirus.md) +- [Managing updates](../keep-secure/manage-updates-baselines-windows-defender-antivirus.md) +- [Reporting](../keep-secure/report-monitor-windows-defender-antivirus.md) +- [Configuring features](../keep-secure/configure-windows-defender-antivirus-features.md) +- [Troubleshooting](../keep-secure/troubleshoot-windows-defender-antivirus.md) + +Some of the highlights of the new library include: +- [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md) +- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md) + +New features for Windows Defender AV in Windows 10, version 1703 include: + +- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md) +- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md) + +In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md). 
+ + +You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). + +### Device Guard and Credential Guard + +Additional security qualifications for Device Guard and Credential Guard help protect vulnerabilities in UEFI runtime. +For more information, see [Device Guard Requirements](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#device-guard-requirements-for-improved-security) and [Credential Guard Security Considerations](../keep-secure/credential-guard-requirements.md#security-considerations). + +### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](../keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](../keep-secure/interactive-logon-dont-display-username-at-sign-in.md) has been introduced in Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +### Windows Hello for Business + +You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). 
+ +For Windows Phone devices, an adminisrator is able to initiate a remote PIN reset through the Intune portal. + +For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. + +For more details, check out [What if I forget my PIN?](../keep-secure/hello-why-pin-is-better-than-password.md#what-if-i-forget-my-pin). + +## Update + +### Windows Update for Business + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates). + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. 
For details, see [Windows Insider Program for Business](../update/waas-windows-insider-for-business.md). + +### Optimize update delivery + +With changes delivered in Windows 10, version 1703, [Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. 
+ +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](../update/waas-delivery-optimization.md#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](../update/waas-delivery-optimization.md#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](../update/waas-delivery-optimization.md#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](../update/waas-delivery-optimization.md#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md) + +### Uninstalled in-box apps no longer automatically reinstall + +When upgrading to Windows 10, version 1703, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. (Apps de-provisioned by IT administrators will still be reinstalled.) + +## Management + +### New MDM capabilities + +Windows 10, version 1703 adds many new [configuration service providers (CSPs)](../configure/how-it-pros-can-use-configuration-service-providers.md) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). 
+ +Some of the other new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). 
+ +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](http://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. + +For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). + +### MDM diagnostics + +In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. 
Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Addtionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-provision-a-vm.md) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-sequencing.md) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md) +- [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. 
+ +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](../configure/basic-level-windows-diagnostic-events-and-fields.md) +- [Windows 10, version 1703 Diagnostic Data](../configure/windows-diagnostic-data.md) + +## Windows 10 Mobile enhancements + +### Lockdown Designer + +The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). + +![Lockdown Designer app in Store](images/ldstore.png) + +[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md) + +### Other enhancements + +Windows 10 Mobile, version 1703 also includes the following enhancements: + +- SD card encryption +- Remote PIN resets for Azure Active Directory accounts +- SMS text message archiving +- WiFi Direct management +- OTC update tool +- Continuum display management + - Individually turn off the monitor or phone screen when not in use + - Indivudally adjust screen time-out settings +- Continuum docking solutions + - Set Ethernet port properties + - Set proxy properties for the Ethernet port + +## New features in related products +The following new features aren't part of Windows 10, but help you make the most of it. + +### Upgrade Readiness + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. 
To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+
+For more information about Upgrade Readiness, see the following topics:
+
+- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
+- [Manage Windows upgrades with Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md)
+
+
+### Update Compliance
+
+Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.
+
+Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
+
+For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).
diff --git a/windows/whats-new/windows-spotlight.md b/windows/whats-new/windows-spotlight.md
deleted file mode 100644
index 15caeeb2a9..0000000000
--- a/windows/whats-new/windows-spotlight.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Windows Spotlight on the lock screen (Windows 10)
-description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
-ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A
-keywords: ["lockscreen"]
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-author: jdeckerMS
-redirect_url: https://technet.microsoft.com/en-us/itpro/windows/manage/windows-spotlight
----
-
-# Windows Spotlight on the lock screen
-
-
-This topic has been redirected.
\ No newline at end of file
diff --git a/windows/whats-new/windows-store-for-business-overview.md b/windows/whats-new/windows-store-for-business-overview.md
deleted file mode 100644
index abb7c7f8f3..0000000000
--- a/windows/whats-new/windows-store-for-business-overview.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: Windows Store for Business overview (Windows 10)
-description: With the new Windows Store for Business, organizations can make volume purchases of Windows apps.
-ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
-ms.prod: w10
-ms.pagetype: store, mobile
-ms.mktglfcycl: manage
-ms.sitesec: library
-redirect_url: https://technet.microsoft.com/itpro/windows/manage/windows-store-for-business-overview
-author: TrudyHa
----
diff --git a/windows/whats-new/windows-update-for-business.md b/windows/whats-new/windows-update-for-business.md
deleted file mode 100644
index 4b69cf6ecd..0000000000
--- a/windows/whats-new/windows-update-for-business.md
+++ /dev/null
@@ -1,50 +0,0 @@ ---- -title: What's new in Windows Update for Business (Windows 10) -description: Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. -ms.assetid: 9271FC9A-6AF1-4BBD-A272-909BF54363F4 -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -author: TrudyHa -redirect_url: https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 ---- - -# What's new in Windows Update for Business? - - -**Applies to** - -- Windows 10 - -Windows Update for Business enables information technology administrators to keep the Windows 10-based devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Microsoft’s Windows Update service. - -## Benefits of Windows Update for Business - - -By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279), Windows Update for Business is an easily established and implemented system which enables organizations and administrators to exercise control on how their Windows 10-based devices are updated, by allowing: - -- **Deployment and validation groups**; where administrators can specify which devices go first in an update wave, and which devices will come later (to ensure any quality bars are met). - -- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient. - -- **Use with existing tools** such as System Center Configuration Manager and the [Enterprise Mobility Suite](https://go.microsoft.com/fwlink/p/?LinkId=699281). 
- -Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](http://technet.microsoft.com/library/hh852345.aspx) and [System Center Configuration Manager](http://technet.microsoft.com/library/gg682129.aspx). - -## Learn more - - -[Windows Update for Business](../plan/windows-update-for-business.md) - -[Setup and deployment](../plan/setup-and-deployment.md) - -[Integration with management solutions](../plan/integration-with-management-solutions-.md) - -  - -  - - - - -
