Merge pull request #428 from MicrosoftDocs/master

Public to live (plus some small fixes)
Dani Halfin 2019-06-12 10:57:37 -07:00 committed by GitHub
commit 38e744d4f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 201 additions and 68 deletions

View File

@ -40,7 +40,7 @@ ms:topic: include
- **Data type:** Integer
#### Registry settings
- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\
- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main
- **Value name:** AllowPrelaunch
- **Value type:** REG_DWORD

View File

@ -38,8 +38,8 @@ ms:topic: include
- **Data type:** Integer
#### Registry settings
- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
- **Create Value name:** AllowPrelaunch
- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader
- **Create Value name:** AllowTabPreloading
- **Value type:** REG_DWORD
- **DWORD Value:** 1
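
Review bot: the new path is under `HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader`, while the sibling prelaunch include documents `AllowPrelaunch` under HKLM. Please confirm that tab preloading is meant to be documented as a per-user policy only, or list the machine hive as well. The label "Create Value name:" also differs from the "Value name:" label used in the prelaunch include; pick one label for both files.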

View File

@ -18,7 +18,7 @@ You must continue using IE11 if web apps use any of the following:
* x-ua-compatible headers
* <meta> tags
* <meta> tags with an http-equivalent value of X-UA-Compatible header
* Enterprise mode or compatibility view to addressing compatibility issues
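
Review bot: in the `<meta>` bullet, the bare `<meta>` is not escaped, so a Markdown renderer can treat it as raw HTML and drop it from the list; wrap it in backticks. The attribute is named `http-equiv`, not "http-equivalent", so the bullet should read along the lines of "`<meta>` tags with an `http-equiv` value of X-UA-Compatible". The unchanged last bullet also needs "to address" instead of "to addressing".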

View File

@ -48,6 +48,14 @@
## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
## [Top support solutions for Surface Hub](support-solutions-surface-hub.md)
## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
## [Surface Hub Update History](surface-hub-update-history.md)
## [Known issues and additional information about Microsoft Surface Hub](known-issues-and-additional-info-about-surface-hub.md)
## [How to use cloud recovery for BitLocker on a Surface Hub](use-cloud-recovery-for-bitlocker-on-surfacehub.md)
## [Using the Surface Hub Hardware Diagnostic Tool to test a device account](use-surface-hub-diagnostic-test-device-account.md)
## [Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel](surfacehub-miracast-not-supported-europe-japan-israel.md)
## [What to do if the Connect app in Surface Hub exits unexpectedly](connect-app-in-surface-hub-unexpectedly-exits.md)
## [Surface Hub may install updates and restart outside maintenance hours](surface-hub-installs-updates-and-restarts-outside-maintenance-hours.md)
## [General Data Privacy Regulation and Surface Hub](general-data-privacy-regulation-and-surface-hub.md)
## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
## [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md)
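
Review bot: the new TOC entry "General Data Privacy Regulation and Surface Hub" misnames the regulation; GDPR is the General Data Protection Regulation. Fix the link text here (and the article title, if it matches); the target filename can stay if renaming it would break inbound links.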

View File

@ -51,7 +51,7 @@ Microsoft Store adds the app to **Products and services**. Click **Manage**, **A
The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
>[!Note]
> If you are working with a new Line-of-Business (LOB) app, you have to wait for the app to be available in **Products & services** before adding it to your private store. For more information, see [Working with line of business apps](working-with-line-of-business-apps.md).
> If you are working with a new Line-of-Business (LOB) app, you have to wait for the app to be available in **Products & services** before adding it to your private store. For more information, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
## Private store availability
You can use security groups to scope which users can install an app from your private store. For more information, see [Private store availability](app-inventory-management-microsoft-store-for-business.md#private-store-availability).
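
Review bot: the note refers to **Products & services**, but the paragraph above it in the same file calls the page **Products and services**. Use whichever string the Microsoft Store for Business UI shows, in both places, so readers can match it on screen. The alert marker `>[!Note]` should also follow the `> [!NOTE]` form used elsewhere in this commit.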

View File

@ -937,6 +937,7 @@ The following list shows the supported values:
<!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
> Prior to Windows 10, version 1803, this policy had User scope.
This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
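
Review bot: the added line "Prior to Windows 10, version 1803, this policy had User scope." sits directly under the previous note sentence with no separating `>` line, so it will render as a run-on of the same paragraph. It also leaves out the scope from version 1803 onward; state both (for example "had User scope; starting with version 1803 it has ... scope") so admins know where to apply the policy on current builds.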

View File

@ -97,37 +97,37 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<a href="" id="deviceaccount-domainname"></a>**DeviceAccount/DomainName**
<p style="margin-left: 20px">Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
<p style="margin-left: 20px">The data type is char. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="deviceaccount-username"></a>**DeviceAccount/UserName**
<p style="margin-left: 20px">Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
<p style="margin-left: 20px">The data type is char. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="deviceaccount-userprincipalname"></a>**DeviceAccount/UserPrincipalName**
<p style="margin-left: 20px">User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
<p style="margin-left: 20px">The data type is char. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="deviceaccount-sipaddress"></a>**DeviceAccount/SipAddress**
<p style="margin-left: 20px">Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
<p style="margin-left: 20px">The data type is char. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="deviceaccount-password"></a>**DeviceAccount/Password**
<p style="margin-left: 20px">Password for the device account.
<p style="margin-left: 20px">The data type is char. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
<a href="" id="deviceaccount-validateandcommit"></a>**DeviceAccount/ValidateAndCommit**
<p style="margin-left: 20px">This method validates the data provided and then commits the changes.
<p style="margin-left: 20px">The data type is char. Supported operation is Execute.
<p style="margin-left: 20px">The data type is string. Supported operation is Execute.
<a href="" id="deviceaccount-email"></a>**DeviceAccount/Email**
<p style="margin-left: 20px">Email address of the device account.
<p style="margin-left: 20px">The data type is char.
<p style="margin-left: 20px">The data type is string.
<a href="" id="deviceaccount-passwordrotationenabled"></a>**DeviceAccount/PasswordRotationEnabled**
<p style="margin-left: 20px">Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
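
Review bot: DeviceAccount/Email states only "The data type is string." and, unlike every sibling node in this hunk, gives no supported operation; add it while the line is being touched. For DeviceAccount/ValidateAndCommit, please confirm that an Execute-only node really takes a string, since the type was changed mechanically from char along with the others.
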
@ -137,17 +137,17 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
- 0 - password rotation enabled
- 1 - disabled
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="deviceaccount-exchangeserver"></a>**DeviceAccount/ExchangeServer**
<p style="margin-left: 20px">Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
<p style="margin-left: 20px">The data type is char. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="deviceaccount-calendarsyncenabled"></a>**DeviceAccount/CalendarSyncEnabled**
<p style="margin-left: 20px">Specifies whether calendar sync and other Exchange server services is enabled.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="deviceaccount-errorcontext"></a>**DeviceAccount/ErrorContext**
<p style="margin-left: 20px">If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values:
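
Review bot: under DeviceAccount/PasswordRotationEnabled the value list reads `0 - password rotation enabled` and `1 - disabled`, which is the reverse of what the node name suggests. Please confirm the mapping against the CSP and, if it is correct, call the inversion out explicitly, because an admin who assumes 1 means enabled would switch rotation off for the device account. In the same hunk, "calendar sync and other Exchange server services is enabled" should read "are enabled".
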
@ -203,8 +203,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
</tr>
</tbody>
</table>
<p style="margin-left: 20px">The data type is int. Supported operation is Get.
 
<p style="margin-left: 20px">The data type is integer. Supported operation is Get.
<a href="" id="maintenancehourssimple-hours"></a>**MaintenanceHoursSimple/Hours**
<p style="margin-left: 20px">Node for maintenance schedule.
@ -212,12 +212,12 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<a href="" id="maintenancehourssimple-hours-starttime"></a>**MaintenanceHoursSimple/Hours/StartTime**
<p style="margin-left: 20px">Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="maintenancehourssimple-hours-duration"></a>**MaintenanceHoursSimple/Hours/Duration**
<p style="margin-left: 20px">Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="inboxapps"></a>**InBoxApps**
<p style="margin-left: 20px">Node for the in-box app settings.
@ -228,7 +228,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<a href="" id="inboxapps-skypeforbusiness-domainname"></a>**InBoxApps/SkypeForBusiness/DomainName**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see <a href="https://support.office.com/en-us/article/Set-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e?ui=en-US&amp;rs=en-US&amp;ad=US#bkmk_users" data-raw-source="[Set up Skype for Business Online](https://support.office.com/en-us/article/Set-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e?ui=en-US&amp;rs=en-US&amp;ad=US#bkmk_users)">Set up Skype for Business Online</a>.
<p style="margin-left: 20px">The data type is char. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome"></a>**InBoxApps/Welcome**
<p style="margin-left: 20px">Node for the welcome screen.
@ -236,7 +236,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<a href="" id="inboxapps-welcome-autowakescreen"></a>**InBoxApps/Welcome/AutoWakeScreen**
<p style="margin-left: 20px">Automatically turn on the screen using motion sensors.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome-currentbackgroundpath"></a>**InBoxApps/Welcome/CurrentBackgroundPath**
<p style="margin-left: 20px">Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons).
@ -251,7 +251,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
- 0 - Organizer and time only
- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="inboxapps-wirelessprojection"></a>**InBoxApps/WirelessProjection**
<p style="margin-left: 20px">Node for the wireless projector app settings.
@ -259,12 +259,12 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<a href="" id="inboxapps-wirelessprojection-pinrequired"></a>**InBoxApps/WirelessProjection/PINRequired**
<p style="margin-left: 20px">Users must enter a PIN to wirelessly project to the device.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="inboxapps-wirelessprojection-enabled"></a>**InBoxApps/WirelessProjection/Enabled**
<p style="margin-left: 20px">Enables wireless projection to the device.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="inboxapps-wirelessprojection-channel"></a>**InBoxApps/WirelessProjection/Channel**
<p style="margin-left: 20px">Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
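
Review bot: InBoxApps/WirelessProjection/PINRequired and InBoxApps/WirelessProjection/Enabled give the type and operations but no default value. Since these two nodes decide whether wireless projection is open and whether it is PIN-gated, add the default for each so admins can tell whether the device is protected before any policy is pushed.
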
@ -293,7 +293,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<p style="margin-left: 20px">The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won&#39;t be looking for).
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="inboxapps-connect"></a>**InBoxApps/Connect**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Node for the Connect app.
@ -303,7 +303,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<p style="margin-left: 20px">If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hubs settings.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="properties"></a>**Properties**
<p style="margin-left: 20px">Node for the device properties.
@ -316,7 +316,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
<a href="" id="properties-defaultvolume"></a>**Properties/DefaultVolume**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="properties-screentimeout"></a>**Properties/ScreenTimeout**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
@ -368,7 +368,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
</tbody>
</table>
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="properties-sessiontimeout"></a>**Properties/SessionTimeout**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
@ -420,7 +420,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
</tbody>
</table>
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="properties-sleeptimeout"></a>**Properties/SleepTimeout**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
@ -472,35 +472,35 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
</tbody>
</table>
<p style="margin-left: 20px">The data type is int. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is integer. Supported operation is Get and Replace.
<a href="" id="properties-allowsessionresume"></a>**Properties/AllowSessionResume**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
<p style="margin-left: 20px">If this setting is true, the &quot;Resume Session&quot; feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session&quot; feature was initiated.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="properties-allowautoproxyauth"></a>**Properties/AllowAutoProxyAuth**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
<p style="margin-left: 20px">If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="properties-disablesigninsuggestions"></a>**Properties/DisableSigninSuggestions**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
<p style="margin-left: 20px">If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="properties-donotshowmymeetingsandfiles"></a>**Properties/DoNotShowMyMeetingsAndFiles**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to disable the &quot;My meetings and files&quot; feature in the Start menu, which shows the signed-in user&#39;s meetings and files from Office 365.
<p style="margin-left: 20px">If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown.
<p style="margin-left: 20px">The data type is bool. Supported operation is Get and Replace.
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="momagent"></a>**MOMAgent**
<p style="margin-left: 20px">Node for the Microsoft Operations Management Suite.
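
Review bot: in Properties/AllowSessionResume the phrase `“End Session&quot;` opens with a curly quote and closes with an HTML entity, and the neighbouring nodes mix `&quot;` entities with curly quotes for the same feature names. Normalize to one quoting style across the file while these paragraphs are being edited.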

Binary file not shown.

Image size before: 143 KiB; after: 56 KiB

View File

@ -7,8 +7,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.author: greglin
author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
---
@ -24,9 +24,48 @@ The **Overall Security Update Status** blade provides a visualization of devices
The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization.
The various deployment states reported by devices are as follows:
* **Installed** devices are devices that have completed installation for the given update.
* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using Windows Update for Business Settings.
* Devices that have **Update Issues** have failed to update at some point during the installation process of the given security update or have not seen progress for a period of seven days.
* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. This is most often devices that have not scanned for an update in some time, or devices not being managed through Windows Update.
## Deployment status
Deployment status summarizes detailed status into higher-level states to get a quick sense of the status the given device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported deployment status.
|Deployment status |Description |
|---------|---------|
|Failed | The device encountered a failure during the update process. Note that due to latency, devices reporting this status may have since retried the update. |
|Progress stalled | he device started the update process, but no progress has been reported in the last 7 days. |
|Deferred | The device is currently deferring the update process due to Windows Update for Business policies. |
|In progress | The device has begun the updating process for this update. This status appears if the device is in any stage of the update process including and after download, but before completing the update. If no progress has been reported in the last 7 days, devices will move to **Progress stalled**.** |
|Update completed | The device has completed the update process. |
|Update paused | The device is prevented from being offered the update due to updates being paused on the device. |
|Unknown | No record is available for this device relative to this update. This is a normal status if an update has recently been released or if the device does not use Windows Update. |
## Detailed status
Detailed status provides a detailed stage-level representation of where in the update process the device was last reported to be in relative to this specific update. Note that with the latency of deployment data, devices might have since moved on from the reported detailed status.
|Detaild status |Description |
|---------|---------|
|Scheduled in next X days | The device is currently deferring the update with Windows Update for Business policies but will be offered the update within the next X days. |
|Compatibility hold | The device has been placed under a *compatibility hold* to ensure a smooth feature update experience and will not resume the update until the hold has been cleared. For more information see [Feature Update Status report](update-compliance-feature-update-status.md#compatibility-holds) |
|Update deferred | The device is currently deferring the update with Windows Update for Business policies. |
|Update paused | The device is prevented from being offered the update due to updates being paused on the device. |
|Update offered | The device has been offered the update by Windows Update but has not yet begun to download it. |
|Download started | The device has begun downloading the update. |
|Download succeeded | The device has finished downloading the update but has not yet begun installing the update. |
|Install started | The device has begun installing the update. |
|PreInstall task passed | The device has passed checks prior to beginning the rest of the installation process after a restart. |
|Reboot required | The device requires a restart to install the update, but one has not yet been scheduled. |
|Reboot pending | The device is pending a restart to install the update. |
|Reboot initiated | The device reports "Reboot initiated" just before actually restarting specifically to apply the update. |
|Commit | The device, after a restart, is committing changes relevant to the update. |
|Finalize succeeded | The device has finished final tasks after a restart to apply the update. |
|Update successful | The device has successfully applied the update. |
|Cancelled | The update was cancelled at some point in the update process. |
|Uninstalled | The update was successfully uninstalled from the device. |
|Rollback | The update failed to apply during the update process, causing the device to roll back changes and revert to the previous update. |
The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section.
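
Review bot: the new status tables contain several typos that will ship as written: "he device started the update process" in the Progress stalled row, the column header "Detaild status", and a stray `**` after "**Progress stalled**." at the end of the In progress row, which will break the bold markup. The Compatibility hold row is missing the closing period after the link, and both tables and the bullet list start directly after a paragraph with no blank line, which some Markdown renderers will not parse as a table or list.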

View File

@ -248,7 +248,7 @@ The next time the clients in the **Ring 4 Broad Business Users** security group
For clients that should have their feature updates approved as soon as theyre available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
>WSUS respects the clients servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it.
>WSUS respects the clients servicing branch. If you approve a feature update while it is still Current Branch (CB), WSUS will install the update only on PCs that are in the CB servicing branch. When Microsoft releases the build for Current Branch for Business (CBB), the PCs in the CBB servicing branch will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
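
Review bot: the edited note still reads "WSUS respects the clients servicing branch" with the apostrophe missing ("client's"), and the line above has "theyre"; fix both while the note is being changed. The added sentence "Windows Update for Business branch settings do not apply to feature updates through WSUS." would be clearer if it named the specific settings it means, since admins running both will want to know which policy wins.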

View File

@ -155,7 +155,9 @@ If you disable or do not configure this policy, Windows Update will include upda
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
When enabling this setting through Group Policy, under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
#### Configuring Automatic Updates by using Group Policy
Under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
@ -169,7 +171,85 @@ If this setting is set to *Disabled*, any updates that are available on Windows
If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**.
#### Configuring Automatic Updates by editing the registry
> ![Note]
> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk.
In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update.
To do this, follow these steps:
1. Select **Start**, search for "regedit", and then open Registry Editor.
2. Open the following registry key:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
```
3. Add one of the following registry values to configure Automatic Update.
* NoAutoUpdate (REG_DWORD):
* **0**: Automatic Updates is enabled (default).
* **1**: Automatic Updates is disabled.
* AUOptions (REG_DWORD):
* **1**: Keep my computer up to date is disabled in Automatic Updates.
* **2**: Notify of download and installation.
* **3**: Automatically download and notify of installation.
* **4**: Automatically download and scheduled installation.
* ScheduledInstallDay (REG_DWORD):
* **0**: Every day.
* **1** through **7**: The days of the week from Sunday (1) to Saturday (7).
* ScheduledInstallTime (REG_DWORD):
**n**, where **n** equals the time of day in a 24-hour format (0-23).
* UseWUServer (REG_DWORD)
Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update.
* RescheduleWaitTime (REG_DWORD)
**m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes)
> ![Note]
> This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
* NoAutoRebootWithLoggedOnUsers (REG_DWORD):
**0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on.
> ![Note]
> This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
To determine the WSUS server that the client computers and servers connect to for updates, add the following registry values to the registry:
```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
```
* WUServer (REG_SZ)
This value sets the WSUS server by HTTP name (for example, http://IntranetSUS).
* WUStatusServer (REG_SZ)
This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
## Related topics
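
Review bot: the alerts in the new registry section are written as `> ![Note]`, which is image syntax and will not render as a note; use `> [!NOTE]` as the rest of the repo does. The WUServer and WUStatusServer examples use `http://IntranetSUS`; consider showing an `https://` URL or adding a sentence recommending TLS for the WSUS connection, and say that these two values only take effect together with `UseWUServer` set to 1. The nested value bullets have no indentation, so they will flatten into one list, the RescheduleWaitTime text ends with an unmatched ")", and the references to "Software Update Services", "SUS SP1" and "Windows Server Update Services 2.0" look carried over from an older article and should be checked for currency.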

View File

@ -66,8 +66,7 @@ To enable data sharing, configure your proxy server to whitelist the following e
| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health reports. Not used by Upgrade Readiness or Update Compliance AV reports. |
| `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. |
| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity |
| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity |
>[!NOTE]
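Review bot: In the `www.msftncsi.com` and `www.msftconnecttest.com` rows, the description still opens with "Windows Error Reporting (WER)", which looks carried over from the `watson.telemetry.microsoft.com` row; the rest of the cell says the host is used to check connectivity. Since this hunk already touches those rows, reword the one that stays so it names the connectivity check only, otherwise a proxy administrator reading the allow list will misjudge what the endpoint is for.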
@ -94,10 +93,8 @@ The compatibility update scans your devices and enables application usage tracki
| **Operating System** | **Updates** |
|----------------------|-----------------------------------------------------------------------------|
| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up to date with cumulative updates. |
| Windows 8.1 | [KB 2976978](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)<br>Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2976978>|
| Windows 7 SP1 | [KB2952664](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664) <br>Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed. <br>For more information about this update, see <https://support.microsoft.com/kb/2952664>|
We also recommend installing the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup) on Windows 7 and Windows 8.1 devices.
| Windows 8.1 | The compatibility update is included in monthly quality updates for Windows 8.1. We recommend installing the latest [Windows Monthly Rollup](http://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%208) before attempting to enroll devices into Windows Analytics. |
| Windows 7 SP1 | The compatibility update is included in monthly quality updates for Windows 7. We recommend installing the latest [Windows Monthly Rollup](http://www.catalog.update.microsoft.com/Search.aspx?q=security%20monthly%20quality%20rollup%20for%20windows%207) before attempting to enroll devices into Windows Analytics. |
### Connected User Experiences and Telemetry service
With Windows diagnostic data enabled, the Connected User Experience and Telemetry service (DiagTrack) collects system, application, and driver data. Microsoft analyzes this data, and shares it back to you through Windows Analytics. For the best experience, install these updates depending upon the operating system version.
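Review bot: The new Windows 8.1 and Windows 7 SP1 rows link the Monthly Rollup search as `http://www.catalog.update.microsoft.com/...`, while the rows they replace used `https://catalog.update.microsoft.com/...`. Keep the https scheme on both new links so readers are not sent to the update catalog over plain HTTP. The closing sentence "install these updates depending upon the operating system version" also reads oddly now that the table no longer lists per-KB updates; consider rewording it to refer to the monthly rollups.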

View File

@ -537,6 +537,12 @@ Download and run the media creation tool. See <a href="https://www.microsoft.com
</td>
</tr>
<tr>
<td>0x80244018</td>
<td>Your machine is connected through a proxy server.</td>
<td>Make sure Automatically Detect Settings is selected in internet options. (Control Panel > Internet Options > Connections > LAN Settings).
</td>
</tr>
<tr>
<td>0xC1900201</td>
<td>The system did not pass the minimum requirements to install the update.</td>
<td>Contact the hardware vendor to get the latest updates.</td>
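Review bot: In the new `0x80244018` row, the mitigation cell closes the sentence before the parenthetical path and uses raw `>` separators inside HTML; move the full stop after the closing parenthesis and write the separators as `&gt;`, as the Group Policy paths elsewhere in this commit do. The cause cell states a condition ("Your machine is connected through a proxy server") rather than what failed, so a short phrase saying the update service could not be reached through the proxy would make the row easier to act on.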

View File

@ -23,7 +23,7 @@ ms.topic: article
- Windows 10
The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete.
The Windows Autopilot Enrollment Status Page displays the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being configured. The Enrollment Status Page can be also configured to prevent access to the desktop until the configuration process is complete.
![Enrollment status page](images/enrollment-status-page.png)
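Review bot: In the rewritten paragraph, "can be also configured" should read "can also be configured". The second sentence still opens with "Incorporating feedback from customers, this provides information", where "this" has no clear antecedent; naming the page ("the Enrollment Status Page shows the user that ...") would fix that in the same pass.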

View File

@ -27,7 +27,7 @@ ms.date: 05/16/2019
If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro.
Learn about the network connections that Windows components make to Microsoft in addition to the privacy settings that affect the data which is shared with either Microsoft or apps and how they can be managed by an IT Pro.
If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
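Review bot: The reworded "Learn about the network connections ..." sentence is harder to follow than the one it replaces: "in addition to the privacy settings that affect the data which is shared ... and how they can be managed" chains three clauses and leaves "they" ambiguous between the connections and the settings. Suggest two sentences, one for the network connections and one for the privacy settings and how an IT Pro manages them, and "that" rather than "which" for the restrictive clause.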
@ -233,7 +233,7 @@ For more information, see [Automatic Root Certificates Update Configuration](htt
Although not recommended, you can turn off Automatic Root Certificates Update, which also prevents updates to the disallowed certificate list and the pin rules list.
> [!CAUTION]
> By not automatically downloading the root certificates, the device might have not be able to connect to some websites.
> By not automatically downloading the root certificates, the device might have not been able to connect to some websites.
For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server 2016 Server Core:
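Review bot: The corrected caution line still has the wrong tense: "the device might have not been able to connect" describes the past, but the caution is about what happens after root certificate updates are turned off. It should read "the device might not be able to connect to some websites."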
@ -418,7 +418,7 @@ To turn off Insider Preview builds for Windows 10:
### <a href="" id="bkmk-ie"></a>8. Internet Explorer
> [!NOTE]
> The following Group Policies and Registry Keys are for user interactive scenarios rather then the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
> The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -583,7 +583,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. <br /> **Set to: Enable** |
| Allow Microsoft Compatibility List | Choose whether to use the Microsoft Compatibility List in Microsoft Edge. <br /> **Set to: Disabled** |
Alternatively, you can configure the these Registry keys as described:
Alternatively, you can configure the following Registry keys as described:
| Registry Key | Registry path |
| - | - |
@ -914,7 +914,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang
- Create a new REG_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY_CURRENT_USER\\Control Panel\\International\\User Profile** with a value of 1.
To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
To turn off **Let apps on my other devices open apps and continue experiences on this device**:
- Turn off the feature in the UI.
@ -1412,7 +1412,7 @@ To turn this off:
-or-
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access diagnostic information about other apps**
-or-
@ -1596,7 +1596,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
>1. Ensure Windows and Windows Defender are fully up to date.
>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to >the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make >the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link >and then scroll down to the Tamper Protection toggle to set it to **Off**.
- **Enable** the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender Antivirus** &gt; **MAPS** &gt; **Join Microsoft MAPS** and then select **Disabled** from the drop down box named **Join Microsoft MAPS**
- **Enable** the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Defender Antivirus** &gt; **MAPS** &gt; **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
-OR-

View File

@ -67,6 +67,9 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO<50>**
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
>[!IMPORTANT]
>If you don't find options in GPO, you have to load the [PolicyDefinitions folder](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
### Windows Hello for Business Group Policy
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
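Review bot: The added IMPORTANT note is too vague to act on: "If you don't find options in GPO" does not say which options or in which editor, and "load the PolicyDefinitions folder" does not say what to do with it. Suggest naming the settings concerned and stating that the administrative templates must be present in the central store, with the link as the how-to. The note is also placed after the step that links an existing GPO, whereas missing settings are noticed when the GPO is being edited, so it probably belongs with the section that creates the policy. Separately, the step 2 context line shows a corrupted character in "Link an existing GPO<50>" that should be an ellipsis.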

View File

@ -54,7 +54,7 @@ As a cloud service, it is required that computers have access to the internet an
| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com|
| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com|
| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com|
| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission |*.blob.core.windows.net|
| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com|
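Review bot: Replacing `*.blob.core.windows.net` with named storage hosts in the Malware submission storage row is the right direction, because the wildcard allows egress to any Azure storage account and not only Microsoft's submission endpoints. As written, though, the ten hostnames are run together with single spaces in one cell, which is easy to misread or mis-copy into a proxy allow list; separate them with `<br>` or put them in a list. It would also help to say whether all ten are required or only the ones for the tenant's region, and the italic markup `*Malware submission storage *` has a trailing space before the closing asterisk that can stop the emphasis from rendering.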

View File

@ -149,30 +149,30 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<! -- msxml3.dll pick correct version based on release you are supporting -->
<! -- msxml6.dll pick correct version based on release you are supporting -->
<! -- jscript9.dll pick correct version based on release you are supporting -->
<! -- RS1 Windows 1607
<!-- msxml3.dll pick correct version based on release you are supporting -->
<!-- msxml6.dll pick correct version based on release you are supporting -->
<!-- jscript9.dll pick correct version based on release you are supporting -->
<!-- RS1 Windows 1607
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.14393.2550"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.14393.2550"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.14393.2607"/>
-->
<! -- RS2 Windows 1703
<!-- RS2 Windows 1703
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.15063.1386"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.15063.1386"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.15063.1445"/>
-->
<! -- RS3 Windows 1709
<!-- RS3 Windows 1709
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.16299.725"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.16299.725"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.16299.785"/>
-->
<! -- RS4 Windows 1803
<!-- RS4 Windows 1803
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17134.344"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17134.344"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17134.406"/>
-->
<! -- RS5 Windows 1809
<!-- RS5 Windows 1809
<Deny ID="ID_DENY_MSXML3" FriendlyName="msxml3.dll" FileName="msxml3.dll" MinimumFileVersion ="8.110.17763.54"/>
<Deny ID="ID_DENY_MSXML6" FriendlyName="msxml6.dll" FileName="msxml6.dll" MinimumFileVersion ="6.30.17763.54"/>
<Deny ID="ID_DENY_JSCRIPT9" FriendlyName="jscript9.dll" FileName="jscript9.dll" MinimumFileVersion ="11.0.17763.133"/>
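Review bot: With the comment openers fixed, every per-release block (RS1 through RS5) is now a valid comment, but each block reuses the same three IDs (`ID_DENY_MSXML3`, `ID_DENY_MSXML6`, `ID_DENY_JSCRIPT9`). The "pick correct version" comments should say explicitly that exactly one block is to be uncommented, since enabling two would give duplicate rule IDs in the policy. The `MinimumFileVersion ="..."` attributes in these blocks also carry a space before `=` that the rules above them do not; it would be worth normalising that in the same change.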
@ -1502,4 +1502,3 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
```
<br />

View File

@ -35,7 +35,7 @@ This new security configuration framework, which we affectionately nickname the
- [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md) We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
- [Level 3 enterprise high security](level-3-enterprise-high-security.md) We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
- [Level 4 DevOps workstation](level-4-enterprise-devops-security.md) We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 4 guidance is coming soon!
- [Level 1 administrator workstation](level-5-enterprise-administrator-security.md) Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 5 guidance is coming soon!
- [Level 5 administrator workstation](level-5-enterprise-administrator-security.md) Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 5 guidance is coming soon!
The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices