deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-29 05:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/Microsoft/win-cpub-itpro-docs into edumaylaunch

Browse Source
This commit is contained in:
Celeste de Guzman 2017-05-18 12:46:28 -07:00
commit 3a33737813
37 changed files with 835 additions and 300 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.openpublishing.publish.config.json
View File

@ -426,7 +426,7 @@
"Pdf"
]
},
"need_generate_pdf_url_template": false,
"need_generate_pdf_url_template": true,
"Targets": {
"Pdf": {
"template_folder": "_themes.pdf"

58
education/windows/school-get-minecraft.md
View File

@ -15,12 +15,12 @@ author: trudyha
- Windows 10
When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization.
>[!Note]
>If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
## Add Minecraft to your Windows Store for Business
## Add Minecraft to your Windows Store for Education
You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies).
@ -36,40 +36,36 @@ If youve been approved and are part of the Enrollment for Education Solutions
<!-- ![Enter school email address](images/enter-email.png) -->
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store.
<!-- ![You can get the app now](images/get-the-app.png) -->
4. Sign in to Windows Store for Business with your email address.
4. Sign in to Microsoft Store for Education with your email address.
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
5. Read and accept the Microsoft Store for Education Service Agreement, and then select **Next**.
6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
<!-- ![Get Minecraft app in Store](images/minecraft-get-the-app.png) -->
Now that the app is in your Store for Business inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses).
### <a href="" id="volume-license"></a>Minecraft: Education Edition - volume licensing
Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this:
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Windows Store for Business](https://www.microsoft.com/business-store) inventory.
- Youll receive an email with a link to Windows Store for Business.
- Sign in to [Windows Store for Business](https://www.microsoft.com/business-store) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory.
- Youll receive an email with a link to Microsoft Store for Education.
- Sign in to [Windows Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft)
## Minecraft: Education Edition payment options
You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice.
### Debit or credit cards
During the purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card.
### Invoices
Invoices are now a supported payment method for Minecraft: Education Edition. There are a few requirements:
- Admins only (not supported for Teachers)
- $500 invoice minimum for your initial purchase
@ -87,12 +83,13 @@ Invoices are now a supported payment method for Minecraft: Education Edition. Th
### Find your invoice
After you've finished the purchase, you can find your invoice by checking **Minecraft: Education Edition** in your **Inventory**.
After you've finished the purchase, you can find your invoice by checking **Minecraft: Education Edition** in your **Apps & software**.
> **Note**: After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Inventory**.
> [!NOTE]
> After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Apps & software**.
**To view your invoice**
1. In Windows Store for Business, click **Manage** and then click **Inventory**.
1. In Microsoft Store for Education, click **Manage** and then click **Apps & software**.
2. Click **Minecraft: Education Edition** in the list of apps.
3. On **Minecraft: Education Edition**, click **View Bills**.
@ -104,10 +101,8 @@ After you've finished the purchase, you can find your invoice by checking **Mine
The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check.
## Distribute Minecraft
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
After Minecraft: Education Edition is added to your Microsoft Store for Education inventory, you have three options:
- You can install the app on your PC.
- You can assign the app to others.
@ -131,10 +126,10 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro
**How to turn off automatic subscription assignment**
>[!Note]
>The version of the Minecraft: Education Edition page in the Store for Business will be different depending on which Store for Business flight you are using.
> [!Note]
> The version of the Minecraft: Education Edition page in the Microsoft Store will be different depending on which Microsoft Store for Education flight you are using.
1. Sign in to Microsoft Store for Business
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com)
2. Click Manage.
You'll see Minecraft: Education Edition product page.
@ -150,7 +145,7 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro
### Install for me
You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app.
1. Sign in to Microsoft Store for Business.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
@ -162,7 +157,7 @@ Enter email addresses for your students, and each student will get an email with
**To assign to others**
1. Sign in to Windows Store for Business.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
@ -234,7 +229,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
<!--- ## Manage Minecraft: Education Edition -->
<!--- ### Access to Windows Store for Business
<!--- ### Access to Microsoft Store for Business
By default, when a teacher with a work or school account acquires Minecraft: Education Edition, they are automatically signed up for Window Store for Business, and the **Basic Purchaser** role is assigned to them. **Basic Purchaser** role allows teachers to acquire Minecraft: Education Edition and to distribute it to students.
However, tenant admins can control whether or not teachers automatically sign up for Windows Store for Business, and get the **Basic Purchaser** role. You can configure this with the **Allow educators in my organization to sign up for the Windows Store for Business.** You'll find this on the **Permissions** page.
@ -298,15 +293,12 @@ You can purchase more licenses by working with your channel partner. Licenses ar
If youve purchased a volume license, be sure to let other basic purchasers in your organization know about the volume license. That should help prevent unnecessary purchases of individual copies. -->
## Learn more
[Working with Windows Store for Business education scenarios](education-scenarios-store-for-business.md) </br>
Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)
[Troubleshoot Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/troubleshoot-windows-store-for-business)
[Working with Microsoft Store for Education education scenarios](education-scenarios-store-for-business.md) </br>
Learn about overall Microsoft Store for Education management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Roles and permissions in Microsoft Store for Business and Education](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)
[Troubleshoot Microsoft Store for Business and Education](https://technet.microsoft.com/itpro/windows/manage/troubleshoot-windows-store-for-business)
## Related topics
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For teachers get Minecraft: Education Edition](teacher-get-minecraft.md)

25
education/windows/teacher-get-minecraft.md
View File

@ -17,7 +17,7 @@ author: trudyha
Learn how teachers can get and distribute Minecraft: Education Edition.
## Add Minecraft to your Windows Store for Business
## Add Minecraft to your Microsoft Store for Education
1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**.
@ -27,15 +27,15 @@ Learn how teachers can get and distribute Minecraft: Education Edition.
<!-- ![Enter school email address](images/enter-email.png) -->
3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store.
3. Select **Get the app**. This will take you to Microsoft Store for Ecucation to download the app. You will also receive an email with instructions and a link to the Store.
<!-- ![You can get the app now](images/get-the-app.png) -->
4. Sign in to Windows Store for Business with your email address.
4. Sign in to Microsoft Store for Education with your email address.
5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**.
5. Read and accept the Microsoft Store for Business and Education Service Agreement, and then select **Next**.
6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Windows Store for Business inventory.
6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Microsoft Store inventory.
![Get Minecraft app in Store](images/minecraft-get-the-app.png)
@ -43,7 +43,7 @@ If you need additional licenses for **Minecraft: Education Edition**, see [Purch
## Distribute Minecraft
After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options:
After Minecraft: Education Edition is added to your Microsoft Store for Education inventory, you have three options:
- You can install the app on your PC.
- You can assign the app to others.
@ -54,7 +54,7 @@ After Minecraft: Education Edition is added to your Windows Store for Business i
### Install for me
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
1. Sign in to Windows Store for Business.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
@ -65,7 +65,7 @@ You can install the app on your PC. This gives you a chance to work with the app
Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school.
**To assign to others**
1. Sign in to Windows Store for Business.
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
@ -95,7 +95,7 @@ Students will receive an email with a link that will install the app on their PC
![Windows Store app showing access to My Library](images/minecraft-private-store.png)
When students click **My Libarary** they'll find apps assigned to them.
When students click **My Library** they'll find apps assigned to them.
![My Library for example student](images/minecraft-my-library.png)
@ -131,7 +131,6 @@ You'll download a .zip file, extract the files, and then use one of the files to
![Windows Store app showing access to My Library](images/mc-dnld-others-teacher.png)
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**.
@ -155,11 +154,9 @@ If you are still having trouble installing the app, you can get more help on our
## Related topics
[Working with Windows Store for Business education scenarios](education-scenarios-store-for-business.md) </br>
Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Working with Microsoft Store for Education](education-scenarios-store-for-business.md) </br>
Learn about overall Microsoft Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)

2
store-for-business/manage-users-and-groups-windows-store-for-business.md
View File

@ -21,7 +21,7 @@ localizationpriority: high
Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups.
## Why Azure AD accounts?
For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and the Store for Business.
For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and the Microsoft Store for Business.
Azure AD is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Azure AD identity and access management includes:

14
store-for-business/troubleshoot-windows-store-for-business.md
View File

@ -48,13 +48,9 @@ The private store for your organization is a page in the Windows Store app that
## Still having trouble?
If you are still having trouble using WSfB or installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799386).
 
 
If you are still having trouble using Microsoft Store or installing an app, Admins can sign in and look for topics on our **Support** page.
**To view Support page** 
1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com)
2. Click **Manage**, and then click **Support**.

6
store-for-business/update-windows-store-for-business-account-settings.md
View File

@ -35,7 +35,7 @@ We need an email address in case we need to contact you about your Microsoft Sto
2. Click **Manage**, click **Payments & billing**, and then click **Edit**.
## Organization tax information
Taxes for Windows Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
- Austria
- Belgium
- Croatia
@ -99,7 +99,7 @@ For example:<br>
($1.29 X .095) X 100 = $12.25
## Payment options
You can purchase apps from the Windows Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards:
You can purchase apps from the Microsoft Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards:
1. VISA
2. MasterCard
3. Discover
@ -136,7 +136,7 @@ Once you click**Next**, the information you provided will be validated with a
Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model).
Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business.
Admins can decide whether or not offline licenses are shown for apps in Microsoft Store.
**To set offline license visibility**

20
windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -25,7 +25,7 @@ If you want to minimize connections from Windows to Microsoft services, or confi
You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
@ -287,15 +287,19 @@ You can prevent Windows from setting the time automatically.
-or-
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
After that, configure the following:
- Disable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Enable Windows NTP Server** &gt; **Windows Time Service** &gt; **Configure Windows NTP Client**
> [!NOTE]
> This is only available on Windows 10, version 1703 and later.
-or -
- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** to 0 (zero).
- Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient!Enabled** and set it to 0 (zero).
-or-
- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**.
### <a href="" id="bkmk-devinst"></a>4. Device metadata retrieval
@ -392,7 +396,6 @@ Use Group Policy to manage settings for Internet Explorer. You can find the Int
| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites. <br /> Default: Enabled <br /> You can also turn this off in the UI by clearing the **Internet Options** &gt; **Advanced** &gt; **Enable Suggested Sites** check box.|
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the address bar. <br /> Default: Enabled|
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the address bar. <br /> Default: Disabled </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> &gt; **Advanced** &gt; **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Disable Periodic Check for Internet Explorer software updates| Choose whether Internet Explorer periodically checks for a new version. <br /> Default: Enabled |
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> Default: Disabled|
| Prevent managing SmartScreen filter | Choose whether employees can manage the SmartScreen Filter in Internet Explorer. <br /> Default: Disabled |
@ -403,7 +406,6 @@ Alternatively, you could use the registry to set the Group Policies.
| Turn on Suggested Sites| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Suggested Sites!Enabled <br /> REG_DWORD: 0|
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\AllowServicePoweredQSA <br /> REG_DWORD: 0|
| Turn off the auto-complete feature for web addresses | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Explorer\\AutoComplete!AutoSuggest<br /> REG_SZ: **No** |
| Disable Periodic Check for Internet Explorer software updates| HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Infodelivery\\Restrictions!NoUpdateCheck<br /> REG_DWORD: 1 |
| Turn off browser geolocation | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation!PolicyDisableGeolocation <br /> REG_DWORD: 1 |
| Prevent managing SmartScreen filter | HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\ Internet Explorer\\PhishingFilter!EnabledV9 <br /> REG_DWORD: 0 |
@ -510,8 +512,8 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g
| Configure search suggestions in Address bar | Choose whether the address bar shows search suggestions. <br /> Default: Enabled |
| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703) <br/> Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off. <br /> Default: Enabled |
| Allow web content on New Tab page | Choose whether a new tab page appears. <br /> Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> Set this to **about:blank** |
| Prevent the First Run webpage from opening pages | Choose whether employees see the First Run webpage. <br /> Default: Enabled |
| Configure Start pages | Choose the Start page for domain-joined devices. <br /> Set this to **\<about:blank\>** |
| Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage. <br /> Default: Disabled |
The Windows 10, version 1511 Microsoft Edge Group Policy names are:

353
windows/deployment/TOC.md
View File

@ -1,44 +1,176 @@
# [Deploy Windows 10](index.md)
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Plan for Windows 10 deployment](planning/index.md)
### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
### [Windows 10 compatibility](planning/windows-10-compatibility.md)
### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md)
### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
#### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
#### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
#### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
#### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
#### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md)
#### [SUA User's Guide](planning/sua-users-guide.md)
##### [Using the SUA Wizard](planning/using-the-sua-wizard.md)
##### [Using the SUA Tool](planning/using-the-sua-tool.md)
###### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md)
###### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md)
###### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md)
###### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md)
#### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md)
##### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md)
###### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md)
###### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md)
###### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
###### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
###### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
###### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md)
###### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md)
###### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
###### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
##### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md)
###### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md)
###### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md)
###### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md)
##### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
#### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## Upgrade Windows
# [Deploy, Upgrade and Update Windows 10](index.md)
## Deploy Windows 10
### [What's new in Windows 10 deployment](deploy-whats-new.md)
### [Plan for Windows 10 deployment](planning/index.md)
#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md)
#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md)
#### [Windows 10 compatibility](planning/windows-10-compatibility.md)
#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md)
#### [Windows To Go: feature overview](planning/windows-to-go-overview.md)
##### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md)
##### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md)
##### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md)
##### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md)
##### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md)
#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md)
##### [SUA User's Guide](planning/sua-users-guide.md)
###### [Using the SUA Wizard](planning/using-the-sua-wizard.md)
###### [Using the SUA Tool](planning/using-the-sua-tool.md)
####### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md)
####### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md)
####### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md)
####### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md)
##### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md)
###### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md)
####### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md)
####### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md)
####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md)
####### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md)
####### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md)
####### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md)
####### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md)
####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md)
####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md)
###### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md)
####### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md)
####### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md)
####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md)
###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md)
##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md)
#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md)
### [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
### [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)
#### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
##### [Introduction to VAMT](volume-activation/introduction-vamt.md)
##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md)
##### [Install and Configure VAMT](volume-activation/install-configure-vamt.md)
###### [VAMT Requirements](volume-activation/vamt-requirements.md)
###### [Install VAMT](volume-activation/install-vamt.md)
###### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md)
##### [Add and Manage Products](volume-activation/add-manage-products-vamt.md)
###### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md)
###### [Update Product Status](volume-activation/update-product-status-vamt.md)
###### [Remove Products](volume-activation/remove-products-vamt.md)
##### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md)
###### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md)
###### [Install a Product Key](volume-activation/install-product-key-vamt.md)
###### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md)
##### [Manage Activations](volume-activation/manage-activations-vamt.md)
###### [Perform Online Activation](volume-activation/online-activation-vamt.md)
###### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md)
###### [Perform KMS Activation](volume-activation/kms-activation-vamt.md)
###### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md)
###### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md)
###### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md)
##### [Manage VAMT Data](volume-activation/manage-vamt-data.md)
###### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md)
###### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md)
##### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md)
###### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md)
###### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md)
###### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md)
##### [VAMT Known Issues](volume-activation/vamt-known-issues.md)
#### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
##### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md)
###### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md)
###### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md)
###### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md)
##### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md)
###### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md)
###### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md)
###### [Include Files and Settings](usmt/usmt-include-files-and-settings.md)
###### [Migrate Application Settings](usmt/migrate-application-settings.md)
###### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md)
###### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md)
###### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md)
###### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md)
##### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md)
###### [Common Issues](usmt/usmt-common-issues.md)
###### [Frequently Asked Questions](usmt/usmt-faq.md)
###### [Log Files](usmt/usmt-log-files.md)
###### [Return Codes](usmt/usmt-return-codes.md)
###### [USMT Resources](usmt/usmt-resources.md)
##### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md)
###### [USMT Requirements](usmt/usmt-requirements.md)
###### [USMT Best Practices](usmt/usmt-best-practices.md)
###### [How USMT Works](usmt/usmt-how-it-works.md)
###### [Plan Your Migration](usmt/usmt-plan-your-migration.md)
####### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md)
####### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md)
####### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md)
######## [Migration Store Types Overview](usmt/migration-store-types-overview.md)
######## [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md)
######## [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md)
######## [Migration Store Encryption](usmt/usmt-migration-store-encryption.md)
####### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md)
######## [Identify Users](usmt/usmt-identify-users.md)
######## [Identify Applications Settings](usmt/usmt-identify-application-settings.md)
######## [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md)
######## [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md)
####### [Test Your Migration](usmt/usmt-test-your-migration.md)
###### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md)
####### [ScanState Syntax](usmt/usmt-scanstate-syntax.md)
####### [LoadState Syntax](usmt/usmt-loadstate-syntax.md)
####### [UsmtUtils Syntax](usmt/usmt-utilities.md)
###### [USMT XML Reference](usmt/usmt-xml-reference.md)
####### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md)
####### [Config.xml File](usmt/usmt-configxml-file.md)
####### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md)
####### [Custom XML Examples](usmt/usmt-custom-xml-examples.md)
####### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md)
####### [General Conventions](usmt/usmt-general-conventions.md)
####### [XML File Requirements](usmt/xml-file-requirements.md)
####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md)
####### [XML Elements Library](usmt/usmt-xml-elements-library.md)
###### [Offline Migration Reference](usmt/offline-migration-reference.md)
### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
### [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
## Upgrade to Windows 10
### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md)
### [Deploy Windows To Go in your organization](deploy-windows-to-go.md)
@ -55,47 +187,8 @@
##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md)
##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md)
#### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md)
## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)
## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md)
#### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md)
#### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md)
#### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md)
### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md)
### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md)
### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md)
### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md)
### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md)
#### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md)
#### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md)
#### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md)
#### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md)
#### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md)
#### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md)
#### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md)
#### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md)
## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md)
### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md)
### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md)
### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md)
### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md)
### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md)
### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
## [Convert MBR partition to GPT](mbr-to-gpt.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md)
## [Update Windows 10](update/index.md)
### [Quick guide to Windows as a service](update/waas-quick-start.md)
### [Overview of Windows as a service](update/waas-overview.md)
@ -117,11 +210,17 @@
### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md)
### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md)
### [Manage device restarts after updates](update/waas-restart.md)
### [Manage additional Windows Update settings](update/waas-wu-settings.md)
### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md)
#### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md)
#### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md)
### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md)
## [Convert MBR partition to GPT](mbr-to-gpt.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)
## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10)
## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
## [Volume Activation [client]](volume-activation/volume-activation-windows-10.md)
### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md)
### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md)
@ -130,91 +229,5 @@
### [Monitor activation [client]](volume-activation/monitor-activation-client.md)
### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md)
### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md)
## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)
## [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md)
### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)
### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md)
#### [Introduction to VAMT](volume-activation/introduction-vamt.md)
#### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md)
#### [Install and Configure VAMT](volume-activation/install-configure-vamt.md)
##### [VAMT Requirements](volume-activation/vamt-requirements.md)
##### [Install VAMT](volume-activation/install-vamt.md)
##### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md)
#### [Add and Manage Products](volume-activation/add-manage-products-vamt.md)
##### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md)
##### [Update Product Status](volume-activation/update-product-status-vamt.md)
##### [Remove Products](volume-activation/remove-products-vamt.md)
#### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md)
##### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md)
##### [Install a Product Key](volume-activation/install-product-key-vamt.md)
##### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md)
#### [Manage Activations](volume-activation/manage-activations-vamt.md)
##### [Perform Online Activation](volume-activation/online-activation-vamt.md)
##### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md)
##### [Perform KMS Activation](volume-activation/kms-activation-vamt.md)
##### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md)
##### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md)
##### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md)
#### [Manage VAMT Data](volume-activation/manage-vamt-data.md)
##### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md)
##### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md)
#### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md)
##### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md)
##### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md)
##### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md)
#### [VAMT Known Issues](volume-activation/vamt-known-issues.md)
### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md)
#### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md)
##### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md)
##### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md)
##### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md)
#### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md)
##### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md)
##### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md)
##### [Include Files and Settings](usmt/usmt-include-files-and-settings.md)
##### [Migrate Application Settings](usmt/migrate-application-settings.md)
##### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md)
##### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md)
##### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md)
##### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md)
#### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md)
##### [Common Issues](usmt/usmt-common-issues.md)
##### [Frequently Asked Questions](usmt/usmt-faq.md)
##### [Log Files](usmt/usmt-log-files.md)
##### [Return Codes](usmt/usmt-return-codes.md)
##### [USMT Resources](usmt/usmt-resources.md)
#### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md)
##### [USMT Requirements](usmt/usmt-requirements.md)
##### [USMT Best Practices](usmt/usmt-best-practices.md)
##### [How USMT Works](usmt/usmt-how-it-works.md)
##### [Plan Your Migration](usmt/usmt-plan-your-migration.md)
###### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md)
###### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md)
###### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md)
####### [Migration Store Types Overview](usmt/migration-store-types-overview.md)
####### [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md)
####### [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md)
####### [Migration Store Encryption](usmt/usmt-migration-store-encryption.md)
###### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md)
####### [Identify Users](usmt/usmt-identify-users.md)
####### [Identify Applications Settings](usmt/usmt-identify-application-settings.md)
####### [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md)
####### [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md)
###### [Test Your Migration](usmt/usmt-test-your-migration.md)
##### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md)
###### [ScanState Syntax](usmt/usmt-scanstate-syntax.md)
###### [LoadState Syntax](usmt/usmt-loadstate-syntax.md)
###### [UsmtUtils Syntax](usmt/usmt-utilities.md)
##### [USMT XML Reference](usmt/usmt-xml-reference.md)
###### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md)
###### [Config.xml File](usmt/usmt-configxml-file.md)
###### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md)
###### [Custom XML Examples](usmt/usmt-custom-xml-examples.md)
###### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md)
###### [General Conventions](usmt/usmt-general-conventions.md)
###### [XML File Requirements](usmt/xml-file-requirements.md)
###### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md)
###### [XML Elements Library](usmt/usmt-xml-elements-library.md)
##### [Offline Migration Reference](usmt/offline-migration-reference.md)
## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
## [Change history for Deploy, Upgrade and Update Windows 10](change-history-for-deploy-windows-10.md)

BIN
windows/deployment/images/security-update.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.5 KiB

61
windows/deployment/index.md
View File

@ -9,34 +9,69 @@ localizationpriority: high
author: greg-lindsay
---
# Deploy Windows 10
Learn about deploying Windows 10 for IT professionals.
<font size=1>
<table border="0">
<tr>
<td><img src="images/security-update.png" alt="Icon showing a security alert"> </td>
<td>A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).</td>
</tr>
</table>
</font>
# Deploy, Upgrade and Update Windows 10
Learn about deployment in Windows 10 for IT professionals. This includes deploying the operating system, upgrading to it from previous version and updating Windows 10.
## In this section
### Deploy Windows 10
|Topic |Description |
|------|------------|
|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
|[Plan for Windows 10 deployment](planning/index.md) | This topic provides information about Windows 10 deployment considerations. It also provides details to assist in Windows 10 deployment planning. |
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
### Upgrade to Windows 10
|Topic |Description |
|------|------------|
|[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) |You can upgrade directly to Windows 10 from a previous operating system. |
|[Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) |With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
|[Upgrade a Windows Phone 8.1 to Windows 10 Mobile with Mobile Device Management](upgrade/upgrade-windows-phone-8-1-to-10.md) |This topic describes how to upgrade eligible Windows Phone 8.1 devices to Windows 10 Mobile. |
|[Manage Windows upgrades with Upgrade Readiness](upgrade/manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
### Update Windows 10
|Topic |Description |
|------|------------|
| [Quick guide to Windows as a service](update/waas-quick-start.md) | Provides a brief summary of the key points for the new servicing model for Windows 10. |
| [Overview of Windows as a service](update/waas-overview.md) | Explains the differences in building, deploying, and servicing Windows 10; introduces feature updates, quality updates, and the different servicing branches; compares servicing tools. |
| [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) | Explains the decisions you need to make in your servicing strategy. |
| [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) | Explains how to make use of servicing branches and update deferrals to manage Windows 10 updates. |
| [Assign devices to servicing branches for Windows 10 updates](update/waas-servicing-branches-windows-10-updates.md) | Explains how to assign devices to Current Branch (CB) or Current Branch for Business (CBB) for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) | Explains how to use Windows Analytics: Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery for Windows 10 updates](update/waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](update/waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
| [Deploy updates using Windows Update for Business](update/waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](update/waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
| [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
| [Manage device restarts after updates](update/waas-restart.md) | Explains how to manage update related device restarts. |
| [Manage additional Windows Update settings](update/waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
| [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
### Additional topics
|Topic |Description |
|------|------------|
|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) |Sideload line-of-business apps in Windows 10. |
|[Volume Activation [client]](volume-activation/volume-activation-windows-10.md) |This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows. |
|[Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) |Learn about the tools available to deploy Windows 10. |
|[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) |This topic lists new and updated topics in the Deploy Windows 10 documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). |
## Related topics
- [Windows 10 and Windows 10 Mobile](/windows/windows-10)
 
 

11
windows/deployment/update/index.md
View File

@ -7,6 +7,14 @@ ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
<font size=1>
<table border="0">
<tr>
<td><img src="../images/security-update.png" alt="Icon showing a security alert"> </td>
<td>A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).</td>
</tr>
</table>
</font>
# Update Windows 10 in the enterprise
@ -40,7 +48,8 @@ Windows as a service provides a new way to think about building, deploying, and
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
| [Deploy Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to manage update related device restarts. |
| [Manage additional Windows Update settings](waas-wu-settings.md) | Provides details about settings available to control and configure Windows Update |
| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]

2
windows/deployment/update/waas-configure-wufb.md
View File

@ -2,7 +2,7 @@
title: Configure Windows Update for Business (Windows 10)
description: You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices.
ms.prod: w10
ms.mktglfcycl: manage
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high

2
windows/deployment/update/waas-delivery-optimization.md
View File

@ -2,7 +2,7 @@
title: Configure Delivery Optimization for Windows 10 updates (Windows 10)
description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
ms.prod: w10
ms.mktglfcycl: manage
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high

8
windows/deployment/update/waas-manage-updates-configuration-manager.md
View File

@ -7,6 +7,14 @@ ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
<font size=1>
<table border="0">
<tr>
<td><img src="../images/security-update.png" alt="Icon showing a security alert"> </td>
<td>A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).</td>
</tr>
</table>
</font>
# Deploy Windows 10 updates using System Center Configuration Manager

8
windows/deployment/update/waas-manage-updates-wsus.md
View File

@ -7,6 +7,14 @@ ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
<font size=1>
<table border="0">
<tr>
<td><img src="../images/security-update.png" alt="Icon showing a security alert"> </td>
<td>A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).</td>
</tr>
</table>
</font>
# Deploy Windows 10 updates using Windows Server Update Services (WSUS)

8
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -7,6 +7,14 @@ ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
<font size=1>
<table border="0">
<tr>
<td><img src="../images/security-update.png" alt="Icon showing a security alert"> </td>
<td>A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).</td>
</tr>
</table>
</font>
# Deploy updates using Windows Update for Business

2
windows/deployment/update/waas-restart.md
View File

@ -2,7 +2,7 @@
title: Manage device restarts after updates (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: manage
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high

2
windows/deployment/update/waas-servicing-branches-windows-10-updates.md
View File

@ -2,7 +2,7 @@
title: Assign devices to servicing branches for Windows 10 updates (Windows 10)
description: tbd
ms.prod: w10
ms.mktglfcycl: manage
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high

177
windows/deployment/update/waas-wu-settings.md Normal file
View File

@ -0,0 +1,177 @@
---
title: Manage additional Windows Update settings (Windows 10)
description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Manage additional Windows Update settings
**Applies to**
- Windows 10
- Windows 10 Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
>[!IMPORTANT]
>In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform.
## Summary of Windows Update settings
| Group Policy setting | MDM setting | Supported from version |
| --- | --- | --- |
| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All |
| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 |
| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All |
| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All |
| [Enable client-side targeting](#enable-client-side-targeting) | | All |
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
>[!IMPORTANT]
>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
>
>Additional settings that configure when Feature and Quality updates are received are detailed on **[Configure Windows Update for Business](waas-configure-wufb.md)**.
## Scanning for updates
With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates.
[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users.
For additional settings that configure when Feature and Quality updates are received, see [Configure Windows Update for Business](waas-configure-wufb.md).
### Specify Intranet Microsoft update service location
Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization dont have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server.
>[!NOTE]
>If the "Configure Automatic Updates" policy is disabled, then this policy has no effect.
>
>If the "Alternate Download Server" is not set, it will use the intranet update service by default to download updates.
>
>The option to "Download files with no Url..." is only used if the "Alternate Download Server" is set.
To configure this policy with MDM, use [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate).
### Automatic Updates detection frequency
Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 to 20 hours.
To set this setting with Group Policy, navigate to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Automatic Updates detection frequency**.
If the setting is set to **Enabled**, Windows will check for available updates at the specified interval.
If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
>[!NOTE]
>The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
>
>If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
### Remove access to use all Windows Update features
By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured.
### Do not connect to any Windows Update Internet locations
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store.
Use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not connect to any Windows Update Internet locations** to enable this policy. When enabled, this policy will disable the functionality described above, and may cause connection to public services such as the Microsoft Store, Windows Update for Business and Delivery Optimization to stop working.
>[!NOTE]
>This policy applies only when the device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
### Enable client-side targeting
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or SCCM.
This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**.
If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer.
If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service.
If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
>[!NOTE]
>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
### Allow signed updates from an intranet Microsoft update service location
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
>[!NOTE]
>Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting.
To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate).
## Installing updates
To add more flexibility to the update process, settings are available to control update installation.
[Configure Automatic Updates](#configure-automatic-updates) offers 4 different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates.
### Do not include drivers with Windows Updates
Allows admins to exclude Windows Update (WU) drivers during updates.
To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**.
Enable this policy to not include drivers with Windows quality updates.
If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification.
### Configure Automatic Updates
Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
When enabling this setting through Group Policy, under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Configure Automatic Updates**, you must select one of the four options:
**2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates.
**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them.
**4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation).
**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates.
If this setting is set to *Disabled*, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**.
If this setting is set to *Not Configured*, an administrator can still configure Automatic Updates through the settings app, under **Settings > Update & security > Windows Update > Advanced options**.
## Related topics
- [Update Windows 10 in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Manage device restarts after updates](waas-restart.md)

8
windows/device-security/bitlocker/bitlocker-group-policy-settings.md
View File

@ -237,7 +237,7 @@ On a computer with a compatible TPM, four types of authentication methods can be
- only the TPM for authentication
- insertion of a USB flash drive containing the startup key
- the entry of a 4-digit to 20-digit personal identification number (PIN)
- the entry of a 6-digit to 20-digit personal identification number (PIN)
- a combination of the PIN and the USB flash drive
There are four options for TPM-enabled computers or devices:
@ -347,14 +347,14 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
</tr>
<tr class="odd">
<td align="left"><p><strong>When disabled or not configured</strong></p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 4 and 20 digits.</p></td>
<td align="left"><p>Users can configure a startup PIN of any length between 6 and 20 digits.</p></td>
</tr>
</tbody>
</table>
 
**Reference**
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
### Disable new DMA devices when this computer is locked
@ -527,7 +527,7 @@ This policy setting is used to control what unlock options are available for com
 
**Reference**
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 4-digit to 20-digit startup PIN.
On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN.
A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive.

7
windows/device-security/change-history-for-device-security.md
View File

@ -11,7 +11,12 @@ author: brianlic-msft
# Change history for device security
This topic lists new and updated topics in the [Device security](index.md) documentation.
## May 2017
|New or changed topic |Description |
|---------------------|------------|
| [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. |
## March 2017
|New or changed topic |Description |
|---------------------|------------|
|[Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
|[Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md) | Updated to include additional security qualifications starting with Windows 10, version 1703.|

BIN
windows/threat-protection/images/security-update.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.5 KiB

BIN
windows/threat-protection/images/wanna1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
windows/threat-protection/images/wanna2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/threat-protection/images/wanna3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/threat-protection/images/wanna4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 67 KiB

BIN
windows/threat-protection/images/wanna5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/threat-protection/images/wanna6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 179 KiB

BIN
windows/threat-protection/images/wanna7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/threat-protection/images/wanna8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.9 KiB

9
windows/threat-protection/index.md
View File

@ -8,6 +8,15 @@ ms.pagetype: security
author: brianlic-msft
---
<font size=1>
<table border="0">
<tr>
<td><img src="images/security-update.png" alt="Icon showing a security alert"> </td>
<td>A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/).</td>
</tr>
</table>
</font>
# Threat Protection
Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.

250
windows/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md Normal file
View File

@ -0,0 +1,250 @@
---
title: WannaCrypt ransomware worm targets out-of-date systems
description: In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
keywords: wannacry, wannacrypt, wanna, ransomware
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
localizationpriority: medium
author: iaanw
---
# WannaCrypt ransomware worm targets out-of-date systems
On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so.
Microsoft antimalware telemetry immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware.
In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response.
## Attack vector
Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), which was released on March 14, 2017.
WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.
The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:
- Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
- Infection through SMB exploit when an unpatched computer is addressable from other infected machines
## Dropper
The threat arrives as a dropper Trojan that has the following two components:
1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
2. The ransomware known as WannaCrypt
The dropper tries to connect the following domains using the API `InternetOpenUrlA()`:
- www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
- www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.
In other words, unlike in most malware infections, **IT Administrators should NOT block these domains**. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
![Connection information from WannaCrypt code](images/wanna1.png)
The threat creates a service named *mssecsvc2.0*, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:
```
Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: '-m security'
```
![Mssecsvc2.0 process details](images/wanna2.png)
## WannaCrypt ransomware
The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is 'WNcry@2ol7'.
When run, WannaCrypt creates the following registry keys:
- *HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\\<random string> = '\<malware working directory>\tasksche.exe'*
- *HKLM\SOFTWARE\WanaCrypt0r\\wd = '\<malware working directory>'*
It changes the wallpaper to a ransom message by modifying the following registry key:
- *HKCU\Control Panel\Desktop\Wallpaper: '\<malware working directory>\\@WanaDecryptor@.bmp'*
It creates the following files in the malware's working directory:
- *00000000.eky*
- *00000000.pky*
- *00000000.res*
- *274901494632976.bat*
- *@Please_Read_Me@.txt*
- *@WanaDecryptor@.bmp*
- *@WanaDecryptor@.exe*
- *b.wnry*
- *c.wnry*
- *f.wnry*
- *m.vbs*
- *msg\m_bulgarian.wnry*
- *msg\m_chinese (simplified).wnry*
- *msg\m_chinese (traditional).wnry*
- *msg\m_croatian.wnry*
- *msg\m_czech.wnry*
- *msg\m_danish.wnry*
- *msg\m_dutch.wnry*
- *msg\m_english.wnry*
- *msg\m_filipino.wnry*
- *msg\m_finnish.wnry*
- *msg\m_french.wnry*
- *msg\m_german.wnry*
- *msg\m_greek.wnry*
- *msg\m_indonesian.wnry*
- *msg\m_italian.wnry*
- *msg\m_japanese.wnry*
- *msg\m_korean.wnry*
- *msg\m_latvian.wnry*
- *msg\m_norwegian.wnry*
- *msg\m_polish.wnry*
- *msg\m_portuguese.wnry*
- *msg\m_romanian.wnry*
- *msg\m_russian.wnry*
- *msg\m_slovak.wnry*
- *msg\m_spanish.wnry*
- *msg\m_swedish.wnry*
- *msg\m_turkish.wnry*
- *msg\m_vietnamese.wnry*
- *r.wnry*
- *s.wnry*
- *t.wnry*
- *TaskData\Tor\libeay32.dll*
- *TaskData\Tor\libevent-2-0-5.dll*
- *TaskData\Tor\libevent_core-2-0-5.dll*
- *TaskData\Tor\libevent_extra-2-0-5.dll*
- *TaskData\Tor\libgcc_s_sjlj-1.dll*
- *TaskData\Tor\libssp-0.dll*
- *TaskData\Tor\ssleay32.dll*
- *TaskData\Tor\taskhsvc.exe*
- *TaskData\Tor\tor.exe*
- *TaskData\Tor\zlib1.dll*
- *taskdl.exe*
- *taskse.exe*
- *u.wnry*
WannaCrypt may also create the following files:
- *%SystemRoot%\tasksche.exe*
- *%SystemDrive%\intel\\\<random directory name>\tasksche.exe*
- *%ProgramData%\\\<random directory name>\tasksche.exe*
It may create a randomly named service that has the following associated ImagePath: `cmd.exe /c '<malware working directory>\tasksche.exe'`.
It then searches the whole computer for any file with any of the following file name extensions: *.123, .jpeg , .rb , .602 , .jpg , .rtf , .doc , .js , .sch , .3dm , .jsp , .sh , .3ds , .key , .sldm , .3g2 , .lay , .sldm , .3gp , .lay6 , .sldx , .7z , .ldf , .slk , .accdb , .m3u , .sln , .aes , .m4u , .snt , .ai , .max , .sql , .ARC , .mdb , .sqlite3 , .asc , .mdf , .sqlitedb , .asf , .mid , .stc , .asm , .mkv , .std , .asp , .mml , .sti , .avi , .mov , .stw , .backup , .mp3 , .suo , .bak , .mp4 , .svg , .bat , .mpeg , .swf , .bmp , .mpg , .sxc , .brd , .msg , .sxd , .bz2 , .myd , .sxi , .c , .myi , .sxm , .cgm , .nef , .sxw , .class , .odb , .tar , .cmd , .odg , .tbk , .cpp , .odp , .tgz , .crt , .ods , .tif , .cs , .odt , .tiff , .csr , .onetoc2 , .txt , .csv , .ost , .uop , .db , .otg , .uot , .dbf , .otp , .vb , .dch , .ots , .vbs , .der' , .ott , .vcd , .dif , .p12 , .vdi , .dip , .PAQ , .vmdk , .djvu , .pas , .vmx , .docb , .pdf , .vob , .docm , .pem , .vsd , .docx , .pfx , .vsdx , .dot , .php , .wav , .dotm , .pl , .wb2 , .dotx , .png , .wk1 , .dwg , .pot , .wks , .edb , .potm , .wma , .eml , .potx , .wmv , .fla , .ppam , .xlc , .flv , .pps , .xlm , .frm , .ppsm , .xls , .gif , .ppsx , .xlsb , .gpg , .ppt , .xlsm , .gz , .pptm , .xlsx , .h , .pptx , .xlt , .hwp , .ps1 , .xltm , .ibd , .psd , .xltx , .iso , .pst , .xlw , .jar , .rar , .zip , .java , .raw.*
WannaCrypt encrypts all files it finds and renames them by appending *.WNCRY* to the file name. For example, if a file is named *picture.jpg*, the ransomware encrypts and renames the file to *picture.jpg.WNCRY*.
This ransomware also creates the file *@Please_Read_Me@.txt* in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
After completing the encryption process, the malware deletes the volume shadow copies by running the following command:
`cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet`
It then replaces the desktop background image with the following message:
![Example background image of WannaCrypt](images/wanna3.png)
It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:
![Screenshot of WannaCrypt ransom notice](images/wanna4.png)
The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.
![Screenshot of decryption window](images/wanna5.png)
## Spreading capability
The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.
![Spreading scanning activity](images/wanna6.png)
The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.
When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
![Kernel-level shellcode used by WannaCrypt](images/wanna7.png)
![Kernel-level shellcode used by WannaCrypt](images/wanna8.png)
## Protection against the WannaCrypt attack
To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/en-us/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.
We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
- Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/)
- Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445
[Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
Use [Office 365 Advanced Threat Protection](https://blogs.office.com/2015/04/08/introducing-exchange-online-advanced-threat-protection/), which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
Monitor networks with [Windows Defender Advanced Threat Protection](http://www.microsoft.com/en-us/WindowsForBusiness/windows-atp), which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: [Windows Defender Advanced Threat Protection - Ransomware response playbook](https://www.microsoft.com/en-us/download/details.aspx?id=55090).
## Resources
Download English language security updates: [Windows Server 2003 SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows Server 2003 SP2 x86,](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe) [Windows XP SP2 x64](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe), [Windows XP SP3 x86](http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe), [Windows XP Embedded SP3 x86](http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe), [Windows 8 x86,](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu) [Windows 8 x64](http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu)
Download localized language security updates: [Windows Server 2003 SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](http://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](http://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0)
MS17-010 Security Update: [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
General information on ransomware: [https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx](https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx)
## Indicators of compromise
SHA1 of samples analyzed:
- 51e4307093f8ca8854359c0ac882ddca427a813c
- e889544aff85ffaf8b0d0da705105dee7c97fe26
Files created:
- %SystemRoot%\mssecsvc.exe
- %SystemRoot%\tasksche.exe
- %SystemRoot%\qeriuwjhrf
- b.wnry
- c.wnry
- f.wnry
- r.wnry
- s.wnry
- t.wnry
- u.wnry
- taskdl.exe
- taskse.exe
- 00000000.eky
- 00000000.res
- 00000000.pky
- @WanaDecryptor@.exe
- @Please_Read_Me@.txt
- m.vbs
- @WanaDecryptor@.exe.lnk
- @WanaDecryptor@.bmp
- 274901494632976.bat
- taskdl.exe
- Taskse.exe
- Files with '.wnry' extension
- Files with '.WNCRY' extension
Registry keys created:
- HKLM\SOFTWARE\WanaCrypt0r\wd
*Karthik Selvaraj, Elia Florio, Andrea Lelli, and Tanmay Ganacharya*<br />*Microsoft Malware Protection Center*

3
windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md
View File

@ -28,7 +28,7 @@ You can use a dedicated command-line tool to perform various functions in Window
This utility can be useful when you want to automate the use of Windows Defender Antivirus.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
> [!NOTE]
> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
@ -51,6 +51,7 @@ Command | Description
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md)
\-SignatureUpdate [-UNC [-Path <path>]] | Checks for new definition updates

2
windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -146,6 +146,8 @@ Use the following argument with the Windows Defender AV command line utility (*m
```DOS
MpCmdRun - ValidateMapsConnection
```
> [!NOTE]
> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.

BIN
windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

68
windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Manage how and where Windows Defender AV receives updates
description: Manage how Windows Defender Antivirus receives protection updates.
description: Manage the fallback order for how Windows Defender Antivirus receives protection updates.
keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -12,14 +12,14 @@ localizationpriority: medium
author: iaanw
---
# Manage Windows Defender Antivirus protection and definition updates
# Manage the sources for Windows Defender Antivirus protection updates
**Applies to**
- Windows 10
**Audience**
- Network administrators
- Enterprise security administrators
**Manageability available with**
@ -31,40 +31,60 @@ author: iaanw
<a id="protection-updates"></a>
<!-- this has been used as anchor in VDI content -->
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-delivered protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured).
There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied.
This topic describes the locations
This topic describes where you can specify the updates should be downloaded from, also known as the fallback order.
See the [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates).
<a id="fallback-order"></a>
## Manage the fallback order for downloading protection updates
There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailable.
There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure endpoints to individually download the updates from a primary source, followed by the other sources in order of priority based on your network configuration.
Updates will be obtained from the sources in the order you specify. If a source is not available, the next source in the list will be used.
You can use the following sources:
- Microsoft Update
- [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx)
- Microsoft Update.
- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx)
- System Center Configuration Manager
- A network file share
- Configuration manager
- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx)
Each location has typical scenarios (in addition to acting as fallback locations) for when you would use that source, as described in the following table:
When updates are published, some logic will be applied to minimize the size of the update. In most cases, only the "delta" (or the differences between the latest update and the update that is currently installed on the endpoint) will be downloaded and applied. However, the size of the delta depends on:
- How old the current update on the endpoint is
- Which source you use
The older the updates on an endpoint, the larger the download. However, you must also consider frequency versus size - a more frequent update schedule may result in more ad hoc network usage, while a less-frequent schedule may result in larger file sizes.
Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth.
The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger).
Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table:
Location | Sample scenario
---|---
WSUS | You are using WSUS to manage updates for your network
Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network.
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md).
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
WSUS | You are using WSUS to manage updates for your network.
Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates.
File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.
Configuration Manager | You are using System Center Configuration Manager to update your endpoints.
MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source.
You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI.
> [!IMPORTANT]
> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details.
The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it.
**Use Group Policy to manage the update location:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -77,7 +97,7 @@ You can manage the order in which update sources are used with Group Policy, Sys
1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.
2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, shown in the following screenshot.
2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png)
@ -131,11 +151,11 @@ See the following for more information:
## Related topics
- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md)
- [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
- [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
- [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
- [Windows Defender AV in Windows 10](windows-defender-antivirus-in-windows-10.md)

27
windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -89,13 +89,15 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Advanced scan** to specify different types of scans, such as a full scan.
**Download protection updates in the Windows Defender Security Center app**
<a id="definition-version"></a>
**Review the definition update version and download the latest updates in the Windows Defender Security Center app**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
3. Click **Protection updates**.
3. Click **Protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
![Definition version number information](images/defender/wdav-wdsc-defs.png)
4. Click **Check for updates** to download new protection updates (if there are any).
@ -129,15 +131,16 @@ This section describes how to perform some of the most common tasks when reviewi
5. Click the plus icon to choose the type and set the options for each exclusion.
<a id="detection-history"></a>
**Review threat detection history in the Windows Defender Security Center app**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
3. Click **Scan history**.
4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
**Review threat detection history in the Windows Defender Security Center app**
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
3. Click **Scan history**.
4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).