deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 22:07:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into removing-provisioned-apps-from-windows

Browse Source
This commit is contained in:
Heidi Lohr 2018-04-26 09:00:43 -07:00
commit 3c5497bcc0
28 changed files with 447 additions and 149 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
education/trial-in-a-box/images/Bug.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 294 KiB

BIN
education/trial-in-a-box/images/screenshot-bug.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 294 KiB

4
education/trial-in-a-box/itadmin-tib-get-started.md
View File

@ -231,10 +231,10 @@ The Microsoft Store for Education is where you can shop for more apps for your s
Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education.
1. Go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>.
2. Select **Group > All Devices > Settings** and expand **Windows interface customizations**.
2. Select **Group > All Devices > Settings** and expand **Windows interface settings**.
3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**.
![Choose folders that appear in the Start menu](images/i4e_groups_alldevices_newfolders.png)
![Choose folders that appear in the Start menu](images/Bug.png)
4. **Save** your changes.

74
mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
View File

@ -57,8 +57,8 @@ ms.date: 06/16/2016
- If short paths have been disabled for the virtualized packages target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume.
**Note**
The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_&lt;x&gt;" where x is any numeral. Error 0x8007139F will be generated.
> [!NOTE]
> The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_&lt;x&gt;" where x is any numeral. Error 0x8007139F will be generated.
**To sequence a new standard application**
@ -68,13 +68,13 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**.
**Important**  
If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
> [!IMPORTANT]
> If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
 
**Note**  
There is currently no way to disable Windows Defender in Windows 10. If you receive a warning, you can safely ignore it. It is unlikely that Windows Defender will affect sequencing at all.
> [!NOTE]
> There is currently no way to disable Windows Defender in Windows 10. If you receive a warning, you can safely ignore it. It is unlikely that Windows Defender will affect sequencing at all.
 
@ -82,8 +82,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
5. On the **Select Installer** page, click **Browse** and specify the installation file for the application.
**Note**  
If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package.
> [!NOTE]
> If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package.
 
@ -95,8 +95,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
7. On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process.
**Important**  
You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring.
> [!IMPORTANT]
> You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring.
 
@ -106,8 +106,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
9. On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run.
**Note**  
To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step.
> [!NOTE]
> To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step.
 
@ -125,15 +125,15 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
**Note**  
If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application.
> [!NOTE]
> If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application.
 
13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. Click **Next**.
**Important**  
Make sure that the operating systems you specify here are supported by the application you are sequencing.
> [!IMPORTANT]
> Make sure that the operating systems you specify here are supported by the application you are sequencing.
 
@ -141,8 +141,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package.
**Important**  
The system does not support non-printable characters in **Comments** and **Descriptions**.
> [!IMPORTANT]
> The system does not support non-printable characters in **Comments** and **Descriptions**.
 
@ -152,19 +152,17 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
The package is now available in the sequencer.
**Important**  
After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
> [!IMPORTANT]
> After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
 
**To sequence an add-on or plug-in application**
1.
**Note**  
Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer.
For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package.
1. > [!NOTE]
> Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer.
>
> For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package.
 
@ -174,8 +172,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
3. On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**.
**Important**  
If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
> [!IMPORTANT]
> If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
 
@ -205,8 +203,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**.
**Note**  
If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**.
> [!NOTE]
> If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**.
 
@ -216,8 +214,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package.
**Important**  
The system does not support non-printable characters in Comments and Descriptions.
> [!IMPORTANT]
> The system does not support non-printable characters in Comments and Descriptions.
 
@ -231,8 +229,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
3. On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**.
**Important**  
If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package.
> [!IMPORTANT]
> If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package.
 
@ -256,8 +254,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. Descriptions are useful for identifying the program version and other information about the package.
**Important**  
The system does not support non-printable characters in Comments and Descriptions.
> [!IMPORTANT]  
> The system does not support non-printable characters in Comments and Descriptions.
 
@ -267,8 +265,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**.
**Important**  
After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
> [!IMPORTANT]  
> After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
 

297
windows/client-management/mdm/applocker-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 11/09/2017
ms.date: 04/24/2018
---
# AppLocker CSP
@ -430,6 +430,11 @@ The following list shows the apps that may be included in the inbox.
<td>59553c14-5701-49a2-9909-264d034deb3d</td>
<td></td>
</tr>
<tr class="odd">
<td>Broker plug-in (same as Work or school account)</td>
<td></td>
<td>Microsoft.AAD.BrokerPlugin</td>
</tr>
<tr class="even">
<td>Calculator</td>
<td>b58171c6-c70c-4266-a2e8-8f9c994f4456</td>
@ -466,6 +471,21 @@ The following list shows the apps that may be included in the inbox.
<td>Microsoft.Windows.Cortana</td>
</tr>
<tr class="odd">
<td>Cortana Listen UI</td>
<td></td>
<td>CortanaListenUI</td>
</tr>
<tr class="odd">
<td>Credentials Dialog Host</td>
<td></td>
<td>Microsoft.CredDialogHost</td>
</tr>
<tr class="odd">
<td>Device Portal PIN UX</td>
<td></td>
<td>holopairingapp</td>
</tr>
<tr class="odd">
<td>Email and accounts</td>
<td>39cf127b-8c67-c149-539a-c02271d07060</td>
<td>Microsoft.AccountsControl</td>
@ -536,6 +556,11 @@ The following list shows the apps that may be included in the inbox.
<td></td>
</tr>
<tr class="odd">
<td>Holographic Shell</td>
<td></td>
<td>HoloShell</td>
</tr>
<tr class="odd">
<td>Lumia motion data</td>
<td>8fc25fd2-4e2e-4873-be44-20e57f6ec52b</td>
<td></td>
@ -567,6 +592,11 @@ The following list shows the apps that may be included in the inbox.
<td></td>
</tr>
<tr class="odd">
<td>Migration UI</td>
<td></td>
<td>MigrationUIApp</td>
</tr>
<tr class="odd">
<td>MiracastView</td>
<td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
<td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
@ -691,6 +721,11 @@ The following list shows the apps that may be included in the inbox.
<td>2a4e62d8-8809-4787-89f8-69d0f01654fb</td>
</tr>
<tr class="odd">
<td>Settings</td>
<td></td>
<td>SystemSettings</td>
</tr>
<tr class="odd">
<td>Setup wizard</td>
<td>07d87655-e4f0-474b-895a-773790ad4a32</td>
<td></td>
@ -701,6 +736,11 @@ The following list shows the apps that may be included in the inbox.
<td></td>
</tr>
<tr class="odd">
<td>Sign-in for Windows 10 Holographic</td>
<td></td>
<td>WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn</td>
</tr>
<tr class="odd">
<td>Skype</td>
<td>c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51</td>
<td>Microsoft.SkypeApp</td>
@ -1360,6 +1400,261 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
</SyncML>
```
## Example for Windows 10 Holographic for Business
The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings.
``` syntax
<RuleCollection Type="Appx" EnforcementMode="Enabled">
<FilePublisherRule Id="96B82A15-F841-499a-B674-963DC647762F"
Name="Whitelist BackgroundTaskHost"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="*"
BinaryName="BackgroundTaskHost*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="8D345CB2-AC5B-4b6b-8F0B-DCE3F6FB9259"
Name="Whitelist CertInstaller"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*"
ProductName="4c4ad968-7100-49de-8cd1-402e198d869e"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="9F07FB38-B952-4f3c-A17A-CE7EC8132987"
Name="Whitelist MigrationUI"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="MigrationUIApp"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="1C32E96F-2F44-4317-9D98-2F624147D7AE"
Name="Whitelist CredDiagHost"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.CredDialogHost"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="53DCC751-E92A-4d0a-84DF-E6EAC2A7C7CE"
Name="Whitelist Settings"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="SystemSettings"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="70D9E233-81F4-4707-B79D-58F9C3A6BFB1"
Name="Whitelist HoloShell"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="HoloShell"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="6557A9BC-BA1F-4b7d-90FD-8C620CA81906"
Name="Whitelist MSA"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.Windows.CloudExperienceHost"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="81CD98A6-82EC-443f-87F8-039B00DFBE78"
Name="Whitelist BrokerPlugin"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.AAD.BrokerPlugin"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="1330E03E-7D43-4e01-9853-40ED8CF62D10"
Name="Whitelist SignIn1"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBridgeInternetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="107EC30A-2CEF-4ec1-B556-F7DAA7DF7998"
Name="Whitelist SignIn2"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBridgeInternet"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="F806AC17-3E31-4a83-92EB-6A34696478D1"
Name="Whitelist SignIn3"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBridgeIntranetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="E8CAF694-2256-4516-BDCC-CDABF218573C"
Name="Whitelist SignIn4"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBrokerInternetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="5918428D-B9A8-4810-8FB4-25AE5A25D5A7"
Name="Whitelist SignIn5"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBrokerInternet"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="C90D99E3-C3EE-47c5-B181-7E8C54FA66B3"
Name="Whitelist SignIn6"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="WebAuthBrokerIntranetSso"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="9CD87A91-FB48-480d-B788-3770A950CD03"
Name="Whitelist SignIn7"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="SignIn"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="DCF74448-C287-4195-9072-8F3649AB9305"
Name="Whitelist Cortana"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.Windows.Cortana"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="BE4FD0C4-527B-45a3-A5B8-F4EA00584779"
Name="Whitelist Cortana ListenUI"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="CortanaListenUI"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="336509A7-FFBA-48cb-81BD-8DF9060B3CF8"
Name="Whitelist Email and accounts"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="Microsoft.AccountsControl"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="55912F15-0B94-445b-80E1-83BC8F0E8999"
Name="Whitelist Device Portal PIN UX"
Description=""
UserOrGroupSid="S-1-1-0"
Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
ProductName="holopairingapp"
BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
```
## Recommended deny list for Windows Information Protection
The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.

64
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 03/20/2018
ms.date: 04/25/2018
---
# AssignedAccess CSP
@ -20,7 +20,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
The following diagram shows the AssignedAccess configuration service provider in tree format
@ -1137,4 +1137,64 @@ ShellLauncherConfiguration Get
</xs:complexType>
</xs:element>
</xs:schema>
```
## Windows Holographic for Business edition example
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/en-us/hololens/hololens-provisioning).
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
<!--
This is a sample Assigned Access XML file. The Profile specifies which apps are allowed
and their app IDs. An Assigned Access Config specifies the accounts or groups to which
a Profile is applicable.
!!! NOTE: Change the Account below to a user in the tenant being tested !!!
-->
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<!-- Learning app -->
<App AppUserModelId="GGVLearning_cw5n1h2txyewy!GGVLearning" />
<!-- Calibration app -->
<App AppUserModelId="ViewCalibrationApp_cw5n1h2txyewy!ViewCalibrationApp" />
<!-- Feedback Hub -->
<App AppUserModelId="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe!App" />
<!-- HoloSkype -->
<App AppUserModelId="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</AllowedApps>
</AllAppsList>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Life at a glance">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]>
</StartLayout>
<!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<!-- IMPORTANT: Replace the account name here with an email address of the user you want to
be enabled for assigned access. The value in the Account node must begin with
AzureAD\ for AAD accounts. -->
<Config>
<Account>AzureAD\multiusertest@analogfre.onmicrosoft.com</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```

14
windows/client-management/mdm/configuration-service-provider-reference.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 04/20/2018
ms.date: 04/24/2018
---
# Configuration service provider reference
@ -2585,9 +2585,9 @@ The following list shows the configuration service providers supported in Window
| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition |
|--------|--------|------------|
| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)3 |
| [Application CSP](application-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
| [AccountManagement CSP](accountmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 |
| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [AssignedAccess CSP](assignedaccess-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4 |
| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)|
| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
@ -2606,9 +2606,11 @@ The following list shows the configuration service providers supported in Window
| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
Footnotes:
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1803
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub

8
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 04/11/2018
ms.date: 04/25/2018
---
# What's new in MDM enrollment and management
@ -1185,7 +1185,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
@ -1310,7 +1309,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>ShellLauncher</li>
<li>StatusConfiguration</li>
</ul>
<p>Updated the AssigneAccessConfiguration schema.</p>
<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
@ -1808,7 +1807,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>ShellLauncher</li>
<li>StatusConfiguration</li>
</ul>
<p>Updated the AssigneAccessConfiguration schema.</p>
<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
@ -1870,7 +1869,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>

4
windows/client-management/mdm/office-csp.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 01/26/2018
ms.date: 04/25/2018
---
# Office CSP
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365).
This CSP was added in Windows 10, version 1703.
For additional information, see [Office DDF](office-ddf.md).

4
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -2054,9 +2054,6 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers" id="localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -4388,7 +4385,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)

4
windows/client-management/mdm/policy-csp-defender.md
View File

@ -936,7 +936,7 @@ The following list shows the supported values:
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
@ -994,7 +994,7 @@ ADMX Info:
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/crossmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>

60
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -90,9 +90,6 @@ ms.date: 04/06/2018
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
</dd>
@ -1612,63 +1609,6 @@ GP Info:
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Microsoft network server: Amount of idle time required before suspending a session
This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP English name: *Microsoft network server: Amount of idle time required before suspending session*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**

4
windows/security/index.yml
View File

@ -154,7 +154,7 @@ sections:
title: Windows Hello for Business
- href: \windows\security\threat-protection\windows-defender-application-control
- href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control
html: <p>Lock down applications that run on a device</p>
@ -251,7 +251,7 @@ sections:
- html: <a href="/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security">Windows Defender Firewall</a>
- html: <a href="/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard">Windows Defender Exploit Guard</a>
- html: <a href="/windows/security/identity-protection/credential-guard/credential-guard">Windows Defender Credential Guard</a>
- html: <a href="/windows/security/threat-protection/device-guard/device-guard-deployment-guide">Windows Defender Device Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control">Windows Defender Device Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview">Windows Defender Application Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview">Windows Defender SmartScreen</a>
- html: <a href="/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center">Windows Defender Security Center</a>

8
windows/security/threat-protection/TOC.md
View File

@ -294,10 +294,7 @@
#### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
#### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
#### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
#### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md)
##### [Requirements and deployment planning guidelines for virtualization-based protection of code integrity](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
##### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
#### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
#### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
@ -311,6 +308,9 @@
#### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
#### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
#### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
#### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
#### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
## [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)

2
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -18,7 +18,7 @@ ms.date: 11/09/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -20,7 +20,7 @@ ms.date: 11/09/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher

2
windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -20,7 +20,7 @@ ms.date: 10/16/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -16,9 +16,7 @@ ms.date: 04/19/2018
- Windows 10
- Windows Server 2016
Virtualization-based protection of code integrity (herein referred to as hypervisor-protected code integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.

2
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
View File

@ -19,7 +19,7 @@ ms.date: 11/20/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher

4
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -20,7 +20,7 @@ ms.date: 11/20/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher
@ -115,4 +115,4 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s
- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
- [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)

BIN
windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

BIN
windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

BIN
windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

2
windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -20,7 +20,7 @@ ms.date: 11/20/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher

4
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
View File

@ -18,7 +18,7 @@ ms.date: 12/12/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher
**Audience**
@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems:
Attack surface reduction (ASR) will only work on devices with the following conditions:
>[!div class="checklist"]
> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
> - Endpoints are running Windows 10 Enterprise edition, version 1709 (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).

4
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
View File

@ -18,7 +18,7 @@ ms.date: 12/12/2017
**Applies to:**
- Windows 10, version 1709
- Windows 10 Enterprise edition, version 1709 or higher
**Audience**
@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems:
Windows Defender Exploit Guard will only work on devices with the following conditions:
>[!div class="checklist"]
> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
> - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
> - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.

25
windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -61,17 +61,28 @@ You can use the Windows Defender ATP console to obtain detailed reporting into e
Each of the features in Windows Defender EG have slightly different requirements:
Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md)
-|-|-|-
Exploit protection | No requirement | Required for reporting in the Windows Defender ATP console
Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) |
| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
> [!NOTE]
> ![supported, enhanced](./images/ball_75.png) Exploit Protection - On Windows 10 E3, includes advanced exploit protection for the kernel mode via [HVCI] (https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
> ![supported, full reporting](./images/ball_full.png) On Windows 10 E5, includes automated reporting into the Windows Defender ATP console.
| Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
|-----------------| ------------------------------------ |
| Exploit protection | No requirement |
| Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled |
| Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled |
| Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled |
> [!NOTE]
> Each feature's requirements are further described in the individual topics in this library.
## In this library
Topic | Description