diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index e11e0e6e42..9ae8f829c5 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -42,6 +42,20 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th - Telemetry client endpoint: `https://vortex.data.microsoft.com/` - Telemetry settings endpoint: `https://settings.data.microsoft.com/` +### Proxy configuration + +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: + +- login.live.com +- login.windows.net +- account.live.com +- clientconfig.passport.net +- windowsphone.com +- *.wns.windows.com +- *.microsoft.com +- www.msftncsi.com (prior to Windows 10, version 1607) +- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607) + ## Work with other admins diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index ff05c19f62..678d06e664 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -622,7 +622,9 @@ This section lists status codes, mapping, user messages, and actions an admin ca     +## Related content +- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)   diff --git a/windows/configure/lockdown-xml.md b/windows/configure/lockdown-xml.md index 9398934ee7..36fa6806f7 100644 --- a/windows/configure/lockdown-xml.md +++ b/windows/configure/lockdown-xml.md @@ -91,7 +91,7 @@ The following example is a complete lockdown XML file that disables Action Cente The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. -You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) +You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) The following example makes Outlook Calendar available on the device. diff --git a/windows/configure/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md index 6fd085952b..f2a3295ba9 100644 --- a/windows/configure/product-ids-in-windows-10-mobile.md +++ b/windows/configure/product-ids-in-windows-10-mobile.md @@ -230,21 +230,8 @@ The following table lists the product ID and AUMID for each app that is included   -## Get product ID and AUMID for other apps -To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps. - -**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png) - -3. Tap **advanced**, and then **tap export to SD card**. - -4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app. - ## Related topics diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index c0112dcf47..c16db3871b 100644 --- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -32,7 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. -- [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout) +- [Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN](#bkmk-hstioptout) - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) @@ -86,7 +86,7 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) -### Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN +### Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. @@ -137,7 +137,8 @@ This setting enables an exception to the PIN-required policy on secure hardware. ### Allow network unlock at startup -This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. +This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. +This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 6cd59dffcb..64117b1d7c 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## March 2017 |New or changed topic |Description | |---------------------|------------| +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)]|Added note about Azure RMS and USB drives and added new limitation about folder redirection.| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New | @@ -29,6 +30,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Added information that maps the Enhanced Mitigation Experience Toolkit (EMET) to Windows 10 features. | +>>>>>>> refs/remotes/origin/rs2 ## January 2017 diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index b03c8c1332..68ae726ace 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -144,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**. +> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable VBS without UEFI lock (value 0)** @@ -196,7 +196,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**. +> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 39aaeb8dc5..bbb6393ee7 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -27,7 +27,7 @@ This table provides info about the most common problems you might encounter whil - + @@ -79,6 +79,27 @@ This table provides info about the most common problems you might encounter whil + + + + +
Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.

Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption.

Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption.

Important
If you're running WIP with Azure Rights Management (Azure RMS), you can open any enterprise data copied to a USB drive on computers running Windows 10, version 1703 and later. For more info about how to set up WIP with Azure RMS, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-wip-policy-using-intune).
Direct Access is incompatible with WIP.Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False: +
    +
  • AppDataRoaming
    • +
  • Desktop
    • +
  • StartMenu
    • +
  • Documents
    • +
  • Pictures
    • +
  • Music
    • +
  • Videos
    • +
  • Favorites
    • +
  • Contacts
    • +
  • Downloads
    • +
  • Links
    • +
  • Searches
    • +
  • SavedGames
    • +
+ 		WIP isn’t turned on for employees in your organization.Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).

>[!NOTE] diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index f92c5cee6a..5aa3037101 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -19,7 +19,7 @@ localizationpriority: high This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. >[!IMPORTANT] ->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise. +>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization. |Task |Description | diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index d4150db6cf..8d699e5eda 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -58,13 +58,6 @@ Additional MDM policy settings are available for Start and taskbar layout. For d Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md). -### Lockdown Designer for Windows 10 Mobile lockdown files - -The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). - -![Lockdown Designer app in Store](images/ldstore.png) - -[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md) ### Cortana at work @@ -95,7 +88,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks - Upgraded detections of ransomware and other advanced attacks - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed - **Investigation**
Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. @@ -136,7 +129,7 @@ New features for Windows Defender AV in Windows 10, version 1703 include: - [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md) - [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md) -In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](.../keep-secure/configure-real-time-protection-windows-defender-antivirus.md). +In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md). You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). @@ -158,7 +151,7 @@ A new security policy setting The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates). -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. ### Optimize update delivery @@ -208,6 +201,32 @@ For more info, see the following topics: - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md) - [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md) +## Windows 10 Mobile enhancements + +### Lockdown Designer + +The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). + +![Lockdown Designer app in Store](images/ldstore.png) + +[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md) + +### Other enhancements + +Windows 10 Mobile, version 1703 also includes the following enhancements: + +- SD card encryption +- Remote PIN resets for Azure Active Directory accounts +- SMS text message archiving +- WiFi Direct management +- OTC update tool +- Continuum display management + - Individually turn off the monitor or phone screen when not in use + - Indivudally adjust screen time-out settings +- Continuum docking solutions + - Set Ethernet port properties + - Set proxy properties for the Ethernet port + ## New features in related products The following new features aren't part of Windows 10, but help you make the most of it.