From 81db6093f6f48ffb56c2158a61ea64ea2334e183 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Mar 2017 12:36:32 -0700 Subject: [PATCH 01/14] Adding 1 new limitation and 1 important note --- ...ange-history-for-keep-windows-10-secure.md | 1 + windows/keep-secure/limitations-with-wip.md | 23 ++++++++++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 858577af50..ccc3240c10 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)]|Added note about Azure RMS and USB drives and added new limitation about folder redirection.| ## January 2017 diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 39aaeb8dc5..a9a107a41c 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md 
@@ -27,7 +27,7 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. - Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. + Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption.

Important
If you're running WIP with Azure Rights Management (Azure RMS), you can open any enterprise data copied to a USB drive on computers running Windows 10, version 1703 and later. For more info about how to set up WIP with Azure RMS, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-wip-policy-using-intune). Direct Access is incompatible with WIP. @@ -79,6 +79,27 @@ This table provides info about the most common problems you might encounter whil Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). + + WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False: +

+ + WIP isn’t turned on for employees in your organization. + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. For more info about Work Folders and Offline Files see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). + >[!NOTE] From 923d474b200719858faa8f0c59b7e6974eedd0c8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 16 Mar 2017 14:48:25 -0700 Subject: [PATCH 02/14] Updated with fringe situation and KB article link --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index a9a107a41c..7183cc590d 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -98,7 +98,7 @@ This table provides info about the most common problems you might encounter whil WIP isn’t turned on for employees in your organization. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. For more info about Work Folders and Offline Files see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). From bb021526dae5d79ad24b312e38c11f6e1498ab3e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 12:48:01 -0700 Subject: [PATCH 03/14] Added content --- windows/keep-secure/limitations-with-wip.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 7183cc590d..ad8c162569 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -100,6 +100,10 @@ This table provides info about the most common problems you might encounter whil WIP isn’t turned on for employees in your organization. Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). + + Switching from a mobile application management (MAM) solution to a mobile device management (MDM) solution, while running Windows Home edition, turns WIP off. + WIP stops working if your organization switches from MAM to MDM while using Windows Home edition. + Continue to use your MAM solution. For more info, see the Integration with Windows Information Protection section of the [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management) topic. >[!NOTE] From dbe40390b8dfe756b7e714c61587ac13c7eb261a Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 29 Mar 2017 07:16:05 -0700 Subject: [PATCH 04/14] AUMID --- windows/manage/lockdown-xml.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/lockdown-xml.md b/windows/manage/lockdown-xml.md index 936ed8c310..9b7b8d4489 100644 --- a/windows/manage/lockdown-xml.md +++ b/windows/manage/lockdown-xml.md 
@@ -90,7 +90,7 @@ The following example is a complete lockdown XML file that disables Action Cente The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. -You provide the product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you should also provide the App User Model ID (AUMID) to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) +You provide the App User Model ID (AUMID) and product ID for each app in your file. The product ID identifies an app package, and an app package can contain multiple apps, so you also provide the ADUMID to differentiate the app. Optionally, you can set an app to run automatically. [Get product ID and AUMID for apps in Windows 10 Mobile.](product-ids-in-windows-10-mobile.md) The following example makes Outlook Calendar available on the device. From 075c7987a125a7c6fd7ba54557a7b02a13e9c6f5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 29 Mar 2017 07:48:36 -0700 Subject: [PATCH 05/14] remove Apps Corner reference --- .../configure/product-ids-in-windows-10-mobile.md | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/windows/configure/product-ids-in-windows-10-mobile.md b/windows/configure/product-ids-in-windows-10-mobile.md index 6fd085952b..f2a3295ba9 100644 --- a/windows/configure/product-ids-in-windows-10-mobile.md +++ b/windows/configure/product-ids-in-windows-10-mobile.md 
@@ -230,21 +230,8 @@ The following table lists the product ID and AUMID for each app that is included   -## Get product ID and AUMID for other apps -To get the product ID and AUMID for apps that are installed from Windows Store or installed locally ([side-loaded](https://go.microsoft.com/fwlink/p/?LinkID=623433)), use the following steps. - -**Prerequisites**: a device with an SD card inserted and all apps installed that you want to get IDs for - -1. On Start ![start](images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](images/settingsicon.png) > **Accounts** > **Apps Corner**. - -2. Tap **Apps**, tap to select the app that you want to get IDs for, and then tap done ![done button](images/doneicon.png) - -3. Tap **advanced**, and then **tap export to SD card**. - -4. Connect the device to a PC using USB, and then open the WEHLockdown.xml file on the SD card of the device to view the product ID and AUMID for each app. - ## Related topics From 5bfd77c959e47957ee68b2cf72dc5f90845a0f49 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 29 Mar 2017 07:49:49 -0700 Subject: [PATCH 06/14] rkot correction --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index f5c342d43d..7abdf4888c 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -27,7 +27,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | +| Network and Internet access |

To function properly, the Surface Hub should have internet access via a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 From 3d85f202f22f1e75443fccee234583058c860bd6 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 29 Mar 2017 07:56:07 -0700 Subject: [PATCH 07/14] add proxy config --- ...prepare-your-environment-for-surface-hub.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 7abdf4888c..e23f75f5e3 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -27,7 +27,9 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access |

To function properly, the Surface Hub should have internet access via a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | +| Network and Internet access |

To function properly, the Surface Hub should have internet access via a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. See [Proxy configuration](#proxy-configuration) for additional requirements. | + +### Port and endpoint requirements Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 @@ -41,6 +43,20 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th - Telemetry client endpoint: `https://vortex.data.microsoft.com/` - Telemetry settings endpoint: `https://settings.data.microsoft.com/` +### Proxy configuration + +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: + +- login.live.com +- login.windows.net +- account.live.com +- clientconfig.passport.net +- windowsphone.com +- *.wns.windows.com +- *.microsoft.com +- www.msftncsi.com (prior to Windows 10, version 1607) +- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607) + ## Work with other admins From 01470dc501443df84f1593dc1d9a69dd8bc0c217 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 29 Mar 2017 08:08:14 -0700 Subject: [PATCH 08/14] +change history --- devices/surface-hub/change-history-surface-hub.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 74ee57c2f5..44777315a6 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md 
@@ -14,6 +14,12 @@ localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## March 2017 + +| New or changed topic | Description | +| --- | --- | +| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | Added proxy configuration. | + ## February 2017 | New or changed topic | Description | From 8ed3ddb6745ec0b862e23b29409768d20ea3522c Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Wed, 29 Mar 2017 08:13:17 -0700 Subject: [PATCH 09/14] miracast link --- devices/surface-hub/troubleshoot-surface-hub.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md index cc3bd57b95..12a2488a50 100644 --- a/devices/surface-hub/troubleshoot-surface-hub.md +++ b/devices/surface-hub/troubleshoot-surface-hub.md @@ -622,7 +622,9 @@ This section lists status codes, mapping, user messages, and actions an admin ca     +## Related content +- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)   From 5b644a852a6c2e884800e84f675fc15587ea3bde Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Wed, 29 Mar 2017 08:31:49 -0700 Subject: [PATCH 10/14] Another tweak per PR request --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index d4150db6cf..1749688be6 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -158,7 +158,7 @@ A new security policy setting The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](../update/waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](../update/waas-configure-wufb.md#pause-quality-updates). -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details. ### Optimize update delivery 
From 3a61c4ac2a2a73f62168bedd6e5782828b808066 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 29 Mar 2017 08:40:00 -0700 Subject: [PATCH 11/14] changed reg value for Secure Boot with DMA --- ...eploy-device-guard-enable-virtualization-based-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index b03c8c1332..68ae726ace 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -144,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**. +> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable VBS without UEFI lock (value 0)** @@ -196,7 +196,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 2)**, in the preceding command, change **/d 1** to **/d 2**. +> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** From e1596347ce08360a8f48d10782b6b7fb0c935324 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Wed, 29 Mar 2017 08:55:25 -0700 Subject: [PATCH 12/14] Updated content --- windows/keep-secure/limitations-with-wip.md | 6 +----- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index ad8c162569..bbb6393ee7 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -98,12 +98,8 @@ This table provides info about the most common problems you might encounter whil WIP isn’t turned on for employees in your organization. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). - - Switching from a mobile application management (MAM) solution to a mobile device management (MDM) solution, while running Windows Home edition, turns WIP off. - WIP stops working if your organization switches from MAM to MDM while using Windows Home edition. - Continue to use your MAM solution. For more info, see the Integration with Windows Information Protection section of the [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management) topic. >[!NOTE] diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 1c7ea0a9ff..85a6f3d8c9 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md 
@@ -18,7 +18,7 @@ localizationpriority: high This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. >[!IMPORTANT] ->All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise. +>All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your organization. |Task |Description | From 232c08786864e521d2c5f063e9467033e3202c67 Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Wed, 29 Mar 2017 09:13:33 -0700 Subject: [PATCH 13/14] Added Mobile section and tweaked WDATP txt per PR --- .../whats-new-windows-10-version-1703.md | 37 ++++++++++++++----- 1 file changed, 28 insertions(+), 9 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 1749688be6..8d699e5eda 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -58,13 +58,6 @@ Additional MDM policy settings are available for Start and taskbar layout. For d Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md). -### Lockdown Designer for Windows 10 Mobile lockdown files - -The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). - -![Lockdown Designer app in Store](images/ldstore.png) - -[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md) ### Cortana at work @@ -95,7 +88,7 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10 - [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks - Upgraded detections of ransomware and other advanced attacks - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed - **Investigation**
Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations. @@ -136,7 +129,7 @@ New features for Windows Defender AV in Windows 10, version 1703 include: - [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md) - [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md) -In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](.../keep-secure/configure-real-time-protection-windows-defender-antivirus.md). +In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](../keep-secure/configure-real-time-protection-windows-defender-antivirus.md). You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/). 
@@ -208,6 +201,32 @@ For more info, see the following topics: - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](../manage/appv-auto-batch-updating.md) - [Automatically cleanup unpublished packages on the App-V client](../manage/appv-auto-clean-unpublished-packages.md) +## Windows 10 Mobile enhancements + +### Lockdown Designer + +The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md). + +![Lockdown Designer app in Store](images/ldstore.png) + +[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md) + +### Other enhancements + +Windows 10 Mobile, version 1703 also includes the following enhancements: + +- SD card encryption +- Remote PIN resets for Azure Active Directory accounts +- SMS text message archiving +- WiFi Direct management +- OTC update tool +- Continuum display management + - Individually turn off the monitor or phone screen when not in use + - Indivudally adjust screen time-out settings +- Continuum docking solutions + - Set Ethernet port properties + - Set proxy properties for the Ethernet port + ## New features in related products The following new features aren't part of Windows 10, but help you make the most of it. From 8622757a2e1d4fcd20829d080a8fe2ccba21e4f9 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 29 Mar 2017 09:45:16 -0700 Subject: [PATCH 14/14] fixed typo in DMA --- windows/keep-secure/bitlocker-group-policy-settings.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md index c0112dcf47..c16db3871b 100644 
--- a/windows/keep-secure/bitlocker-group-policy-settings.md +++ b/windows/keep-secure/bitlocker-group-policy-settings.md @@ -32,7 +32,7 @@ The following sections provide a comprehensive list of BitLocker Group Policy se The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. -- [Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN](#bkmk-hstioptout) +- [Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN](#bkmk-hstioptout) - [Allow network unlock at startup](#bkmk-netunlock) - [Require additional authentication at startup](#bkmk-unlockpol1) - [Allow enhanced PINs for startup](#bkmk-unlockpol2) @@ -86,7 +86,7 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) -### Allow devices with Secure Boot and protect DMS ports to opt out of preboot PIN +### Allow devices with Secure Boot and protect DMA ports to opt out of preboot PIN This policy setting allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. 
@@ -137,7 +137,8 @@ This setting enables an exception to the PIN-required policy on secure hardware. ### Allow network unlock at startup -This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature. +This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption. +This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
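Review bot: the added line in hunk `@@ -136,7 +129,7 @@` still misspells "behavior" as "beahvior" in the link text `[updated beahvior monitoring and always-on real-time protection]`. The line is already being rewritten to correct the link target from `.../keep-secure/` to `../keep-secure/`, so fix the spelling in the same change.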
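Review bot: the new "Other enhancements" list in hunk `@@ -208,6 +201,32 @@` contains a typo, "Indivudally adjust screen time-out settings" should read "Individually", and "OTC update tool" uses an acronym that is not expanded anywhere in the visible lines. The security-relevant entries (SD card encryption, remote PIN resets for Azure Active Directory accounts) are bare bullets, unlike the Lockdown Designer entry above them, which links to its topic; link each to its configuration topic where one exists so administrators can find how to enable it.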
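Review bot: in hunk `@@ -137,7 +137,8 @@` of bitlocker-group-policy-settings.md, the paragraph under "Allow network unlock at startup" is split with a single newline, which Markdown renders as one paragraph, so the published text does not change. If a paragraph break before "This policy is used in addition to the BitLocker Drive Encryption Network Unlock Certificate security policy" is intended, add a blank line between the two sentences; otherwise drop this hunk, since it is unrelated to the "fixed typo in DMA" subject of the commit.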